Volodymyr Morskyy
Participant

no traffic on IPS promiscuous

Hi,

Have a 5545X with 5545-IPS module. It is up, updating signatures, but there are no packets checked on it. On the sensor side I'm confused that hardware/software version is shown as N/A. ASA config:

access-list test extended permit ip interface outside any

class-map test-class

match access-list test

policy-map global_policy

class test-class

  ips promiscuous fail-open sensor vs0

service-policy global_policy global

All show statistics commands (engine, host, etc.) on IPS show 0 in packets, so it seems like traffic is not passed to IPS from ASA. Global policy output on ASA shows the same:

Global policy:

Service-policy: global_policy

Class-map: test-class

IPS: card status UP, license status Enabled, mode promiscuous fail-open, sensor vs0

  packet input 0, packet output 0, drop 0, reset-drop 0

What can prevent global-policy from doing its job?

Thanks

5 REPLIES
sawgupta
Beginner

On the IPS side, is the PortChannel assigned to vs0?

service analysis-engine

virtual-sensor vs0

physical-interface PortChannel0/0

exit

exit

Regards,

Sawan Gupta

Thanks & Regards, Sawan Gupta

Hi Sawan,

It is assigned. I have no idea why nothing is matched with my policy, and even access-list shows 0 packet counts.

regards,

Volodymyr

You could use the following sample config on ASA:

class-map all-traffic-class

match access-list all-traffic

policy-map pro-fail-open

class all-traffic-class

  ips promiscuous fail-open

  set connection advanced-options tmap

service-policy pro-fail-open global

Regards,

Sawan Gupta


Hi,

Can you show access-list all-traffic?

Thanks

Seems like you cannot use interface names in the config and networks should be specified.
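
A config check for the failure this thread ends on, as an added example that is not part of the original posts or of Cisco's tooling: it follows each `ips` action back through its class-map to the access-list and flags entries that use the `interface` keyword, which on the ASA stands for that interface's own IP address rather than traffic arriving on it. The sample input is the configuration from the first post; the function name is hypothetical.

```python
import re

# Constructed sample input: the ASA configuration from the first post.
SAMPLE_CONFIG = """\
access-list test extended permit ip interface outside any
class-map test-class
 match access-list test
policy-map global_policy
 class test-class
  ips promiscuous fail-open sensor vs0
service-policy global_policy global
"""

def ips_acl_findings(config):
    """Hypothetical helper: list (policy-map, class, ACL, ACE) for every ACE
    that feeds an `ips` action and uses the `interface` keyword."""
    acls, class_acl, ips_classes = {}, {}, []
    policy = cls = cmap = None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "access-list":
            if len(words) > 2 and words[2] != "remark":
                acls.setdefault(words[1], []).append(raw.strip())
        elif words[0] == "class-map":
            cmap, policy = words[-1], None
        elif words[0] == "policy-map":
            policy, cmap, cls = words[-1], None, None
        elif words[:2] == ["match", "access-list"] and cmap and len(words) > 2:
            class_acl[cmap] = words[2]
        elif words[0] == "class" and policy and len(words) > 1:
            cls = words[1]
        elif words[0] == "ips" and policy and cls:
            ips_classes.append((policy, cls))
    findings = []
    for policy, cls in ips_classes:
        acl = class_acl.get(cls)
        for ace in acls.get(acl, []):
            # `interface <name>` in an ACE means that interface's own address.
            if re.search(r"\binterface\s+\S+", ace):
                findings.append((policy, cls, acl, ace))
    return findings

if __name__ == "__main__":
    for policy, cls, acl, ace in ips_acl_findings(SAMPLE_CONFIG):
        print(f"{policy}/{cls}: ACL {acl} matches an interface address: {ace}")
```

Run against a saved `show running-config`, an empty result means no IPS redirection class depends on an interface-address ACE; the packet input counter under `show service-policy` remains the confirmation that traffic actually reaches the sensor.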
