Question about ASA5510 with AIP10

skytosky
Level 1

I've installed ASA5510 with AIP10 at our client site. But I have 2 problems.

Firstly, I can't see any traffic from giga0/1 (backplane interface) of AIP10.

Should I configure related configuration at ASA5510? I already configured related configuration at AIP10 about Virtual sensor group and sensing interface. Unfortunately I can't see any traffic.

When I entered "show int gi0/1" on the AIP10, it displayed that every traffic count is zero.

Secondly, AIP10 can't do auto signature update from our ftp server. When I inspected packets with the ethereal tool, I saw that AIP10 disconnected the session from the ftp server after the ftp command "LIST" was submitted to the ftp server. I think that maybe AIP10 didn't submit "Get sig.pkg" after it submitted "LIST".

What should I do? Is it AIP's hardware problem? Let me know about the above.

Regards,

Accepted Solutions

marcabal
Cisco Employee

To get traffic monitored requires configuration on both the ASA and the SSM.

It sounds like you've done the SSM configuration.

Now you need the corresponding ASA configuration.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids11/cliguide/clissm.htm#wp1033926

This is most easily done by adding "ips" configuration lines into your existing policy-map on the ASA itself.

Once the ASA is configured then the packet counts on the gig0/1 interface of the SSM should start increasing.

As for the FTP Server issues with auto upgrade:

The first thing to do is use the "upgrade" command in the CLI to do a manual upgrade from the FTP server. This will ensure the username/password and directory settings are all correct for what you are trying.

Once the manual works, then use the same settings for auto update.

If auto update is not working, then check to ensure that Unix style listing of the directory is being used. The auto update does not work when Windows style listing of the directory output is used. This is generally configurable on most Windows FTP servers.

Also check the output of "show events" while the sensor is checking the ftp server. The sensor will report its findings. If it says that no updates were found, then verify that you have a newer update on the ftp server, and ALSO verify that the name of the update is exactly as it appears on CCO. Some users have inadvertently changed the names or their ftp client changed the filenames. The biggest issue we've seen is that capital letters are made lower case.


Thank you for your best answer.

Following your advice, I resolved the first problem. But I didn't resolve the 2nd problem.

I verified that the listing style of our ftp server was UNIX, but auto update failed.

When I used Serv-U FTP and MS FTP Service, I had the same result, which is failure. What should I do?

Did you check "show events" to see what output events were generated?

You can also try capturing the packets between the sensor and ftp server. You can look to see if any errors are detected and if the filenames in the listing are appearing exactly as they are listed on CCO.

Also ensure that the prompts for the ftp server have not been changed. Some customers modify the prompts for the ftp server, or have the ftp server return some initial information about security on initial connection. Sometimes these modifications can confuse the sensor.

If none of the above help in determining the problem, then contact the TAC. You will need to provide them the information from above as well as a "show tech" output from the sensor.

You could post the output to this forum, but I would not recommend it. Your capture data will have information you won't want posted on a public forum.
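
One way to check a captured LIST response for the two problems named in the replies above (directory listing style and filename case), as an added example that is not part of the thread and not Cisco code. The sample listings, the package name, the function names and the regular expressions (which approximate common server output) are constructed for illustration.

```python
import re

# Constructed samples: a placeholder package name and two one-line listings.
EXPECTED = ["IPS-sig-S000-EXAMPLE.pkg"]
UNIX_SAMPLE = ["-rw-r--r--   1 ftp      ftp       1048576 Jan 10 09:15 ips-sig-s000-example.pkg"]
DOS_SAMPLE = ["01-10-07  09:15AM              1048576 IPS-sig-S000-EXAMPLE.pkg"]

# Unix "ls -l" style: permissions, links, owner, group, size, date, name.
UNIX_RE = re.compile(
    r"^[-dlbcps][-rwxsStT]{9}\s+\d+\s+\S+\s+\S+\s+\d+\s+"
    r"\w{3}\s+\d{1,2}\s+(?:\d{4}|\d{1,2}:\d{2})\s+(?P<name>.+)$")
# MS-DOS style (the "Windows style" listing): date, time, <DIR> or size, name.
DOS_RE = re.compile(
    r"^\d{2}-\d{2}-\d{2,4}\s+\d{1,2}:\d{2}\s*(?:AM|PM)?\s+"
    r"(?:<DIR>|\d+)\s+(?P<name>.+)$", re.IGNORECASE)

def parse_listing(lines):
    """Return (style, names); style is 'unix', 'dos', 'mixed' or 'unknown'."""
    styles, names = set(), []
    for line in lines:
        line = line.rstrip("\r\n")
        if not line or line.lower().startswith("total "):
            continue
        for style, rx in (("unix", UNIX_RE), ("dos", DOS_RE)):
            m = rx.match(line)
            if m:
                styles.add(style)
                names.append(m.group("name"))
                break
        else:
            styles.add("unknown")  # line matched neither format
    if len(styles) == 1:
        return styles.pop(), names
    return ("mixed" if styles else "unknown"), names

def check_names(listed, expected):
    """Map each expected name to 'ok', 'case-changed: <listed name>' or 'missing'."""
    by_lower = {n.lower(): n for n in listed}
    result = {}
    for want in expected:
        alt = by_lower.get(want.lower())
        result[want] = ("ok" if want in listed else
                        "case-changed: " + alt if alt else "missing")
    return result

if __name__ == "__main__":
    for sample in (UNIX_SAMPLE, DOS_SAMPLE):
        style, names = parse_listing(sample)
        print(style, check_names(names, EXPECTED))
```

Feed it the listing lines copied out of the packet capture and the update filenames exactly as they appear on CCO.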

Step 4 in the ASA config link you provided is perplexing me. The access-list "IPS" says to permit ip any any. Step 4 applies this ACL directly to an interface with an access-group command. Wouldn't that permit all traffic, opening the ASA up wide?

My understanding was that the class-map is what links the access-list to the policy-map, and the service-policy, in turn, links the policy-map to the interface. What, then, is the reason for the access-group command? Am I misunderstanding something?

-Tom Rusnock

Acadia Systems, Inc.
