Simple access to ASA SSM

bikespace
Level 1

Hi All,

This doesn't seem like rocket science, but I'm a little stuck at the moment.

I have four ASA 5520s with AIP-SSM modules recently installed. Two of them went through the simple setup process, browsed to the IP address, happy days all working and available from SSH/browser.

The other two seem to have a problem. Done the setup process to bare minimum, but no answer to SSH or https.

I don't suppose you particularly need the config, but it's pasted below.

I've used the packet capture CLI and can see the https request and apparently an ACK going back out. So it seems to me that it's hitting the web server.

To add to that, I can ping the laptop I'm using from the IPS, I can trace through to remote sites, everything seems to be working except nothing showing up on the browser.

Any other gotchas I've missed, it's driving me mad now, a seemingly simple setup that already works on two other boxes :-)

Capture here:

13:41:22.480995 IP l04096.net.local.53517 > IPS-01-P.443: S 1652511892:1652511892(0) win 8192 <mss 1260,nop,nop,sackOK>
13:41:22.481034 IP IPS-01-P.443 > l04096.net.local.53517: S 1100273020:1100273020(0) ack 1652511893 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0>
13:41:22.659153 IP IPS-01-P.443 > l04096.net.local.53517: S 1100273020:1100273020(0) ack 1652511893 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0>

Not sure why it sends two identical replies in quick succession? Looking at that capture I would have guessed they were maybe some kind of ACK, but Wireshark shows they're SYNs (definitely no ACK set). I'm expecting to see SYN-SYNACK-ACK, but I'm seeing SYN-SYN-SYN.

I've now confirmed that Wireshark at my laptop receives these two packets, but the browse session still fails. Nothing more happens.

Any ideas chaps?

Is there an absolute reset of these modules? I'm never convinced that hw-mod mod 1 reset is doing everything?

Thanks,

Gaz

IPS-01-P# sh conf
! ------------------------------
! Current configuration last modified Wed Feb 01 12:34:44 2012
! ------------------------------
! Version 7.0(6)
! Host:
!     Realm Keys          key1.0
! Signature Definition:
!     Signature Update    S549.0   2011-02-17
! ------------------------------
service interface
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
network-settings
host-ip 10.26.99.115/28,10.26.99.126
host-name OS-F-CR-IPS-01-P
telnet-option enabled
access-list 10.26.0.0/16
dns-primary-server enabled
address 10.26.100.78
exit
dns-secondary-server disabled
dns-tertiary-server disabled
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
exit
! ------------------------------
service signature-definition sig0
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
exit
! ------------------------------
service anomaly-detection ad0
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service health-monitor
exit
! ------------------------------
service global-correlation
exit
! ------------------------------
service aaa
exit
! ------------------------------
service analysis-engine
exit
OS-F-CR-IPS-01-P#
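Added example, not part of the original post: a small Python parser for the legacy tcpdump-style lines in the capture above. It labels each segment from its flag letter and printed ack field and reports whether the three-way handshake completed. The function names and report keys are assumptions of this example; the sample lines are copied from the post.

```python
import re

# Capture lines copied from the post (legacy tcpdump text format).
CAPTURE = """\
13:41:22.480995 IP l04096.net.local.53517 > IPS-01-P.443: S 1652511892:1652511892(0) win 8192 <mss 1260,nop,nop,sackOK>
13:41:22.481034 IP IPS-01-P.443 > l04096.net.local.53517: S 1100273020:1100273020(0) ack 1652511893 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0>
13:41:22.659153 IP IPS-01-P.443 > l04096.net.local.53517: S 1100273020:1100273020(0) ack 1652511893 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0>
"""

# timestamp, src > dst, flag letters, optional seq range, optional ack number
LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFPRWE.]+)"
    r"(?: (?P<seq>\d+):\d+\(\d+\))?(?: ack (?P<ack>\d+))?")

def parse(text):
    """Return one dict per parsable line, with a 'kind' label added."""
    segs = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        s = m.groupdict()
        has_ack = s["ack"] is not None
        if "S" in s["flags"]:
            # A printed ack field means the ACK flag is set alongside SYN.
            s["kind"] = "SYN-ACK" if has_ack else "SYN"
        elif "R" in s["flags"]:
            s["kind"] = "RST"
        else:
            s["kind"] = "ACK" if has_ack else "OTHER"
        segs.append(s)
    return segs

def handshake_report(segs):
    """Summarise the first handshake attempt found in the parsed segments."""
    syn = next((s for s in segs if s["kind"] == "SYN"), None)
    if syn is None:
        return {"completed": False, "synack_count": 0,
                "retransmitted": False, "ack_matches_syn": False}
    client, server = syn["src"], syn["dst"]
    synacks = [s for s in segs if s["kind"] == "SYN-ACK"
               and (s["src"], s["dst"]) == (server, client)]
    final = [s for s in segs if s["kind"] == "ACK"
             and (s["src"], s["dst"]) == (client, server)]
    return {
        "completed": bool(synacks) and bool(final),
        "synack_count": len(synacks),
        # The same initial sequence number sent again is a retransmission.
        "retransmitted": len(synacks) > len({s["seq"] for s in synacks}),
        "ack_matches_syn": all(int(s["ack"]) == int(syn["seq"]) + 1 for s in synacks),
    }
```

Calling `handshake_report(parse(CAPTURE))` on these three lines reports two replies with the same sequence number, each acknowledging the client's SYN, and no closing ACK from the client in the capture.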

2 Replies

rhermes
Level 7

Is this the same configuration (besides the sensor's IP address) as the working modules?

If not, can you paste a working config into this module (and change the sensor's IP of course)?

You have telnet enabled, have you tried telnetting to your sensor?

Are you connecting to the sensor from a host in the 10.26.0.0/16 network?

- Bob

Hi Bob,

Yep, absolutely identical. Tried telnet, SSH, and web, both from the laptop and from a directly connected device, and yep, all hosts are within the 10.26.0.0 network.

It's really strange. All four firewalls have been configured identically, at the same time, as part of a rollout project.
