02-01-2012 01:14 PM - edited 03-10-2019 05:36 AM
Hi All,
This doesn't seem like rocket science, but I'm a little stuck at the moment.
I have four ASA 5520's with AIP-SSM modules recently installed. Two of them went through the simple setup process, browsed to the IP address, happy days all working and available from SSH/browser.
The other two seem to have a problem. I've done the setup process to the bare minimum, but there's no answer to SSH or HTTPS.
I don't suppose you particularly need the config, but it's pasted below.
I've used the packet capture CLI and can see the https request and apparently an ACK going back out. So it seems to me that it's hitting the web server.
To add to that, I can ping the laptop I'm using from the IPS, I can trace through to remote sites, everything seems to be working except nothing showing up on the browser.
Any other gotchas I've missed? It's driving me mad now; a seemingly simple setup that already works on two other boxes :-)
Capture here:
13:41:22.480995 IP l04096.net.local.53517 > IPS-01-P.443: S 1652511892:1652511892(0) win 8192 <mss 1260,nop,nop,sackOK>
13:41:22.481034 IP IPS-01-P.443 > l04096.net.local.53517: S 1100273020:1100273020(0) ack 1652511893 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0>
13:41:22.659153 IP IPS-01-P.443 > l04096.net.local.53517: S 1100273020:1100273020(0) ack 1652511893 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0>
Not sure why it sends two identical replies in quick succession? Looking at that capture I would have guessed they were maybe some kind of ACK, but Wireshark shows they're SYNs (definitely no ACK set). I'm expecting to see SYN-SYNACK-ACK, but I'm seeing SYN-SYN-SYN.
I've now confirmed that Wireshark on my laptop receives these two packets, but the browse session still fails. Nothing more happens.
Any ideas chaps?
Is there an absolute reset of these modules? I'm never convinced that hw-mod mod 1 reset is doing everything.
Thanks,
Gaz
IPS-01-P# sh conf
! ------------------------------
! Current configuration last modified Wed Feb 01 12:34:44 2012
! ------------------------------
! Version 7.0(6)
! Host:
! Realm Keys key1.0
! Signature Definition:
! Signature Update S549.0 2011-02-17
! ------------------------------
service interface
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
network-settings
host-ip 10.26.99.115/28,10.26.99.126
host-name OS-F-CR-IPS-01-P
telnet-option enabled
access-list 10.26.0.0/16
dns-primary-server enabled
address 10.26.100.78
exit
dns-secondary-server disabled
dns-tertiary-server disabled
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
exit
! ------------------------------
service signature-definition sig0
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
exit
! ------------------------------
service anomaly-detection ad0
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service health-monitor
exit
! ------------------------------
service global-correlation
exit
! ------------------------------
service aaa
exit
! ------------------------------
service analysis-engine
exit
OS-F-CR-IPS-01-P#
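The capture above is the kind of thing a small parser can settle faster than eyeballing it. The following is an added example, not code from this thread or from Cisco; it assumes the older tcpdump line notation the sensor's capture CLI prints (a bare "S" for the SYN bit, with "ack N" appended when the ACK bit is also set, so "S ... ack N" is a SYN-ACK). It reads the three quoted lines (embedded as constructed sample input), classifies each segment, pairs them into a flow, and reports whether the handshake completed or whether the server is retransmitting its SYN-ACK because the client's final ACK never arrived.

```python
import re
from collections import defaultdict

# Constructed sample input: the three capture lines quoted in the post, in the
# old tcpdump flag notation ("S" = SYN bit; "ack N" present = ACK bit set).
SAMPLE_CAPTURE = """\
13:41:22.480995 IP l04096.net.local.53517 > IPS-01-P.443: S 1652511892:1652511892(0) win 8192 <mss 1260,nop,nop,sackOK>
13:41:22.481034 IP IPS-01-P.443 > l04096.net.local.53517: S 1100273020:1100273020(0) ack 1652511893 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0>
13:41:22.659153 IP IPS-01-P.443 > l04096.net.local.53517: S 1100273020:1100273020(0) ack 1652511893 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0>
"""

# timestamp, "IP src > dst:", flag letters, optional "seq:seq(len)", optional "ack N"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SFRP.]+)(?: (?P<seq>\d+):\d+\(\d+\))?(?: ack (?P<ack>\d+))?"
)


def split_endpoint(ep):
    """'host.port' -> ('host', port); tcpdump appends the port after the last dot."""
    host, port = ep.rsplit(".", 1)
    return host, int(port)


def parse_capture(text):
    """Parse tcpdump-style TCP lines into dicts; lines that don't match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        packets.append({
            "ts": d["ts"],
            "src": split_endpoint(d["src"]),
            "dst": split_endpoint(d["dst"]),
            "syn": "S" in d["flags"],
            "seq": int(d["seq"]) if d["seq"] else None,
            "ack": int(d["ack"]) if d["ack"] else None,
        })
    return packets


def classify(pkt):
    """Name the handshake role of a segment from its SYN bit and ACK field."""
    if pkt["syn"] and pkt["ack"] is None:
        return "SYN"
    if pkt["syn"]:
        return "SYN-ACK"
    if pkt["ack"] is not None:
        return "ACK"
    return "OTHER"


def verdict(f):
    """Turn per-flow counters into a one-line diagnosis."""
    if f["syn"] and not f["synack"]:
        return "no SYN-ACK: server never answered"
    if f["synack"] and not f["ack"]:
        if f["synack_retrans"]:
            return "SYN-ACK retransmitted, client ACK never seen: handshake incomplete"
        return "SYN-ACK sent, client ACK not yet seen"
    if f["ack"]:
        return "handshake complete"
    return "unknown"


def analyze_handshakes(packets):
    """Group segments per (client, server) pair and report how far each handshake got."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "synack_retrans": 0, "ack": 0})
    seen_synack = set()
    for p in packets:
        kind = classify(p)
        if kind == "SYN":
            flows[(p["src"], p["dst"])]["syn"] += 1
        elif kind == "SYN-ACK":
            key = (p["dst"], p["src"])          # flow is keyed by the client side
            sig = (key, p["seq"], p["ack"])     # identical seq/ack => retransmission
            if sig in seen_synack:
                flows[key]["synack_retrans"] += 1
            seen_synack.add(sig)
            flows[key]["synack"] += 1
        elif kind == "ACK" and (p["src"], p["dst"]) in flows:
            flows[(p["src"], p["dst"])]["ack"] += 1   # only count ACKs from a known client
    return {k: dict(v, verdict=verdict(v)) for k, v in flows.items()}


if __name__ == "__main__":
    for (client, server), f in analyze_handshakes(parse_capture(SAMPLE_CAPTURE)).items():
        print(f"{client[0]}:{client[1]} -> {server[0]}:{server[1]}: {f['verdict']} {f}")
```

Run against the quoted capture, the second and third lines classify as SYN-ACKs with identical sequence and acknowledgement numbers, so the flow is reported as a retransmitted SYN-ACK with no client ACK. That narrows the question to why the client's third-handshake packet never reaches or is never accepted by the sensor, rather than whether the web server is listening.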
02-01-2012 02:42 PM
Is this the same configuration (besides the sensor's IP address) as the working modules?
If not, can you paste a working config into this module (and change the sensor's IP of course)?
You have telnet enabled, have you tried telnetting to your sensor?
Are you connecting to the sensor from a host in the 10.26.0.0/16 network?
- Bob
02-02-2012 02:21 PM
Hi Bob,
Yep, absolutely identical. Tried telnet, SSH, and web, both from the laptop and from a directly connected device, and yep, all hosts are within the 10.26.0.0 network.
It's really strange. All four firewalls have been configured identically, at the same time, as part of a rollout project.