IDS 4210 Blocking using ACL on a router

b-krigeris (Level 1)

I am having trouble configuring blocking. I followed all of the parameters on CSPM, i.e. router telnet and enable passwords, interface, IP address. When I try to apply blocking, CSPM tells me that the block is successful, but when I check the /usr/nr/var/errors.managed file I get the following errors:

Router(config)#
01/23/2002 15:01:25UTC E Connection lost to net device 10.60.4.1
01/23/2002 15:01:28UTC E Established a connection to 10.60.4.1
01/23/2002 15:01:29UTC E Error: Syntax error from invalid input at device [Cisco] IP [10.60.4.1] state [Active]
01/23/2002 15:01:29UTC E Error: Syntax error from invalid input at device [Cisco] IP [10.60.4.1] state [Active]

Text from device:
no ip access-list ext IDS_Ethernet0_in_0
^
% Invalid input detected at '^' marker.

I can't figure out what causes the error.

Thanks
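The errors.managed lines quoted above have a regular shape (date, time with zone, severity letter, message), so a sensor operator can scan the file and see at a glance which managed devices are throwing syntax errors, and therefore which devices are not actually blocking anything even though CSPM reports success. The following is an added example, not code from the original post or from Cisco; the log lines are copied from the post, the caret position in the device text is a constructed approximation, and the function and pattern names are my own.

```python
import re
from collections import Counter

# Constructed sample input: the errors.managed lines quoted in the original post.
SAMPLE_LOG = """\
01/23/2002 15:01:25UTC E Connection lost to net device 10.60.4.1
01/23/2002 15:01:28UTC E Established a connection to 10.60.4.1
01/23/2002 15:01:29UTC E Error: Syntax error from invalid input at device [Cisco] IP [10.60.4.1] state [Active]
01/23/2002 15:01:29UTC E Error: Syntax error from invalid input at device [Cisco] IP [10.60.4.1] state [Active]
"""

# Constructed sample: the "Text from device" block from the post, caret alignment assumed.
DEVICE_TEXT = """\
no ip access-list ext IDS_Ethernet0_in_0
                     ^
% Invalid input detected at '^' marker.
"""

# One errors.managed line: MM/DD/YYYY HH:MM:SS<zone> <severity> <message>
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2})(?P<tz>[A-Z]+) "
    r"(?P<sev>[A-Z]) (?P<msg>.*)$"
)
SYNTAX_RE = re.compile(r"Syntax error .* IP \[(?P<ip>[\d.]+)\] state \[(?P<state>\w+)\]")
LOST_RE = re.compile(r"Connection lost to net device (?P<ip>[\d.]+)")


def parse_line(line):
    """Split one errors.managed line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(log_text):
    """Count syntax errors and connection losses per managed-device IP."""
    syntax = Counter()
    lost = Counter()
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue  # prompts such as "Router(config)#" and other noise are skipped
        s = SYNTAX_RE.search(ev["msg"])
        if s:
            syntax[s.group("ip")] += 1
            continue
        l = LOST_RE.search(ev["msg"])
        if l:
            lost[l.group("ip")] += 1
    return {"syntax_errors": dict(syntax), "connection_lost": dict(lost)}


def devices_not_blocking(log_text):
    """Devices with at least one syntax error; per the thread, no hosts are blocked on them until fixed."""
    return sorted(summarize(log_text)["syntax_errors"])


def failing_command(device_text):
    """Return the command the router rejected, taken from the line above the IOS caret marker."""
    lines = device_text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("% Invalid input"):
            for prev in reversed(lines[:i]):
                if prev.strip() and prev.strip() != "^":
                    return prev.strip()
    return None


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print("devices not blocking:", devices_not_blocking(SAMPLE_LOG))
    print("rejected command:", failing_command(DEVICE_TEXT))
```

Run it against a real errors.managed file by reading the file into `summarize()`; any device listed by `devices_not_blocking()` should be treated as unprotected until the sensor-to-router session is fixed, regardless of what the management console reports.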

7 Replies

stleary (Cisco Employee)

What version of IDS are you running? There were several bugs in earlier versions that could cause this, which have all been fixed in the latest release.

What seems to be happening is that the sensor is unable to configure the router for blocking. The router is not in the correct mode for configuration when the sensor sends the 'no ip ...' command, which causes a syntax error and loss of communication with the router. No hosts can be blocked until this is resolved. A correctly configured sensor should never cause syntax errors at the router.

Sean

I am running 3.0(3)S13

Thanks,
Boris.

The IDS version should be OK.

The best way to proceed would be if you can open a TAC case. Tell the TAC person to contact me at stleary@cisco.com

Provide the TAC person with these files from your sensor:

/usr/nr/managed.conf
/usr/nr/var/errors.managed.* (just one error file should be enough)

Also, capture the output of the 'nrvers' command on your sensor and capture the output of the 'show config' command on the router.

If you can, it would be very helpful if you could capture some snoop output at your sensor. Here are directions for doing so:

As root on the sensor:

snoop -d -o /tmp/packets.snoop

Then as netrangr do an nrstop and an nrstart on the sensor. Wait about two minutes for the syntax error to occur, and then terminate snoop.

Example:

snoop -d iprb0 -o /tmp/packets.snoop 10.1.1.1 10.1.1.3

-d iprb0 is the IDS-4230 command and control interface
-o /tmp/packets.snoop says to save the binary packets in the /tmp/packets.snoop file
10.1.1.1 is the sensor IP
10.1.1.3 is the router IP

I got it working on a 3620 router. My several failed attempts were on a 1605R router.

Thanks

Can you tell me what IOS version is running on the 1605R? I will see if the problem can be recreated in our lab.

Router>sh ver
Cisco Internetwork Operating System Software
IOS (tm) 1600 Software (C1600-Y-M), Version 11.2(18)P, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Mon 12-Apr-99 15:29 by ashah
Image text-base: 0x02005000, data-base: 0x0232C82C

ROM: System Bootstrap, Version 12.0(3)T, RELEASE SOFTWARE (fc1)
ROM: 1600 Software (C1600-RBOOT-R), Version 12.0(3)T, RELEASE SOFTWARE (fc1)

Router uptime is 5 days, 23 hours, 41 minutes
System restarted by reload
System image file is "c1600-y-mz.112-18.P", booted via flash

The IOS version also looks OK.

Two more possible causes, if you ever try to block from the 1605R in the future:

- Make sure that the shun interface names are spelled correctly, and match interfaces on the router. However, I don't think this was the cause, since it should result in a different error message.

- Do not enter config mode on the router from a telnet session or terminal server session while the router is being controlled by the sensor. This has been found to sometimes cause errors on 1605's in our lab.

If you run into this problem again, please let us know.