AIP-SSM configured with event action "produce alert", but it drop packets

Similar Messages

• AIP-SSM Configuration Maintenance in Active Stdby modes

  So, I'm pretty new to the AIP-SSM but not to ASA's. It appears that very little of the AIP module config gets copied over to the Stdby AIP, nothing other than what appears in the ASA config (ACL's, etc.). So, do all the config elements particular to the module itself have to be manually reproduced on the Stdby module, either by hand entry or config copies moved between the two?

  So in Active/Standby scenarios with AIP-SSM, what is the reasoning for not having a feature for automatically copying over module config changes as with the ASA config?
  If there is no good reason, is it on the AIP-SSM road map to provide this feature?
  This can be a real pain in the arse for complex IPS configs. You have to do everything twice, and right away, so you won't miss anything should the ASA'a flip.

• AIP-SSM configuration assistance

  I have two questions regarding the AIP-SSM.
  1) Does the ACL on AIP-SSM have any type of relations to the ASA ACL?
  2) Our four interfaces are all in use. Is it possible to assign the SSM an IP address in the same subnet as the management interface?
  3) Should then the management interface be used as the gateway for the SSM?
  interface GigabitEthernet0/0
  nameif outside
  security-level 0
  ip address 65.x.x.1 255.255.255.0 standby 65.x.x.2
  interface GigabitEthernet0/1
  nameif dmz
  security-level 50
  ip address 172.16.x.1 255.255.255.0 standby 172.16.x.2
  interface GigabitEthernet0/2
  nameif inside
  security-level 100
  ip address 192.168.x.1 255.255.255.0 standby 192.168.x.2
  interface GigabitEthernet0/3
  description LAN/STATE Failover Interface
  interface Management0/0
  speed 100
  duplex full
  nameif management
  security-level 100
  ip address 10.0.x.1 255.255.255.0 standby 10.0.x.2
  management-only

  Here are the answers to your questions-
  1) Does the ACL on AIP-SSM have any type of relations to the ASA ACL?
  Ans) No. ACL on SSM is completely independent of ACLs on ASA.
  2) Our four interfaces are all in use. Is it possible to assign the SSM an IP address in the same subnet as the management interface?
  Ans) Absolutely. You can assign the management port of SSM an IP in the same subnet as your managemnet interface. That way all management traffic will be kept independent of normal DATA traffic.
  3) Should then the management interface be used as the gateway for the SSM?
  Ans) You are right .. :-)
  Hope that helps.
  Regards,
  Vibhor.

• Changing port configuration with Event Manager

  Hello,
  I'm trying to change the configuration of a port when the port goes down with EEM.
  So when an flex connect access-point is disconnected the port becomes an access-port.
  I don't want to use the MAC address.
  Does anyone has experience with this.
  Below is the applet I'm using.
  Thanks in advanced, 
  Michel
  event manager applet CONFIG-ACCESS-PORT
   event neighbor-discovery interface regexp "(FastEthernet[0-9]\/[0-9]+)" cdp delete
   action 100 regexp "(AIR-LAP)" "$_nd_cdp_platform" value
   action 110 if $_regexp_result eq "1"
   action 200 cli command "enable"
   action 210 cli command "config t"
   action 220 cli command "interface $_nd_local_intf_name"
   action 240 cli command "switchport mode access"
   action 250 cli command "switchport access vlan 20"
   action 260 cli command "no switchport trunk encapsulation dot1q"
   action 270 cli command "no switchport trunk native vlan 88"
   action 280 cli command "no switchport trunk allowed vlan 88,100"
   action 290 cli command "spanning-tree portfast"
   action 400 syslog msg "EXECUTED EEM APPLET FOR ACCESS-PORT interface $_nd_local_intf_name"
   action 500 cli command "end"
   action 510 cli command "copy run start"

  Hi Evan,
  For sure! There is a really good example on the configuration guide, and assciated caveats.
  http://www.cisco.com/en/US/docs/wireless/controller/7.4/configuration/guides/consolidated/b_cg74_CONSOLIDATED_chapter_0100011.html
  Benefits for using LAG is increased bandwidth, and redundancy - especially if you have the two (or more in the case of a 5508 WLC) ports connected to different physical switches, eg a 3750 stack.
  Best,
  Evan

• AIP-SSM configuration / blocking SMTP

  Hi all,
  I need some help regarding a deployment of a IPS module on a ASA. I configured it in transparent mode, with the intention to only monitor the traffic going through the module. Otherwise after aplying the policy and put it in operation, it started blocking SMTP and ICMP traffic. Here follows the configuration applied to it:
  class-map outside-class
  match any
  policy-map outside-policy
  class outside-class
  ips promiscuous fail-open
  service-policy outside-policy interface outside
  Is there anything else I should consider to put this module just monitoring the traffic instead of having it denying any traffic?
  Thanks in Advance

  You may need to create an access-list permitting all traffic, and then apply the access-list to both interfaces in both directions (in and out).
  This will ensure connections can go from the lower security zone to the higher as well as from the higher security zone to the lower.
  You may also need to add icmp permit lines to permit icmp traffic through each interface.

• New business configuration with DBM action control

  Hi,
  We want to update certain additional information for order and split after billing. DBM blocks data updation in DBM order after billing creation and order close.
  How we can achieve same?
  Regards,
  Bobby

  Hi,
  i think you have to ensure that the order does not get closed action/status ORD_CLOSE.
  Kind regards
  Robert

• Issue with applying Event Action filters

  Dear friends,
  A general question on Event Action filters. There is a signature with sig ID 6257.
  The following is the event action filter configuration:
  service event-action-rules rules0
  filters edit DHCP
  signature-id-range 6257
  subsignature-id-range 0
  attacker-address-range 172.20.20.10,172.20.20.11
  actions-to-remove produce-alert
  filter-item-status Enabled
  stop-on-match True
  os-relevance not-relevant
  exit
  Even though a valid DHCP offer is being given by the DHCP server, this alert is getting fired.
  We have even excluded the IP's of the DHCP Servers - 172.20.20.10 and 172.20.20.11 from the Attacker Address range parameter in the signature but still this alert gets fired.
  evIdsAlert: eventId=1204853641442197329 vendor=Cisco severity=low
  originator:
  hostId: IDSM2Core1
  appName: sensorApp
  appInstanceId: 592
  time: April 7, 2008 5:46:48 AM UTC offset=180 timeZone=1
  signature: description=DHCP Client DoS id=6257 version=S316
  subsigId: 0
  sigDetails: Server Offered a Malicious IP Address
  marsCategory: DoS/Host
  interfaceGroup: vs0
  vlan: 200
  participants:
  attacker:
  addr: 172.20.20.10 locality=OUT
  port: 0
  target:
  addr: 10.1.1.78 locality=OUT
  port: 0
  os: idSource=unknown type=unknown relevance=unknown
  summary: 4 final=true initialAlert=1204853641442197267 summaryType=Regular
  alertDetails: Regular Summary: 4 events this interval ;
  riskRatingValue: 25 targetValueRating=medium
  threatRatingValue: 25
  interface: ge0_7
  protocol: udp
  Looking forward to your kind help and advise on this.
  Thanks a lot
  Gautam

  Some things to check:
  1) Is the filter in the active list? Filters can be enabled or disabled, but they can also be active ro inactive. You've only show a part of your configuration so I can't tell if the filter is part of the active list.
  2) Are there actions other than produce-alert for the signature? Or is an event action override adding other actions?
  Produce-alert is not the only action that can cause an alert to be generated. The produce-verbose-alert, request-snmp-trap, log-attacker-packets, log-victim-packet, and log-pair-packets will also cause alerts to be generated. Modify the filter to also remove these actions.
  3) The alert you've shown is a Summary Alert. There may be an issue with Summarization and the Filters. Try modifying the signature to set it to FireAll with no summarization.
  4) If you have multiple filters then check the order of the filters. If the event is matching an earlier filter where the stop-on-match is set to True, then it will not check the event against this filter. Either move this filter up higher in the filter list, or change earlier filters to be "stop-on-match false".
  5) Also check to see if you are running the latest 5.1(7) or 6.0(4) Service pack. If running earlier 5.1 or 6.0 versions you might be hitting a bug that could have already been fixed.
  If none of the above help, then contact the TAC. It could be that you may have foung a bug that the sensor development team is unaware of.
  To help in identifying the problem take a packet capture of the packets from 172.20.20.10 for several minutes around the time when the sensor is generating these alerts.
  This way the team can both check if the signature is firing correctly, and if the filters are working correctly for that signature.

• Transparent mode with AIP-SSM-20

  I currently have an ASA5510 in routed mode with an AIP-SSM-20.
  There is a requirement to use a fibre optic connection between this ASA and another ASA across campus, so the AIP-SSM will have to be removed and replaced with the SSM-4GE.  This part should present no issue.
  However, this will remove the IPS device, and I still want to use IPS.
  So, what I am thinking is to get another ASA5510, install the AIP-SSM, configure ASA for transparent mode and put it in between the inside of the routed ASA and my LAN.  The transparent ASA would be functioning strictly as an IPS appliance.
  Setup would look something like this:
  Internal LAN <> transparent ASA with IPS <> routed ASA <> WAN
  Can the AIP-SSM still perform IPS with the ASA in transparent mode?
  Is there a way to configure the ASA and AIP-SSM such that traffic to/from a particular server completely bypasses the AIP-SSM?
  I have a couple of fileservers that generate heavy traffic and could overload the AIP-SSM.
  Regards.

  AFAIR, There is no problem to setup AIP in a transparent firewall.
  "An ASA in transparent mode can run an AIP.  In the event the AIP fails,
  the IPS will fail-open and the ASA will continue to pass traffic.
  However, if an interface or cable fails, then traffic will stop.  You
  would need a failover pair to account for this failure event, which
  means another ASA and matching AIP."
  And no there is no problem to exclude certain hosts/ports/subnets from inspection by IPS via MPF.
  http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html#wp1050744
  What I however consider however is if the ASAs 5510 as second tier firewall for 5520s will be enough.
  http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
  HTH,
  Marcin

• Configuring AIP-SSM modelue

  hi,
  we have AIP-SSM-40 modeule installed on ASA 5540 but it is just physically present.
  Is it possible to configure to this modeule in inline or like IDS mode? It has only one Ethernet interface. Can this interface be treated as sensor interface and mark a copy of all incoming frames on this interface ( by SPA on switches ).
  Please share the experience.
  Thanks in advance.
  Subodh

  Hi Subodh,
  Yes, the AIP-SSM can operate in either inline (IPS) or promiscuous (IDS) mode. I would recommend you start by reviewing the following config guide, which shows you how to configure the ASA to pass traffic to the SSM for inspection:
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml
  If you have any other specific questions, feel free to post back.
  Hope that helps.
  -Mike

• AIP-SSM 10 & Email Notification

  Hi there,
  How could I configure the IPS module for email notification for certain events !!
  Regards,

  I have created PERL scripts that run on a UNIX server to automate IPS signature updates without VMS/CSM. The second script includes a string search of the AIP SSM 10's Event Log to email the result of the update attempt. You could use that if you know what the Event Log entries look like for which you want email notification. The app is on my website:
  http://www.lhb-consulting.com/pages/apps . Good luck.
  --Lisa

• AIP-SSM module hung

  I have recently confgured my AIP-SSM-20 module in my firewalls (ASA 5540) which are configured in HA(Active/Standby).This implementation i have done on 13th June. It was working fine.
  Now, i have observerd that the AIP-SSM-20 module in the primary firewall had gone to unresponsive state.
  Below is the status of show module and show failover command.
  FW1-5540# sh module
  Mod Card Type                                    Model              Serial No.
    0 ASA 5540 Adaptive Security Appliance         ASA5540            JMX1234L11F
    1 ASA 5500 Series Security Services Module-20  ASA-SSM-20         JAF1341ADPS
  Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
    0 0021.d871.77ab to 0021.d871.77af  2.0          1.0(11)4     8.0(3)6
    1 0023.ebf6.11ce to 0023.ebf6.11ce  1.0          1.0(11)5     6.2(2)E4
  Mod SSM Application Name           Status           SSM Application Version
    1 IPS                            Not Applicable   6.2(2)E4
  Mod Status             Data Plane Status     Compatibility
    0 Up Sys             Not Applicable
    1 Unresponsive       Not Applicable
  FW1-5540# sh failover
  Failover On
  Failover unit Primary
  Failover LAN Interface: FAILOVER GigabitEthernet0/2 (up)
  Unit Poll frequency 1 seconds, holdtime 15 seconds
  Interface Poll frequency 5 seconds, holdtime 25 seconds
  Interface Policy 1
  Monitored Interfaces 3 of 250 maximum
  Version: Ours 8.0(3)6, Mate 8.0(3)6
  Last Failover at: 09:06:14 UTC Jun 15 2010
          This host:
                  This host: Primary - Failed
                  Active time: 191436 (sec)
                  slot 0: ASA5540 hw/sw rev (2.0/8.0(3)6) status (Up Sys)
                    Interface DMZ_LAN (10.192.153.13): Normal (Waiting)
                    Interface INTRANET (10.192.154.13): Normal (Waiting)
                    Interface management (0.0.0.0): Link Down (Waiting)
                  slot 1: ASA-SSM-20 hw/sw rev (1.0/6.2(2)E4) status (Unresponsive/Down)
                    IPS, 6.2(2)E4, Not Applicable
          Other host: Secondary - Active
                  Active time: 192692 (sec)
                  slot 0: ASA5540 hw/sw rev (2.0/8.0(3)6) status (Up Sys)
                    Interface DMZ_LAN (10.192.153.5): Unknown (Waiting)
                    Interface INTRANET (10.192.154.5): Unknown (Waiting)
                    Interface management (0.0.0.0): Unknown (Waiting)
                  slot 1: ASA-SSM-20 hw/sw rev (1.0/7.0(2)E4) status (Up/Up)
                    IPS, 7.0(2)E4, Up
  Stateful Failover Logical Update Statistics
          Link : Unconfigured.
  I have tried using the
  hw-module module 1 reset
  to reset the IPS module but the status is always unresponsive.
  Its production environment where i cannnot expirement much. Ned help to rectify the problem.

  Hi Scott, 
  I have almost same problem of sbgcsd in my customer. I'm deploying two ASA-5512 in failover configuration. One day, after almost 2 months testing project in a lab, when we install in customer's datacenter the systems presented following errors:
    ciscoasa2(config)# failover
          Detected an Active mate
    ciscoasa2# Mate NOT PRESENT card in slot 1 is different from mine IPS5512
  I tried to discover what was happened with IPS modulo, then I saw error in IPS status: "Unresponsive".
    ciscoasa2# sh module ips
    Mod  Card Type                                    Model              Serial No.
     ips Unknown                                      N/A                FCH1712J7UL
    Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
     ips 7cad.746f.8796 to 7cad.746f.8796  N/A          N/A 
    Mod  SSM Application Name           Status           SSM Application Version
     ips Unknown                        No Image Present Not Applicable  
    Mod  Status             Data Plane Status     Compatibility
     ips Unresponsive       Not Applicable 
    Mod  License Name   License Status  Time Remaining
     ips IPS Module     Disabled        perpetual
  According with Cisco Foruns I tried to "Reloading, Shutting Down, Resetting, and Recovering AIP-SSM" (*) using "hw-module module " command. But unfortunatelly ASA didn't accept this command. See below:
    ciscoasa2# hw-module module 1 reload
               ^
    ERROR: % Invalid input detected at '^' marker
  What happened with this command (hw-module) ? Maybe is a problem in Software version ? When I entered "sh flash" command I saw that didn't exist any software for AIP-SMM module:
    ciscoasa2# sh flash
    --#--  --length--  -----date/time------  path
     11  4096        Sep 12 2013 13:56:54  log
     21  4096        Sep 12 2013 13:57:10  crypto_archive
    100  0           Sep 12 2013 13:57:10  nat_ident_migrate
     22  4096        Sep 12 2013 13:57:10  coredumpinfo
     23  59          Sep 12 2013 13:57:10  coredumpinfo/coredump.cfg
    101  34523136    Sep 12 2013 14:00:14  asa861-2-smp-k8.bin
    102  17851400    Sep 12 2013 14:04:36  asdm-66114.bin
    103  38191104    Apr 24 2014 12:59:58  asa912-smp-k8.bin
    104  6867        Apr 24 2014 13:01:20  startup-config-jcl.txt
    105  24095116    Jun 17 2014 14:54:14  asdm-721.bi
  But another ASA (#1) have image:
  ciscoasa1# sh flash
  --#--  --length--  -----date/time------  path
     11  4096        Sep 10 2013 06:42:56  log
     21  4096        Apr 17 2014 03:13:12  crypto_archive
    123  5276864     Apr 17 2014 03:13:12  crypto_archive/crypto_eng0_arch_1.bin
    110  0           Sep 10 2013 06:43:12  nat_ident_migrate
     22  4096        Sep 10 2013 06:43:12  coredumpinfo
     23  59          Sep 10 2013 06:43:12  coredumpinfo/coredump.cfg
    111  34523136    Sep 10 2013 06:44:24  asa861-2-smp-k8.bin
    112  42637312    Sep 10 2013 06:45:46  IPS-SSP_5512-K9-sys-1.1-a-7.1-4-E4.aip <===
  But I am not sure if this image is really the right image do AIP-SSM in ASA#2. But anyway I copy (through a simple TFTP server) from ASA#1 to ASA#2 , but after this, the same problem ramained ! 
  Because I didn't applied the Failover condition to system. 
  What can I do now ?
  Thank you very much in advance.
  Leonardo_Melo.(CCAI-JCL-Brazil).

• AIP-SSM crash during S389 Signature upgrade

  Our AIP-SSM [version 6.1(2)E3] crashed during a S389 Signature upgrade on Friday. Neither a "session 1" command from its host, an ASA5520, or a "reload" command of the ASA5520 succeeded in bringing back up the AIP-SSM. Fortunately, after the ASA's power was recycled, the AIP-SSM successfully booted, albeit not to S389, but to its previously loaded S383. I established an SR and supplied the "show tech" and "show config," but the Cisco tech replied "nothing stands out" in them and said just run the S389 update again and send the same info if it crashes. I have several problems with that approach: 1) he had replied that several other customers had had the same problem; 2) our current AIP-SSM is a replacement for an RMA'ed one which had choked on the E2 engine upgrade a few months ago; 3) if another S389 upgrade attempt fails, our client's network will be down because our security policy requires the ASA's bypass mode for the AIP-SSM to be "fail-close." My questions to the forum include:
  1) If the "show tech" command is run after an AIP-SSM has rebooted after a previously-attempted S389 upgrade, can it include any information specific to the previously-attempted S389 upgrade? 2) Could the hardware components of the AIP-SSM-10 be inadequate for the combination of the E3 engine plus the cumulative signatures? 3) If the answer to question 2 is "yes" or "possibly," could Cisco modularize the signatures, eg. provide an "only-activated-signatures" (ie smaller) file for customers like us and an "everything" for others? Advice and recommendations heartily requested.

  Based on your show version, you already have E4, what is it that you are trying to do?
  Mike

• ASA failover with 1 AIP SSM in Active/Standby?

  I have a customer with two ASAs; in Active/Standby. They want to purchase one AIP. Will failover (without the AIP functionality) to the Standby work if the AIP is configured for Promiscuous mode? Thanks, Bob

  The only connection to the SSM that can be done internally through the ASA is a "session". This is an internal telnet to the SSM and can be used to access the SSM's CLI.
  This is very usefull when you manage your SSM directly through the CLI.
  However, most customers prefer to use a graphics based tool like IDM, ASDM, or CSM for managing the configuration of the SSM, and prefer to use a graphics based tool like IEV or CS MARS for monitoring of the alerts from the SSM.
  All of these graphics based tools need network access to the SSM through a web port (https on port 443 by default). Access to this port is not allowed internally through the ASA direct to the SSM.
  All web connections must be made to the External Management interface of the SSM.
  If you are not using all 4 of your ASA interfaces you could choose to wire the External SSM interface directly to one of your ASA interfaces, and create a small subnet for the ASA and IPS IP Addresses. So then all external connections to the SSM would be routed into the ASA, then out of the ASA, and into the external port of the SSM.
  That subnet of just the ASA and SSM could be made using a network reserved for local IPs (like a 10, or 172, or 192 network) and then use NAT/PAT for translation on the other network interfaces of the ASA.
  But it does still require that wire connected to the external port of the SSM.

• How to block p2p applications(Bittorent like) with AIP-SSM-10?

  Hi,
  How to block p2p application using AIP-SSM-10 working with ASA5520?AIP is on promiscuous mode.
  Thanks,
  Siva

  There are several signatures that detect p2p, for bit torrent there is 11020.0
  Yahoo triggers: 5539.0, 11200.0, 11212.0, 11217.0 & 11219.0
  etc..
  Some are disabled by default though so please ensure you enable the ones that you need.
  If you want to block these then you will have to use event actions that work in promiscuous setup for example request block connection and tcp reset. Please note that care must be taken when using these event actions.
  For more information about the event actions please refer the link below:
  http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/idmguide/dmevtrul.htm#wp1069467

• Alert Option for AIP-SSM

  Hi,
  Understand that AIP-SSM doesn't support email alert, may i know what are the alert option that I can configure in order to receive notification when a severity 1 event had been detected?
  regards

  IME is a free tool. IF it supports email alerts you can download that and use it:
  http://www.cisco.com/en/US/products/ps9610/index.html
  Regards
  Farrukh