AIP-SSM, it is not sensing the traffic

Similar Messages

• New 13" Macbook Pro trying to connect to a Panasonic VIERA TC-L42U30 as second monitor. I've used multiple hdmi-thunderbolt/mini displayport adapters and multiple hdmi cables and still no success. The Macbook does not sense the second monitor (TV). Help?!

  I've been a Mac since 2008, so I know my way around the system pretty well. This issue, however, has me stumped. I had an iMac until now and only now am I experiencing some difficulty with my new MacBook Pro. The model I have is the newest 13" Macbook Pro model and I'm trying to connect a Panasonic VIERA TC-L42U30 42" HDTV as a second monitor via the Thunderbolt port.
  It worked the first two times and hasn't worked since, after 10-15 attempts with different configurations, turning things on n off, restarting the mac, unplugging the cables, adapters, TV, resetting the P RAM, etc... I've used multiple hdmi-thunderbolt/mini displayport adapters and multiple hdmi cables and still no success. No matter what I do, the Macbook does not sense the TV as a second monitor anymore.
  I took the MacBook Pro to the Apple Store, and their "genius" there had it working fine with a DVI connection to a regular monitor. The Panasonic TV I have has HDMI connections and one VGA connection which does not support HD, but no DVI option. I want an HD connection to mirror or extend my MacBook Pro screen. At the Apple Store, they didn't have a Thunderbolt/Mini DisplayPort to HDMI adapter, so he could not try that out for me.
  Anyone else have this configuration or another similar one with a Panasonic HDTV?
  Ideas? Suggestions? Anything?! Help!!
  P.S. I'm running Mountain Lion, if that wasn't already obvious. Everything is up to date in my App Store as well.
  Thanks!

  Hi There,
  I have had the exact same issue but with a projector.
  The issue lies with Mountian Lion 10.8.2.
  I tried many a combination with no luck to get HDMI working.
  Took my mac into the apple store and came to the conclusion it was the software, so I asked them to install 10.8 onto it (this is destructive so a backup is a must)
  Bought my macbook home and voila, now displaying through my projector.
  There is a small graphics update after 10.8.1 which seems to be the cause.
  Hope this helps.
  Thanks.

• Rservers initiated traffic not sourcing the traffic as VIP in Ace 4710

  One of the feature of our application is that our Application Server initiate text message to our devices sourcing from UDP 1120 and device need to see the message come from a specific pubic IP (2.2.2.2) with UDP port 1120 and reply back with the same Public IP (2.2.2.2) with UDP port 1120.The problem is we can make that happen if we have only one server in our ACE Serverfarm when we do a SNAT the real servers with the VIP address (10.1.246.32) but it does not work when we have more than one server in the Serverfarm. Since we have 2 servers, i cannot nat the real servers with the VIP address, if I do a PAT, obviously it is changing the source port of the request.
  Note: This setup is working fine with the Cisco Content Switch module running on chasis 6509. When I sniff the traffic initiated from the server coming the CSM load balancer, it is sourcing the traffic as the VIP and the source port remains the same by default but this is not the case with ACE 4710
  Traffic flow as follows
  ===============
  ACE 4710                                                       FWSM (Firewall static NAT)                    Device ( configured with 2.2.2.2:1120 (udp) to snd/rcv msg)
                                               VIP
  Rserver 1   - 10.1.104.80       10.1.246.32           10.1.246.32  < - > 2.2.2.2                              1.1.1.1
  Rserver 2   - 10.1.104.81c
  ---------------------------------------------------------->           ------------------------------->                      - traffic flow from server to the device when we send msg
  Configs:
  ======
  rserver host server1
    ip address 10.1.104.80
    inservice
  rserver host server2
    ip address 10.1.104.81
    inservice
  serverfarm host SFARM
    failaction purge
    probe ICMP
    rserver server1
      inservice
    rserver server2
      inservice
  access-list TEST-1120 line 8 extended permit udp host 10.1.104.80 eq 1120 any
  access-list TEST-1120 line 16 extended permit udp host 10.1.104.81 eq 1120 any
  parameter-map type connection UDP_TIMEOUT
    set timeout inactivity 3600
  sticky ip-netmask 255.255.255.255 address source STKY-SFARM
    serverfarm SFARM
    timeout 180
    replicate sticky
  class-map match-all CLS-SFARM
    2 match virtual-address 10.1.246.32 udp eq 1120
  class-map match-all SERVERNAT
    2 match access-list TEST-1120
  policy-map type loadbalance first-match POL-SFARM
    class class-default
      sticky-serverfarm STKY-SFARM
  policy-map multi-match POL-LB
  class CLS-SFARM
      loadbalance vip inservice
      loadbalance policy POL-SFARM
      loadbalance vip icmp-reply active
      connection advanced-options UDP_TIMEOUT
  class SERVERNAT
     nat dynamic 1 vlan 244
  int vlan 244
  ip address 10.1.246.2 255.255.255.0
  service-policy input POL-LB
  nat-pool 1 10.1.246.32 10.1.246.32 netmask 255.255.255.255
    mac-sticky enable
    no icmp-guard
  no shut
  interface vlan 2506
  ip address 10.1.104.2 255.255.255.0
  service-policy input POL-LB
    mac-sticky enable
    no icmp-guard
  no shut

  I see in CSS, they are able to nat the source ip address with VIP and port-mapping diabled. How do I implement
  portmap disable in ACE 4710
  Disabling Port Mapping
  By default, the CSS NATs source IP addresses and PATs source ports for a configured source group. If you configure the portmap disablecommand in a source group, the CSS performs NAT on the source IP addresses but does not perform PAT on the source ports of UDP traffic that matches on that source group.
  For UDP applications with high-numbered assigned ports (for example, SIP and WAP), we recommend that you preserve those port numbers by configuring destination services in source groups instead of using the portmap disable command. Destination services cause the CSS to NAT the client source ports, but not the destination ports. For information about configuring destination services,

• WMI event watcher in ssis package not sensing the file continiously when we placed the file in Network drive location or UNC Location

  Hi,
  I am using SSDT 2012.
  WMI event watcher is not picking the file , when I place the file in Network drive location or UNC Location.
  I have mapped the network drive to UNC location. 
  Issue only comes when I run the package through job.(it will not pic the file) and I crossed check, I have all the permissions to the folder. if I run or execute the package through IDE, file will be picked and moved to destination.
  Am I missing any configuration ?  can anyone please advice.
  Thanks,
  Anvith

  So the WMI query is on the mapped drive and not on the UNC?
  And the user that runs the job (SQL Server Agent Service Account or the proxy) has rights to read that mapped drive?
  Are you using the default account or a proxy in the jobstep? And does it work if you create a credential and proxy for your own account?
  Please mark the post as answered if it answers your question | My SSIS Blog:
  http://microsoft-ssis.blogspot.com |
  Twitter

• ACE not passing the traffic to the server.

  Hi Experts,
  Could you please help me on this issue:-
  The users are not able to access the palm application passing through the ACE module. The clients gets to the citrik server and from ther it goes to palm application. Now both external and internal users are not able to accpess the palm aapplication.
  Troubelshooting doen:-
  1) Connecting to the palm server by exluding the ACE it works.
  2) Servers are reachable from ACE module
  3) It was working fine before, but not now. There was no changes been made on ACE but still the issue.
  4) Checked the Palm context that seems to be okay. But still not able to get though.
  Any help would be great.
  Thanks
  Sum.

  Sniffer trace in front of ace and backend.
  Capture a failure.
  Before and after the connection failure also get the following command
  'show service-policy detail'
  See if you have connection hits.
  Gilles.

• CSM to update IPS AIP -SSM

  Hi all,
  I need some help. I am configuring my CSM 3.1 to apply update on my IPS AIP-SSM.
  I went to the apply IPS Tab and choose to update from cisco.com. But it is always like processing for a long time.
  I tried to enter my username and password for the sensors or the CCO account but still no improvement. Does anyone knows how to configure this. I tried reading the user guide there is no examples.
  Thanks

  The IPS-engine-E2-req-5.1-7.pkg Engine Update file is just to upgrade an existing 5.1(7)E1 sensor to 5.1(7)E2.
  It only changes the "engine" features of the sensor that are necessary for installing signature updates requiring E2. It does not change other files on the sensor.
  The IPS-K9-5.1-8-E2.pkg Service Pack file is for upgrading the entire image to the next service pack level as well as upgrading the "engine" features. So you get all of the latest bug fixes.
  So which to use?
  If you are running 5.1(7)E1 then you will eventually want to get to 5.1(8)E2. But the upgrade to 5.1(8)E2 WILL require a reboot and so if running in an inline mode it should only be done during a scheduled network downtime. For most networks this could be a week or even a month before the downtime can be scheduled to do this type of upgrade. So the IPS-engine-E2-5.1-7.pkg file is a short term solution to get you to the E2 level required for signature updates, until you can schedule the upgrade to 5.1(8)E2.
  The IPS-engine... file will NOT reboot the sensor. It will temporarilly stop analysis and if Software ByPass is set to auto then traffic will be allowed to pass through the sensor unanalyzed while the engine update takes place. Because the traffic will continue to flow with Software ByPass most companies will allow an Engine update to be installed without having to schedule network downtime.
  Of course, the above discussion was really only applicable when E2 was the latest Engine release. Now that E3 is out, the discussion really becomes how to get to E3.
  There is Not an IPS-engine-E3-req-5.1-7.pkg engine update file.
  So you must get to 5.1(8)E3 if you want to keep getting recent signature updates.
  So then it just depends on your current IPS version.
  If you are running 5.1(7)E2 or earlier version then you must schedule a downtime and install the IPS-K9-5.1-8-E3.pkg file in order to install the latest E3 required signature updates.
  If you are running 5.1(8)E2 already, then you need to install the IPS-engine-E3-req-5.1-8.pkg file because the only thing needing to be upgraded is the Engine level to E3.
  General Rules of Thumb:
  Always ensure you are at the latest Service Pack level for the major/minor version train you are using. (5.1(8) in this case)
  If you are running the latest Service Pack then you will be able to simply install an Engine Update when the next Engine Update comes out without having to schedule downtime.
  If you are not at the latest Service Pack level then you will want to schedule a network downtime to do that upgrade within 60 days of the Service Pack being released.
  If an Engine Update comes out before you get a chance to upgrade to the next Service Pack, then install the Engine Update for the prior Service Pack (that you should at least be at) as a temporary measure to keep getting signature updates. And schedule a Service Pack upgrade as soon as possible.
  Why 60 days?
  If a new Engine Update is released within 60 of a Service Pack release, then the Engine Update will be released for both the latest Service Pack AND the one prior. But if the new Engine Update is longer than 60 days after the latest Service Pack, then an Engine Update will be created only for the latest Service Pack and not for the prior. This is why E3 was only released for 5.1(8). E3 was released more than 60 days after 5.1(8) so there was not an E3 for the prior 5.1(7).
  So you see that an Engine Update for a prior Service Pack should be considered a temporary measure until you can get the next Service Pack installed.
  If you wait too long another Engine Update might come out, and you might be forced into an immediate network downtime to get to the latest Service Pack.
  As for do you HAVE to install IPS-engine-E2-req-5.1-7.pkg before installing IPS-K9-5.1-8-E2.pkg (or more importantly IPS-K9-5.1-8-E3.pkg).
  The answer is NO.
  You can go directly from any 5.0 or 5.1 version directly to IPS-K9-5.1-8-E3.pkg.

• Sync configs between AIP-SSMs

  We have a pair of ASA 5520s in active/stanby mode. This part of the situation works great, configurations are always synced to the standby, nothing is lost. Planned failover has worked every time without users even noticing.
  We have an AIP-SSM-20 in each.
  The challenge arises as it seems there is still no easy and automatic way to sync the configuration of the SSMs together.
  Due to all the false positives, we need to perform configurations on the AIP-SSMs. Is there a method I am overlooking, how do you do it?
  Thanks.

  Thanks for your reply. I've gotten back on this subject....
  Does this run as a service, like it is running all the time and needs to be installed on a system which is always up, or does this run as an application only as needed.
  Based on the requirements, I can not tell. It can run on desktop OSes or Server OSes.
  "Hard Drive
  • 100 GB
  Memory (RAM)
  • 2 GB
  Supported Operating Systems
  • Windows Vista Business and Ultimate (32-bit only)
  • Windows XP Professional (32-bit only)
  • Windows 2003 server
  Note: Cisco IPS Manager Express supports only the 32-bit U.S. English version of Windows."
  100GB for an application, seems rather hefty to me. Is this for real?
  Thanks

• Configuring SNMP Trap receiver on AIP-SSM sensor

  I receive the following error message from my ASA5520 firewall when attempting to forward SNMP traps from my AIP-SSM20 sensor to a server on my Inside interface that is configured to receive SNMP traps:
  ASA-4-418001: Through-the-device packet to/from management-only network is denied: udp src management: 10.3.21.2/32768 dst Inside: PPC0ES/162
  Can I reconfigure the management IP address of the AIP-SSM sensor to connect to the Inside interface instead of the management vlan or does my SNMP server have to reside on the management vlan with the sensor?

  Hi Subodh,
  Yes, the AIP-SSM can operate in either inline (IPS) or promiscuous (IDS) mode. I would recommend you start by reviewing the following config guide, which shows you how to configure the ASA to pass traffic to the SSM for inspection:
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml
  If you have any other specific questions, feel free to post back.
  Hope that helps.
  -Mike

• Changing time on AIP SSM 10 module.

  How can i change the sensors time manually on my AIP-SSM-10 module installed in the ASA 5520 device .. ??
  i tried the clock set command but apparently its not supported on AIP-SSM-10 module.
  the ASA has the correnct time but the IPS does not...
  any ideas ??
  thanks..
  zaid

  You can find the complete configuration guide for the AIP-SSM-10 in the URL posted below. The configuration of the time-settings is explained in the following chapter: 'Initial Tasks > Configuring Time'.
  http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df9a.html#wp1035238
  Please rate if the post is usefull!
  Regards,
  Michael

• Transparent mode with AIP-SSM-20

  I currently have an ASA5510 in routed mode with an AIP-SSM-20.
  There is a requirement to use a fibre optic connection between this ASA and another ASA across campus, so the AIP-SSM will have to be removed and replaced with the SSM-4GE.  This part should present no issue.
  However, this will remove the IPS device, and I still want to use IPS.
  So, what I am thinking is to get another ASA5510, install the AIP-SSM, configure ASA for transparent mode and put it in between the inside of the routed ASA and my LAN.  The transparent ASA would be functioning strictly as an IPS appliance.
  Setup would look something like this:
  Internal LAN <> transparent ASA with IPS <> routed ASA <> WAN
  Can the AIP-SSM still perform IPS with the ASA in transparent mode?
  Is there a way to configure the ASA and AIP-SSM such that traffic to/from a particular server completely bypasses the AIP-SSM?
  I have a couple of fileservers that generate heavy traffic and could overload the AIP-SSM.
  Regards.

  AFAIR, There is no problem to setup AIP in a transparent firewall.
  "An ASA in transparent mode can run an AIP.  In the event the AIP fails,
  the IPS will fail-open and the ASA will continue to pass traffic.
  However, if an interface or cable fails, then traffic will stop.  You
  would need a failover pair to account for this failure event, which
  means another ASA and matching AIP."
  And no there is no problem to exclude certain hosts/ports/subnets from inspection by IPS via MPF.
  http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html#wp1050744
  What I however consider however is if the ASAs 5510 as second tier firewall for 5520s will be enough.
  http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
  HTH,
  Marcin

• AIP-SSM crash during S389 Signature upgrade

  Our AIP-SSM [version 6.1(2)E3] crashed during a S389 Signature upgrade on Friday. Neither a "session 1" command from its host, an ASA5520, or a "reload" command of the ASA5520 succeeded in bringing back up the AIP-SSM. Fortunately, after the ASA's power was recycled, the AIP-SSM successfully booted, albeit not to S389, but to its previously loaded S383. I established an SR and supplied the "show tech" and "show config," but the Cisco tech replied "nothing stands out" in them and said just run the S389 update again and send the same info if it crashes. I have several problems with that approach: 1) he had replied that several other customers had had the same problem; 2) our current AIP-SSM is a replacement for an RMA'ed one which had choked on the E2 engine upgrade a few months ago; 3) if another S389 upgrade attempt fails, our client's network will be down because our security policy requires the ASA's bypass mode for the AIP-SSM to be "fail-close." My questions to the forum include:
  1) If the "show tech" command is run after an AIP-SSM has rebooted after a previously-attempted S389 upgrade, can it include any information specific to the previously-attempted S389 upgrade? 2) Could the hardware components of the AIP-SSM-10 be inadequate for the combination of the E3 engine plus the cumulative signatures? 3) If the answer to question 2 is "yes" or "possibly," could Cisco modularize the signatures, eg. provide an "only-activated-signatures" (ie smaller) file for customers like us and an "everything" for others? Advice and recommendations heartily requested.

  Based on your show version, you already have E4, what is it that you are trying to do?
  Mike

• Resetting password in AIP-SSM-20

  Dear all
  please advice me, how to resetting password in ASA5520-AIP-SSM-20.
  Note:according to cisco PDF, i carried out, but still required username/password.
  Pls. let me know what is the default username/password for AIP-SSM-20
  Thanks & regards

  Cisco Default:
  login: cisco
  password: cisco

• How ASA forwarding traffic to AIP-SSM

  Hi All,
  Can someone help how ASA device forwarding traffic to AIP-SSM? I'm not taking abt Configuration part like Class-map, policy-map and service policy....want to understand the traffic flow from ASA once traffic matched with ACL to AIP-SSM.
  From one of Cisoc document, understood that the module using a Cisco Propietary protocol for communicating with ASA appliance.
  ================================================================================================================
  FYR from Cisco Website:
  Q. How does the Cisco ASA AIP-SSM plug into and communicate with the appliance?
  A. The Cisco ASA AIP-SSM plugs directly into the SSM slot in the Cisco ASA appliance's chassis. This provides a direct connection to the appliance's backplane. Once the module is installed, a proprietary protocol runs over the bus and controls data flow and messaging between the module and appliance.
  ================================================================================================================
  Regards,
  S.Vinoth

  Hey ,
  as you mentioned above , it uses a cisco Probietary protocol for that communication , there are two interfaces , control channel and data channnel , data channel is where the traffic being forwarded , the backplane is the connection between the ASA and the IPS interface .
  Hope that this helps .
  Mohammad.

• AIP-SSM How to Verify Traffic is being passed for inspection?

  "show conf" command on my AIP SSM CLI. gigabitEthernet0/1 backplane interface of the SSM has not been assigned to virtual sensor vs0.but
  Through this command show service-policy
  traffic is recevied by IPS Module.why this,
  Kindly guide me

  Thanks,i got it.
  Cinet-IPS1# show statistics virtual-sensor
  Virtual Sensor Statistics
  Statistics for Virtual Sensor vs0
  Name of current Signature-Defintion instance = sig0
  Name of current Event-Action-Rules instance = rules0
  List of interfaces monitored by this virtual sensor = GigabitEthernet0/1 subinterface 0
  General Statistics for this Virtual Sensor
  Number of seconds since a reset of the statistics = 434653
  SensorApp Memory Use Percentage = 33
  Processing Load Percentage = 1
  Total packets processed since reset = 1722
  Total IP packets processed since reset = 1722
  Total IPv4 packets processed since reset = 1722
  Total IPv6 packets processed since reset = 0
  Total IPv6 AH packets processed since reset = 0
  Total IPv6 ESP packets processed since reset = 0
  Total IPv6 Fragment packets processed since reset = 0
  Total IPv6 Routing Header packets processed since reset = 0
  Total IPv6 ICMP packets processed since reset = 0
  Total packets that were not IP processed since reset = 0
  Total TCP packets processed since reset = 1466
  Total UDP packets processed since reset = 0
  Total ICMP packets processed since reset = 256
  Total packets that were not TCP, UDP, or ICMP processed since reset = 0
  Total ARP packets processed since reset = 0

• Will the AIP-SSM for the ASA stop this?

  I have a client emailed me today that someone did a script injection attack on one of their web servers. It ran a backdoor Trojan virus on their web server. I know the AIP-SSM will stop the Trojan, but will it stop someone from doing the script injection attack. If so, is it documented and can you point me to the document.
  Thanks.
  Dan

  Hi,
  If you know exactly which of the various script injection attacks was used you can simply look it up here:
  http://tools.cisco.com/security/center/home.x
  If you don't know exactly which one then it's slightly harded to know whether it would have been stopped, but searching on "script injection" or similar should narrow down the candidates and give you an idea on whether it would have been stopped or not.
  Remember that an IPS isn't perfect, but it *will* significantly lower your risk if setup and maintained properly.
  HTH
  Andrew.