IPS 4240 fail open

Hi All,
I have a single unit of IPS 4240. I want to know if my sensor or the unit itself fails/shutdowns, is there any option where in my traffic will be passed so that there is no downtime.
Thanks
Pratik

You can configure the sensor when it's inline mode with inline-bypass mode "auto" so when the unit fails, it will just pass through the traffic without inspecting it, however, if the sensor is completely shutdown, then no, traffic will be dropped when it's in inline mode.
Here is more information on inline bypass mode:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_interfaces.html#wp1047079
However, if it's in promiscious mode, then you don't have to worry about it as the packet is not inline and will not cause interruption.
Hope that helps.

Similar Messages

  • 3rd party IPS fail open device

    HI all,
    I am looking out for a 3rd party hardware device for IPS 4240 hardware fail open in case if my IPS unit has any hardware problems.
    Please suggest me on different model no/make for any 3rd party devices.
    Thanks
    pratik

    Hi Pratik,
    I am not aware of any.
    However,  Cisco IPS 4260 and IPS 4270-20 support the 4-port GigabitEthernet card (part number IPS-4GE-BP-INT=) with hardware bypass.
    This 4GE bypass interface card supports hardware bypass.
    http://tools.cisco.com/squish/878Dd
    Regards,
    Sid Chandrachud
    Cisco TAC - Security Team

  • IPS configuration promiscus mode(fail-open) assistance/troubleshooting

    Hi all ,
    I have 2 ASA configured in active/standby failover mode. I want to configure IPS in promiscus mode with fail-open configuration.
    i have not connected IPS with any pc through magmt port.
    I can access IPS through ASA(5520) using session 1 and able to do basic configuration using setup.
    after configuring when i try to login through ASA ASDM(IPS tab on home page of ASA ASDM) it ask for ip(managment or other ip).. I am trying to access the IPS with ip(192.168.3.74) configured in IPS using initial setup (192.168.3.74/27, 192.168.3.65) and also added access-list allowing 192.168.3.0/24.
    ASA inside ip subnet:192.168.3.64/27
    ASA DMZ ip subnet: 192.168.1.0/24
    let me know if i need to assign IPS ip from dmz range or inside range?
    Do i need to setup same IP for IPS in both ASA module?
    Let me know if i can connect to IPS from ASA ASDM using some ip(192.168.3.74) configured through setup on 443 port.?
    What access-list i should add in IPS or ASA if required?
    While setting up IPS 1st time using setup command i am not able to see the unused/monitored interface(g0/1) so that i could add both interface, which should show as per cisco doc. what may be the reason?
    IPS 6.0
    ASA(5520) 7.24
    ASDM 5.24
    Regards
    Amardeep

    You need to configure the interface properly and plug it in the network.
    The second interface is displayed different in the AIP-SSM, as  this is a logal/internal connection to the ASA.
    Regards
    Farrukh

  • IPS 4240 Design Question

    I have two IPS 4240s that may be placed between our internal network and our extranet firewall. The firewall set is your standard ASA-5520 active/failover pair connected to two switches.
    Q1 - If I am not worried about atomic attacks, is there any other benefit to having the IPS inline over promiscuous?
    Q2 - Whether inline or promiscuous, is it necessary to connect the single IPS to both switches in order to receive packets when an ASA failover occurs? If so, is it done physically or via RSPAN?
    Q3 - If the IPS fails and it is configured inline, do the interfaces fail open (traffic continues to pass) or closed (traffic is dropped)? I could not find that on Cisco's site.
    Thanks!

    A1 - There are a few things that in-line mode can clean up by deafult, but that can also bite you. Check out some of the other forum posts on having ssh dropped without alerts. Since you have reduntant 4240s the realibility of the IPS sensors in-line shouldn't affect you as much. Just don't update them at the same time.
    A2 - Only the signatures that need state will be effected by a failover. Hopefully failovers do not happen frequently enough for missing a few potential hits to be an issue. If you are really performing good analysis and tuning out your false positives, then you might want to connect both sensors to both switches.
    A3 - You can configure the 4240s to fail-open (pass the traffic thru the sensor when it fails) or fail-closed (do not pass traffic during sensor failure). Since you have dual firewalls, switches and sensors, you can fail closed and force the traffic thru the running sensor and firewall. If one sensor is standby, you may want to make him fail open, so that you can still pass traffic in the event both sensors are down.

  • IPS 4240 problem

    Hi All,
    we've installed IPS 4240 since 6 months ago and everything worked fine. Then I noticed time in IPS was not correct, then in the IDM, I've changed summer time to 60 minutes offset to get the right time from NTP. then reboot the IPS, since that time users inside the network are not able to connect to internet, and basically traffic from inside to outside is blocked. But traffic from outside to inside is fine and outside users are able to hit to the web server in DMZ zone.
    any idea would be very appreciated.
    thanks
    Alex

    Changing your time offset should not cause this type of problem. Check for any non-running processes with a "sh ver", reboot your sensor and check the system log for some signs of trouble or blocking with "sh events past 01:00".
    Open a TAC case to get additional help.

  • ISE Fail OPEN configuration/testing

    Greetings,
    We will be performing a live test of ISE Fail Open on our production system tomorrow night. When the policy nodes are all unavailable we want the switches to allow open access to all devices on all interfaces.
    I have done some testing of this on an individual test switch by routing packets to the ISE policy nodes to null 0 to emulate a failure. It appears to be working well, but was hoping for more input from the community before my Live test tomorrow night.
    First, I believe these to be the only commands needed to make this work correctly. Does anyone have any comment on this configuration? Am I missing anything? Do these timers seem OK? I'm wondering if the deadtime should be greater in case the nodes or the network connection are flapping?
    Global Config:
    radius-server dead-criteria time 5 tries 3
    radius-server deadtime 5
    dot1x critical eapol
    Interface Config:
    authentication event server dead action reinitialize vlan <normal data vlan>
    authentication event server dead action authorize voice
    authentication event server alive action reinitialize
    Next, this is the behavior I am seeing after the policy nodes go down. Is this as it should be?
    1. Absolutely nothing happens until an interface undergoes (re)authentication. All ports remain in current authentication/authorization state.
    2. If an interface undergoes (re)authentication, the switch tries to reach one of the configured policy nodes. After 5 seconds there is a message the first node is dead. In another 5 seconds there is a mesage that the second node is dead.
    3. After another ~20 seconds, the interface that was attempting (re)authentication goes into Critical Authorization:
    TEST#sh auth sess int f1
                Interface:  FastEthernet1
              MAC Address:  1234.5678.90ab
               IP Address:  Unknown
                User-Name:  UserName
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-host
         Oper control dir:  in
            Authorized By:  Critical Auth
              Vlan Policy:  2
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A0A010B0000013D093F17CC
          Acct Session ID:  0x0000072B
                   Handle:  0x5A00013E
    Runnable methods list:
           Method   State
           dot1x    Authc Failed
           mab      Not run
    Critical Authorization is in effect for domain(s) DATA
    TEST#
    All other interfaces remain in current mode, nothing on them changes so long as they don't attempt to (re)authenticate.
    4. If another interface attempts to (re)authenticate, it goes into critical state immediately w/o trying to contact the dead policy nodes.
    5. The switch will try every so often (every 5 minutes?) to reach the policy nodes. If one of them is up, all interfaces that were in critical state immediately transition to normal authc/authz modes. Normal timers apply, dot1x endpoints come up almost immediately, mab clients lose connectivity until dot1x times out.
    To emulate a global fail for the organization, I plan to stop the ISE services on both of my policy nodes.
    Thanks for any comments/insights/input.

    We appreciate the detailed scenario description, the question itself was very informative.
    I used
    authentication event server dead action authorize
                                           critical VLAN=accessVLAN
    instead of
    authentication event server dead action reinitialize vlan

  • Ports and IPs to be open/permitted in firewall to download and work in creative cloud

    What is the complete list of ports and IP addresses to be open/permited in our enterprise firewall in order to let internal PCs download and work with creative cloud applications?

    Our firewall only supports IP configuration (not URL). Do you have IP list?
    From: Rajshree [email protected]
    Sent: miércoles, 06 de noviembre de 2013 17:23
    To: Simon, Mariano
    Subject: Ports and IPs to be open/permitted in firewall to download and work in creative cloud
    Re: Ports and IPs to be open/permitted in firewall to download and work in creative cloud
    created by Rajshree <http://forums.adobe.com/people/Rajshree>  in Adobe Creative Cloud - View the full discussion <http://forums.adobe.com/message/5819892#5819892

  • TCP RESET - CISCO IPS 4240 in IDS Mode - Block Teamviewer

    I would like to block teamviewer in my network. we are using CISCO IPS 4240 in IDS Mode. I found that there are signatures for teamviewer in latest Signatures.
    We have only configured promiscuous interface, I read that we can issue TCP resets thru promiscuous interface as well (recommended is dedicated tcp reset interface).
    However in my case, I found that Signatures for teamviewer is not getting fired even after getting successful teamviewer connections.
    I am a beginner is IPS, Any inputs will be valuable for me.

    We're talking about sigs 15002-0, -1, -2 here. They are by default shipped disabled and retired, so you'll want to enable and activate them.
    For these, the signature settings are not hidden and what they look for is pretty clearly documented in the sig description.
    -0 looks for some specific DNS requests on TeamViewer's startup. TCP resets will have no effect on this.
    -1 looks for specific traffic to tcp port 5938 which would indicate Teamviewer's direct-connection method
    -2 looks for traffic indicating use over http when teamviewer is configured to use a proxy
    TCP resets are a best effort response, they aren't going to be a 100% effective stop

  • IPS 4240 software 6.2(3)E4

    Hello!
    I have a sensor IPS-4240 which holds IPS software 6.2(3)E4. Right now we havn't got a license.
    With the device wh have almost 100% cpu usage all the time:
    show statistics host
    General Statistics
       Last Change To Host Config (UTC) = 27-Dec-2010 14:51:19
       Command Control Port Device = Management0/0
    Network Statistics
    Memory Usage
       usedBytes = 1426128896
       freeBytes = 558419968
       totalBytes = 1984548864
    Summertime Statistics
       start = 02:00:00 UTC Sun Mar 27 2011
       end = 03:00:00 UTC Sun Oct 30 2011
    CPU Statistics
       Usage over last 5 seconds = 100
       Usage over last minute = 100
       Usage over last 5 minutes = 100
    Memory Statistics
       Memory usage (bytes) = 1426128896
       Memory free (bytes) = 558419968
    From service accont I see that only one process eats CPU - mainApp.
    I even created addition virtual sensor vs1 where I have disabled all signatures. It gave me no result.
    Situation can be changed for a while after the sensor's reboot, but not for long time.
    show interfaces doesn't show a lot of input traffic too.
    Event log contains only following warnings:
    evError: eventId=1293461883161643337 severity=warning vendor=Cisco
      originator:
        hostId: XXXXXX
        appName: notification
        appInstanceId: 409
      time: 2011/01/19 15:22:56 2011/01/19 21:22:56 GMT+06:00
      errorMessage: name=errWarning - the subscription lost data [IdsEventStore::readSubscription()]
    What can be a problem? How can I reduce CPU usage?
    With hope to resolve the issue

    It would be difficult to pin point what the exact issue is with the high CPU just by the information provided in the post. It seems that the mainApp is causing the high CPU, however, it is worth investigating further. I would suggest that you log a Cisco TAC case so further investigation can be performed.
    Alternatively, you can try to upgrade the software to the latest version of 7.0.4(E4) which has engine improvement.

  • Cisco IPS 4240 stops file downloads at 90%

    Hi everybody. I have a Cisco IPS 4240 with version 7.0.4 installed and upgraded to the last signature. But since it was installed i have the issue with some file downloads because the IPS stops the file at 90-99% of download percentage (in some cases, not all), The ips is inline in front of firewall, some partner say me that i have to change the mode to promiscuous for the solution of the issue, but i think that if the IPS was designed for work inline, i dont have to change anything and maybe some expert of the forum have the correct answer.  Or this issue have solution with configuration changes.
    Sorry by my write english.... I try to find some signature that causes the issue but if i disabled the sensor, the issue occurs. The firewall is not the problem because if i connect a laptop in front of the firewall and behind of IPS the issue occurs too. Well i have now some months trying of find a solution. In the page of Cisco not find some similar.... [:-(
    Pd. An example of files that stop when downloads is Apple Itunes... or Microsoft Patch, or Vmware software by example.
    Thanks for your response are greatly appreciated.

    Thnaks for your help this is the last packets before freeze the download:
    The size of the download with problems is random, sometimes ocurrs with small size downloads sometimes ocurrs with large downloads. The download of the example have 47 MB, I think that the traffic is dropped and the tcp conn timeout. Do you see some anomalies in this traffic portion?.
    14:55:20.536119 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.536122 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.536420 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.536718 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.536820 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.537123 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.537125 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.537517 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.537520 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.537522 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.537821 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.537823 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.538116 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.538118 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.538415 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.538418 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.544207 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.544307 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.638362 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.638365 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.638463 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.638562 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.638862 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.638864 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.638866 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.639164 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.639166 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.639560 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.639562 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.639564 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.639960 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.640260 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.640263 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.640568 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.641958 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.641960 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.642158 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.742304 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.742603 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.742605 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.742607 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.742903 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.743202 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.743302 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.743601 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.745000 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.745100 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.845347 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.845548 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.845550 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.845647 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.845845 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.846245 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.846247 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.846544 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.849040 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48010926 win 65335
    14:55:20.849439 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48012386 win 65335
    14:55:20.948787 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48015306 win 65335
    14:55:20.948789 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48018226 win 65335
    14:55:20.952982 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48021146 win 65335
    14:55:20.953679 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48024066 win 65335
    14:55:21.055723 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48029906 win 65335
    14:55:21.055725 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48032826 win 65335
    14:55:21.055930 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48035746 win 65178
    14:55:21.058919 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48037206 win 65335
    14:55:21.068809 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48040126 win 65335
    14:55:21.068812 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48043046 win 65335
    14:55:21.069006 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48045966 win 65335
    14:55:21.070103 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48048886 win 65335
    14:55:21.158967 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48051806 win 65335
    14:55:21.159265 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48054726 win 65335
    14:55:21.159465 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48057646 win 65335
    14:55:21.159864 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48060566 win 65335
    14:55:21.159867 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48063486 win 64605
    14:55:21.162162 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48066406 win 63875
    14:55:21.162260 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48066406 win 65335
    14:55:21.172245 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48069326 win 65335
    14:55:21.172248 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48072246 win 65335
    14:55:21.172545 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48075166 win 65335
    14:55:21.172645 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48078086 win 64605
    14:55:21.172744 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48078086 win 65335
    14:55:21.172844 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48081006 win 65335
    14:55:21.173144 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48083926 win 64605
    14:55:21.185225 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48083926 win 65335
    14:55:21.572333 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48116046 win 65335
    14:55:21.585313 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
    14:55:21.585315 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
    14:55:21.585414 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
    14:55:21.585417 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
    14:55:21.585512 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
    14:55:21.677172 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
    14:55:21.688654 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
    14:55:21.688657 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48158386 win 65335
    14:55:21.688757 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48158386 win 65335
    14:55:21.780613 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48170066 win 65335
    14:55:21.883755 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48170066 win 65335
    14:55:21.986998 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48170066 win 65335
    14:55:22.090639 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48170066 win 65335

  • Need Information about IPS 4240

    Hello,
    Could you please give me information about IPS 4240:
    Number of sessions
    Number of signature
    Number of protocol
    Thank you very much

    Refer to the following urls for moreinfo on using IPS 4240:
    http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/cli/cliSgDef.html

  • %HA_EM-3-LOG: NAC-RADIUS-FAIL-OPEN-DEAD: All RADIUS servers are dead changing the nac-enforcement ACL to permit all

    We just implemented ISE 802.1x in couple of our  Cisco 4507 switches  and we are seeing the following error in the log.
    %HA_EM-3-LOG: NAC-RADIUS-FAIL-OPEN-DEAD: All RADIUS servers are dead changing the nac-enforcement ACL to permit all
    I paste it in the Cisco error message decoder and came back with not found.
    Thanks...

    Jimmy,
    Srory for the late reply but it turned out to be we needed to add the missing auth data vlan command on the switch. After that the error went away.
    Thanks for you input I do appreciate it.
    Jack.

  • NAS/NAM fail open/fail close modes

    I need a quick small help, its not documented any place so I need a clarification.
    I need this in terms of authentication through AD
    1. If my NAS goes down/unreachable what will happen? But nam is up?
    2. If my NAM goes down/unreachable and NAS is up what will happen?
    3. If both NAS and NAM are both down?
    If you can help me out on this point. I cant find any configuration guide stating fail open or fail closed modes of NAM and NAS

    We appreciate the detailed scenario description, the question itself was very informative.
    I used
    authentication event server dead action authorize
                                           critical VLAN=accessVLAN
    instead of
    authentication event server dead action reinitialize vlan

  • Critical VLAN/"fail open" support when ISE PSN is unavailable

    This thread regards ISE operation (and options) where a policy node becomes unavailable - so, in the case of either a single standalone ISE appliance (no HA), or more often a PSN becoming unavailable due to a WAN failure to a remote branch. The intended design for the deployment in question would involve using downloadable ACLs (dACLs) to provide differentiated access, specifically:
    - A default ACL would be configured on 802.1x switchports would allow "limited" access (possibly Internet-only, but TBD).
    - Successful 802.1x authentication would require 1) validation of a corporate certificate on the endpoint, and 2) successful AD login. This would provision a dACL providing full access.
    ISE provides the option to configure Inaccessible Authentication Bypass to support RADIUS unavailability when 802.1x is configured on switch ports, but I'm needing to confirm how this works when using dACLs instead of VLANs for differentiated access. Specifically, if IAB is configured so that 802.1x ports (maybe all of them if all ports at the branch need to be functional) get placed into a "critical VLAN", will this override the default ACL on the port, which would no longer be applicable to the new VLAN anyway?
    Simply put - we need to configure the deployment so that all endpoints fail open and have full access in the event of ISE/RADIUS becoming unavailable. (There'll be no local RADIUS and/or AD server in the event of WAN failure.) This will need to work although the 802.1x authentication/authorization will be using dACLs to determine access.
    Thank you

    I have a similar set up i.e. Pre-auth ACL applied on each port which is overwritten by a 'permit ip any any' DACL from the ISE server if a device successfully authenticates.
    My understanding is that if the ISE PSN nodes become unavailable then if a Critical Vlan has been configured then devices will be placed into that vlan, however, the pre-auth ACL will still apply. Hence, if the pre-auth ACL only allows limited network connectivity, then in the event of all the ISE PSN nodes being unreachable then the device will only get the connectivity you allow via the pre-auth ACL.
    This is obviously quite undesirable and so when I raised this with TAC they suggested that I add an EEM script to each switch so that if the ISE PSN nodes become unavailable then the EEM script will kick in and add a "1 permit ip any any' at the top of the pre-auth ACL.

  • ISE NAD RADIUS Fail Open

    Good afternoon,
    NAC offers ip admission command for fail open on a router.  Is there an equivalent command for access switches pointing to a RADIUS server?
    Situation:
    Access switches have two RADIUS servers configured, one pointing to Load Balancer at Site A (with 6 PSNs behind) and the second RADIUS pointing at the LB at Site B (6 PSNs behind).  If neither Site Load Balancers are reachable, how could we have the access switch fail-open and apply a ACL which would give access only to the Internet to the staff? 
    Thanks.
    Cath.

    Cath,
    You can actually leverage the command "authentication event dead action authorize vlan id" and dump the users on a vlan that will grant them access while the radius servers are unreachable.
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/15.0_2_se/configuration/guide/sw8021x.html#wp1194433
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

Maybe you are looking for

  • Can`t move image in pse 11 for correction

    I made a lot of photos during trip, all loaded on Mac. Same I need correction in Adobe Photoshop  element 11( already in computer) and several can`t loaded in Adobe 11.  When I click to open in Adobe 11 Pop up note "Could not complete your request be

  • Pre-made pages in iWeb like the ones in homepage

    Before I got iWeb I used homepage a lot. There seems to me a lot more premade pages in homepage like baby announcements, resume pages, educational focused pages.... are these types of things available in iWeb? All I see for any theme is the same 8 pr

  • Drag and Drop Layout with items attached to Page 0 Region Bug

    Hi, I have a region on P0 (P0_REGION) and multiple page items (not on page 0) are associated to the region. When I go to "Drag and Drop" the page items I see all the Page Items for the given page and all the Page Items that are linked to a P0 Region.

  • Planning for 11.5.10 Oracle E-Business Suite Consolidated Update 2 (CU2)

    Hello All, I have instance with version 11.5.10 I want to apply CU2 I am referring document 316366.1 for above. I found many patches are there. So my question can I apply 2 patches everyday after 5.00 p.m. ?? So user can continue their work during wo

  • How to transfer Notes from iPad 1 to the New iPad (3)

    Been using iPad 1 and have 221 Notes in the All Notes Account. The Gmail Account shows 6 Notes. The On My iPad Account shows 215. Just got the New iPad today. Could not transfer all the Notes over to the new device. No problems with  Contacts and Cal