IPS 4240 & Interface Up\Down In Bypass-Mode Auto

Hi. this is a strange one. We have a C7200R (FastEthernet) on one side and a C3500 (FastEthernet) on the other with an IPS4240 in the middle. When changing the IPS unit from "bypass-mode on" to auto the interface on the C7200 router goes down, ie no link activity. We have tried several combinations of interface speeds\duplex. The systems would normally be in speed auto\duplex auto but we have tried 100\full forced as well. When in "bypass-mode on" the all systems work fine in auto\auto negotiating 100\full. Any ideas. Thanks Alex

I have a similar problem:
ASA 5510 - E0/0 - Connects to E0/1 on C2800 - when we set it to FULL/100 the connection fails - when the interfaces are set to AUTO everything is fine. Any suggestions? Thanks

Similar Messages

IPS 4240 -email arlert configuration and Which mode

hi
My topology
1)
Internet-router(2ISP terminated in Single Router-two different Firewall-(ASA5510 and PIX 515e)-->inside interface connected in IPS4240--->From IPS to L33750 Switch.
Is right place to put IPS4240 and tell me IPS in which mode(inline or Promiscous).
2) I am able to see log in IPS 4240, i want to configure IPS alert to my mail id , where i need to start the configuration.? pl advise
thanks
Karthik

Email alert configuration is not supported in IPS/IDS.
I think you can configure in promiscuous mode as Customers requiring promiscuous mode (non-inline) deployments are encouraged to migrate to the Cisco IPS 4240 Sensor, which supports up to 250 Mbps of IPS throughput.
The below URL helps to configure IPS 4240 in promiscuous mode:
http://www.cisco.com/en/US/docs/security/ips/5.1/configuration/guide/cli/cliInter.html#wp1033699

Management Interaface IPS 4240

The management interface of IPS 4240 is disabled by default can anyone tell me how to enable this interface.
I hv just done the basic setup and not able to access the IPS through Web browser

management interfaces are disabled by default and they always are
on the cisco ips run
setup and once you setup an Ip for the ips you will be able to connect to the web interface
here is a example of how a command-control should look like
ex:
name: FastEthernet0/1
media-type: tx
description:
admin-state: disabled
duplex: full default: auto
speed: auto
alt-tcp-reset-interface
none
subinterface-type
none
command-control: FastEthernet0/1
bypass-mode: auto
interface-notifications
missed-percentage-threshold: 0 percent
notification-interval: 30 seconds
idle-interface-delay: 30 seconds
as you see they are "protected" so you cannot change the state from disable to enable

IPS 4240 fail open

Hi All,
I have a single unit of IPS 4240. I want to know if my sensor or the unit itself fails/shutdowns, is there any option where in my traffic will be passed so that there is no downtime.
Thanks
Pratik

You can configure the sensor when it's inline mode with inline-bypass mode "auto" so when the unit fails, it will just pass through the traffic without inspecting it, however, if the sensor is completely shutdown, then no, traffic will be dropped when it's in inline mode.
Here is more information on inline bypass mode:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_interfaces.html#wp1047079
However, if it's in promiscious mode, then you don't have to worry about it as the packet is not inline and will not cause interruption.
Hope that helps.

IPS 4240.. and hardware bypass

Hi everyone.. please kindly help. We are using 4240 as a IDS at the moment and are looking to enable the IPS capability in near future.   However we only have one IPS on our site. For resiliancy we have 2 entry/exit points with 1 asa at each entry point as a firewall.
My concern is that if we enable IPS capabilites in inline mode and IPS falls over due to hw problem we will end up with primary link failure. Is there some sort of module available for 4240 to enable the hardware bypass?   Thanks Regards.

Thank you Bob... I think you are refering to this document. http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_interfaces.html#wp1047718 I read it and I think I am now clear about the issue of 2 separate vlans.. However I still have some confusion about my own setup.
Currently there is one vlan - Vlan 100 between ASA and our internal router. If I place the IPS with inline interface pair configured between ASA and our internal router, I am not sure if I need any special configuration with reagrds to vlans.. As far as I can see I will have vlan 100 between ASA and IPS and vlan 100 again between IPS and internal router. But I have a feeling that my assumption is incorrect and when IPS receives the packets on one interface from the internal router, it will not forward it out of the paired interface as IPS may not understand the Vlan tag.   Unfortunately I am not in position to try this on a live IPS device as our IPS is already in a production environment but being used as an IDS.
Would I be better off adding a switch to the mix between the internal router and the ASA and then follow the "inline vlan pair" route?. Bit similar to diagram below.

TCP RESET - CISCO IPS 4240 in IDS Mode - Block Teamviewer

I would like to block teamviewer in my network. we are using CISCO IPS 4240 in IDS Mode. I found that there are signatures for teamviewer in latest Signatures.
We have only configured promiscuous interface, I read that we can issue TCP resets thru promiscuous interface as well (recommended is dedicated tcp reset interface).
However in my case, I found that Signatures for teamviewer is not getting fired even after getting successful teamviewer connections.
I am a beginner is IPS, Any inputs will be valuable for me.

We're talking about sigs 15002-0, -1, -2 here. They are by default shipped disabled and retired, so you'll want to enable and activate them.
For these, the signature settings are not hidden and what they look for is pretty clearly documented in the sig description.
-0 looks for some specific DNS requests on TeamViewer's startup. TCP resets will have no effect on this.
-1 looks for specific traffic to tcp port 5938 which would indicate Teamviewer's direct-connection method
-2 looks for traffic indicating use over http when teamviewer is configured to use a proxy
TCP resets are a best effort response, they aren't going to be a 100% effective stop

Unable to load IPS 4240 IOS from Rom Mode

Hi Experts,
Kindl asist me in load the IPS IOS on the IPS 4240 from rommon mode.
Note: I can only access the IPS via rommon only becuase the existing ios is cuppted and formatted.
The rommon output is give bellow:
rommon #2> set
ROMMON Variable Settings:
ADDRESS=192.168.2.16
SERVER=192.168.2.58
GATEWAY=192.168.2.1
PORT=Management0/0
VLAN=untagged
IMAGE=C:\IOS\Tftpd32\IPS-4240-k9-sys-1.1-a-6.1-1-E2.img
CONFIG=
LINKTIMEOUT=20
PKTTIMEOUT=4
RETRY=20
rommon #14> ping 192.168.2.16
Sending 20, 100-byte ICMP Echoes to 192.168.2.16, timeout is 4 seconds:
Success rate is 0 percent (0/20)
rommon #15> ping 192.168.2.58
Sending 20, 100-byte ICMP Echoes to 192.168.2.58, timeout is 4 seconds:
Success rate is 95 percent (19/20)
rommon #0> ping 192.168.2.1
Sending 20, 100-byte ICMP Echoes to 192.168.2.1, timeout is 4 seconds:
Success rate is 100 percent (20/20)
rommon #1> ping 192.168.2.16
Sending 20, 100-byte ICMP Echoes to 192.168.2.16, timeout is 4 seconds:
Success rate is 0 percent (0/20)
rommon #2>
The major problem is that i cannot ping the ips interface address 192.168.2.16) while i can ping all the others.
Thanks in anticipation!
Regards

Hi,
From the error message the file was not found on the tftp server.
I see that you have:
IMAGE=C:\IOS\Tftpd32\IPS-4240-k9-sys-1.1-a-6.1-1-E2.img
I am guessing that this should be:
IMAGE=IPS-4240-k9-sys-1.1-a-6.1-1-E2.img
as the tftp daemon on your machine probably is using C:\IOS\Tftpd32\ as the 'root' directory of the files it is serving.
You can check this in the settings of the tftp daemon.
Best regards, Peter

IDS-4210 picks up what IPS-4240 misses, strange duplex/interface problems

I just installed a IPS-4240 inline on our primary internet inbound connection. I decided to leave the 4210 in place for a week or two while I tuned the signatures. It is receiving a span of the same traffic that the 4240 is receiving.
I noticed today that the 4210 is picking up sig 3250 and the 4240 is no. The first thing I checked to make sure that the 4240 has this signature enabled, and it is. Anyone have any thoughts? BTW, All sensors are on the same version 5.1.1 and running s211 and managed through VMS.
I would also like to mention that I had issues on the 4240 and its interfaces. Management only runs at half duplex and the interfaces that connect to our PIX. I ended up having to put a switch between the 4240 and the Pix 515e to solve the duplex issues.
Anyone have any thoughts on this part

I had the same duplex problem with my 4240 sensor connecting to my PIX. The only way I could get it to work without errors is to set both the sensor and the PIX interfaces to auto/auto. I worked with Cisco on this problem. No resolution, just the workaround. As far as sig 3250, IPS and IDS signatures may be a little different. I assume you span from the inside and run your in-line outside your firewall? If this is the case, then the 4240 sensor may see different traffic than the 4210.

IPS 4240 Design Question

I have two IPS 4240s that may be placed between our internal network and our extranet firewall. The firewall set is your standard ASA-5520 active/failover pair connected to two switches.
Q1 - If I am not worried about atomic attacks, is there any other benefit to having the IPS inline over promiscuous?
Q2 - Whether inline or promiscuous, is it necessary to connect the single IPS to both switches in order to receive packets when an ASA failover occurs? If so, is it done physically or via RSPAN?
Q3 - If the IPS fails and it is configured inline, do the interfaces fail open (traffic continues to pass) or closed (traffic is dropped)? I could not find that on Cisco's site.
Thanks!

A1 - There are a few things that in-line mode can clean up by deafult, but that can also bite you. Check out some of the other forum posts on having ssh dropped without alerts. Since you have reduntant 4240s the realibility of the IPS sensors in-line shouldn't affect you as much. Just don't update them at the same time.
A2 - Only the signatures that need state will be effected by a failover. Hopefully failovers do not happen frequently enough for missing a few potential hits to be an issue. If you are really performing good analysis and tuning out your false positives, then you might want to connect both sensors to both switches.
A3 - You can configure the 4240s to fail-open (pass the traffic thru the sensor when it fails) or fail-closed (do not pass traffic during sensor failure). Since you have dual firewalls, switches and sensors, you can fail closed and force the traffic thru the running sensor and firewall. If one sensor is standby, you may want to make him fail open, so that you can still pass traffic in the event both sensors are down.

IPS 4240 ATTACK DETAILS

Dear All,
The following is the attack detaisl i received from the customer. Before contact cisco i posted here for your answers.
Date= 2007/02/16
Time= 22:44:13 Arab Standard Time
SIGID= 5081:0
5326:0
SIGNAME= WWW WinNT cmd.exe Access
Root.exe access
Victime= 192.168.100.1
AttackerAddress= 214.139.200.1
Please how can i solve this issue .
swamy

Edward,
Thanks for your info. I will contact the customer and dscuss those things.
Also i want to know the following on IPS in-line
setup.
1.IPS Connected behind the firewall pix 525 in in-line mode. Interface pair was created and 2 interfaces are made members of the pair. I assigned the pair to the engine.Here i did not do anything tuning on signatue configuration. All the sig are enabled as default. As soon as the ips placed in the network in in-line it stop thenetwork to go out when i put in bypass mode then working. PLease could you give the basic config to make the IPS working in in-line mode. Inside the network is the one with 3 networks (192.168.100.0, 101.0, 102.0)
ips inside interface sits in 192.168.100.0 network then other 2 networs are in 2 vlans of the core switch 4507R.IPS outside interface in line with pix firewall failover pair. Firewal pair outside connect to the internet router 3825 to the internet using ADSL.
I want to know how to choose the sigs those are only required for the internal networks also.
Waiting for your reply
Thanks in advance
swamy

SNMP monitoring of Bypass mode on a 4255

Hi,
I am trying to monitor if the IPS is in bypass mode or not through SNMP.
Does anyone know which OID I should be looking at?
Thanks

.1.3.6.1.4.1.9.9.138.1.1.2.1.3.0.0 = STRING: "Indicates that the specified network interface has lost link."
.1.3.6.1.4.1.9.9.138.1.1.2.1.3.0.1 = STRING: "Indicates that the specified network interface has established link."
.1.3.6.1.4.1.9.9.138.1.1.2.1.3.0.2 = STRING: "Indicates that packet traffic has started on the specified network interface."
.1.3.6.1.4.1.9.9.138.1.1.2.1.3.0.3 = STRING: "Indicates that packet traffic has stopped on the specified network interface."
.1.3.6.1.4.1.9.9.138.1.1.2.1.3.0.4 = STRING: "Indicates that the percentage of missed packets on the specified interface has exceeded the configured threshold."
.1.3.6.1.4.1.9.9.138.1.1.2.1.3.0.5 = STRING: "Indicates that the inline data bypass has started."
.1.3.6.1.4.1.9.9.138.1.1.2.1.3.0.6 = STRING: "Indicates that the inline data bypass has stopped."
There seems to be some mibs releated to this, but i'm guessing these are SNMP traps that can be sent. I haven't tested this, but might be worth a shot to setup SNMP traps and manually start bypass to see if you get them.

IPS 4240 software 6.2(3)E4

Hello!
I have a sensor IPS-4240 which holds IPS software 6.2(3)E4. Right now we havn't got a license.
With the device wh have almost 100% cpu usage all the time:
show statistics host
General Statistics
   Last Change To Host Config (UTC) = 27-Dec-2010 14:51:19
   Command Control Port Device = Management0/0
Network Statistics
Memory Usage
   usedBytes = 1426128896
   freeBytes = 558419968
   totalBytes = 1984548864
Summertime Statistics
   start = 02:00:00 UTC Sun Mar 27 2011
   end = 03:00:00 UTC Sun Oct 30 2011
CPU Statistics
   Usage over last 5 seconds = 100
   Usage over last minute = 100
   Usage over last 5 minutes = 100
Memory Statistics
   Memory usage (bytes) = 1426128896
   Memory free (bytes) = 558419968
From service accont I see that only one process eats CPU - mainApp.
I even created addition virtual sensor vs1 where I have disabled all signatures. It gave me no result.
Situation can be changed for a while after the sensor's reboot, but not for long time.
show interfaces doesn't show a lot of input traffic too.
Event log contains only following warnings:
evError: eventId=1293461883161643337 severity=warning vendor=Cisco
originator:
    hostId: XXXXXX
    appName: notification
    appInstanceId: 409
time: 2011/01/19 15:22:56 2011/01/19 21:22:56 GMT+06:00
errorMessage: name=errWarning - the subscription lost data [IdsEventStore::readSubscription()]
What can be a problem? How can I reduce CPU usage?
With hope to resolve the issue

It would be difficult to pin point what the exact issue is with the high CPU just by the information provided in the post. It seems that the mainApp is causing the high CPU, however, it is worth investigating further. I would suggest that you log a Cisco TAC case so further investigation can be performed.
Alternatively, you can try to upgrade the software to the latest version of 7.0.4(E4) which has engine improvement.

Cisco IPS 4240 stops file downloads at 90%

Hi everybody. I have a Cisco IPS 4240 with version 7.0.4 installed and upgraded to the last signature. But since it was installed i have the issue with some file downloads because the IPS stops the file at 90-99% of download percentage (in some cases, not all), The ips is inline in front of firewall, some partner say me that i have to change the mode to promiscuous for the solution of the issue, but i think that if the IPS was designed for work inline, i dont have to change anything and maybe some expert of the forum have the correct answer. Or this issue have solution with configuration changes.
Sorry by my write english.... I try to find some signature that causes the issue but if i disabled the sensor, the issue occurs. The firewall is not the problem because if i connect a laptop in front of the firewall and behind of IPS the issue occurs too. Well i have now some months trying of find a solution. In the page of Cisco not find some similar.... [:-(
Pd. An example of files that stop when downloads is Apple Itunes... or Microsoft Patch, or Vmware software by example.
Thanks for your response are greatly appreciated.

Thnaks for your help this is the last packets before freeze the download:
The size of the download with problems is random, sometimes ocurrs with small size downloads sometimes ocurrs with large downloads. The download of the example have 47 MB, I think that the traffic is dropped and the tcp conn timeout. Do you see some anomalies in this traffic portion?.
14:55:20.536119 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.536122 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.536420 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.536718 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.536820 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.537123 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.537125 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.537517 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.537520 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.537522 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.537821 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.537823 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.538116 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.538118 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.538415 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.538418 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.544207 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.544307 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.638362 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.638365 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.638463 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.638562 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.638862 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.638864 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.638866 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.639164 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.639166 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.639560 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.639562 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.639564 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.639960 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.640260 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.640263 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.640568 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.641958 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.641960 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.642158 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.742304 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.742603 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.742605 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.742607 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.742903 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.743202 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.743302 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.743601 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.745000 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.745100 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.845347 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.845548 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.845550 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.845647 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.845845 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.846245 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.846247 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.846544 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.849040 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48010926 win 65335
14:55:20.849439 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48012386 win 65335
14:55:20.948787 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48015306 win 65335
14:55:20.948789 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48018226 win 65335
14:55:20.952982 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48021146 win 65335
14:55:20.953679 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48024066 win 65335
14:55:21.055723 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48029906 win 65335
14:55:21.055725 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48032826 win 65335
14:55:21.055930 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48035746 win 65178
14:55:21.058919 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48037206 win 65335
14:55:21.068809 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48040126 win 65335
14:55:21.068812 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48043046 win 65335
14:55:21.069006 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48045966 win 65335
14:55:21.070103 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48048886 win 65335
14:55:21.158967 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48051806 win 65335
14:55:21.159265 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48054726 win 65335
14:55:21.159465 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48057646 win 65335
14:55:21.159864 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48060566 win 65335
14:55:21.159867 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48063486 win 64605
14:55:21.162162 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48066406 win 63875
14:55:21.162260 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48066406 win 65335
14:55:21.172245 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48069326 win 65335
14:55:21.172248 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48072246 win 65335
14:55:21.172545 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48075166 win 65335
14:55:21.172645 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48078086 win 64605
14:55:21.172744 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48078086 win 65335
14:55:21.172844 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48081006 win 65335
14:55:21.173144 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48083926 win 64605
14:55:21.185225 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48083926 win 65335
14:55:21.572333 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48116046 win 65335
14:55:21.585313 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
14:55:21.585315 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
14:55:21.585414 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
14:55:21.585417 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
14:55:21.585512 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
14:55:21.677172 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
14:55:21.688654 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
14:55:21.688657 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48158386 win 65335
14:55:21.688757 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48158386 win 65335
14:55:21.780613 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48170066 win 65335
14:55:21.883755 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48170066 win 65335
14:55:21.986998 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48170066 win 65335
14:55:22.090639 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48170066 win 65335

New to IPS 4240 - What else can I use to manage it?

I have just purchased a Cisco IPS 4240 and have it up and running. Have been using the IEV to view IPS information and that works ok. The VMS 2.2 that came included with the IPS will not work with the current Cisco works (LMS 2.5) installation that we have.
My question is, is there any other tool besides the IEV and the VMS 2.2 that I can use to mange/monitor my IPS? the IEV seems so limited.
I have downloaded the newer VMS from the Cisco site and am planning to test that this comming week, but wanted to know ahead of time if I needed to waste my time with this tool or not.
Thanks!

The latest CSMARS release is promising and honestly the netforensics solution offered by Cisco probably wouldn't be a good fit for the op, but I think Cisco needs to rething pushing the MARS in leui of everything else. As a previous customer of netforensics, and now a user of CSMARS...there are definitely many things that netforensics does better than CSMARS.
My biggest beef with CSMARS is the seemingly casual way in which it treats time and "raw messages". IMHO, these should be sacred to any SIM. I can elaborate, but for the sake of brevity I'll just give a couple examples:
The signature name reported in the "raw message" that MARS makes available is not always correct. Also, custom signature events report as "unknown" in the "raw message". Clearly this is not a "raw message" by any reasonable interpretation...MARS is writing bits that never existed in the original message.
the event contextual information is very often truncated. If you rely on this a great deal, the MARS probably isn't for you. There's also no interface for decoding it, requiring a cut-and-paste into your favorite decoder.
Believe me, I could go on. On the bright side, the MARS is showing promise...I was able to cross off my list quite a few issues after the latest upgrade.
Matt

IPS 4270 with 6509 VSS in Promiscous mode

Dear all,
I am trying to figure out how to configure 2x IPS 4270 in promiscous mode with Cisco 6509 VSS:
I have attached the LLD core datacenter design including the IPS physical placement in my network.
The following points are my concerns in this design:
Shall I connect each of the IPS 4270's into VSS Chassis A and B, or I keep each IPS connected to different Chassis? (considering the SPAN port configuration on VSS and if I could encounted Asymmetric routing issue or not).
Can I use Etherchannel in either case (keep in mind it's promiscous mode), that means the destination interface on the VSS will be an Etherchannel interface, but does the Cisco IPS 4270 support Etherchannel while in promiscous mode?
I really appreciate your input on this matter guys.
Cheers
Mohammed Khair

Hi,
1.You can Connect the each IPS into Chasis A and B That is Not aproblem .But While Configuring the RSPAN Monitor From A to B and B to A should monitor the both vlans ( i mean RSAPN A and B also vice versa in your config then it will give both out put even connectivity between IPs and chasisi one fails also)
2.IPS Supports the Etherchannel while in promiscous mode as well.

IPS 4240 & Interface Up\Down In Bypass-Mode Auto

Similar Messages

Maybe you are looking for