Blocking error msg.

siscisco05
Level 1

I have set up my IDS to manage a router. I have gone through the steps to configure this router through the IDM. I have set up the login profiles, the blocking device, and both the pre-block and post-block ACLs. But I get an error in the IDM when looking through the events when it tries to complete a block. The error msg. is "Unable to execute a host block timeout - no blocking interfaces are configured".

I am not sure why I am getting this error msg. I think I have gone through all of the configuration steps correctly.

Thanks for any info.

Accepted Solution

jlively
Cisco Employee

After you added the pre/post ACL names and the blocking interface name under the Router Blocking Device Interface tab, did you apply the settings? In the CLI, you can either do a show conf or a show stat net (see below) to verify.

qsensor-xxx# sh stat net
Current Configuration
   LogAllBlockEventsAndSensors = true
   EnableNvramWrite = false
   EnableAclLogging = false
   AllowSensorBlock = false
   BlockMaxEntries = 250
   MaxDeviceInterfaces = 250
   NetDevice
      Type = Cisco
      IP = 1.2.3.4
      NATAddr = 0.0.0.0
      Communications = telnet
      ResponseCapabilities = block
      BlockInterface
         InterfaceName = ethernet1
         InterfaceDirection = in
         InterfacePreBlock = pre_acl_name
         InterfacePostBlock = post_acl_name


14 Replies

edwakim
Cisco Employee

Hi,

In your 'sh config' output from CLI, does it list the 'block-interfaces in'?

Here is a sample:

user-profiles cisco
   enable-password cisco
   password cisco
   username cisco
   exit
router-devices 192.168.1.1
   communication telnet
   profile-name cisco
   block-interfaces fastethernet0/0 in
   exit
response-capabilities block
exit

Thank you.

Edward

Here is my sh config output:

   username admin
   exit
router-devices 205.170.225.249
   communication ssh-3des
   profile-name mainrouter
   block-interfaces FastEthernet0/0 in
   pre-acl-name Pre-Block
   post-acl-name Post-Block
   exit
response-capabilities block
exit

Try connecting with telnet instead of 3-des. Sometimes ARC gets confused by 3-des connect problems and reports an incorrect error. If telnet works, then we can work on getting the 3-des working. Speaking of 3-des, you did log into the CLI, do conf t and the ssh host 205.170.225.249 command, right? That is necessary to get the key so ARC can connect to the router.

OK, I have changed the communication from 3-des to telnet. Do you know of an internal test that I can do to make sure the error msg. has been fixed?

Also, I did create a key for the 3-des.

Thanks for the help.

In IDM under the monitoring tab, there is a place to add manual blocks. If you monitor with the CLI as you add the block with IDM, you should see the action take place. You can also look on the router and see if ARC built and attached an ACL to the interface. Since you specified a pre/post ACL, the one ARC created should look like:

1. sensor ip address
2. contents of pre-acl
3. active blocks
4. contents of post acl

Make sure your post ACL has "permit ip any any" as the last line.
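As an added illustration (not from this thread and not generated by the sensor), this is the shape the reply above describes, written out as an IOS named extended ACL attached inbound on FastEthernet0/0. The ACL name, the sensor address, the blocked host and the sample pre-block entry are assumptions or placeholders; only the entry order and the closing permit come from the reply.

```ios
! Illustrative only: ARC writes and attaches this ACL itself.
! ACL name is assumed; <sensor-ip> and <blocked-host> are placeholders.
ip access-list extended IDS_FastEthernet0/0_in_0
 ! 1. the sensor's own address first, so the sensor can never block itself
 permit ip host <sensor-ip> any
 ! 2. contents of the pre-block ACL (Pre-Block), copied in
 !    (sample entry: keep the sensor's management session to the router open)
 permit tcp host <sensor-ip> host 205.170.225.249 eq telnet
 ! 3. active blocks, one deny per blocked host, maintained by ARC
 deny ip host <blocked-host> any
 ! 4. contents of the post-block ACL (Post-Block), which must end with
 !    permit ip any any or everything not listed above is dropped
 permit ip any any
!
interface FastEthernet0/0
 ip access-group IDS_FastEthernet0/0_in_0 in
```

If the post-block ACL on the router lacks the final permit ip any any, the first manual block will cut off all other inbound traffic on that interface, which is why the reply calls it out.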

When I tried to add a manual block, in the event log through the IDM I still receive the error msg. "Unable to execute a net block on because no blocking interfaces are configured"

"Unable to execute a net block because blocking is not configured"

Which interfaces are they talking about, the IDS interfaces or the router interfaces?

Thanks

Let's back up. Let's try this at its most basic.

1. Does your router support the ip access-list extended command?
2. What version of software are you running on the sensor?
3. Try removing the pre and post ACLs from the sensor config using IDM (leave them on the router).
4. Is this the only device you are connecting to? (There are other issues that sometimes occur if you are managing a PIX and a router.)

1. The router does support ip access-list extended.
2. Software version - 6.0(1)
3. I have removed the pre and post ACLs through the IDM, kept them on the router.
4. This is the only device.

Thanks for your help

Any change in the stats messages? Can you post your full show stat net output? If it is not working, the next thing we need to try is a packet capture of the traffic between the sensor and the router so I can figure out where things are breaking down.

ids# show stat net
Current Configuration
   LogAllBlockEventsAndSensors = true
   EnableNvramWrite = false
   EnableAclLogging = true
   AllowSensorBlock = false
   BlockMaxEntries = 250
   MaxDeviceInterfaces = 250
   NetDevice
      Type = Cisco
      IP = 205.170.225.249
      NATAddr = 0.0.0.0
      Communications = telnet
      ResponseCapabilities = block
      BlockInterface
         InterfaceName = FastEthernet0/0
         InterfaceDirection = in
State
   BlockEnable = true
   NetDevice
      IP = 205.170.225.249
      AclSupport = uses Named ACLs
      Version = 0
      State = Inactive

I never noticed this before; it says the state is Inactive. How do you change it to active?
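As an added example (not code from this thread or from Cisco), here is a small checker that reads a show stat net dump like the one above and reports, per managed NetDevice, whether a BlockInterface is configured beneath it and whether ARC lists it as Active, the two things this thread turned on. The key names are the ones the sensor prints; the sample text is constructed from the output quoted above, and the second sample drops the BlockInterface block to reproduce the "no blocking interfaces are configured" condition.

```python
"""Sanity-check the ARC section of `show stat net` before trying a manual block.

Added example, not code from this thread or from Cisco. It parses the
indented `key = value` dump the sensor prints and flags a NetDevice with
no BlockInterface beneath it and a device whose State is not Active.
"""
import re
from dataclasses import dataclass, field

# Constructed from the thread's `ids# show stat net` listing.
SAMPLE = """\
Current Configuration
   LogAllBlockEventsAndSensors = true
   EnableNvramWrite = false
   EnableAclLogging = true
   AllowSensorBlock = false
   BlockMaxEntries = 250
   MaxDeviceInterfaces = 250
   NetDevice
      Type = Cisco
      IP = 205.170.225.249
      NATAddr = 0.0.0.0
      Communications = telnet
      ResponseCapabilities = block
      BlockInterface
         InterfaceName = FastEthernet0/0
         InterfaceDirection = in
State
   BlockEnable = true
   NetDevice
      IP = 205.170.225.249
      AclSupport = uses Named ACLs
      Version = 0
      State = Inactive
"""

# Same listing with the BlockInterface block removed (constructed): the
# misconfiguration behind "no blocking interfaces are configured".
SAMPLE_NO_IFACE = "\n".join(
    line for line in SAMPLE.splitlines()
    if not line.strip().startswith(("BlockInterface", "Interface"))
)

KV = re.compile(r"^(\w+)\s*=\s*(.*)$")


@dataclass
class NetDevice:
    ip: str = ""
    comms: str = ""
    interfaces: list = field(default_factory=list)  # one dict per BlockInterface
    state: str = "unknown"                          # from the State section


def parse_stat_net(text):
    """Return the NetDevices in the dump, config and state merged by IP."""
    devices, section, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Current Configuration":
            section, current = "config", None
        elif line == "State":
            section, current = "state", None
        elif line == "NetDevice":
            if section == "config":
                current = NetDevice()
                devices.append(current)
            else:
                current = None          # resolved once its IP line is seen
        elif line == "BlockInterface":
            if section == "config" and current is not None:
                current.interfaces.append({})
        else:
            m = KV.match(line)
            if not m:
                continue
            key, value = m.group(1), m.group(2).strip()
            if section == "config" and current is not None:
                if key.startswith("Interface") and current.interfaces:
                    current.interfaces[-1][key] = value
                elif key == "IP":
                    current.ip = value
                elif key == "Communications":
                    current.comms = value
            elif section == "state":
                if key == "IP":
                    current = next((d for d in devices if d.ip == value), None)
                elif key == "State" and current is not None:
                    current.state = value
    return devices


def check(devices):
    """Findings to resolve before expecting a manual block to succeed."""
    findings = []
    if not devices:
        findings.append("no NetDevice configured")
    for d in devices:
        label = d.ip or "<no IP>"
        if not d.interfaces:
            findings.append(f"{label}: no blocking interfaces configured")
        for i in d.interfaces:
            if "InterfaceName" not in i or "InterfaceDirection" not in i:
                findings.append(f"{label}: BlockInterface lacks a name or direction")
        if d.state != "Active":
            findings.append(f"{label}: ARC reports the device {d.state}")
    return findings


if __name__ == "__main__":
    for name, text in (("thread output", SAMPLE), ("no BlockInterface", SAMPLE_NO_IFACE)):
        print(name)
        for finding in check(parse_stat_net(text)):
            print("  -", finding)
```

Run against the thread's own output it reports only the Inactive state, which matches the reply that the device stays Inactive until the sensor can actually reach the router; a dump with the BlockInterface block missing is what produces the error message the thread opened with.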

It will be inactive until we get the interface issue resolved. Can you send me a packet capture of the ARC traffic?

Have 2 CLI sessions open.

In the first session:

conf t
serv net
gen
block-enable false
exit
exit

Save changes: yes (this stops ARC).

Now start the packet capture in the other window:

packet capture snaplen 1600 expr host 205.170.225.249

This will start capturing traffic going to the router you are trying to manage. Now start ARC back up in the other window:

conf t
serv net
gen
block-enable true
exit
exit

yes (will start it back up).

Wait for a couple of minutes, then do a Ctrl-C on the packet capture.

Use the copy command to send the packet capture file to a remote machine.

Email me the file (jlively@cisco.com).

Thanks for your help; this issue has been solved. I found out that telnet was disabled on the router. I also had to open the ports on the firewall. I am now able to block.

Thanks for all of your help.


ids# show stat net
Current Configuration
   LogAllBlockEventsAndSensors = true
   EnableNvramWrite = false
   EnableAclLogging = true
   AllowSensorBlock = false
   BlockMaxEntries = 250
   MaxDeviceInterfaces = 250
   NetDevice
      Type = Cisco
      IP = 205.170.225.249
      NATAddr = 0.0.0.0
      Communications = ssh-3des
      ResponseCapabilities = block
      BlockInterface
         InterfaceName = FastEthernet0/0
         InterfaceDirection = in
         InterfacePreBlock = Pre-Block
         InterfacePostBlock = Post-Block
