03-20-2007 07:30 AM - edited 03-10-2019 03:31 AM
I have set up my IDS to manage a router. I have gone through the steps to configure this router through the IDM. I have set up the login profiles, the blocking device, and both pre-block and post-block ACLs. But I get an error in the IDM when looking through the events when it tries to complete a block. The error message is "Unable to execute a host block timeout - no blocking interfaces are configured".
I am not sure why I am getting this error message. I think I have gone through all of the configuration steps correctly.
Thanks for any info.
03-20-2007 07:54 AM
After you added the pre/post ACL names and the blocking interface name under the Router Blocking Device Interface tab, did you apply the settings? In the CLI, you can do either a show conf or a show stat net (see below) to verify.
qsensor-xxx# sh stat net
Current Configuration
   LogAllBlockEventsAndSensors = true
   EnableNvramWrite = false
   EnableAclLogging = false
   AllowSensorBlock = false
   BlockMaxEntries = 250
   MaxDeviceInterfaces = 250
   NetDevice
      Type = Cisco
      IP = 1.2.3.4
      NATAddr = 0.0.0.0
      Communications = telnet
      ResponseCapabilities = block
      BlockInterface
         InterfaceName = ethernet1
         InterfaceDirection = in
         InterfacePreBlock = pre_acl_name
         InterfacePostBlock = post_acl_name
03-20-2007 07:36 AM
Hi,
In your 'sh config' output from the CLI, does it list the 'block-interfaces' line?
Here is a sample:
user-profiles cisco
enable-password cisco
password cisco
username cisco
exit
router-devices 192.168.1.1
communication telnet
profile-name cisco
block-interfaces fastethernet0/0 in
exit
response-capabilities block
exit
Thank you.
Edward
03-20-2007 08:06 AM
Here is my sh config output:
username admin
exit
router-devices 205.170.225.249
communication ssh-3des
profile-name mainrouter
block-interfaces FastEthernet0/0 in
pre-acl-name Pre-Block
post-acl-name Post-Block
exit
response-capabilities block
exit
03-20-2007 09:08 AM
Try connecting with telnet instead of 3-des. Sometimes ARC gets confused by 3-des connect problems and reports an incorrect error. If telnet works, then we can work on getting the 3-des working. Speaking of 3-des, you did log into the CLI, do conf t and the ssh host 205.170.225.249 command, right? That is necessary to get the key so ARC can connect to the router.
03-20-2007 10:16 AM
OK, I have changed the communication from 3-des to telnet. Do you know of an internal test that I can do to make sure the error message has been fixed?
Also, I did create a key for the 3-des.
Thanks for the help.
03-20-2007 11:04 AM
In IDM under the monitoring tab, there is a place to add manual blocks. If you monitor with the CLI as you add the block with IDM, you should see the action take place. You can also look on the router and see if ARC built and attached an ACL to the interface. Since you specified a pre/post ACL, the one ARC created should look like:
sensor ip address
contents of pre-acl
active blocks
contents of post acl
Make sure your post ACL has "permit ip any any" as the last line.
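As an added example (not code from the thread, Cisco, or ARC itself), the script below composes an IOS extended named ACL in the order the reply above describes (sensor permit, pre-block ACL, active blocks, post-block ACL) and lints the post-block ACL for the "permit ip any any" last line. The exact entry syntax ARC emits, the default ACL name, and the sample addresses are assumptions constructed for the example.

```python
"""Added example, not from the thread or from Cisco: build the ACL that ARC is
described above as attaching to the blocking interface, and check that the
post-block ACL ends in 'permit ip any any'. Entry syntax and ACL name are assumed."""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import List


@dataclass
class ArcAclSpec:
    sensor_ip: str                       # management address of the sensor
    pre_acl: List[str]                   # entries of the router's pre-block ACL
    post_acl: List[str]                  # entries of the router's post-block ACL
    host_blocks: List[str] = field(default_factory=list)   # active host blocks
    net_blocks: List[str] = field(default_factory=list)    # active network blocks (CIDR)


def lint_post_acl(post_acl: List[str]) -> List[str]:
    """Warn when the post-block ACL would leave IOS's implicit deny as the last entry."""
    warnings: List[str] = []
    if not post_acl or post_acl[-1].split() != ["permit", "ip", "any", "any"]:
        warnings.append("post-block ACL does not end with 'permit ip any any'; "
                        "the implicit deny at the end of the generated ACL will drop all other traffic")
    return warnings


def build_arc_acl(spec: ArcAclSpec, name: str = "IPS_FastEthernet0/0_in_0") -> List[str]:
    """Return the generated extended named ACL, one line per entry, in ARC's order."""
    acl = [f"ip access-list extended {name}",
           f" permit ip host {spec.sensor_ip} any"]            # sensor keeps its own access first
    acl += [f" {e.strip()}" for e in spec.pre_acl]              # pre-block ACL, verbatim
    acl += [f" deny ip host {h} any" for h in spec.host_blocks]  # host blocks
    for cidr in spec.net_blocks:                                 # net blocks with IOS wildcard mask
        net = ip_network(cidr, strict=False)
        acl.append(f" deny ip {net.network_address} {net.hostmask} any")
    acl += [f" {e.strip()}" for e in spec.post_acl]             # post-block ACL, verbatim
    return acl


if __name__ == "__main__":
    # Constructed sample: one sensor, one pre-block entry, one host and one net block.
    spec = ArcAclSpec(sensor_ip="192.0.2.10",
                      pre_acl=["permit tcp any host 192.0.2.1 eq 22"],
                      post_acl=["permit ip any any"],
                      host_blocks=["203.0.113.7"],
                      net_blocks=["198.51.100.0/24"])
    for w in lint_post_acl(spec.post_acl):
        print("WARNING:", w)
    print("\n".join(build_arc_acl(spec)))
```

Running it prints the ACL as you would expect to see it in the router's running configuration; drop the final permit from the sample post-ACL and the lint warning shows why the reply insists on it.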
03-20-2007 12:31 PM
When I tried to add a manual block, in the event log through the IDM I still receive the error message "Unable to execute a net block".
Which interfaces are they talking about, the IDS interfaces or the router interfaces?
Thanks
03-20-2007 01:47 PM
Let's back up. Let's try this at its most basic.
1. Does your router support the ip access-list extended command?
2. What version of software are you running on the sensor?
3. Try removing the pre and post ACLs from the sensor config using IDM (leave them on the router).
4. Is this the only device you are connecting to? (There are other issues that sometimes occur if you are managing a PIX and a router.)
03-20-2007 03:34 PM
1. The router does support ip access-list extended.
2. Software version: 6.0(1).
3. I have removed the pre and post ACLs through the IDM and kept them on the router.
4. This is the only device.
Thanks for your help
03-21-2007 01:03 PM
Any change in the stats messages? Can you post your full show stat net output? If it is not working, the next thing we need to try is a packet capture of the traffic between the sensor and the router so I can figure out where things are breaking down.
03-21-2007 03:12 PM
ids# show stat net
Current Configuration
   LogAllBlockEventsAndSensors = true
   EnableNvramWrite = false
   EnableAclLogging = true
   AllowSensorBlock = false
   BlockMaxEntries = 250
   MaxDeviceInterfaces = 250
   NetDevice
      Type = Cisco
      IP = 205.170.225.249
      NATAddr = 0.0.0.0
      Communications = telnet
      ResponseCapabilities = block
      BlockInterface
         InterfaceName = FastEthernet0/0
         InterfaceDirection = in
State
   BlockEnable = true
   NetDevice
      IP = 205.170.225.249
      AclSupport = uses Named ACLs
      Version = 0
      State = Inactive
I never noticed this before: it says the state is Inactive. How do you change it to active?
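As an added example (not code from the thread or from Cisco), the script below parses the sensor's show stat net output, shown above, into a nested structure and flags the two conditions this thread turns on: a NetDevice configured without any BlockInterface (the "no blocking interfaces are configured" case) and a device whose State is not Active. The sample text is the thread's own output with its indentation restored; the second, stripped-down sample and the diagnosis wording are constructed for the example.

```python
"""Added example, not from the thread: parse 'show statistics network-access'
output and report why ARC blocking is not working. Sample output is the thread's;
the variant without BlockInterface is constructed here."""
from __future__ import annotations
from typing import Any, Dict, List

SAMPLE_STAT_NET = """\
Current Configuration
   LogAllBlockEventsAndSensors = true
   EnableNvramWrite = false
   EnableAclLogging = true
   AllowSensorBlock = false
   BlockMaxEntries = 250
   MaxDeviceInterfaces = 250
   NetDevice
      Type = Cisco
      IP = 205.170.225.249
      NATAddr = 0.0.0.0
      Communications = telnet
      ResponseCapabilities = block
      BlockInterface
         InterfaceName = FastEthernet0/0
         InterfaceDirection = in
State
   BlockEnable = true
   NetDevice
      IP = 205.170.225.249
      AclSupport = uses Named ACLs
      Version = 0
      State = Inactive
"""

# Constructed variant: same device, but no BlockInterface under the NetDevice.
SAMPLE_NO_IFACE = "\n".join(
    line for line in SAMPLE_STAT_NET.splitlines()
    if not line.strip().startswith(("BlockInterface", "Interface")))


def parse_stat_net(text: str) -> Dict[str, Any]:
    """Indentation-based parse: 'Key = value' lines become entries, bare lines open a
    section; a repeated section name under one parent (several NetDevice blocks)
    is collected into a list."""
    root: Dict[str, Any] = {}
    stack: List[tuple] = [(-1, root)]          # (indent, dict) of open sections
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        while indent <= stack[-1][0]:          # close sections at same or deeper indent
            stack.pop()
        parent = stack[-1][1]
        if " = " in line:
            key, value = line.split(" = ", 1)
            parent[key] = value
        else:
            node: Dict[str, Any] = {}
            existing = parent.get(line)
            if existing is None:
                parent[line] = node
            elif isinstance(existing, list):
                existing.append(node)
            else:
                parent[line] = [existing, node]
            stack.append((indent, node))
    return root


def _as_list(node: Any) -> List[Dict[str, Any]]:
    if node is None:
        return []
    return node if isinstance(node, list) else [node]


def diagnose(parsed: Dict[str, Any]) -> List[str]:
    """Return human-readable findings; an empty list means blocking looks healthy."""
    findings: List[str] = []
    cfg = parsed.get("Current Configuration", {})
    state = parsed.get("State", {})
    for dev in _as_list(cfg.get("NetDevice")):
        if "BlockInterface" not in dev:
            findings.append(f"{dev.get('IP')}: no BlockInterface in the configuration "
                            "(the 'no blocking interfaces are configured' case)")
    if state.get("BlockEnable") != "true":
        findings.append("BlockEnable is not true: ARC is stopped")
    for dev in _as_list(state.get("NetDevice")):
        if dev.get("State") != "Active":
            findings.append(f"{dev.get('IP')}: State = {dev.get('State')}; "
                            "the sensor has no working session to the device yet")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_STAT_NET, SAMPLE_NO_IFACE):
        for finding in diagnose(parse_stat_net(sample)) or ["no findings"]:
            print(finding)
        print("---")
```

Against the thread's output the only finding is the Inactive device, which matches the reply that follows: the configuration side is complete and the problem is the session to the router.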
03-22-2007 07:36 AM
It will be inactive until we get the interface issue resolved. Can you send me a packet capture of the ARC traffic?
Have 2 CLI sessions open.
In the first session:
conf t
serv net
gen
block-enable false
exit
exit
save changes yes (this stops ARC)
Now start the packet capture in the other window:
packet capture
This will start capturing traffic going to the router you are trying to manage. Now start ARC back up in the other window:
conf t
serv net
gen
block-enable true
exit
exit
yes (will start it back up)
Wait a couple of minutes, then do a Ctrl-C on the packet capture.
Use the copy command to send the packet capture file to a remote machine.
Email me the file (jlively@cisco.com).
03-22-2007 10:57 AM
Thanks for your help, this issue has been solved. I found out that telnet was disabled on the router. Also had to open the ports on the firewall. I am now able to block.
Thanks for all of your help.
03-20-2007 08:09 AM
ids# show stat net
Current Configuration
   LogAllBlockEventsAndSensors = true
   EnableNvramWrite = false
   EnableAclLogging = true
   AllowSensorBlock = false
   BlockMaxEntries = 250
   MaxDeviceInterfaces = 250
   NetDevice
      Type = Cisco
      IP = 205.170.225.249
      NATAddr = 0.0.0.0
      Communications = ssh-3des
      ResponseCapabilities = block
      BlockInterface
         InterfaceName = FastEthernet0/0
         InterfaceDirection = in
         InterfacePreBlock = Pre-Block
         InterfacePostBlock = Post-Block