Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
511
Views
5
Helpful
5
Replies

Can't enable Inline mode on AIP-SSM

Go to solution
jason.scott
Level 1
Level 1

‎04-20-2007 03:01 AM - edited ‎03-10-2019 03:34 AM

I'm trying to get my SSM module to run in inline mode with an ASA5520. Under the service policy configuration inline mode is selected, however on the IPS the backplane interface says Promisicuous.

Am I missing something obvious?

Edit:

The specific config lines all look ok:

class-map outside-class

match any

policy-map outside-policy

description IPS

class outside-class

ips inline fail-open

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
marcabal
Cisco Employee
Cisco Employee

‎04-20-2007 08:44 AM

You are seeing a bug in IDM.

IDM is incorrectly assuming the interface is Promiscuous and shows promiscuous.

The sensor itself treats it as just a monitored interface rather than inline or promiscuous. Each packet will have a header attached by the ASA that determines whether or not the packet should be monitored inline or promiscuous.

This is being fixed in IDM so it just calls it a backplane interface instead of incorrectly assuming it is a promiscuous interface.

View solution in original post

5 Replies 5

Go to solution
marcabal
Cisco Employee
Cisco Employee

‎04-20-2007 08:44 AM

You are seeing a bug in IDM.

IDM is incorrectly assuming the interface is Promiscuous and shows promiscuous.

The sensor itself treats it as just a monitored interface rather than inline or promiscuous. Each packet will have a header attached by the ASA that determines whether or not the packet should be monitored inline or promiscuous.

This is being fixed in IDM so it just calls it a backplane interface instead of incorrectly assuming it is a promiscuous interface.

Go to solution
jason.scott
Level 1
Level 1
In response to marcabal

‎04-23-2007 01:55 AM

Ah, thank you. I had started to wonder this morning if it was something like this.

0 Helpful

Go to solution
deyster94
Level 5
Level 5
In response to marcabal

‎05-09-2007 07:39 AM

Any idea of when this problem will be fixed? I started to notice that the interface was showing promiscuous mode and not inline even though I was 99.9% sure I had it configured correctly. Some clients wonder if it's working right even though I know it should be.

0 Helpful

Go to solution
marcabal
Cisco Employee
Cisco Employee
In response to deyster94

‎05-09-2007 07:49 AM

I think this was already fixed as part of the 6.0(1) release.

It was just a cosmetic issue in IDM.

The fix was to prevent IDM from assuming it was a Promiscuous interface, and was just a cosmetic change in IDM. No real functional change since the sensor was already working correctly.

A similar issue also existed in ASDM, but I am not sure when that one was addressed.

If you are still seeing it called Promiscuous and are running IPS 6.0(1) or higher, then let me know and I will look into this further. Please include the specific screens and situation where it is being seen in 6.0.

0 Helpful

Go to solution
deyster94
Level 5
Level 5
In response to marcabal

‎05-09-2007 08:19 AM

I just put IPS 6.0(2) on the ASA that has an AIP module in it. This changed how the ASDM and IDM shows the interface that's being monitored. It shows it as a backplane interface, which is better then promiscuous.

Thanks for your help.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card