blocking login profiles

Unanswered Question
May 2nd, 2007

I think this should be pretty straightforward, but am having an impossible time getting blocking to work. I have an IPS 4240 with software version 6 and have configured many login profiles to try to get my ASA to shun a host triggering a signature using the host block option. Setup is host -> switch -> IPS spanning uplink port -> router -> ASA -> Internet

I've tried manually adding the block on the host and while it appears in the active host blocks monitoring section, the host is still able to reach anywhere on the Internet. I also see an ARC event stating wrong username/password combination. Seems like a simple fix, but I'm fairly sure I'm putting the correct username and password in. I've retrieved the ssh key from the ASA while on the IPS and have tried using telnet also. I've enabled any host on my LAN to telnet to the PIX in effort to troubleshoot, but it's not working either. I'm using Cisco ACS with my ASA, and have tried domain\username and [email protected] and just plain username, but none work.

Thank you,


rhermes Wed, 05/02/2007 - 14:52

We've had Shunning between a 5.x sensor and ASA working. To trouble shoot, use Telnet between the sensor and the ASA. Then sniff the traffic using Ethereal/Wireshark. Follow the TCP session to watch the commands between the two, this should show you where things are going wrong.

WILLIAM STEGMAN Thu, 05/03/2007 - 05:09

I've not been able to use the telnet or ssh command from the CLI on the sensor, and don't see that option from the GUI either. I've tried twice sniffing traffic from the inside interface of my ASA during a test attempt to trigger the block and found only ACKs, and some data containing the message banner, username and password. The username and password looked to both have unusual spaces between them, but I'm not sure if that's just how Ethereal displays the contents or not. I'm definitely able to telnet to my ASA from my desktop using my domain creds and Cisco ACS. Event Viewer logs from the IPS continue to read

evError: eventId=1177685004019530953 vendor=Cisco severity=error
hostId: HBG-IPS
appName: nac
appInstanceId: 29279
time: May 3, 2007 12:52:02 PM UTC offset=-240 timeZone=UTC
errorMessage: ERROR: Wrong username/password for net device [] name=errSystemError

update - I don't know why, but it is working now with local credentials even though my ASA is set up to use Cisco ACS.
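An added example, not code from the thread or from Cisco: a small Python parser for evError records in the format quoted above, which flags the ARC (appName "nac") credential failure so it can be pulled out of a larger IPS event feed. Field names come from the quoted record; the sample text is constructed to match it.

```python
import re

# Constructed sample, modelled on the evError record quoted in this thread.
SAMPLE_EVENT = """\
evError: eventId=1177685004019530953 vendor=Cisco severity=error
hostId: HBG-IPS
appName: nac
appInstanceId: 29279
time: May 3, 2007 12:52:02 PM UTC offset=-240 timeZone=UTC
errorMessage: ERROR: Wrong username/password for net device [] name=errSystemError
"""

def parse_everror(text):
    """Parse one evError record into a flat dict of its fields."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, rest = line.partition(":")
        key, rest = key.strip(), rest.strip()
        if key == "evError":
            # The header line carries key=value attributes (eventId, vendor, severity).
            for k, v in re.findall(r"(\w+)=(\S+)", rest):
                fields[k] = v
        elif key == "errorMessage":
            # The trailing "name=..." tag names the error class; split it off.
            m = re.search(r"\s+name=(\S+)$", rest)
            if m:
                fields["errorName"] = m.group(1)
                rest = rest[:m.start()]
            fields["errorMessage"] = rest
        else:
            fields[key] = rest
    return fields

def is_block_login_failure(fields):
    """True when the ARC (appName 'nac') failed to log into the blocking device."""
    return (fields.get("appName") == "nac"
            and "Wrong username/password" in fields.get("errorMessage", ""))

def find_block_login_failures(log):
    """Split a concatenated event log on record headers; return the failing records."""
    records = re.split(r"(?m)^(?=evError:)", log)
    parsed = (parse_everror(r) for r in records if r.strip())
    return [f for f in parsed if is_block_login_failure(f)]
```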

