This is my scenario: Switch--FirstIntPair--PIXInside--PIXOutside--SecondIntPair--Hub--InternetRouter.
I have two interface pairs (please don't ask me why): one between the core switch and the PIX inside interface, and another between the PIX outside interface and the Internet router.
Now, when I try to telnet to my Internet router (I have TACACS running) it doesn't allow me in. If I use a local username and password, it logs in. Investigating further, I found that in a TACACS debug I see the TACACS packets timing out. When I put my IPS into bypass (no inspection), everything works fine; when I enable inspection again, it stops working. There are no event logs for this at all: no signature firing, nothing. Can anyone tell me what's going on? Any help highly appreciated.
What software version of IPS are you running?
I am not very knowledgeable about TACACS.
If it uses a TCP connection, then the following information may help.
If you are running 5.1, then the Normalizer may be denying packets if the TACACS packets have to go through both interface pairs.
The Normalizer gets confused when the same packet is seen twice, especially when a firewall may be modifying the packet. The Normalizer can get confused trying to track the TCP sequence numbers.
We do not recommend monitoring 2 interface pairs in 5.1 if some of the same traffic has to flow through both pairs.
If you are running 6.0, then what type of sensor do you have?
If the sensor supports virtualization, then create a new virtual sensor and move one of your interface pairs to the other virtual sensor.
If the 6.0 sensor does not support virtualization (like the IDS-4215), then there is a new option in 6.0, "inline-TCP-session-tracking-mode". Set this option to "interface-and-vlan". This way the sensor will track traffic on each interface pair independently in order to prevent most Normalizer issues.
I am not sure if the information above will help solve your particular problem or not.
Some other things to check if it does not.
The TACACS traffic may be triggering a signature.
Execute "show events" on your sensor CLI and execute your TACACS connection to see if any signatures are being triggered that may have a deny action.
You might even try setting up an event action override for the produce-alert event action for risk rating range 1-100 and trying "show events" again. There are a few signatures that don't create alerts by default (intentionally), but will create alerts with the event action override. You can see if maybe one of these is being triggered.
(Remember to turn off the produce-alert event action override when you are done diagnosing. Many of the signatures that don't produce an alert by default can be very noisy, as they monitor for normal traffic and are just pieces/components of a Meta signature that is looking for the actual attack itself.)
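The two fixes and the diagnostic procedure above, written out as a sensor CLI session. This is an added example and is not part of the original reply; the command syntax is as recalled from the Cisco IPS 6.0 CLI configuration guide, and the virtual sensor name "vs0" and rules set name "rules0" are the 6.0 defaults, assumed here. Check each command with "?" on your own sensor before applying it. Note that TACACS+ runs over TCP (server port 49), so the TCP-session-tracking discussion does apply to this traffic.

```text
! Added example, not from the thread. Syntax recalled from the Cisco IPS 6.0
! CLI guide; "vs0" and "rules0" are the assumed default names.

! 1. Sensor without virtualization (e.g. IDS-4215): track TCP sessions per
!    interface pair, so the Normalizer does not treat the PIX-inside and
!    PIX-outside copies of one TACACS+ connection as a single stream.
sensor# configure terminal
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# inline-TCP-session-tracking-mode interface-and-vlan
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes:?[yes]: yes

! 2. Diagnosis only: force produce-alert for risk rating 1-100 so that the
!    signatures that normally stay silent show up in the event store.
sensor(config)# service event-action-rules rules0
sensor(config-rul)# overrides produce-alert
sensor(config-rul-ove)# override-item-status enabled
sensor(config-rul-ove)# risk-rating-range 1-100
sensor(config-rul-ove)# exit
sensor(config-rul)# exit
Apply Changes:?[yes]: yes

! 3. Repeat the telnet login against the router, then list the alerts from
!    the last five minutes and look for any deny-* action on a flow whose
!    destination is the TACACS+ server on TCP/49.
sensor# show events alert past 00:05:00

! 4. Back the override out when done; the component signatures of Meta
!    signatures are very noisy with produce-alert forced on.
sensor(config)# service event-action-rules rules0
sensor(config-rul)# overrides produce-alert
sensor(config-rul-ove)# override-item-status disabled
sensor(config-rul-ove)# exit
sensor(config-rul)# exit
Apply Changes:?[yes]: yes
```

If step 3 shows no alert at all while the login still fails, the Normalizer (step 1) rather than a signature is the more likely cause; a quick confirmation is to temporarily move the second interface pair out of the sensor's inline path and see whether TACACS+ authentication succeeds with only one pair inspected.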