IPS stopping TACACS packets

Answered Question
May 11th, 2007

Hi All,


This is my scenario, Switch--FirstIntPair--PIXInside--PIXOutside--SecondIntPair--Hub--Internetrouter.


I have two interface pairs (please don't ask me why). One between the core switch and the PIX inside interface, and another between the PIX outside interface and the internet router.


Now when I try to telnet to my internet router (I have TACACS running) it doesn't allow me. If I use a local username and password it logs in. Investigating further, I found out that in a debug TACACS I see the TACACS packets getting timed out. When I did a bypass inspection on my IPS, everything works fine. When I enable the inspection again it stops working. There are no event logs for this at all, no signature firing, nothing. Can anyone tell me what's going on? Any help highly appreciated.


-Hoogen

Correct Answer by marcabal, Fri, 05/11/2007 - 06:53

What software version of IPS are you running?


I am not very knowledgeable about TACACS.

If it uses a TCP connection, then the following information may help.


If you are running 5.1, then the Normalizer may be denying packets if the TACACS packets have to go through both interface pairs.

The Normalizer gets confused when the same packet is being seen twice, especially when a firewall may be modifying the packet. The Normalizer can get confused trying to track the TCP sequence numbers.

We do not recommend monitoring 2 interface pairs in 5.1 if some of the same traffic has to flow through both pairs.


If you are running 6.0, then what type of sensor do you have?

If the sensor supports virtualization, then create a new virtual sensor and move one of your interface pairs to the other virtual sensor.


If the 6.0 sensor does not support virtualization (like the IDS-4215), then there is a new option in 6.0, "inline-TCP-session-tracking-mode". Set this option to "interface-and-vlan". This way the sensor will track traffic on each interface pair independently in order to prevent most normalizer issues.

I am not sure if the information above will help solve your particular problem or not.


Some other things to check if it does not.

The TACACS traffic may be triggering a signature.

Execute "show events" on your sensor CLI and execute your TACACS connection to see if any signatures are being triggered that may have a deny action.


You might even try setting up an event action override for the produce-alert event action for risk rating range 1-100 and trying the "show events" again. There are a few signatures that don't create alerts by default (intentionally), but will create alerts with the event-action override. You can see if maybe one of these is being triggered.

(Remember to turn off the produce-alert event action override when you are done diagnosing. Many of the signatures that don't produce an alert by default can be very noisy, as they monitor for normal traffic and are just pieces/components of a Meta Signature that is looking for the actual attack itself.)
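The normalizer behaviour marcabal describes above, as an added toy example (this is not code from the thread or from Cisco): a TCP normalizer that keys its sequence-number state by the 5-tuple alone is fed the same TACACS+ segments as seen on both interface pairs, and then the same flow is run with the state keyed per interface pair, which is what the thread's "interface-and-vlan" option is meant to achieve. The firewall is assumed to rewrite the sequence numbers by a fixed offset (as a firewall doing initial-sequence-number randomisation would) while leaving the 5-tuple unchanged; the addresses, ports, sequence numbers, offset and mode names are constructed labels for the illustration.

```python
"""Toy TCP normalizer seeing one flow on two inline interface pairs.

Constructed illustration (not Cisco's code): shows why keying sequence-number
state by 5-tuple alone misfires when the same segments are seen twice, and
why keying per interface pair ('interface-and-vlan' in the thread's terms)
does not.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    iface_pair: str  # sensor interface pair that saw this copy
    src: str
    dst: str
    sport: int
    dport: int
    seq: int         # TCP sequence number as seen on that pair
    length: int      # payload bytes carried


class TcpNormalizer:
    """Tracks the next expected sequence number per flow and denies segments
    that fall outside a window around it (a simplified normalizer rule)."""

    MODES = ("global", "interface-and-vlan")

    def __init__(self, mode="global", window=65535):
        if mode not in self.MODES:
            raise ValueError(f"unknown tracking mode: {mode}")
        self.mode = mode
        self.window = window
        self.expected = {}  # flow key -> next expected sequence number
        self.events = []    # (verdict, flow key, seq): what a 'show events' review would list

    def flow_key(self, seg):
        key = (seg.src, seg.dst, seg.sport, seg.dport)
        if self.mode == "interface-and-vlan":
            key += (seg.iface_pair,)  # separate state per interface pair
        return key

    def inspect(self, seg):
        key = self.flow_key(seg)
        nxt = self.expected.get(key)
        if nxt is None:  # first segment of this flow: learn its position
            self.expected[key] = seg.seq + seg.length
            return "pass"
        if not (nxt - self.window <= seg.seq <= nxt + self.window):
            self.events.append(("deny", key, seg.seq))
            return "deny"
        self.expected[key] = max(nxt, seg.seq + seg.length)
        return "pass"


# Constructed: the firewall rewrites sequence numbers by a fixed offset, as a
# firewall doing initial-sequence-number randomisation would, and leaves the
# 5-tuple unchanged. Addresses are from the RFC 5737 documentation ranges.
FIREWALL_SEQ_OFFSET = 0x3A7F0000
ROUTER, TACACS_SERVER = "203.0.113.1", "192.0.2.10"


def tacacs_segments():
    """Three TACACS+ (TCP/49) segments from the router to the server, each
    seen first on the outside pair, then (rewritten) on the inside pair."""
    sent = [(1000, 12), (1012, 40), (1052, 28)]  # (seq, payload length) as sent
    segs = []
    for seq, ln in sent:
        segs.append(Segment("outside-pair", ROUTER, TACACS_SERVER, 40001, 49, seq, ln))
        segs.append(Segment("inside-pair", ROUTER, TACACS_SERVER, 40001, 49,
                            seq + FIREWALL_SEQ_OFFSET, ln))
    return segs


def run(mode):
    """Feed the flow through a normalizer in the given mode; return verdicts."""
    normalizer = TcpNormalizer(mode)
    return [normalizer.inspect(s) for s in tacacs_segments()]


if __name__ == "__main__":
    for mode in TcpNormalizer.MODES:
        print(f"{mode:20s} {run(mode)}")
```

In "global" mode every inside-pair copy is denied, because the outside-pair copy has already set the expected sequence number and the rewritten copy lands far outside the window; the TACACS server never receives the request, which is the timeout the debug shows, and a normalizer deny of this kind need not fire a named signature. In "interface-and-vlan" mode each pair has its own state and all six segments pass.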


hoogen_82 Fri, 05/11/2007 - 08:04

Hi, thanks a lot. I am running 5.1 and followed your instructions; everything works fine now. I think I am planning an upgrade to 6.0 in a day or two and will follow your instructions. I have a 4255, so I shouldn't have a problem. Just worried, though, that my VMS would be a problem when I do upgrade to 6.0.


-Hoogen

marcabal Fri, 05/11/2007 - 08:42

VMS has 2 components that deal with IPS.

The Security Monitor utility can continue to be used to monitor IPS 6.0 events (though it will not show the new 6.0 alert fields, it will only show the fields that were available in 5.1)

The IPS Management Center utility will not work for configuring IPS 6.0.



CSM 3.1 (Cisco Security Monitor) is the latest evolution of the security management products, and can manage both the older 5.1 sensors and the newer 6.0 sensors.


BUT know that CSM 3.1 can only configure the sensor and can not monitor the sensor.

Some users have chosen to leave their SecMon installation in place and continue to monitor IPS 6.0 sensors with it.

And install CSM 3.1 on a new system.


My recommendation would be to upgrade to CSM 3.1 (or install on a new system), and get CSM 3.1 working with your current 5.1 sensors. And only when you are comfortable with CSM 3.1 working would you take the next step and upgrade the sensors to IPS 6.0.

This will reduce your risk of upgrading as only one product would be upgraded at a time.


Also understand that Cisco is committed to supporting 5.1 signature updates for at least another year, and likely a year and a half. So you do have some time.


hoogen_82 Fri, 05/11/2007 - 20:49

Really appreciate your recommendation. What I have is a VMS Basic. Now, if I do a fresh install of CSM 3.1 (before April 2 I had ordered the CSM free upgrade, but they sent me CSM 3.0; for 3.1 I have downloaded the entire stuff from the Cisco Secure software), I was worried about the licensing part: how would the licensing work? I just need to manage a single IPS device.


In one of the statements, you mentioned CSM would only configure the sensor and not monitor it. Does this mean that when I upgrade to CSM 3.1 I would not be able to get reports and monitor IPS running 5.1E1?


Thanks

-Hoogen

attmidsteam Sat, 05/12/2007 - 08:33

If you are managing a single IPS device, then I would suggest doing it via the interface provided on the sensor, as CSM will not provide the functionality you appear to need and use via SecMon.


CSM -- store configurations, alter configurations, deploy and manage configurations


SecMon -- monitor and build reports


Hope this helps!

hoogen_82 Sat, 05/12/2007 - 11:03

Sorry for not understanding your answer. But I guess you are right: I need the Security Monitor to monitor and build reports. Could you give me the link where I could download it, and the configuration manual which would help me monitor my IPS?


So does my Security Monitor monitor IPS 6.0 too?


I am okay with configuring it through the management interface.


Thanks

Hoogen
