How do you tell if an ASA-SSM-20 is actually running and filtering traffic?

Unanswered Question
marcabal Thu, 01/17/2008 - 11:37
User Badges:
  • Cisco Employee,

Typically the ASA or the IPS configuration has not been done.

A few things to check.

Check your ASA configuration and verify that the ASA has a policy applied that will send packets to the SSM for monitoring.

The ASA does not automatically send all packets to the SSM for monitoring. Instead you have to create a policy specifying the class of traffic you want monitored and apply that policy either globally or to a specific ASA interface.

Check your IPS configuration and ensure that GigabitEthernet0/1 is assigned to virtual sensor vs0.

By default the SSM will not monitor packets that are sent to it. You have to assign Gig0/1 to a virtual sensor (typically vs0) to tell the SSM that you want those packets monitored.

NOTE: This Gig0/1 is the internal backplane interface of the SSM and should not be confused with the Gig0/1 interface of the ASA.

To then check if packets are being sent to the SSM for monitoring you can execute:

1) "show int detail" on the ASA CLI and check the statistics for the Internal-Data0/0 interface. This is the ASA's backplane interface to the SSM and the transmit count should be increasing.

2) "show int" on the SSM CLI and check the statistics of Gig0/1. The receive count should be increasing.

3) "show stat vi" on the SSM CLI and check the packet counts for the virtual sensor

pdriscoll Wed, 01/30/2008 - 15:15
User Badges:

First, thank you for an excellent post. I find the AIP/IPS documentation atrocious.

Next, regarding step 3 above, I am showing all zeros on my packet counts. Obviously, I do not have my virtual interface assigned to my Gig0/1 interface. Is this assigned from within the AIP module on the ASA? If so, could you assist with the config? Thanks.

marcabal Wed, 01/30/2008 - 16:05
User Badges:
  • Cisco Employee,

Login with the cisco account into your SSM.

Run the setup command.

One of the last questions is to modify your interface and virtual sensor configuration.

Type Yes to modify it.

Then you are asked whether to modify the interface or virtual sensor, and select the option for modifying the virtual sensor.

Then you are asked whether to modify vs0 or create a new virtual sensor, and select the option to modify vs0.

Then it should present you with the option to add Gig0/1 to vs0.

Once you make that change and work your way through the rest of the setup prompts and apply the configuration, then it should start sending packets to your virtual sensor vs0 (assuming the ASA configuration was also correct).

rolandshum Thu, 01/31/2008 - 13:46
User Badges:

I ran into that problem as well. I had to create a ACL on my ASA and a class-map.

access-list ips permit ip any any <----- access list that matches all IP traffic to the ips

class-map my-ips-class <------------ class of traffic that matches the ips acl.

match access-list IPS

policy-map my-ids-policy

class my-ips-class

ips promiscuous fail-open <------ in the event of a failure of the SSM20 all traffic will bypass it

rolandshum Thu, 01/31/2008 - 13:40
User Badges:

Wow here I was thinking I'm alone in thinking the documentation isn't very useful.

pdriscoll Thu, 01/31/2008 - 13:51
User Badges:

I lack only the IPS cert for a CCSP, and I find the Cisco IPS documentation (including the Cisco Press releases on IPS) simply bewildering. Can't someone write a concise (i.e., < 100 pages) explanation on what tasks are needed for a minimum configuration on the ASA AIP module? If one exists, I have not been able to find it.

Back to the school of hard knocks.....


This Discussion