01-17-2008 08:23 AM - edited 03-10-2019 03:56 AM
Basically, it looks like it's running, but the stats are staying at zero packets processed.
01-17-2008 11:37 AM
Typically the ASA or the IPS configuration has not been done.
A few things to check.
Check your ASA configuration and verify that the ASA has a policy applied that will send packets to the SSM for monitoring.
The ASA does not automatically send all packets to the SSM for monitoring. Instead you have to create a policy specifying the class of traffic you want monitored and apply that policy either globally or to a specific ASA interface.
Check your IPS configuration and ensure that GigabitEthernet0/1 is assigned to virtual sensor vs0.
By default the SSM will not monitor packets that are sent to it. You have to assign Gig0/1 to a virtual sensor (typically vs0) to tell the SSM that you want those packets monitored.
NOTE: This Gig0/1 is the internal backplane interface of the SSM and should not be confused with the Gig0/1 interface of the ASA.
To then check if packets are being sent to the SSM for monitoring you can execute:
1) "show int detail" on the ASA CLI and check the statistics for the Internal-Data0/0 interface. This is the ASA's backplane interface to the SSM and the transmit count should be increasing.
2) "show int" on the SSM CLI and check the statistics of Gig0/1. The receive count should be increasing.
3) "show stat vi" on the SSM CLI and check the packet counts for the virtual sensor
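The three checks above all come down to the same question: does a transmit or receive counter move between two readings? As an added helper (written for this thread, not code from the original posts or from Cisco), the script below parses two captured "show interface" dumps and reports the per-interface packet deltas. The sample dumps are constructed and only loosely modelled on ASA output; the interface header and "packets input/output" line shapes are assumptions, so adjust the regexes to match what your ASA actually prints.

```python
import re
from typing import Dict, Tuple

# Constructed sample snapshots loosely modelled on ASA "show interface" output.
# Assumption: the real command prints one "Interface <name> ..." header per
# interface followed by "<n> packets input" / "<n> packets output" lines.
SNAPSHOT_BEFORE = """\
Interface Internal-Data0/0 "", is up, line protocol is up
        1000 packets input, 120000 bytes
        0 packets output, 0 bytes
Interface GigabitEthernet0/1 "inside", is up, line protocol is up
        5000 packets input, 600000 bytes
        4800 packets output, 580000 bytes
"""

# Same device a little later: the backplane transmit counter has moved,
# which is what you expect once the service policy is handing traffic to the SSM.
SNAPSHOT_AFTER = """\
Interface Internal-Data0/0 "", is up, line protocol is up
        1000 packets input, 120000 bytes
        250 packets output, 31000 bytes
Interface GigabitEthernet0/1 "inside", is up, line protocol is up
        5400 packets input, 650000 bytes
        5100 packets output, 620000 bytes
"""

HEADER = re.compile(r"^Interface (\S+)")
INPUT = re.compile(r"(\d+) packets input")
OUTPUT = re.compile(r"(\d+) packets output")


def parse_counters(text: str) -> Dict[str, Tuple[int, int]]:
    """Return {interface: (packets_in, packets_out)} from a show-interface dump."""
    counters: Dict[str, Tuple[int, int]] = {}
    current = None
    pkts_in = pkts_out = 0
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            # Flush the previous interface block before starting a new one.
            if current is not None:
                counters[current] = (pkts_in, pkts_out)
            current, pkts_in, pkts_out = m.group(1), 0, 0
            continue
        m = INPUT.search(line)
        if m:
            pkts_in = int(m.group(1))
        m = OUTPUT.search(line)
        if m:
            pkts_out = int(m.group(1))
    if current is not None:
        counters[current] = (pkts_in, pkts_out)
    return counters


def counter_delta(before: str, after: str, iface: str) -> Tuple[int, int]:
    """(delta_in, delta_out) for one interface between two snapshots."""
    b = parse_counters(before).get(iface, (0, 0))
    a = parse_counters(after).get(iface, (0, 0))
    return (a[0] - b[0], a[1] - b[1])


def ssm_is_receiving(before: str, after: str, iface: str = "Internal-Data0/0") -> bool:
    """True when the ASA backplane transmit counter increased, i.e. the
    service policy is actually sending packets to the SSM."""
    _, delta_out = counter_delta(before, after, iface)
    return delta_out > 0


if __name__ == "__main__":
    print(counter_delta(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, "Internal-Data0/0"))
    print("SSM receiving:", ssm_is_receiving(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
```

Take the two captures a few seconds apart while traffic you expect to be inspected is flowing. A zero delta on Internal-Data0/0 output means the ASA policy is not sending anything to the module, which points at the class-map/policy-map side rather than at the sensor; a negative delta means the counters were cleared or wrapped between the readings, so capture again.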
01-30-2008 03:15 PM
First, thank you for an excellent post. I find the AIP/IPS documentation atrocious.
Next, regarding step 3 above, I am showing all zeros on my packet counts. Obviously, I do not have my virtual interface assigned to my Gig0/1 interface. Is this assigned from within the AIP module on the ASA? If so, could you assist with the config? Thanks.
01-30-2008 04:05 PM
Login with the cisco account into your SSM.
Run the setup command.
One of the last questions is to modify your interface and virtual sensor configuration.
Type Yes to modify it.
Then you are asked whether to modify the interface or virtual sensor, and select the option for modifying the virtual sensor.
Then you are asked whether to modify vs0 or create a new virtual sensor, and select the option to modify vs0.
Then it should present you with the option to add Gig0/1 to vs0.
Once you make that change and work your way through the rest of the setup prompts and apply the configuration, then it should start sending packets to your virtual sensor vs0 (assuming the ASA configuration was also correct).
01-31-2008 10:12 AM
Thank you for a clear, concise post.
01-31-2008 01:46 PM
I ran into that problem as well. I had to create an ACL on my ASA and a class-map.
access-list ips permit ip any any <----- access list that matches all IP traffic to the ips
class-map my-ips-class <------------ class of traffic that matches the ips acl.
match access-list ips <------------- name must match the access-list exactly (case-sensitive)
policy-map my-ids-policy
class my-ips-class
ips promiscuous fail-open <------ in the event of a failure of the SSM20 all traffic will bypass it
service-policy my-ids-policy global <----- the policy does nothing until it is applied (globally here, or per interface)
01-31-2008 01:40 PM
Wow here I was thinking I'm alone in thinking the documentation isn't very useful.
01-31-2008 01:51 PM
I lack only the IPS cert for a CCSP, and I find the Cisco IPS documentation (including the Cisco Press releases on IPS) simply bewildering. Can't someone write a concise (i.e., < 100 pages) explanation on what tasks are needed for a minimum configuration on the ASA AIP module? If one exists, I have not been able to find it.
Back to the school of hard knocks.....