IPS 4240 6.1(1)E2 failing the shun command to a 7.2(4) PIX

Jun 23rd, 2008

Command per the event store: "no shut (outside)" failing at keyword outside, which within the CLI doesn't work. Keyword outside is not within the command.

rhermes Tue, 06/24/2008 - 14:03

There are a few possible causes to your problem. One may be that the PIX username does not have permission to issue a shun.

To really see what is happening between the sensor and the PIX, have the sensor log into the PIX via telnet. Use Ethereal/Wireshark to capture the session on the wire and then use the "rebuild session" feature in Ethereal/Wireshark. This will show you exactly where things are going wrong.

dmchugh Tue, 06/24/2008 - 14:18

Actually found the answer by testing. Turns out, when I upgraded the IPS, there was an existing SHUN on the PIX. Once it was upgraded, it could not remove it and I believe that was the source of the errors. Only a hypothesis, but at this point, there may have been some change in method for posting and removing shuns. I removed the existing shun manually and all is now well.

rhermes Wed, 06/25/2008 - 08:34

When you use a sensor to issue shuns on a firewall, the sensor thinks it "owns" all the shuns on the firewall, regardless of how they were originally entered (manually or by an IDS). When a sensor reboots (or the shun process restarts) the sensor will attempt to clear all existing shuns on the firewall. This has caused some problems when there have been manually entered shuns on the firewall. If you use more than one sensor, it's important to make one the Master Block Sensor to prevent shun contention.

stleary Wed, 06/25/2008 - 09:42

This is a known bug: CSCsq22506

Until it is fixed, the workaround is:

Clear all the shuns on the PIX/firewall/FWSM before the sensor connects/reconnects to the device.
