4240 blocking some traffic between local VLANs

Answered Question
Jul 25th, 2008

I have a 4240 IPS in inline interface mode between our edge firewall and core switch. This connection is a trunk port with 2 VLANs, let's call them A and B. Everything works 100% fine between VLANs (the firewall is doing the inter-vlan routing) with the exception of SSH/telnet from VLAN A to VLAN B, which is a big problem.

Everything else works fine, including:

Web/443/TFTP from A to B

SSH/Telnet from B to A

SSH/Telnet from A to anywhere else in the world

SSH/Telnet from any other networks to B

I have removed the IPS from the equation, and everything is back to normal, so something has to be up with the IPS.

This is a new deployment...so the sensor is using its default configuration. I don't see anything being blocked. Pretty much the only thing that has been configured are the interfaces. I tried different values in the default VLAN field in the interface configuration menu to no avail, and I don't think it's related to the VLAN configuration since web/https and everything else works fine.

What am I missing here? Any ideas?

Thanks AOT

pdesch Mon, 07/28/2008 - 08:12

It is a trunk port because there are multiple VLANs at this location, and the firewall is performing inter-VLAN routing. The setup is basically:

Core Switch ---- Inline IPS ---- Firewall (ASA).

I don't see why I should need to re-do LAN...the IPS should just be forwarding traffic (including VLAN tagging) through unless it's getting blocked by a policy. This is working fine except for the specific telnet/SSH traffic as mentioned.

I am thinking it has to be some kind of bug in the IPS software...from what I can see, I don't see it getting blocked anywhere in the IPS.

Correct Answer
mhellman Mon, 07/28/2008 - 09:52

There used to be some signatures [the normalizer engine] that will drop traffic without alerting. I don't know if they still do it, but check for enabled sigs that use the normalizer engine and don't have an alert action.

pdesch Mon, 07/28/2008 - 11:15

Sure enough, Signature 1330/12 (TCP drop - segment out of order) was the culprit.

You are 100% correct. By default, it, and several of the other signatures using the normalizer engine, will drop packets without logging or alerting. Thanks.
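The check mhellman describes (enabled normalizer-engine signatures that drop but never alert) is easy to automate against an exported signature list. The script below is an added example written for this thread, not code from the thread's participants or from Cisco. It assumes each signature is represented as a simple record (id, subsig, engine, enabled flag, set of event actions); the action names follow the Cisco IPS event-action vocabulary as I recall it (produce-alert, deny-packet-inline and so on) and should be verified against your own sensor. Of the sample records, only 1330/12 "TCP drop - segment out of order" comes from the thread; the 6000x entries are constructed to exercise the other branches.

```python
"""Audit an IPS signature set for "silent drop" entries: signatures that
are enabled, use the normalizer engine, carry an inline deny action and
have no alert action, so traffic disappears with nothing in the event log.

Added example for this thread; assumes the record layout and action names
below (verify against your sensor's own configuration).
"""
from dataclasses import dataclass, replace
from typing import FrozenSet, Iterable, List

# Assumed Cisco IPS event-action names (treat as an assumption to verify).
ALERT_ACTIONS = frozenset({"produce-alert", "produce-verbose-alert"})
DROP_ACTIONS = frozenset({"deny-packet-inline",
                          "deny-connection-inline",
                          "deny-attacker-inline"})


@dataclass(frozen=True)
class Signature:
    sig_id: int
    subsig_id: int
    name: str
    engine: str
    enabled: bool
    actions: FrozenSet[str]

    @property
    def label(self) -> str:
        return f"{self.sig_id}/{self.subsig_id}"


def is_silent_drop(sig: Signature, engine: str = "normalizer") -> bool:
    """True when the signature can drop inline traffic without alerting."""
    return (sig.enabled
            and sig.engine == engine
            and bool(sig.actions & DROP_ACTIONS)
            and not (sig.actions & ALERT_ACTIONS))


def find_silent_drops(sigs: Iterable[Signature],
                      engine: str = "normalizer") -> List[str]:
    """Labels (id/subsig) of every silent-drop signature for the engine."""
    return sorted(s.label for s in sigs if is_silent_drop(s, engine))


def make_visible(sig: Signature) -> Signature:
    """Copy of the signature with produce-alert added, so a drop that is
    still wanted at least shows up in the event store."""
    return replace(sig, actions=sig.actions | {"produce-alert"})


# Sample signature export. 1330/12 is the one named in the thread; the
# 6000x entries are constructed (custom-signature id range) for illustration.
SAMPLE = [
    Signature(1330, 12, "TCP drop - segment out of order", "normalizer",
              True, frozenset({"deny-packet-inline"})),
    Signature(60001, 0, "constructed: normalizer drop that alerts",
              "normalizer", True,
              frozenset({"deny-packet-inline", "produce-alert"})),
    Signature(60002, 0, "constructed: disabled normalizer silent drop",
              "normalizer", False, frozenset({"deny-connection-inline"})),
    Signature(60003, 0, "constructed: silent drop in another engine",
              "string-tcp", True, frozenset({"deny-connection-inline"})),
]

if __name__ == "__main__":
    silent = find_silent_drops(SAMPLE)
    print("normalizer signatures that drop without alerting:", silent)
    for sig in SAMPLE:
        if is_silent_drop(sig):
            fixed = make_visible(sig)
            print(f"  {sig.label} {sig.name!r}: actions -> {sorted(fixed.actions)}")
```

Running it on the sample lists only 1330/12, which matches what pdesch found; passing `engine="string-tcp"` widens the same check to other engines if you want a full audit rather than just the normalizer set.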

Farrukh Haroon Mon, 07/28/2008 - 10:54

Well a pretty simple way to check that would be to put the sensor in 'bypass' mode and then try to telnet/ssh.

Regards

Farrukh
