I have a 4240 IPS in inline interface mode between our edge firewall and core switch. This connection is a trunk port with 2 VLANs, let's call them A and B. Everything works 100% fine between VLANs (the firewall is doing the inter-VLAN routing) with the exception of SSH/telnet from VLAN A to VLAN B, which is a big problem.
Everything else works fine, including:
Web/443/TFTP from A to B
SSH/Telnet from B to A
SSH/Telnet from A to anywhere else in the world
SSH/Telnet from any other networks to B
I have removed the IPS from the equation, and everything is back to normal, so something has to be up with the IPS.
This is a new deployment... so the sensor is using its default configuration. I don't see anything being blocked. Pretty much the only thing that has been configured is the interfaces. I tried different values in the default VLAN field in the interface configuration menu to no avail, and I don't think it's related to the VLAN configuration since web/HTTPS and everything else works fine.
What am I missing here? Any ideas?
There used to be some signatures [the normalizer engine] that would drop traffic without alerting. I don't know if they still do it, but check for enabled sigs that use the normalizer engine and don't have an alert action.