4240 blocking some traffic between local VLANs

pdesch
Level 1

I have a 4240 IPS in inline interface mode between our edge firewall and core switch. This connection is a trunk port with 2 VLANs, let's call them A and B. Everything works 100% fine between VLANs (the firewall is doing the inter-VLAN routing) with the exception of SSH/telnet from VLAN A to VLAN B, which is a big problem.

Everything else works fine, including:

Web/443/TFTP from A to B

SSH/Telnet from B to A

SSH/Telnet from A to anywhere else in the world

SSH/Telnet from any other networks to B

I have removed the IPS from the equation, and everything is back to normal, so something has to be up with the IPS.

This is a new deployment...so the sensor is using its default configuration. I don't see anything being blocked. Pretty much the only thing that has been configured are the interfaces. I tried different values in the default VLAN field in the interface configuration menu to no avail, and I don't think it's related to the VLAN configuration since web/https and everything else works fine.

What am I missing here? Any ideas?

Thanks AOT


5 Replies

Farrukh Haroon
VIP Alumni

Why would you set up trunk ports in 'inline interface mode'? Just use regular access ports. Have a look at this newly released document:

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_example09186a00809c37cb.shtml

Regards

Farrukh

It is a trunk port because there are multiple VLANs at this location, and the firewall is performing inter-VLAN routing. The setup is basically:

Core Switch ---- Inline IPS ---- Firewall (ASA).

I don't see why I should need to re-do the LAN...the IPS should just be forwarding traffic (including VLAN tagging) through unless it's getting blocked by a policy. This is working fine except for the specific telnet/SSH traffic as mentioned.

I am thinking it has to be some kind of bug in the IPS software...from what I can see, I don't see it getting blocked anywhere in the IPS.

There used to be some signatures [the normalizer engine] that will drop traffic without alerting. I don't know if they still do it, but check for enabled sigs that use the normalizer engine and don't have an alert action.

Sure enough, Signature 1330/12 (TCP drop - segment out of order) was the culprit.

You are 100% correct. By default, it and several of the other signatures using the normalizer engine will drop packets without logging or alerting. Thanks.
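As an added example (not from this thread and not Cisco's software), here is a small Python model of the two things the accepted reply tells you to check: an audit of constructed signature records for enabled normalizer-engine signatures that deny traffic without an alert action, and a detector for the condition 1330/12 (TCP segment out of order) matches in a stream. The record fields, the engine label and the action names are assumptions for the sake of the example, not parsed Cisco IPS output.

```python
from dataclasses import dataclass, field

@dataclass
class Signature:
    """Constructed signature record; field names are assumptions."""
    sig_id: int
    subsig: int
    engine: str          # assumed engine label, e.g. "normalizer"
    enabled: bool
    actions: set = field(default_factory=set)

# Constructed sample sensor policy (not real sensor output).
SIGS = [
    Signature(1330, 12, "normalizer", True, {"deny-packet-inline"}),
    Signature(1330, 17, "normalizer", True, {"deny-packet-inline", "produce-alert"}),
    Signature(2004, 0, "atomic-ip", True, {"produce-alert"}),
    Signature(1300, 0, "normalizer", False, {"deny-packet-inline"}),
]

def silent_drops(sigs):
    """(sig, subsig) for enabled normalizer sigs that deny but never alert.
    These are the ones that block traffic without leaving an event."""
    return [(s.sig_id, s.subsig) for s in sigs
            if s.enabled and s.engine == "normalizer"
            and "produce-alert" not in s.actions
            and any(a.startswith("deny") for a in s.actions)]

def out_of_order(segments):
    """Indices of segments that arrive ahead of the next expected sequence
    number, i.e. what an 'out of order' normalizer check fires on.
    segments: list of (seq, length) for one direction of a TCP stream."""
    expected = segments[0][0]
    held = {}            # out-of-order segments waiting for the gap to fill
    flagged = []
    for i, (seq, length) in enumerate(segments):
        if seq < expected:
            continue                 # retransmission of data already seen
        if seq > expected:
            flagged.append(i)        # arrived before earlier data: out of order
            held[seq] = length
            continue
        expected = seq + length
        while expected in held:      # gap filled: consume buffered segments
            expected += held.pop(expected)
    return flagged

if __name__ == "__main__":
    print("silent-drop sigs:", silent_drops(SIGS))
    print("out-of-order idx:", out_of_order([(1000, 100), (1200, 100), (1100, 100), (1300, 50)]))
```

Run the audit against your own exported signature list after mapping its columns onto the record fields; any hit is a candidate for the symptom described in this thread.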

Well, a pretty simple way to check that would be to put the sensor in 'bypass' mode and then try to telnet/ssh.

Regards

Farrukh
