07-25-2008 12:55 PM - edited 03-10-2019 04:13 AM
I have a 4240 IPS in inline interface mode between our edge firewall and core switch. This connection is a trunk port with 2 VLANs, let's call them A and B. Everything works 100% fine between VLANs (the firewall is doing the inter-VLAN routing) with the exception of SSH/telnet from VLAN A to VLAN B, which is a big problem.
Everything else works fine, including:
Web/443/TFTP from A to B
SSH/Telnet from B to A
SSH/Telnet from A to anywhere else in the world
SSH/Telnet from any other networks to B
I have removed the IPS from the equation, and everything is back to normal, so something has to be up with the IPS.
This is a new deployment...so the sensor is using its default configuration. I don't see anything being blocked. Pretty much the only thing that has been configured are the interfaces. I tried different values in the default VLAN field in the interface configuration menu to no avail, and I don't think it's related to the VLAN configuration since web/https and everything else works fine.
What am I missing here? Any ideas?
Thanks AOT
07-26-2008 03:08 AM
Why would you set up trunk ports in 'inline interface mode'? Just use regular access ports. Have a look at this newly released document:
Regards
Farrukh
07-28-2008 08:12 AM
It is a trunk port because there are multiple VLANs at this location, and the firewall is performing inter-VLAN routing. The setup is basically:
Core Switch ---- Inline IPS ---- Firewall (ASA).
I don't see why I should need to re-do the LAN...the IPS should just be forwarding traffic (including VLAN tagging) through unless it's getting blocked by a policy. This is working fine except for the specific telnet/SSH traffic as mentioned.
I am thinking it has to be some kind of bug in the IPS software...from what I can see, I don't see it getting blocked anywhere in the IPS.
07-28-2008 09:52 AM
There used to be some signatures [the normalizer engine] that will drop traffic without alerting. I don't know if they still do it, but check for enabled sigs that use the normalizer engine and don't have an alert action.
07-28-2008 11:15 AM
Sure enough, Signature 1330/12 (TCP drop - segment out of order) was the culprit.
You are 100% correct. By default, it, and several of the other signatures using the normalizer engine will drop packets without logging or alerting. Thanks.
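The two things this thread turns on are (1) why a normalizer signature such as 1330/12 fires on interactive SSH/telnet that arrives with reordered segments, and (2) how to audit a signature set for the silent-drop condition described above (normalizer engine, enabled, deny action, no alert action). The Python below is an added illustration written for this page; it is not Cisco code and does not read a real sensor configuration. The per-flow sequence tracker is a simplified model of the out-of-order check, the segment stream and the signature records are constructed sample data, and the action names `deny-packet-inline` / `produce-alert` are assumed to match the sensor's action vocabulary.

```python
"""Model of the TCP-normalizer 'segment out of order' check and a small
audit helper for silently dropping signatures. Added example; all data
below is constructed for illustration, not captured from a sensor."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Segment:
    """One TCP segment as seen by an inline sensor (payload only)."""
    src: str
    dst: str
    seq: int
    length: int


def normalizer_verdicts(segments: List[Segment],
                        drop_out_of_order: bool = True) -> List[str]:
    """Walk segments in arrival order and return one verdict per segment.

    Per direction of a flow the model remembers the next expected sequence
    number. A segment whose seq is beyond that number has arrived ahead of a
    hole: in 'drop' mode (the thread's default for 1330/12) it is discarded
    without an alert and the sender must retransmit; in 'monitor' mode it is
    forwarded and only flagged. Segments below the expected number are
    treated as retransmissions. This is a simplification of the real engine.
    """
    expected: Dict[Tuple[str, str], int] = {}
    verdicts: List[str] = []
    for seg in segments:
        key = (seg.src, seg.dst)
        if key not in expected:                 # first segment seen: trust it
            expected[key] = seg.seq + seg.length
            verdicts.append("pass")
        elif seg.seq == expected[key]:          # in order: advance the window
            expected[key] = seg.seq + seg.length
            verdicts.append("pass")
        elif seg.seq < expected[key]:           # already-covered data
            verdicts.append("retransmit")
        elif drop_out_of_order:                 # hole before this segment
            verdicts.append("drop")             # silent drop, window unchanged
        else:
            verdicts.append("forward-out-of-order")
    return verdicts


def silent_drop_signatures(sigs: List[dict]) -> List[str]:
    """Return ids of enabled normalizer-engine signatures that have a deny
    action but no alert action, i.e. the ones that drop traffic invisibly."""
    found = []
    for sig in sigs:
        actions = set(sig["actions"])
        if (sig["engine"] == "normalizer" and sig["enabled"]
                and any(a.startswith("deny") for a in actions)
                and "produce-alert" not in actions):
            found.append(sig["id"])
    return found


# Constructed SSH stream from VLAN A to VLAN B: the third segment the sender
# emitted (seq 1200) overtakes the second (seq 1100) on its way to the sensor,
# then the sender retransmits seq 1200 after the sensor dropped it.
SSH_A_TO_B = [
    Segment("10.1.1.10", "10.2.2.20", 1000, 100),
    Segment("10.1.1.10", "10.2.2.20", 1200, 50),
    Segment("10.1.1.10", "10.2.2.20", 1100, 100),
    Segment("10.1.1.10", "10.2.2.20", 1200, 50),
]

# Constructed signature records; only 1330/12 is taken from the thread,
# the EXAMPLE-* ids and the action names are assumed for illustration.
SIGNATURES = [
    {"id": "1330/12", "engine": "normalizer", "enabled": True,
     "actions": ["deny-packet-inline"]},
    {"id": "EXAMPLE-A", "engine": "normalizer", "enabled": True,
     "actions": ["deny-packet-inline", "produce-alert"]},
    {"id": "EXAMPLE-B", "engine": "normalizer", "enabled": False,
     "actions": ["deny-packet-inline"]},
    {"id": "EXAMPLE-C", "engine": "atomic-ip", "enabled": True,
     "actions": ["produce-alert"]},
]

if __name__ == "__main__":
    print("drop mode   :", normalizer_verdicts(SSH_A_TO_B, True))
    print("monitor mode:", normalizer_verdicts(SSH_A_TO_B, False))
    print("silent drops:", silent_drop_signatures(SIGNATURES))
```

Running it shows the second segment being dropped with no log entry in drop mode while the same stream passes in monitor mode, and the audit picks out only 1330/12: enabled, normalizer engine, deny action, nothing that would alert. That is exactly why the problem was invisible in the sensor's event view yet disappeared when the IPS (or the signature) was taken out of the path.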
07-28-2008 10:54 AM
Well a pretty simple way to check that would be to put the sensor in 'bypass' mode and then try to telnet/ssh.
Regards
Farrukh