AIP SSM-10 - How to Verify Traffic is being passed for inspection?

Answered Question
Jun 11th, 2009

Hi There,

I have set up an AIP-SSM on our ASA5510 for the first time, following this excellent guide, http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml.

The differences between the environment used in the doco and ours are the specs of our ASA and module, which are the following: IOS version 8.0(4), ASDM version 6.1(3), and SSM application version 6.0(5)E2.

I have followed all the steps to enable connectivity to the module from ASDM, and created the access list to allow all IP traffic to be passed to the module for inspection, and the class map and policy map indicating the mode promiscuous, fail-open. The service policy is applied globally.

The problem I face is that when I try to verify, as stated in the guide, with the command show events alert on the module CLI, I do not get any output, so I'm not sure if traffic is being passed to the module. Can someone please help me clarify this?

Regards,

Esteban

Correct Answer
marcabal Thu, 06/11/2009 - 20:45

Execute "show conf" on your AIP SSM CLI. Verify that the GigabitEthernet0/1 backplane interface of the SSM has been assigned to virtual sensor vs0.

If it has not, then run "setup" and near the end of the setup wizard there will be an option to edit the interface and virtual sensor configuration. Use this option to modify the configuration for virtual sensor vs0 and in the interface.

You can also run "show stat virtual-sensor vs0" to see the counts of packets being analyzed by vs0.

abinjola Thu, 06/11/2009 - 23:04

In addition to what Marco suggested, also use the following command to see packets sent and received to the module:

show service-policy
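
One way to automate the check described in the replies above, added here as an example and not part of the original thread: it compares two captures of the IPS section of `show service-policy` and reports whether the module is up and its packet input counter is rising. The sample output is constructed and its layout is an assumed ASA 8.x format; `parse_ips` and `verify` are hypothetical helper names.

```python
import re

# Constructed samples (not from the thread): the IPS section of
# "show service-policy", captured twice a few seconds apart.
# The layout is an assumption modelled on ASA 8.x output.
SNAPSHOT_1 = """\
Global policy:
  Service-policy: global_policy
    Class-map: IPS
      IPS: card status Up, mode promiscuous fail-open
        packet input 1520, packet output 1520, drop 0, reset-drop 0
"""
SNAPSHOT_2 = SNAPSHOT_1.replace("1520", "1893")

STATUS_RE = re.compile(r"IPS: card status (\w+), mode (\S+) (\S+)")
COUNTER_RE = re.compile(r"(packet input|packet output|drop|reset-drop) (\d+)")


def parse_ips(text):
    """Return the IPS status and counters from one capture, or None."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = STATUS_RE.search(line)
        if m and i + 1 < len(lines):
            # The counters are on the line following the status line.
            counters = {k: int(v) for k, v in COUNTER_RE.findall(lines[i + 1])}
            return {"status": m.group(1), "mode": m.group(2),
                    "fail": m.group(3), **counters}
    return None  # no IPS action present in the service policy


def verify(before_text, after_text):
    """Return a list of problems; an empty list means traffic reaches the module."""
    before, after = parse_ips(before_text), parse_ips(after_text)
    if before is None or after is None:
        return ["no IPS action found in the service policy"]
    issues = []
    if after["status"] != "Up":
        issues.append("card status is %s, not Up" % after["status"])
    if after.get("packet input", 0) <= before.get("packet input", 0):
        issues.append("packet input counter is not increasing")
    return issues


if __name__ == "__main__":
    print(verify(SNAPSHOT_1, SNAPSHOT_2) or "traffic is reaching the module")
```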

egua5261 Sun, 06/14/2009 - 19:06

Guys,

Thanks a million to both of you. Great help.

Now that I can see the traffic going to the module, I'm wondering about the best way to test the module. Is there any tool that will allow me to test this IPS module?

Regards,

Esteban

abinjola Sun, 06/14/2009 - 20:58

Well, you may either run a test using traffic gen. simulators like Nmap or Nessus.

Alternatively, you may enable ICMP signature 2051/2 and ping through the module; you will see an alert generated for this, thus confirming IPS functionality.
