ASA SSM 10 IPS blocking roaming profiles

Unanswered Question
Sep 3rd, 2009

I have a client with the Cisco ASA SSM 10 module that is blocking roaming profiles from loading correctly. The issue goes away when the IPS is disabled. After I re-enable the IPS, it stops working and I see the following message in the log file:

4 Sep 03 2009 15:30:11 420003 172.16.X.XX 1102 SERVER 139 IPS requested to reset TCP connection from STUDENT-II-VLAN:172.16.X.XX/1102 to inside:SERVER/139

Followed by:

6 Sep 03 2009 15:30:11 302014 172.16.X.XX 1102 SERVER 139 Teardown TCP connection 3870 for STUDENT-II-VLAN:172.16.X.XX/1102 to inside:SERVER/139 duration 0:00:05 bytes 4339900 Flow reset by IPS

I thought this may have to do with SMB, so I disabled some of the SMB signatures, but that didn't work. It happens for this server on port 139 and 445. Any ideas on what signature it may be would be great.



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
rhermes Thu, 09/03/2009 - 12:15

Jump on the IPS sensor and check the IPS log. It should have a signature event that caused teh TCP Reset to occur. The event will tell you what signature and subsig you need to disable.

IPS CLI - "show event alert past 01:00"


This Discussion