AIP mode different in Cisco Security Manager versus ASA

Unanswered Question
Sep 24th, 2009

Hello,


AIP module (6.1(2)E3) being managed via CSM (3.3.0) shows as Promiscuous under Summary/Mode in Interfaces view.


On the ASA (5510, 7.2(4)), when directing traffic to the AIP module we specified Inline mode.


Why is the CSM reading Promiscuous?


In case it is a factor, this is an ASA active/passive HA pair, each with its own AIP module.


Thank you for your insight.

Patrick

marcabal Thu, 09/24/2009 - 10:19

There used to be a similar bug in IDM.

The sensor itself does not declare an interface as promiscuous.

So CSM has to interpret the configuration to determine if the interface is promiscuous.


On an Appliance an Interface is InLine only if it is configured as part of an InLine Interface Pair, or has InLine Vlan Pairs assigned.

So CSM makes the assumption that if it is not part of an InLine Interface Pair and does not have InLine Vlan Pairs created, but is active and being monitored by a virtual sensor then it must be Promiscuous.


And the above is True for Appliances.


What the CSM developers may not have realized is that this is NOT true for Modules.

For most modules like the AIP-SSMs, the sensor is configured to monitor the interface, but there is nothing in the module configuration itself that tells you whether it is inline or promiscuous.

That knowledge is only within the configuration of the ASA chassis itself.


CSM is simply incorrectly using the rules for Appliances against the SSMs.


This was corrected in IDM by always just marking the SSM port as "monitored" if I remember right and not trying to specify whether it is promiscuous or inline.


CSM would likely have to make the same change, and then just tell the user they need to check the ASA configuration to determine whether or not the ASA is configured to send packets to the SSM promiscuously or inline.
</gre_replace>
<gr_insert after="65" cat="add_content" lang="python" orig="Marco">
The inference rule Marco describes, and why it misreports an SSM, as an added illustration that is not CSM or IPS code and not part of the original thread. Sensor interface state is modelled as a dict whose field names are assumptions; the ASA side is parsed from a constructed policy-map fragment using the real `ips {inline|promiscuous} {fail-open|fail-close}` class action.

```python
import re

def appliance_mode(iface):
    """CSM-style inference for a sensor *appliance* interface."""
    # Inline only when part of an inline interface pair or carrying inline VLAN pairs
    if iface.get("inline_pair") or iface.get("inline_vlan_pairs"):
        return "inline"
    # Otherwise: enabled and assigned to a virtual sensor is taken to mean promiscuous.
    # This step is the assumption that holds for appliances but not for modules.
    if iface.get("enabled") and iface.get("virtual_sensor"):
        return "promiscuous"
    return "unused"

# Real ASA MPF syntax: inside a policy-map class, "ips <mode> <fail-mode>"
IPS_ACTION = re.compile(r"^[ \t]*ips[ \t]+(inline|promiscuous)[ \t]+(fail-open|fail-close)[ \t]*$",
                        re.MULTILINE)

def asa_ips_mode(asa_config):
    """Mode actually in force for an AIP-SSM lives in the ASA chassis policy-map."""
    modes = {m.group(1) for m in IPS_ACTION.finditer(asa_config)}
    if not modes:
        return "none"       # no class directs traffic to the SSM
    if len(modes) > 1:
        return "mixed"      # different classes use different modes
    return modes.pop()

def infer_mode(platform, iface, asa_config=None):
    """What a manager should report for an interface, by platform type."""
    if platform == "appliance":
        return appliance_mode(iface)
    # Module: the sensor config cannot tell. Report "monitored" (the IDM fix)
    # unless the ASA configuration is available to consult.
    if asa_config is None:
        return "monitored (check ASA policy-map)"
    return asa_ips_mode(asa_config)

# Constructed AIP-SSM sensing interface: enabled, monitored by vs0, no pairs (field names assumed)
SSM_IFACE = {"name": "GigabitEthernet0/1", "enabled": True, "virtual_sensor": "vs0"}

# Constructed ASA fragment sending matched traffic to the SSM inline
ASA_CONFIG = """class-map IPS
 match access-list IPS_TRAFFIC
policy-map global_policy
 class IPS
  ips inline fail-open
service-policy global_policy global
"""
```

Running `appliance_mode(SSM_IFACE)` reproduces the "Promiscuous" reading, while `infer_mode("module", SSM_IFACE, ASA_CONFIG)` returns the inline mode the chassis actually enforces.
<test>
assert appliance_mode(SSM_IFACE) == "promiscuous"
assert infer_mode("appliance", SSM_IFACE) == "promiscuous"
assert infer_mode("module", SSM_IFACE) == "monitored (check ASA policy-map)"
assert infer_mode("module", SSM_IFACE, ASA_CONFIG) == "inline"
assert appliance_mode({"inline_pair": "pair0", "enabled": True, "virtual_sensor": "vs0"}) == "inline"
assert appliance_mode({"enabled": False}) == "unused"
assert asa_ips_mode("policy-map p\n class c\n  ips promiscuous fail-close\n") == "promiscuous"
assert asa_ips_mode(ASA_CONFIG + "policy-map other\n class c2\n  ips promiscuous fail-open\n") == "mixed"
assert asa_ips_mode("") == "none"
</test>
</gr_insert>
<gr_replace lines="68-70" cat="remove_boilerplate" orig="Actions">


Marco


Actions

This Discussion