Rules for VPN UP/DOWN

BallyITservices
Level 1

Hi everybody,

I created the following rules in my Cisco MARS in order to test it, and I tried a lot of variables, but they don't work as I expected.

____

DOWN VPN:
Time range: 2 minutes

Email: to me

Offset: 1
Source IP: 192.168.0.1
Destination IP: xxx.xxx.xxx.xxx
Service Name: ANY
Event: IPSec SA between tunnel end points has been deleted
Device: ASA5505-TESTMARS
Reported User: None
IPS Risk Rating: ANY
IPS Threat Rating: ANY
Keyword: ANY
Severity: ANY
Count: 1

FOLLOWED BY

Offset: 2
Source IP: 192.168.0.1
Destination IP: xxx.xxx.xxx.xxx
Service Name: ANY
Event: != IPSec SA has been created
Device: ASA5505-TESTMARS
Reported User: None
IPS Risk Rating: ANY
IPS Threat Rating: ANY
Keyword: ANY
Severity: ANY
Count: 1


UP VPN:
Time range: 2 minutes

Email: to me

Offset: 1
Source IP: 192.168.0.1
Destination IP: xxx.xxx.xxx.xxx
Service Name: ANY
Event: != IPSec SA between tunnel end points has been deleted
Device: ASA5505-TESTMARS
Reported User: None
IPS Risk Rating: ANY
IPS Threat Rating: ANY
Keyword: ANY
Severity: ANY
Count: 1

FOLLOWED BY

Offset: 2
Source IP: 192.168.0.1
Destination IP: xxx.xxx.xxx.xxx
Service Name: ANY
Event: IPSec SA has been created
Device: ASA5505-TESTMARS
Reported User: None
IPS Risk Rating: ANY
IPS Threat Rating: ANY
Keyword: ANY
Severity: ANY
Count: 1

____

I wanted the rules to be fired only if both conditions are satisfied within the time range I set, but since each rule is composed of a "!=" event and a "=" event, they are fired as soon as the "=" event is satisfied.

The problem is that during the night I receive a lot of spam from the MARS, because the VPN channels that aren't used during that period recreate the SA every 30 minutes. This is a process that lasts less than 15 seconds and I don't want to be informed about it because it isn't critical; if the down lasts more than 2 minutes then I start considering it critical.

How can I bypass this problem???

Hope someone will help me.

Thanks in advance.

Best regards.
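The stateful check the question asks for (alert only when an "SA deleted" event is not followed by an "SA created" event for the same tunnel within the 2-minute window, so that the 15-second rekeys are silently dropped), written here as an added Python example that is not part of the original post or of MARS; the log line format, the 203.0.113.7 peer address and the sample lines are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog-style lines (assumed format, not from the thread):
# a routine rekey where the SA comes back after 15 s, then a real outage
# that lasts 4 min 30 s before the SA is re-created.
SAMPLE_LOG = """\
2024-01-01 02:00:00 ASA5505-TESTMARS 192.168.0.1 203.0.113.7 IPSec SA between tunnel end points has been deleted
2024-01-01 02:00:15 ASA5505-TESTMARS 192.168.0.1 203.0.113.7 IPSec SA has been created
2024-01-01 03:10:00 ASA5505-TESTMARS 192.168.0.1 203.0.113.7 IPSec SA between tunnel end points has been deleted
2024-01-01 03:14:30 ASA5505-TESTMARS 192.168.0.1 203.0.113.7 IPSec SA has been created
"""

# <timestamp> <device> <source ip> <destination ip> <event text>
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (.*)$")
DOWN_MSG = "IPSec SA between tunnel end points has been deleted"
UP_MSG = "IPSec SA has been created"


def find_outages(log_text, threshold=timedelta(minutes=2)):
    """Return a list of (tunnel_key, down_duration) for every SA deletion that
    was NOT followed by an SA creation on the same tunnel within `threshold`.
    Deletions re-created faster than that (rekeys) produce no alert. A tunnel
    still down at the end of the log is reported with duration None."""
    pending = {}   # (device, src, dst) -> time the SA was deleted
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        key = (m.group(2), m.group(3), m.group(4))
        msg = m.group(5)
        if msg == DOWN_MSG:
            # keep the earliest deletion if several arrive before the SA returns
            pending.setdefault(key, ts)
        elif msg == UP_MSG and key in pending:
            down_for = ts - pending.pop(key)
            if down_for >= threshold:
                alerts.append((key, down_for))
    for key in pending:
        alerts.append((key, None))
    return alerts


if __name__ == "__main__":
    for key, duration in find_outages(SAMPLE_LOG):
        print("VPN DOWN", key, duration)
```

The 2-minute wait the question describes is the `pending` dictionary: nothing is reported at deletion time, and the decision is only made when the matching creation arrives (or never does).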



Mykola Srebnyuk
Level 1

Hi,

you didn't say which rule was always triggered. Up or Down?

Keep in mind that:

Using the Equal (==) and Not Equal (!=) buttons to bring highlighted items from one field into the other field has another meaning. Not Equal (!=) means that any other EVENT except the one YOU highlighted is triggered.

I think so, maybe I am mistaken.

Hi unkindone, and thanks for the reply.

Rules UP and DOWN are both fired when the channel goes up or down; that isn't the problem. The problem is when they are fired, because it seems that the way I thought out these rules isn't correct. It happens that in each rule the event marked with "!=" is not evaluated by the MARS, and probably for the reason you told me: the first event different from the one marked with != is counted in that offset, so the rule is fired.

What I would like to obtain is that the system waits for the minutes I set in the time range before checking whether the != event happened or not.

Is there a way to achieve this?

Regards!!!

Hi Fabio Longa,

It sounds bad, but there is no way.

Because the time which you configured in the user rule applies to checking all conditions during that time.

There is no way to configure SOME time for one condition FOLLOWED BY SOME time for the next condition.

Please check that:

I think there must be a syslog message from the router or firewall which means that there are some problems with the 2nd phase of IPsec.

For the 1st phase I often see such kinds of messages.

That's all.

P.S. Maybe I am mistaken.

Ok thanks a lot anyway!!!

Best regards.
