We upgraded all our ASA's last weekend to 8.2.3. The IPS modules were left on the version of code they were using when the ASA's were on 18.104.22.168.
Since the upgrade, I am seeing something on the IPS sensors that doesnt make sense. When looking at the real time monitor, I am only seeing internal traffic addresses showing up in the attacker column and outside ip addresses showing up on the victim column in IPS ME.
Here is the config lines from the ASA as it concerns the IPS Module -
access-list ips extended permit ip any any
match access-list ips
ips inline fail-open sensor vs0
As I understand it, how you control what traffic the IPS Sensor sees is controlled at the ASA, not the IPS module.
The ASA is operating normally and I can see the traffic I would expect to on the inside and outside interfaces. I am starting to suspect a bug in the new ASA code but wanted to see if anyone else had seen this before I called TAC.