ASA 5510 with SSM-10 ARC

Unanswered Question
May 21st, 2012

Hello there,

I am configuring remote host blocking on the SSM-10 within the ASA to shun on certain signatures. The SSM-10 resides on the same ASA on which it should perform the shun action. But unfortunately it doesn't work. The ASA version is 8.4(3) and the IPS version is 7.0(7)E4.

Here are the error messages I get on the IPS:

  errorMessage: ErrSystemError PIX [1.1.1.1] version major and minor values were not matched  name=errUnclassified 

  errorMessage: Firewall [1.1.1.1] is unable to add a block for [2.2.2.2] due to an error.  name=errSystemError 

1.1.1.1 is the ASA IP address, and 2.2.2.2 is the attacker which triggered the signature with the shun action.

I even tried using telnet between the ASA and the IPS to communicate, but got the same result.

mkodali Mon, 05/21/2012 - 17:08

It may be helpful to provide the output of the following commands to debug this issue in more detail:

sensor# show statistics network-access

and

sensor# show event error

Run the second command preferably at the same time the SSM sends the shun message to the ASA.

thanks

Madhu
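When going through `show event error` output like the lines quoted in the question, it helps to pull the ARC failures out mechanically so that every host the sensor tried and failed to shun is listed. The following Python script is an added example, not code from the original thread or from Cisco; the sample event lines are constructed to match the format of the two errorMessage lines above (plus one unrelated line), and the addresses in them are placeholders. The regular expressions assume the wording of those two messages; other ARC error texts would land in the "other" bucket.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample lines, modelled on the errorMessage lines quoted in the
# question. 1.1.1.1 stands for the ASA, 2.2.2.2 / 3.3.3.3 for hosts the sensor
# tried to shun. None of these are real hosts.
SAMPLE_EVENTS = """\
errorMessage: ErrSystemError PIX [1.1.1.1] version major and minor values were not matched  name=errUnclassified
errorMessage: Firewall [1.1.1.1] is unable to add a block for [2.2.2.2] due to an error.  name=errSystemError
errorMessage: Firewall [1.1.1.1] is unable to add a block for [3.3.3.3] due to an error.  name=errSystemError
errorMessage: Some unrelated warning  name=errWarning
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Whole line: "errorMessage: <text>  name=<errName>"
LINE_RE = re.compile(r"^errorMessage:\s*(?P<text>.*?)\s+name=(?P<name>\S+)\s*$")
# ARC reports an ASA with the "PIX" device type in this message (as seen above).
VERSION_RE = re.compile(
    r"(?:PIX|Firewall)\s*\[" + IPV4 + r"\].*version major and minor values were not matched"
)
BLOCK_RE = re.compile(
    r"Firewall\s*\[" + IPV4 + r"\]\s+is unable to add a block for\s*\[" + IPV4 + r"\]"
)


@dataclass
class ArcErrorSummary:
    # Firewalls for which ARC reported the version-match error.
    version_mismatch: set = field(default_factory=set)
    # firewall address -> set of addresses that could not be blocked on it.
    failed_blocks: dict = field(default_factory=lambda: defaultdict(set))
    # Lines that were not recognised as one of the two ARC errors.
    other: list = field(default_factory=list)


def parse_arc_errors(text):
    """Classify `show event error` lines into ARC blocking failures."""
    summary = ArcErrorSummary()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            summary.other.append(line)
            continue
        msg = m.group("text")
        v = VERSION_RE.search(msg)
        if v:
            summary.version_mismatch.add(v.group(1))
            continue
        b = BLOCK_RE.search(msg)
        if b:
            summary.failed_blocks[b.group(1)].add(b.group(2))
            continue
        summary.other.append(line)
    return summary


def blocking_alerts(summary):
    """One human-readable alert per firewall with a problem."""
    alerts = []
    for fw in sorted(summary.version_mismatch):
        alerts.append(
            f"{fw}: ARC could not match the firewall software version; "
            "verify the ARC device type, login and the ASA/IPS versions"
        )
    for fw in sorted(summary.failed_blocks):
        hosts = ", ".join(sorted(summary.failed_blocks[fw]))
        alerts.append(f"{fw}: shun requests failed for {hosts}; these hosts are NOT blocked")
    return alerts


if __name__ == "__main__":
    for alert in blocking_alerts(parse_arc_errors(SAMPLE_EVENTS)):
        print(alert)
```

Feed it the captured `show event error` text instead of `SAMPLE_EVENTS` to get the list of hosts that were meant to be shunned but were not; that list is what you would cross-check against `show shun` on the ASA.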

Todd Pula Tue, 05/22/2012 - 14:48

Do you have the SSM configured in promiscuous or inline mode? The blocking/ARC config is only relevant for promiscuous configurations. If you have the sensor configured for inline in the service policy on the ASA, then the SSM can directly deny offending traffic. I have seen instances of this error before when you are attempting to configure blocking for an inline sensor.

Posted May 21, 2012 at 3:00 PM
Tags: asa, 5510, ips, asa_5510, arc