Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

4215 5.x & blocking

I have a 4215 that I have setup inline. In addition, I have given it the ability to use a PIX to block hosts. When the sensor tries to login to the PIX, it triggers the "multiple rapid ssh connections" signature and adds the sensors IP address to the "Denied Attackers" list. This happens even though the checkbox for "allow the sensor ip address to be blockes" is unchecked AND the IP address of the sensor is in the "Never block" list.

The sensor is running the latest 5.0(4) and the latest signature.

Do I ALSO have to create an event filter for this?

Cisco Employee

Re: 4215 5.x & blocking

Does the login to the PIX fail due to some other reason (SSH keys not transferred offline, incorrect login credentials, etc). The only reason the IPS would try and login multiple times is if the login fails, so if you fix that that should resolve the problem.

On the sensor run the following command to ensure that the PIX's public key is added and trusted to the IPS:

conf term

ssh host-key

You should see the fingerprint displayed, then as long as you have set up the login credentials correctly on the sensor then it should be able to login fine (and only once).

New Member

Re: 4215 5.x & blocking

I've discovered through experimentation that blocking has nothing to do with the inline dropping of packets. So even if you put something on the "never block" list, you also have to create exceptions to the signatures which drop packets inline...

This is some frustrating and cumbersome equipment they have developed... I'll be looking at MARS next week, maybe that will change my mind... But we're probably not allowed to complain here.