Cisco Support Community

New Member

4240 blocking some traffic between local VLANs

I have a 4240 IPS in inline interface mode between our edge firewall and core switch. This connection is a trunk port with 2 VLANs, let's call them A and B. Everything works 100% fine between VLANs (the firewall is doing the inter-VLAN routing) with the exception of SSH/telnet from VLAN A to VLAN B, which is a big problem.

Everything else works fine, including:

Web/443/TFTP from A to B

SSH/Telnet from B to A

SSH/Telnet from A to anywhere else in the world

SSH/Telnet from any other networks to B

I have removed the IPS from the equation, and everything is back to normal, so something has to be up with the IPS.

This is a new deployment...so the sensor is using its default configuration. I don't see anything being blocked. Pretty much the only thing that has been configured are the interfaces. I tried different values in the default VLAN field in the interface configuration menu to no avail, and I don't think it's related to the VLAN configuration since web/https and everything else works fine.

What am I missing here? Any ideas?

Thanks AOT


5 REPLIES

Re: 4240 blocking some traffic between local VLANs

Why would you set up trunk ports in 'inline interface mode'? Just use regular access ports. Have a look at this newly released document:

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_example09186a00809c37cb.shtml

Regards

Farrukh

New Member

Re: 4240 blocking some traffic between local VLANs

It is a trunk port because there are multiple VLANs at this location, and the firewall is performing inter-VLAN routing. The setup is basically:

Core Switch ---- Inline IPS ---- Firewall (ASA).

I don't see why I should need to re-do the LAN...the IPS should just be forwarding traffic (including VLAN tagging) through unless it's getting blocked by a policy. This is working fine except for the specific telnet/SSH traffic as mentioned.

I am thinking it has to be some kind of bug in the IPS software...from what I can see, I don't see it getting blocked anywhere in the IPS.

Gold

Re: 4240 blocking some traffic between local VLANs

There used to be some signatures [the normalizer engine] that will drop traffic without alerting. I don't know if they still do it, but check for enabled sigs that use the normalizer engine and don't have an alert action.

New Member

Re: 4240 blocking some traffic between local VLANs

Sure enough, Signature 1330/12 (TCP drop - segment out of order) was the culprit.

You are 100% correct. By default, it, and several of the other signatures using the normalizer engine will drop packets without logging or alerting. Thanks.
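The check suggested in the accepted answer, and confirmed above with 1330/12, is easy to automate once you have the signature list exported. The script below is an added example (not from the thread or from Cisco): it parses a constructed, simplified listing of signature definitions (the real sensor CLI output looks different, so adapt the parser to your export) and reports enabled normalizer-engine signatures whose actions drop or modify traffic inline but never produce an alert. The event-action names follow the Cisco IPS vocabulary; the sample rows, apart from 1330/12, are constructed.

```python
"""Flag inline IPS signatures that drop traffic without producing an alert."""
from dataclasses import dataclass

# Event actions that silently affect traffic when the sensor is inline,
# and the actions that would make such a drop visible in event logs.
DROP_ACTIONS = {"deny-packet-inline", "deny-connection-inline",
                "deny-attacker-inline", "modify-packet-inline"}
ALERT_ACTIONS = {"produce-alert", "produce-verbose-alert"}


@dataclass
class Signature:
    sig_id: int
    sub_id: int
    engine: str
    enabled: bool
    actions: set


def parse_signatures(text):
    """Parse constructed 'id/sub engine status action[,action]' lines."""
    sigs = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ident, engine, status, actions = line.split()
        sig_id, sub_id = (int(x) for x in ident.split("/"))
        sigs.append(Signature(sig_id, sub_id, engine.lower(),
                              status.lower() == "enabled",
                              set(actions.split(","))))
    return sigs


def silent_drops(sigs, engine="normalizer"):
    """Enabled signatures of the given engine that drop or modify traffic
    but carry no alert action: the case that bit the original poster."""
    return [s for s in sigs
            if s.enabled and s.engine == engine
            and s.actions & DROP_ACTIONS
            and not s.actions & ALERT_ACTIONS]


# Constructed sample listing; only 1330/12 is taken from the thread.
SAMPLE = """
# id/sub    engine      status    actions
1330/12     normalizer  enabled   deny-packet-inline
1330/3      normalizer  enabled   produce-alert,deny-packet-inline
1330/17     normalizer  disabled  deny-packet-inline
2004/0      atomic-ip   enabled   produce-alert
"""


def report(text=SAMPLE):
    """Return 'id/sub' labels of signatures that drop silently."""
    return [f"{s.sig_id}/{s.sub_id}" for s in silent_drops(parse_signatures(text))]


if __name__ == "__main__":
    for name in report():
        print("silent inline drop, no alert:", name)
```

Any signature the report lists is a candidate for either adding produce-alert to its actions or disabling it, depending on whether the drop behaviour is wanted.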

Re: 4240 blocking some traffic between local VLANs

Well, a pretty simple way to check that would be to put the sensor in 'bypass' mode and then try to telnet/ssh.

Regards

Farrukh
