Re: AIP mode different in Cisco Security Manager versus ASA
There used to be a similar bug in IDM.
The sensor itself does not declare an interface as promiscuous.
SO CSM has to intepret the configuration to determine if the interface is promiscuous.
On an Appliance an Interface is InLine only if it is configured as part of an InLine Interface Pair, or has InLine Vlan Pairs assigned.
So CSM makes the assumption that if it is not part of an InLine Interface Pair and does not have InLine Vlan Pairs created, but is active and being monitored by a virtual sensor then it must be Promiscuous.
And the above is True for Appliances.
What the CSM developers may not have realized is that this is NOT true for Modules.
For most modules like the AIP-SSMs, the sensor is configured to monitor the interface, but there is nothing in the module configuration itself that tells you whether it is inline or promiscuous.
That knowledge is only within the configuration of the ASA chassis itself.
CSM is simply incorrectly using the rules for Appliances against the SSMs.
This was corrected in IDM by always just marking the SSM port as "monitored" if I remember right and not trying to specify whether it is promiscuous or inline.
CSM would likely have to make the same change, and just then just tell the user they need to check ASA configuration to determine whether or not the ASA is configured to send packets to the SSM promiscuously or inline.
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...