Cisco Support Community
Community Member

AIP mode different in Cisco Security Manager versus ASA

Hello,

The AIP module (6.1(2)E3), managed via CSM (3.3.0), shows as Promiscuous under Summary/Mode in the Interfaces view.

On the ASA (5510, 7.2(4)), when directing traffic to the AIP module, we specified Inline mode.

Why is the CSM reading Promiscuous?

In case it is a factor, this is an ASA active/passive HA pair, each with its own AIP module.

Thank you for your insight.

Patrick

1 REPLY
Cisco Employee

Re: AIP mode different in Cisco Security Manager versus ASA

There used to be a similar bug in IDM.

The sensor itself does not declare an interface as promiscuous.

So CSM has to interpret the configuration to determine if the interface is promiscuous.

On an Appliance an Interface is InLine only if it is configured as part of an InLine Interface Pair, or has InLine Vlan Pairs assigned.

So CSM makes the assumption that if it is not part of an InLine Interface Pair and does not have InLine Vlan Pairs created, but is active and being monitored by a virtual sensor then it must be Promiscuous.

And the above is True for Appliances.

What the CSM developers may not have realized is that this is NOT true for Modules.

For most modules like the AIP-SSMs, the sensor is configured to monitor the interface, but there is nothing in the module configuration itself that tells you whether it is inline or promiscuous.

That knowledge is only within the configuration of the ASA chassis itself.

CSM is simply incorrectly using the rules for Appliances against the SSMs.

This was corrected in IDM by always just marking the SSM port as "monitored" if I remember right and not trying to specify whether it is promiscuous or inline.

CSM would likely have to make the same change, and then just tell the user they need to check the ASA configuration to determine whether or not the ASA is configured to send packets to the SSM promiscuously or inline.

Marco
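The reply above says that for an AIP-SSM the inline-versus-promiscuous decision lives only in the ASA chassis configuration, and that CSM gets it wrong by applying the appliance rule (inline only if part of an inline interface pair or inline VLAN pair, otherwise promiscuous if monitored by a virtual sensor) to the module's sensing port. The following is an added example, not code from the thread or from Cisco: it models the appliance rule as described in the reply, then reads the authoritative answer out of a constructed ASA running-config by walking `policy-map` / `class` blocks for the `ips {inline|promiscuous} {fail-open|fail-close}` action. The sample config, the sensing-interface name `GigabitEthernet0/1` and the result labels (`Unused`, `not-diverted`, `mixed`) are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class SensorInterface:
    """What the sensor (appliance or SSM) itself knows about one port.
    Nothing here says inline vs. promiscuous for an SSM; that is the point."""
    name: str
    in_inline_interface_pair: bool = False
    inline_vlan_pairs: int = 0
    monitored_by_virtual_sensor: bool = False

def csm_appliance_mode(iface: SensorInterface) -> str:
    """The appliance rule the reply describes CSM applying to every sensor.
    It is correct for appliances and wrong for modules such as the AIP-SSM."""
    if iface.in_inline_interface_pair or iface.inline_vlan_pairs > 0:
        return "Inline"
    if iface.monitored_by_virtual_sensor:
        return "Promiscuous"
    return "Unused"          # assumed label for a port no virtual sensor owns

# ASA policy-map action that diverts a class of traffic to the IPS module.
IPS_ACTION_RE = re.compile(r"^\s+ips\s+(inline|promiscuous)\s+(fail-open|fail-close)\b")
POLICY_MAP_RE = re.compile(r"^policy-map\s+(?:type\s+\S+\s+)?(\S+)")
CLASS_RE = re.compile(r"^\s+class\s+(\S+)")

def asa_ips_policies(running_config: str) -> list[dict]:
    """Walk an ASA running-config and return every `ips ...` action together
    with the policy-map and class it sits under. ASA config is indentation
    structured: top-level lines have no leading space, `class` lines one,
    actions under a class two."""
    found = []
    policy = cls = None
    for raw in running_config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):
            # Any top-level line ends the current policy-map context;
            # a new policy-map opens one.
            m = POLICY_MAP_RE.match(line)
            policy, cls = (m.group(1), None) if m else (None, None)
            continue
        if policy is None:
            continue
        m = CLASS_RE.match(line)
        if m:
            cls = m.group(1)
            continue
        m = IPS_ACTION_RE.match(line)
        if m and cls:
            found.append({"policy_map": policy, "class": cls,
                          "mode": m.group(1), "fail": m.group(2)})
    return found

def asa_module_mode(running_config: str) -> str:
    """The chassis-side answer the reply says the user must go and check."""
    actions = asa_ips_policies(running_config)
    if not actions:
        return "not-diverted"     # assumed label: no traffic is sent to the SSM
    modes = {a["mode"] for a in actions}
    return modes.pop() if len(modes) == 1 else "mixed"

def compare(iface: SensorInterface, running_config: str) -> dict:
    """Side by side: what CSM's Summary/Mode column infers vs. what the ASA does."""
    return {"csm_summary": csm_appliance_mode(iface),
            "asa_configured": asa_module_mode(running_config)}

# Constructed sample: an AIP-SSM sensing port as the sensor sees it. It is
# monitored by vs0 but is in no inline interface pair or inline VLAN pair.
SSM_SENSING_PORT = SensorInterface("GigabitEthernet0/1", monitored_by_virtual_sensor=True)

# Constructed sample ASA running-config fragment that diverts all traffic inline.
ASA_CONFIG_INLINE = """\
hostname asa5510
class-map ips_class
 match any
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
 class ips_class
  ips inline fail-open
service-policy global_policy global
"""

# Same chassis with the action changed to promiscuous.
ASA_CONFIG_PROMISC = ASA_CONFIG_INLINE.replace("ips inline fail-open", "ips promiscuous fail-close")

if __name__ == "__main__":
    print(compare(SSM_SENSING_PORT, ASA_CONFIG_INLINE))
    print(compare(SSM_SENSING_PORT, ASA_CONFIG_PROMISC))
```

Run against the inline config, `compare` returns `csm_summary` of `Promiscuous` next to `asa_configured` of `inline`, which is exactly the mismatch the original question reports; against the promiscuous config the two agree, so the CSM column is not wrong so much as uninformative for a module. On an HA pair, run the parser over each unit's own running-config, since each chassis diverts traffic to its own module.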
