Community Member

Blocking error msg.

I have set up my IDS to manage a router. I have gone through the steps to configure this router through the IDM. I have set up the login profiles, blocking device, and both pre-block and post-block ACL. But I get an error on the IDM when looking through the events when it tries to complete a block. The error msg. is "Unable to execute a host block timeout - no blocking interfaces are configured".

I am not sure why I am getting this error msg. I think I have gone through all of the configuration steps correctly.

Thanks for any info.

Accepted Solution
Cisco Employee

Re: Blocking error msg.

After you added the pre/post ACL names and the blocking interface name under the Router Blocking Device Interface tab, did you apply the settings? In the CLI, you can either do a show conf or a show stat net (see below) to verify.

qsensor-xxx# sh stat net
Current Configuration
   LogAllBlockEventsAndSensors = true
   EnableNvramWrite = false
   EnableAclLogging = false
   AllowSensorBlock = false
   BlockMaxEntries = 250
   MaxDeviceInterfaces = 250
   NetDevice
      Type = Cisco
      IP = 1.2.3.4
      NATAddr = 0.0.0.0
      Communications = telnet
      ResponseCapabilities = block
      BlockInterface
         InterfaceName = ethernet1
         InterfaceDirection = in
         InterfacePreBlock = pre_acl_name
         InterfacePostBlock = post_acl_name

Replies
Cisco Employee

Re: Blocking error msg.

Hi,

In your 'sh config' output from the CLI, does it list the 'block-interfaces ... in' line?

Here is a sample:

user-profiles cisco
   enable-password cisco
   password cisco
   username cisco
   exit
router-devices 192.168.1.1
   communication telnet
   profile-name cisco
   block-interfaces fastethernet0/0 in
      exit
   response-capabilities block
   exit

Thank you.

Edward

Community Member

Re: Blocking error msg.

Here is my sh config output:

   username admin
   exit
router-devices 205.170.225.249
   communication ssh-3des
   profile-name mainrouter
   block-interfaces FastEthernet0/0 in
      pre-acl-name Pre-Block
      post-acl-name Post-Block
      exit
   response-capabilities block
   exit

Cisco Employee

Re: Blocking error msg.

Try connecting with telnet instead of 3-des. Sometimes ARC gets confused with 3-des connect problems and reports an incorrect error. If telnet will work, then we can work on getting the 3-des working. Speaking of 3-des, you did log into the CLI, conf t, and run the ssh host 205.170.225.249 command, right? That is necessary to get the key so ARC can connect to the router.

Community Member

Re: Blocking error msg.

Ok I have changed the communication from 3-des to telnet. Do you know of an internal test that I can do to make sure the error msg. has been fixed?

Also, I did create a key for the 3-des.

Thanks for the help.

Cisco Employee

Re: Blocking error msg.

In IDM under the monitoring tab, there is a place to add manual blocks. If you monitor with the CLI as you add the block with IDM, you should see the action take place. You can also look on the router and see if ARC built and attached an ACL to the interface. Since you specified a pre/post ACL, the one ARC created should look like:

sensor ip address
contents of pre-acl
active blocks
contents of post acl

Make sure your post ACL has "permit ip any any" as the last line.

Community Member

Re: Blocking error msg.

When I tried to add a manual block, in the event log through the IDM I still receive the error msgs. "Unable to execute a net block on because no blocking interfaces are configured" and "Unable to execute a net block because blocking is not configured".

Which interfaces are they talking about, the IDS interface or the router interfaces?

Thanks

Cisco Employee

Re: Blocking error msg.

Let's back up. Let's try this at its most basic.

1. Does your router support the ip access-list extended command?
2. What version software are you running on the sensor?
3. Try removing the pre and post ACLs from the sensor config using IDM (leave them on the router).
4. Is this the only device you are connecting to? (There are other issues that sometimes occur if you are managing a PIX and a router.)

Community Member

Re: Blocking error msg.

1. The router does support ip access-list extended.
2. Software version - 6.0(1)
3. I have removed the pre and post ACLs through the IDM, kept them on the router.
4. This is the only device.

Thanks for your help

Cisco Employee

Re: Blocking error msg.

Any change in stats messages? Can you post your full show stat net output? If it is not working, the next thing we need to try is a packet capture of the traffic between the sensor and the router so I can figure out where things are breaking down.

Community Member

Re: Blocking error msg.

ids# show stat net
Current Configuration
   LogAllBlockEventsAndSensors = true
   EnableNvramWrite = false
   EnableAclLogging = true
   AllowSensorBlock = false
   BlockMaxEntries = 250
   MaxDeviceInterfaces = 250
   NetDevice
      Type = Cisco
      IP = 205.170.225.249
      NATAddr = 0.0.0.0
      Communications = telnet
      ResponseCapabilities = block
      BlockInterface
         InterfaceName = FastEthernet0/0
         InterfaceDirection = in
State
   BlockEnable = true
   NetDevice
      IP = 205.170.225.249
      AclSupport = uses Named ACLs
      Version = 0
      State = Inactive

I never noticed this before, it says the state is Inactive. How do you change it to active?
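As an added example (not code from this thread or from Cisco), the following Python parses a sensor's show stat net output, like the one above and the one in the accepted solution, and flags the conditions the replies point at: a NetDevice with no BlockInterface (the "no blocking interfaces are configured" error), a device State that is not Active, and management over telnet, which carries the router credentials in cleartext. The sample output is constructed from the thread's values, and the parser assumes the flat "key = value" layout shown on the page.

```python
# Constructed sample modelled on the 'show stat net' output posted in this thread.
SAMPLE = """Current Configuration
NetDevice
IP = 205.170.225.249
Communications = telnet
BlockInterface
InterfaceName = FastEthernet0/0
InterfaceDirection = in
State
BlockEnable = true
NetDevice
IP = 205.170.225.249
State = Inactive
"""

def parse_stat_net(text):
    """Collect NetDevice blocks from both sections and merge config and state by IP."""
    records, section, cur, iface = [], None, None, None
    for raw in text.splitlines():
        key, sep, val = (p.strip() for p in raw.partition("="))
        if not sep:  # header line: section, NetDevice or BlockInterface
            if key in ("Current Configuration", "State"):
                section, cur, iface = key, None, None
            elif key == "NetDevice":
                cur, iface = {"section": section, "ifaces": []}, None
                records.append(cur)
            elif key == "BlockInterface" and cur is not None:
                iface = {}
                cur["ifaces"].append(iface)
        elif cur is not None:  # 'key = value' belongs to the open interface or device
            (iface if iface is not None else cur)[key] = val
    devices = {}
    for rec in records:
        dev = devices.setdefault(rec.get("IP"), {"config": {}, "ifaces": [], "state": {}})
        target = "state" if rec.pop("section") == "State" else "config"
        dev["ifaces"].extend(rec.pop("ifaces"))
        dev[target].update(rec)
    return devices

def check_blocking(devices):
    """Flag the conditions behind the thread's error plus the cleartext-credential caveat."""
    findings = []
    for ip, dev in devices.items():
        if not dev["ifaces"]:
            findings.append((ip, "no blocking interfaces are configured"))
        if dev["config"].get("Communications") == "telnet":
            findings.append((ip, "telnet management sends router credentials in cleartext"))
        if dev["state"].get("State") != "Active":
            findings.append((ip, "device state is %s" % dev["state"].get("State", "unknown")))
    return findings
```

Run it against the real output copied from the sensor; a device that shows no findings has interfaces configured, an Active state, and an encrypted management channel.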

Cisco Employee

Re: Blocking error msg.

It will be inactive until we get the interface issue resolved. Can you send me a packet capture of the ARC traffic?

Have 2 CLI sessions open.

In the first session:

conf t
serv net
gen
block-enable false
exit
exit

save changes: yes (this stops ARC)

Now start the packet capture in the other window:

packet capture snaplen 1600 expr host 205.170.225.249

This will start capturing traffic going to the router you are trying to manage. Now start ARC back up in the other window:

conf t
serv net
gen
block-enable true
exit
exit

yes (will start it back up).

Wait for a couple minutes, then do a ctrl-c on the packet capture.

Use the copy command to send the packet capture file to a remote machine.

Email me the file (jlively@cisco.com).

Community Member

Re: Blocking error msg.

Thanks for your help, this issue has been solved. I found out that telnet was disabled on the router. Also had to open the ports on the firewall. I am now able to block.

Thanks for all of your help.

Community Member

Re: Blocking error msg.

ids# show stat net
Current Configuration
   LogAllBlockEventsAndSensors = true
   EnableNvramWrite = false
   EnableAclLogging = true
   AllowSensorBlock = false
   BlockMaxEntries = 250
   MaxDeviceInterfaces = 250
   NetDevice
      Type = Cisco
      IP = 205.170.225.249
      NATAddr = 0.0.0.0
      Communications = ssh-3des
      ResponseCapabilities = block
      BlockInterface
         InterfaceName = FastEthernet0/0
         InterfaceDirection = in
         InterfacePreBlock = Pre-Block
         InterfacePostBlock = Post-Block
