Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

blocking login profilles

I think this should be pretty straight forward, but am having am impossible time getting blocking to work. I have an IPS 4240 with software version 6 and have configured many login profiles to try to get my ASA to shun a host triggering a signature using the host block option. Setup is host -> switch -> IPS spanning uplink port -> router -> ASA -> Internet

I've tried manually adding the block on the host and while it appears in the active host blocks monitoring section, the host is still able to reach anywhere on the Internet. I also see an ARC event stating wrong username/password combination. Seems like a simple fix, but I'm fairly sure I'm putting the correct username and password in. I've retrieved the ssh key from the ASA while on the IPS and have tried using telnet also. I've enabled any host on my LAN to telnet to the PIX in effort to troubleshoot, but it's not working either. I'm using Cisco ACS with my ASA, and have tried domain\username and and just plain username, but none work.

Thank you,



Re: blocking login profilles

We've had Shunning between a 5.x sensor and ASA working. To trouble shoot, use Telnet between the sensor and the ASA. Then sniff the traffic using Ethereal/Wireshark. Follow the TCP session to watch the commands between the two, this should show you where things are going wrong.

New Member

Re: blocking login profilles

i've not been able to use the telnet or ssh command from the cli on the sensor, and don't see that option from the gui either. I've tried twic sniffing traffic from the inside interface of my asa during a test attempt to trigger the block and found only acks, and some data containing the message banner, username and password. The username and password looked to both have unusual spaces between them, but I'm not sure if that's just how ethereal displays the contents or not. I'm definately able to telnet to my asa from my desktop using my domain creds and cisco acs. Event Viewer logs from the IPS continue to read

evError: eventId=1177685004019530953 vendor=Cisco severity=error


hostId: HBG-IPS

appName: nac

appInstanceId: 29279

time: May 3, 2007 12:52:02 PM UTC offset=-240 timeZone=UTC

errorMessage: ERROR: Wrong username/password for net device [] name=errSystemError

update - i don't know why, but it is working now with local credentials even though my asa is setup to use cisco ACS.

CreatePlease to create content