05-19-2006 11:34 AM - edited 03-10-2019 03:01 AM
After I set up a Cisco 4240 IPS, I tried to access the appliance's IDM web portal. Unfortunately it would not connect. I read through all the troubleshooting documents and even read through these forums, and none of the proposed solutions worked. The connecting computer and the IPS are on the same LAN, so it's not a connection issue. The following is the output of the show version command:
Cisco Systems Intrusion Detection Sensor, Version 4.1(5)S225
OS Version 2.4.18-5smpbigphys
Platform: IDS-4235
Using 647368704 out of 921522176 bytes of available memory (70% usage)
Using 5.2G out of 15G bytes of available disk space (37% usage)
MainApp 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running
AnalysisEngine 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running
Authentication 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running
Logger 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running
NetworkAccess 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running
TransactionSource 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running
WebServer 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running
CLI 2005_Aug_02_10.53 (Release) 2005-08-02T10:25:35-0500
Upgrade History:
* IDS-sig-4.1-5-S222 14:24:47 UTC Wed Mar 22 2006
IDS-sig-4.1-5-S225.rpm.pkg 11:01:08 UTC Tue May 09 2006
Recovery Partition Version 1.2 - 4.1(1)S47
The webserver is running. I did a packet capture when connecting to the IDM and I saw that the browser connects to the server. The browser then tries to set up the SSL connection by sending a Client Hello. The IDM webserver sends back an acknowledgement followed by a TCP reset. So for some odd reason the IDM webserver sends a TCP reset during the SSL connection creation phase. I don't know how to fix that on the IPS.
Any help would be much appreciated.
05-19-2006 12:24 PM
The interface configured as the (reset) interface should connect to the same network (VLAN etc.) as the interface used for monitoring. Sounds like you have the (reset) interface configured on the management interface... the management interface is the one you used to access with the web browser...
gprice
05-19-2006 01:52 PM
2 main things to check:
1) Are you using the correct web server port and using SSL/TLS?
By default the sensor is configured with SSL/TLS enabled, with the webserver running on port 443.
In the web browser you will use "https://
2) Is your web client's IP address in the sensor's access list? (Use the "setup" command to modify the access-list.)
Either the web client's network space or the client's individual IP address must be in the access-list in order to be allowed to connect to the web server.
If you are entering just the client's IP address and not the entire subnet, then do NOT use the normal netmask; instead use /32 (or 255.255.255.255) to designate it as a single IP.
For example,
Let's say your web client has IP 10.1.1.1 on the 10.1.1.0 network.
You could permit the entire 10.1.1.0 network by putting 10.1.1.0 255.255.255.0 (/24) in the access list.
OR you could permit just the 10.1.1.1 address by putting 10.1.1.1 255.255.255.255 (/32) in the access list.
BUT if you put 10.1.1.1 255.255.255.0 (/24) in the access list then the sensor gets confused and will not permit you to access the sensor. (Version 4.x gets confused; in version 5.x it gives you an error and won't accept the entry.)
Marco
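The access-list rule from the post above, as an added example that is not part of Marco's reply and not Cisco code: a Python check that flags entries whose address has host bits set under the given mask (the 10.1.1.1 255.255.255.0 case) and reports whether a client IP is covered by the well-formed entries. The function names are hypothetical, the sample entries are constructed from the addresses in the post, and skipping malformed entries is an assumption that models the behaviour described for version 4.x.

```python
import ipaddress

def check_entry(address, netmask):
    """Classify one 'address netmask' access-list entry.

    Returns (ok, network, suggestions). ok is False when the address has
    host bits set under the mask, e.g. 10.1.1.1 255.255.255.0.
    """
    iface = ipaddress.ip_interface(f"{address}/{netmask}")
    if iface.ip == iface.network.network_address:
        return True, iface.network, []
    # Two well-formed alternatives: the whole subnet, or only this host (/32).
    host_only = ipaddress.ip_network(f"{iface.ip}/32")
    return False, None, [iface.network, host_only]

def client_permitted(client_ip, entries):
    """True if client_ip falls inside any well-formed entry.

    Assumption: malformed entries match nothing, as the post describes for 4.x.
    """
    client = ipaddress.ip_address(client_ip)
    for address, netmask in entries:
        ok, network, _ = check_entry(address, netmask)
        if ok and client in network:
            return True
    return False

def audit(client_ip, entries):
    """Return one report line per entry plus a final verdict for the client."""
    lines = []
    for address, netmask in entries:
        ok, network, suggestions = check_entry(address, netmask)
        if ok:
            lines.append(f"OK   {address} {netmask} -> {network}")
        else:
            alts = " or ".join(f"{n.network_address} {n.netmask}" for n in suggestions)
            lines.append(f"BAD  {address} {netmask}: host bits set; use {alts}")
    verdict = client_permitted(client_ip, entries)
    lines.append(f"client {client_ip} permitted: {verdict}")
    return lines

if __name__ == "__main__":
    # Constructed sample: the malformed entry and the subnet entry from the post.
    sample = [("10.1.1.1", "255.255.255.0"), ("10.1.1.0", "255.255.255.0")]
    print("\n".join(audit("10.1.1.1", sample)))
```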
05-22-2006 10:53 AM
Thanks Marco for your response. Unfortunately those two options have been addressed without success.