Can't Access IPS Webserver

thetick642
Level 1

After I set up a Cisco 4240 IPS, I tried to access the appliance's IDM web portal. Unfortunately it would not connect. I read through all the troubleshooting documents and even read through these forums, and none of the proposed solutions worked. The connecting computer and the IPS are on the same LAN, so it's not a connectivity problem. The following is the output of the show version command:

Cisco Systems Intrusion Detection Sensor, Version 4.1(5)S225

OS Version 2.4.18-5smpbigphys

Platform: IDS-4235

Using 647368704 out of 921522176 bytes of available memory (70% usage)

Using 5.2G out of 15G bytes of available disk space (37% usage)

MainApp 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running

AnalysisEngine 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running

Authentication 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running

Logger 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running

NetworkAccess 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running

TransactionSource 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running

WebServer 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running

CLI 2005_Aug_02_10.53 (Release) 2005-08-02T10:25:35-0500

Upgrade History:

* IDS-sig-4.1-5-S222 14:24:47 UTC Wed Mar 22 2006

IDS-sig-4.1-5-S225.rpm.pkg 11:01:08 UTC Tue May 09 2006

Recovery Partition Version 1.2 - 4.1(1)S47

The webserver is running. I did a packet capture when connecting to the IDM and I saw that the browser connects to the server. The browser then tries to set up the SSL connection by sending a Client Hello. The IDM webserver sends back an acknowledgement followed by a TCP reset. So for some odd reason the IDM webserver sends a TCP reset during the SSL connection creation phase. I don't know how to fix that on the IPS.

Any help would be much appreciated.

3 Replies

garyprice
Level 1

The interface configured as the (reset) interface should connect to the same network (VLAN etc.) as the interface used for monitoring. Sounds like you have the (reset) interface configured on the management interface... the management interface is the one you used to access with the web browser...

gprice

marcabal
Cisco Employee

2 main things to check:

1) Are you using the correct web server port and using SSL/TLS?

By default the sensor is configured with SSL/TLS enabled, with the webserver running on port 443.

In the web browser you will use "https://" as the URL. Note the "s" after http. When "https" is used it will use SSL/TLS and connect to the default port 443.

2) Is your web client's IP Address in the Sensor's Access List (use the "setup" command to modify the access-list)

Either the web client's network space, or the client's individual ip address must be in the access-list in order to be allowed to connect to the web-server.

If you are entering just the client's ip address and not the entire subnet then do NOT use the normal netmask, instead use /32 (or 255.255.255.255) to designate it as a single IP.

For example,

Let's say your web client has IP 10.1.1.1 on the 10.1.1.0 network.

You could permit the entire 10.1.1.0 network by putting 10.1.1.0 255.255.255.0 (/24) in the access list.

OR you could permit just the 10.1.1.1 address by putting 10.1.1.1 255.255.255.255 (/32) in the access list.

BUT if you put 10.1.1.1 255.255.255.0 (/24) in the access list then the sensor gets confused and will not permit you to access the sensor. (Version 4.x gets confused; in version 5.x it gives you an error and won't accept the entry).

Marco
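The mask pitfall Marco describes (a host address paired with a network mask, so the entry has host bits set and the 4.x sensor silently ignores it) is easy to catch before the entry goes into the sensor. The following Python checker is an added example for this thread, not Cisco's code and not part of the sensor's `setup` command; it parses entries in the "address mask" form the reply uses, flags entries with host bits set, proposes the two valid alternatives (/32 for the single host, or the network address with the original mask), and models which client addresses a given list would actually permit. The sample entries and the client address 10.1.1.1 are the thread's own illustrative values.

```python
import ipaddress

# Constructed sample access-list entries in "address mask" form, mirroring the
# three cases in the reply above (not taken from a real sensor configuration).
SAMPLE_ENTRIES = [
    "10.1.1.0 255.255.255.0",    # whole /24 network: valid
    "10.1.1.1 255.255.255.255",  # single host as /32: valid
    "10.1.1.1 255.255.255.0",    # host address with a /24 mask: the problem case
]


def _parse(entry: str):
    """Turn 'address mask' or 'address/prefix' into (address, network).

    strict=False lets ipaddress accept host bits so the caller can report them
    instead of raising; the caller decides whether that makes the entry bad.
    """
    parts = entry.split()
    if len(parts) == 2:
        text = f"{parts[0]}/{parts[1]}"
    elif len(parts) == 1:
        text = parts[0]
    else:
        raise ValueError(f"unrecognised access-list entry: {entry!r}")
    addr = ipaddress.ip_address(text.split("/", 1)[0])
    net = ipaddress.ip_network(text, strict=False)
    return addr, net


def check_access_list_entry(entry: str) -> dict:
    """Classify one entry and, if it is malformed, suggest what was meant.

    host_bits_set is True for the '10.1.1.1 255.255.255.0' shape: the address
    is not the network address of the mask, which is the form a 4.x sensor
    fails to honour and a 5.x sensor rejects with an error.
    """
    addr, net = _parse(entry)
    host_bits_set = addr != net.network_address
    result = {
        "entry": entry,
        "normalized": None if host_bits_set else str(net),
        "single_host": net.prefixlen == net.max_prefixlen,
        "host_bits_set": host_bits_set,
        "suggestion": None,
    }
    if host_bits_set:
        # Either the author meant just this host, or the whole network.
        result["suggestion"] = (f"{addr}/{net.max_prefixlen}", str(net))
    return result


def client_permitted(entries, client_ip: str) -> bool:
    """Model the 4.x behaviour: malformed entries grant nothing at all."""
    client = ipaddress.ip_address(client_ip)
    for entry in entries:
        info = check_access_list_entry(entry)
        if info["host_bits_set"]:
            continue  # sensor is 'confused' by this one; it permits nobody
        if client in ipaddress.ip_network(info["normalized"]):
            return True
    return False


if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        info = check_access_list_entry(e)
        status = "OK" if not info["host_bits_set"] else "BAD (host bits set)"
        print(f"{e:28} {status}")
        if info["suggestion"]:
            print(f"    use {info['suggestion'][0]} for the single host "
                  f"or {info['suggestion'][1]} for the whole network")
    # Only the malformed entry on its own: the client is locked out.
    print("10.1.1.1 allowed by bad entry alone:",
          client_permitted([SAMPLE_ENTRIES[2]], "10.1.1.1"))
```

Running this with only the third entry in the list shows the symptom from the thread: the client at 10.1.1.1 looks like it should be covered, but nothing is permitted until the entry is rewritten as either 10.1.1.1/32 or 10.1.1.0/24.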

Thanks Marco for your response. Unfortunately those two options have been addressed without success.
