Community Member

Can't enable Inline mode on AIP-SSM

I'm trying to get my SSM module to run in inline mode with an ASA5520. Under the service policy configuration inline mode is selected, however on the IPS the backplane interface says Promiscuous.

Am I missing something obvious?

Edit:

The specific config lines all look ok:

class-map outside-class
 match any
policy-map outside-policy
 description IPS
 class outside-class
  ips inline fail-open

Accepted Solutions
Cisco Employee

Re: Can't enable Inline mode on AIP-SSM

You are seeing a bug in IDM.

IDM is incorrectly assuming the interface is Promiscuous and shows promiscuous.

The sensor itself treats it as just a monitored interface rather than inline or promiscuous. Each packet will have a header attached by the ASA that determines whether or not the packet should be monitored inline or promiscuous.

This is being fixed in IDM so it just calls it a backplane interface instead of incorrectly assuming it is a promiscuous interface.
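
The answer above says the ASA, not the label IDM shows for the sensor interface, decides whether traffic is handled inline or promiscuous. As an added example (not part of the thread and not Cisco code), this Python script reads that decision from an ASA configuration by listing each `ips` statement and where its policy-map is applied; the `dmz` policy and the `service-policy` line in the sample are constructed for illustration.

```python
import re

# Constructed sample: the class-map and policy-map from the question, plus an
# assumed service-policy line and a second (promiscuous) policy for contrast.
SAMPLE_CONFIG = """\
class-map outside-class
 match any
class-map dmz-class
 match any
policy-map outside-policy
 description IPS
 class outside-class
  ips inline fail-open
policy-map dmz-policy
 class dmz-class
  ips promiscuous fail-close
service-policy outside-policy interface outside
"""

IPS_RE = re.compile(r"^ips\s+(inline|promiscuous)\s+(fail-open|fail-close)\b")
SVC_RE = re.compile(r"^service-policy\s+(\S+)\s+(global|interface\s+\S+)")


def ips_modes(config):
    """Return one dict per 'ips' statement, with where its policy is applied."""
    applied, found = {}, []
    policy = cls = None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("policy-map "):
            policy, cls = line.split()[-1], None
        elif line.startswith("class-map "):
            policy = cls = None
        elif SVC_RE.match(line):
            name, where = SVC_RE.match(line).groups()
            applied.setdefault(name, []).append(where)
            policy = cls = None
        elif policy and line.startswith("class "):
            cls = line.split()[1]
        elif policy and cls and IPS_RE.match(line):
            mode, fail = IPS_RE.match(line).groups()
            found.append({"policy": policy, "class": cls, "mode": mode, "fail": fail})
    for entry in found:
        # An empty list means the policy exists but is not attached anywhere.
        entry["applied_to"] = applied.get(entry["policy"], [])
    return found


if __name__ == "__main__":
    for entry in ips_modes(SAMPLE_CONFIG):
        print(entry)
```

An entry with an empty `applied_to` list means the `ips` statement exists but no `service-policy` line in the supplied text attaches it to an interface or globally.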

5 REPLIES
Community Member

Re: Can't enable Inline mode on AIP-SSM

Ah, thank you. I had started to wonder this morning if it was something like this.

Community Member

Re: Can't enable Inline mode on AIP-SSM

Any idea of when this problem will be fixed? I started to notice that the interface was showing promiscuous mode and not inline even though I was 99.9% sure I had it configured correctly. Some clients wonder if it's working right even though I know it should be.

Cisco Employee

Re: Can't enable Inline mode on AIP-SSM

I think this was already fixed as part of the 6.0(1) release.

It was just a cosmetic issue in IDM.

The fix was to prevent IDM from assuming it was a Promiscuous interface, and was just a cosmetic change in IDM. No real functional change since the sensor was already working correctly.

A similar issue also existed in ASDM, but I am not sure when that one was addressed.

If you are still seeing it called Promiscuous and are running IPS 6.0(1) or higher, then let me know and I will look into this further. Please include the specific screens and situation where it is being seen in 6.0.

Community Member

Re: Can't enable Inline mode on AIP-SSM

I just put IPS 6.0(2) on the ASA that has an AIP module in it. This changed how the ASDM and IDM show the interface that's being monitored. It shows it as a backplane interface, which is better than promiscuous.

Thanks for your help.
