Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

IDS Blocking

I'm following Doc 44905...

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_example09186a00801c0e3c.shtml

And I can't get blocking (hostShun) to work. The alarm pops but the host is still connected and there are no entries in ACL.

So the doc metions doing a "show stat networkaccess" and says to make sure "state" says active -- and my state says "inactive" or "initializing".

My passwords match and I can ping the router. So much for Troubleshooting tips!!!

Any advice?

1 REPLY
Cisco Employee

Re: IDS Blocking

If you are using version 5.0, then follow the steps below. If you are using version 4.1 skip to step 6. Version 5.0 has additional logging capability that version 4.1 doesn't, so the information in 4.1 won't be as detailed.

1) "configure terminal"

2) "service network-access"

3) "show settings"

4) Look for the "log-all-block-events-and-errors" parameter and ensure it is set to "true". If it is set to "false" then change it to "true".

5) Exit all the way back out to exec mode (apply your changes if necessary).

6) Execute "show events" on the sensor CLI.

7) Connect to IDM as user "cisco"

8) Go to Monitoring / Active Host Blocks

9) Click "Add"

10) Add in the IP Address of a non-existent machine (like 1.1.1.1 for example), and click Apply to start shunning that IP.

11) Now go back to the CLI and check the output of "show events" from step 6.

You need to look for any status or error messages from network-acess-controller or nac.

You should at least see a status message for the IP Address you manually added.

Immediately after that you should see an additional status or error message for each device being managed.

If the shun is not properly applied then there should be something in the message telling you why.

(Version 4.x doesn't have as good error reporting. If the above doesn't work try going through IDM and "disabling" shunning and then re"enable" shunning. This should cause the sensor to try and reconnect to the router and will hopefully provide some additional error messages.)

Some common issues:

1) Wrong username/password

2) SSH being used to connect, but the router's SSH key is not yet trusted by the sensor. See the following link on how to add the router's key as a Known Host Key: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids11/idmguide/dmsetup.htm#wp1077185

3) Router not configured to allow access. To test this create a "service" account on the sensor. Login as the "service" account and then from that sensor account try to connect to the router using the same methods as you configured in the sensor.

4) Wrong interface configuration. For routers you need to ensure that the interface you entered in the sensor configuration matches exactly what is seen on the router when doing a "show conf". Some users have tried abbreviations for the interfaces, and some routers don't like the abbreviations.

94
Views
0
Helpful
1
Replies