IDSM EtherChannel Question

In the config guide for the IDSM, it states:

To make sure that the same traffic is assigned to the two data ports on each IDSM-2, you must assign the

same EtherChannel index to both data ports on each of the IDSM-2s even though they are in different

EtherChannel groups.

Can anyone tell me how to change the EtherChannel index? I have successfully assigned the data ports to a port channel, but I cannot figure out how to change the EtherChannel index.


Re: IDSM EtherChannel Question

The 'note' mentioned in the configuration guide is a little misleading. By index they mean interface index of the data port (1 or 2). At least this is my understanding.

e.g.

intrusion-detection module 4 data-port 1 channel-group 5
intrusion-detection module 4 data-port 2 channel-group 6
intrusion-detection module 5 data-port 1 channel-group 5
intrusion-detection module 5 data-port 2 channel-group 6

They are just telling us not to worry about the 'two' data ports of the IDSM-2 being in TWO different EtherChannel groups. We have to make sure that the 'first data port' on both IDSM-2s is assigned to the same group, and the second data port (data-port 2) is assigned to the same group, and not mixed around like this:

intrusion-detection module 4 data-port 1 channel-group 6
intrusion-detection module 4 data-port 2 channel-group 5
intrusion-detection module 5 data-port 1 channel-group 5
intrusion-detection module 5 data-port 2 channel-group 6

Please rate if helpful.

Regards

Farrukh
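The rule above (each data-port index must map to one and the same channel-group on every IDSM-2) is easy to get wrong by hand. The following is an added example, not code from the thread or from Cisco, that parses 'show run | inc intrusion' style lines and reports any data-port index whose modules disagree; both sample configs are constructed from the two listings above.

```python
import re
from collections import defaultdict

# Constructed samples modelled on the two listings above (not the poster's attachment).
CONSISTENT = """
intrusion-detection module 4 data-port 1 channel-group 5
intrusion-detection module 4 data-port 2 channel-group 6
intrusion-detection module 5 data-port 1 channel-group 5
intrusion-detection module 5 data-port 2 channel-group 6
"""

MIXED = """
intrusion-detection module 4 data-port 1 channel-group 6
intrusion-detection module 4 data-port 2 channel-group 5
intrusion-detection module 5 data-port 1 channel-group 5
intrusion-detection module 5 data-port 2 channel-group 6
"""

LINE_RE = re.compile(
    r"^\s*intrusion-detection module (\d+) data-port (\d+) channel-group (\d+)\s*$"
)


def parse_data_ports(config_text):
    """Return {(module, data_port): channel_group} for every matching line."""
    assignments = {}
    for line in config_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            module, port, group = (int(x) for x in m.groups())
            assignments[(module, port)] = group
    return assignments


def check_index_consistency(assignments):
    """Group modules by data-port index and report indexes whose modules disagree.

    Returns {data_port: {channel_group: [modules...]}} for inconsistent indexes
    only; an empty dict means every data-port index shares one channel-group.
    """
    by_port = defaultdict(lambda: defaultdict(list))
    for (module, port), group in assignments.items():
        by_port[port][group].append(module)
    return {port: dict(groups) for port, groups in by_port.items() if len(groups) > 1}


if __name__ == "__main__":
    print("consistent:", check_index_consistency(parse_data_ports(CONSISTENT)))
    print("mixed:", check_index_consistency(parse_data_ports(MIXED)))
```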

Re: IDSM EtherChannel Question

That makes more sense, and that is how I have it configured. Strangely, one set of IDSM modules is working, and the other is not. Oh well, I guess I need to take it down another path. Thanks for your help.

Re: IDSM EtherChannel Question

If you could post your related configuration and topology, maybe I or someone else might be able to help.

Regards

Farrukh

Re: IDSM EtherChannel Question

Ok, sorry about the delay in posting configs. Here we go.

SW1 contains IDSM units 1 and 2, and is working fine.

SW2 contains IDSM units 3 and 4, and is not working.

Both switches are running Adv Enterprise 12.2(33)SXH.

All IDSM are running 6.1(1)E2.

SW1 is peering with an ME6524 over the VLANS I am trying to inspect, and the peering works fine. SW2 is peering with an ME6524 over the VLANS I am trying to inspect, and the peering keeps going up and down. CDP shows the neighbor just fine. Here is the output from the console.

SW2#
Oct 27 07:52:43.693: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.254.253.13 (Vlan255) is up: new adjacency
SW2#
Oct 27 07:54:03.204: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.254.253.13 (Vlan255) is down: Interface Goodbye received
SW2#
Oct 27 07:54:07.484: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.254.253.13 (Vlan255) is up: new adjacency

Re: IDSM EtherChannel Question

Are regular pings working THROUGH this IDSM? (You should employ simple testing before troubleshooting why EIGRP is not forming adjacencies.)

Is it possible to post the configuration of the IDSM and the 'show run | inc intrusion' of the host switch?

Regards

Farrukh

Re: IDSM EtherChannel Question

Pings are not working through the IDSM on switch number 2. They do work on switch 1. I posted the configs of all 4 IDSM units and "sh run | i intru" in the attached zip file in my previous post. I can repost if it is not working for you.

Re: IDSM EtherChannel Question

I saw your configurations; they seem OK. Can you tell me your setup in more detail?

X >>> VLAN 255 IPS >> VLAN 256 >> Y

What are X and Y? What are the IPs? Are the corresponding switchports set to the correct VLAN? Can you see MACs through the IPS (layer 2)? e.g. by doing a 'show arp'

Regards

Farrukh

Re: IDSM EtherChannel Question

Ok. The ME6524 has interface vlan256. It is 10.254.253.13/30. It has an access port in vlan 256 plugged in to g7/43 on SW2. G7/43 is an access port in vlan 256. SW2 has an SVI in interface vlan 255.

The setup is pretty much the same on SW1. It has an SVI on vlan 254. SW1 G7/43 is an access port in vlan 253. An ME6524 is plugged in to that port on SW1, and it has an SVI on vlan 253 with an access port on vlan 253 plugged in to SW1.

The ARP table for SW1 shows itself and the ME6524. The ARP table for SW2 shows itself and 'Incomplete' for the ME6524.

When I do a "packet display" on the IPS unit module 3 in SW2, I see the 6509 ARPs go out looking for the ME6524, but no returns. I am seeing the ARPs on both interfaces in module 3. In module 4, I see both the ME6524 and the 6509 sending EIGRP packets to 224.0.0.10, no matter which interface I sniff.

Re: IDSM EtherChannel Question

I would recommend re-initializing both IDSMs in SW2 from scratch and then trying again. Or, as a test, you can let go of EtherChannel and configure only ONE of them to test things out. I would also recommend keeping the spanning tree settings at the default and not changing the cost etc.

Regards

Farrukh

Re: IDSM EtherChannel Question

I completely blew away the configs and reconfigured, and it is working now. Not sure what it was, because I just copied and pasted the configs back in! Anyway, thanks for your help, happs.

Re: IDSM EtherChannel Question

I'm glad it's working now :). And thanks to Microsoft for teaching us the 'restart and fix' technique :).

Regards

Farrukh

Re: IDSM EtherChannel Question

Well, it looks like I spoke too soon. Once I took the IDSMs out of bypass mode, they will not pass TACACS traffic. Other traffic will pass, but I cannot get my switches to talk to the ACS box. I can ping, SSH, RDP, etc but no TACACS. Any ideas?

Re: IDSM EtherChannel Question

The TACACS stops working once the IPS stops inspecting or when it is in bypass mode?

There are some TCP normalization signatures that have a 'Deny' action by default; maybe they are denying this traffic. You can either remove the deny action from all those signatures (using a few clicks only) or make an event action filter for this particular client/server flow.

Regards

Farrukh

Re: IDSM EtherChannel Question

It stops working when I take the IPS out of bypass mode and have it inspect traffic.

I will try an event action filter and see what happens. :)

Ok, another update.

It appears that in the second switch with IPS 3 and IPS 4, the traffic is not taking the same path as it does in switch 1. In switch 1, traffic between 2 certain hosts uses just IPS 1, like I would expect. In switch 2, I see traffic between 2 certain hosts going through IPS 3 in one direction, and IPS 4 in the other. So that leads me to think there is something wrong with the EtherChannel load balancing. Thoughts?

Re: IDSM EtherChannel Question

Technically the same source/dest pair should be served by the same IPS if the network has everything configured properly. It seems you have asymmetric routing; can you post the output of:

show etherchannel load-balance

Regards

Farrukh

Re: IDSM EtherChannel Question

SW1 (the one that seems to be load balancing properly)

SW1#sh etherchannel load-balance
EtherChannel Load-Balancing Configuration:
        src-dst-ip enhanced
        mpls label-ip
EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Source XOR Destination MAC address
  IPv4: Source XOR Destination IP address
  IPv6: Source XOR Destination IP address
  MPLS: Label or IP

SW2 (the one that seems to not be load balancing properly)

SW2#sh etherchannel load-balance
EtherChannel Load-Balancing Configuration:
        src-dst-ip enhanced
        mpls label-ip
EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Source XOR Destination MAC address
  IPv4: Source XOR Destination IP address
  IPv6: Source XOR Destination IP address
  MPLS: Label or IP

Re: IDSM EtherChannel Question

What are your inline normalizer settings in the virtual sensor?

Regards

Farrukh

Re: IDSM EtherChannel Question

My Inline TCP Session Tracking Mode is Interface and VLAN.

My Normalizer Mode is Strict Evasion Protection.

You think the Normalizer should be in Asymmetric Mode Protection?

Re: IDSM EtherChannel Question

Yes that would be worth a try (At least to test if it does the trick).

Regards

Farrukh

Re: IDSM EtherChannel Question

Ok, way late update. Asymmetric mode works. I have a TAC case open, and they have moved it from the security team to the switching team, and they think it is a load balancing issue, not an IDSM issue. :(

Re: IDSM EtherChannel Question

Ok, that's great, keep us posted :)

Regards

Farrukh

Re: IDSM EtherChannel Question

Ok, another update. I have been working with TAC for a while now. I had 3 total TAC engineers on a WebEx session doing ELAM superman captures on the switch. We observed traffic from A to B selecting one interface in the EtherChannel, but traffic from B to A selects the other interface in the EtherChannel. So they are going to get together back there in RTP and work out a solution. In other words, I am still not inspecting traffic. :(

Re: IDSM EtherChannel Question

Thanks for the update. Must be something wrong with their EC hashing or spanning tree I guess.

Regards

Farrukh

Re: IDSM EtherChannel Question

Thanks for the update.

Pretty cryptic description written by the TAC engineer though.

Regards

Farrukh
