Cisco Support Community
New Member

NAC shuns ignoring event filters with sp5 sig191

When I upgraded from sp 4 to sp 5 sig 189, I noticed NAC wouldn't shun connections, but hosts? Well, anyway... On Friday 9/23, upgrading from sig189 to sig191, my event filters for 3030 (which is configured to initiate a shun for that alert) stopped working and IDS started shunning servers that were once "protected" by the associated event filter. I downgraded back to 190 and the event filter started working again.

This ring a bell for anyone?

2 REPLIES
New Member

Re: NAC shuns ignoring event filters with sp5 sig191

The event actions on 4.1(4) and 4.1(5) are the same:

log
reset
shunHost
shunConnection
ZERO

I just tested that event action configurations (including shunHost and shunConnection) are merged from 4.1(4) to 4.1(5)S189 to 4.1(5)S191. I configured additional signatures in each version and they were all preserved.

New Member

Re: NAC shuns ignoring event filters with sp5 sig191

By preserved, I guess you mean that all is working for you.

I checked the configuration, all the commands (NAC, event filters) and they do appear in the configuration, but it appears as if the list is being ignored and sending a shun request to our firewall anyway. I opened a TAC case on this matter.
