Cisco Support Community
New Member

Problems with blocking


I use an IDSM and I've been trying to get the blocking feature to work for some time now. The sensor is running only in promiscuous mode and my goal is to use our FWSM or the Cisco 7301 Internet-facing router to block off attacks; however, I cannot get either option to work.

When trying to block using the 7301 I get

"Unable to execute a host block [] on [] because no blocking interfaces are configured  name=errSystemError"

My IDSM configuration for the device is


      Type = Cisco
      IP =
      NATAddr =
      Communications = ssh-3des
      ResponseCapabilities = block|rateLimit

         InterfaceName = GigabitEthernet0/2
         InterfaceDirection = in
         InterfacePreBlock = 100
         InterfacePostBlock = 110

When trying the FWSM I get

  errorMessage: firewall [] can not perform this connection block : src ip [Public attacker IP] src port [2595] dest addr [masqueraded internal IP] dest port [80].  name=errSystemError 

The special issue with the IDSM-FWSM is that I use VLAN capture to gather an entire VLAN transporting unencrypted data between our Co-Lo sites; my guess is that the IDSM OR the FWSM cannot understand which interface should be used with the shun.

Two different errors giving me the same problem: no blocking option. Anyone have any ideas?



Cisco Employee

Re: Problems with blocking


  What versions of software are running on the involved devices (IDSM-2, FWSM, 7301)?

  I note that the 7300 series is not currently listed as supported for blocking.

  What is the full output of 'sh stat net' command issued from the IDSM-2 CLI?

  The issue may be due to the nature that the shun command does not support connection or network blocking, but only host blocking.  Also, per the user guide, blocking is not supported in multiple mode admin context.  This is discussed here:


New Member

Re: Problems with blocking

I have an apology to extend to those spending time on my issue. After a few hours of troubleshooting I found the answer but forgot to post an update.

The problem was that the public keys under "known hosts" didn't match the target IPs anymore. I hadn't used blocking for a while and a few firewall failovers and a hardware change caused a mismatch. Bad thing is that the logging on the IDSMs couldn't show this.
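The root cause above was a stale known-hosts entry: the SSH host key the sensor had recorded for the blocking device no longer matched the key the device actually presented after failovers and a hardware swap, and the sensor's own logging did not surface the mismatch. The following is an added example, not code from the original thread or from Cisco, that shows the kind of check an operator can run out of band: parse a known-hosts style table keyed by device IP, fingerprint each stored key, and compare it with the key currently observed from each device, reporting "match", "mismatch" or "unknown". The key blobs, IPs and observed keys are all constructed placeholders, and the known-hosts format is the OpenSSH one, assumed here for illustration rather than the IDSM's internal storage format.

```python
import base64
import hashlib

# Constructed sample known-hosts table (OpenSSH style: host, key type, base64 blob).
# The blobs are made-up placeholders, not real device keys.
KNOWN_HOSTS = """
# blocking devices recorded by the sensor
192.0.2.10 ssh-rsa QUFBQUJCQkI=
192.0.2.20 ssh-rsa Q0NDQ0REREQ=
"""

# Constructed sample of what each device presents now, e.g. after a firewall
# failover or a hardware change. 192.0.2.20 now presents a different key and
# 192.0.2.30 was never recorded at all.
OBSERVED_KEYS = {
    "192.0.2.10": ("ssh-rsa", "QUFBQUJCQkI="),
    "192.0.2.20": ("ssh-rsa", "RUVFRUZGRkY="),
    "192.0.2.30": ("ssh-rsa", "R0dHR0hISEg="),
}


def fingerprint(b64_blob):
    """Return the OpenSSH-style SHA256 fingerprint of a base64 key blob."""
    raw = base64.b64decode(b64_blob)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text):
    """Parse 'host keytype blob' lines into {host: (keytype, blob)}; skip comments."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed entry; ignore rather than trust it
        host, key_type, blob = parts[0], parts[1], parts[2]
        table[host] = (key_type, blob)
    return table


def check_hosts(known, observed):
    """Compare observed device keys against the recorded ones by fingerprint."""
    results = {}
    for host, (obs_type, obs_blob) in observed.items():
        if host not in known:
            results[host] = "unknown"
            continue
        rec_type, rec_blob = known[host]
        if rec_type == obs_type and fingerprint(rec_blob) == fingerprint(obs_blob):
            results[host] = "match"
        else:
            results[host] = "mismatch"
    return results


def run_check():
    """Entry point: returns the per-host verdicts for the constructed sample."""
    return check_hosts(parse_known_hosts(KNOWN_HOSTS), OBSERVED_KEYS)


if __name__ == "__main__":
    for host, verdict in sorted(run_check().items()):
        print(f"{host:<12} {verdict}")
```

A "mismatch" verdict is exactly the condition the sensor failed to log in the thread above: the blocking device is reachable, but the sensor will refuse the SSH session and the block request fails with a generic system error. Running a comparison like this after any failover or hardware replacement of a blocking device, and then re-recording the device's host key on the sensor, avoids discovering the problem only when a block is needed.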


