Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
446
Views
0
Helpful
4
Replies

S246 caused sensor to stop passing traffic

jshelmer
Level 1
Level 1

‎08-23-2006 05:08 PM - edited ‎03-10-2019 03:11 AM

I applied S246 to AIP-SSM-10's this evening. The AIP-SSM-10's are running 5.1(2). The update said it was successful, but after it completed it caused all traffic going through the sensor to drop. I've stopped sending traffic through the sensor from the ASA, but what's the next step?

sh ver tell me that MainApp and AnalysisEngine are Running. What's the next step to troubleshoot?

Labels:
0 Helpful
4 Replies 4

ssnapp
Level 1
Level 1

‎08-24-2006 06:45 AM

The first thing to do is log into the CLI and look at output from "show int" to see if any traffic is getting to the sensor. Specifically look for Total Packets Received from the sensing interface. Then look at "show stat virt" to see if any traffic is getting into the virtual sensor.

It is also possible you didn't wait long enough for the sig update to complete. It could take a while to rebuild certain cache files even after reporting a successful update, and during that time the sensor would not be passing any traffic.

If you can't determine what is going on from the "show int" and "show stat virt", your best bet is to collect a "show tech" from both the ASA and the SSM module and open a TAC case so that the support engineers can look at it.

0 Helpful

jshelmer
Level 1
Level 1
In response to ssnapp

‎08-24-2006 11:18 AM

Thanks for the pointers. It appears that traffic is getting to the sensor interface, but is getting marked as errors.

kssnchqips2# sh int gigabitEthernet0/1

MAC statistics from interface GigabitEthernet0/1

Interface function = Sensing interface

Description =

Media Type = backplane

Missed Packet Percentage = 100

Inline Mode = Unpaired

Pair Status = N/A

Link Status = Up

Link Speed = Auto_1000

Link Duplex = Auto_Full

Total Packets Received = 1054106281

Total Bytes Received = 1025753691656

Total Multicast Packets Received = 0

Total Broadcast Packets Received = 0

Total Jumbo Packets Received = 0

Total Undersize Packets Received = 0

Total Receive Errors = 3934

Total Receive FIFO Overruns = 57

Total Packets Transmitted = 1054104717

Total Bytes Transmitted = 1025753383141

Total Multicast Packets Transmitted = 0

Total Broadcast Packets Transmitted = 0

Total Jumbo Packets Transmitted = 0

Total Undersize Packets Transmitted = 0

Total Transmit Errors = 0

Total Transmit FIFO Overruns = 0

kssnchqips2#

The "Total Packets Received" counter is not incrementing.

But the "Total Bytes Received" counter is going up.

The "Total Receive Errors" also increment with each packet I send to the IPS.

0 Helpful

ssnapp
Level 1
Level 1
In response to jshelmer

‎08-24-2006 01:23 PM

The only time I have seen something like this after a sig update was when the service account was used to ifconfig up the sensing interface in order to use tcpdump directly on the sensing interface.

Please get a "show tech" from the sensor and open a TAC case. Have the TAC engineer escalate this to IPS development so we can look at the information.

After getting a show tech, can you reset (reboot) the sensor to reload the interface drivers and see if this resolves it?

0 Helpful

jshelmer
Level 1
Level 1
In response to ssnapp

‎08-25-2006 06:33 AM

Thank you.

The "sh tech" has been attached to case 604241911.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card