10-16-2010 07:06 AM - edited 03-10-2019 05:09 AM
2 ASAs with IPS modules are in place at our centres. One of the modules in them seems to be not present.
However, both ACLs for IPS on the primary and secondary ASAs have hit counts increasing.
These were configured by one of my previous colleagues, and I am not exposed to IPS things.
I would appreciate it if someone can help me understand why the ACL shows hits in the ASA with no IPS actually present, and what it is registering at present; if so, how to find them out.
I would like to configure the IPS fully in the primary ASA and to see its results. Please advise how this can be done, with
any commands to check about the configuration or what else needs to be configured.
Primary FW:
Mod SSM Application Name Status SSM Application Version
--- ------------------------------ ---------------- --------------------------
1 IPS Not Applicable 5.1(2)S240.0
access-list chk-Ips extended permit ip any any (hitcnt=2945667)
++++++++++++++++++++
Secondary FW:
Mod SSM Application Name Status SSM Application Version
--- ------------------------------ ---------------- --------------------------
access-list chk-Ips extended permit ip any any (hitcnt=1984842)
10-16-2010 07:51 AM
Hi,
First off, are the 2 ASAs in failover? If so, please post the output of "show failover" from both the ASAs.
Second, when you give the command "show service-policy", do you see the counters increasing for packets being redirected to the IPS module? Please post the output of "show modu 1 det", "show run policy-map" and "show run service-policy" from both the ASAs.
Thanks and Regards,
Prapanch
10-16-2010 08:25 AM
Hi,
Both ASAs are in failover state. Command results are as seen:
(some information has been changed for reasons known). Thank you.
Primary -
Failover On
Failover unit Primary
Failover LAN Interface: failover Management0/0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.0(4), Mate 8.0(4)
Last Failover at Apr 11 2010
This host: Primary - Active
Active time: 18135322 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.0(4)) status (Up Sys)
Interface local (x.x.x.x): Normal
Interface demili (x.x.x.x): Link Down (Not-Monitored)
Interface public (x.x.x.x): Normal
slot 1: ASA-SSM-10 hw/sw rev (1.0/5.1(2)S240.0) status (Down/Up)
IPS, 5.1(2)S240.0, Not Applicable
Other host: Secondary - Standby Ready
Active time: 4903690 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.0(4)) status (Up Sys)
Interface local (x.x.x.x) Normal
Interface demili (x.x.x.x) Normal (Not-Monitored)
Interface public (x.x.x.x) Normal
slot 1: ASA-SSM-10 hw/sw rev (1.0/) status (Down/Up)
Stateful Failover Logical Update Statistics
Link : failover Management0/0 (up)
Stateful Obj xmit xerr rcv rerr
General 268398284 0 37804364 2
sys cmd 2938478 0 2938478 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 263264819 0 34508386 0
UDP conn 1085810 0 205 0
ARP tbl 1109177 0 357295 2
Xlate_Timeout 0 0 0 0
VPN IKE upd 0 0 0 0
VPN IPSEC upd 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 4 42707786
Xmit Q: 0 1 285533931
----
Interface Inside:
Service-policy: chk-Ips-PMAP
Class-map: chk-Ips-CMAP
IPS: card status Down, mode promiscuous fail-open
packet input 0, packet output 8221, drop 0, reset-drop 0
Interface outside:
Service-policy: chk-Ips-PMAP
Class-map: chk-Ips-CMAP
IPS: card status Down, mode promiscuous fail-open
packet input 0, packet output 0, drop 0, reset-drop 0
-----
sh module 1 details
Getting details from the Service Module, please wait...
Unable to read details from slot 1
ASA 5500 Series Security Services Module-10
Model: ASA-SSM-10
Hardware version: 1.0
Firmware version: 1.0(10)0
Software version: 5.1(2)S240.0
App. name: IPS
App. Status: Not Applicable
App. Status Desc: Not Applicable
App. version: 5.1(2)S240.0
Data plane Status: Not Applicable
Status: Down
-----
policy-map chk-Ips-PMAP
class chk-Ips-CMAP
ips promiscuous fail-open
-----
service-policy global_policy global
service-policy chk-Ips-PMAP interface local
service-policy chk-Ips-PMAP interface public
____________________________________________________________________________________________
Secondary-
Failover On
Failover unit Secondary
Failover LAN Interface: failover Management0/0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.0(4), Mate 8.0(4)
Last Failover at Apr 11 2010
This host: Secondary - Standby Ready
Active time: 3546444 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.0(4)) status (Up Sys)
Interface local (x.x.x.x): Normal
Interface demili (x.x.x.x): Link Down (Not-Monitored)
Interface public (x.x.x.x): Normal
slot 1: ASA-SSM-10 hw/sw rev (1.0/) status (Down/Up)
Other host: Primary - Active
Active time: 17135843 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.0(4)) status (Up Sys)
Interface local (x.x.x.x): Normal
Interface demili (x.x.x.x): Normal (Not-Monitored)
Interface public (x.x.x.x): Normal
slot 1: ASA-SSM-10 hw/sw rev (1.0/5.1(2)S240.0) status (Down/Up)
IPS, 5.1(2)S240.0, Not Applicable
Stateful Failover Logical Update Statistics
Link : failover Management0/0 (up)
Stateful Obj xmit xerr rcv rerr
General 37804480 0 268398837 0
sys cmd 2938552 0 2938552 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 34508426 0 263265290 0
UDP conn 205 0 1085781 0
ARP tbl 357297 0 1109214 0
Xlate_Timeout 0 0 0 0
VPN IKE upd 0 0 0 0
VPN IPSEC upd 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 10 285535063
Xmit Q: 0 26 42707906
---
Interface Inside:
Service-policy: chk-Ips-PMAP
Class-map: chk-Ips-CMAP
IPS: card status Down, mode promiscuous fail-open
packet input 0, packet output 0, drop 0, reset-drop 0
Interface outside:
Service-policy: chk-Ips-PMAP
Class-map: chk-Ips-CMAP
IPS: card status Down, mode promiscuous fail-open
packet input 0, packet output 0, drop 0, reset-drop 0
----
Getting details from the Service Module, please wait...
Unable to read details from slot 1
ASA 5500 Series Security Services Module-10
Model: ASA-SSM-10
Hardware version: 1.0
Firmware version: 1.0(10)0
Software version:
Data plane Status: Not Applicable
Status: Down
-----
policy-map chk-Ips-PMAP
class chk-Ips-CMAP
ips promiscuous fail-open
------
service-policy global_policy global
service-policy chk-Ips-PMAP interface local
service-policy chk-Ips-PMAP interface public
10-16-2010 08:34 AM
Hi,
The failover is still working fine because the IPS modules on both the ASAs are "down". Also, on the secondary though you see acl hit count increasing, there are no packets being redirected to the IPS modules as seen from "show service-policy".
I am not sure why the "show modu" output does not show any IPS module though we can see it in "show failover" and "show modu 1 det". It seems like the IPS in the secondary ASA has no image installed on it. Try reseating and re-imaging the IPS module on the secondary and the primary and see if it helps bring the status UP.
Thanks and Regards,
Prapanch
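The point in the answer above is that an increasing ACL hit count only proves the class-map is matching traffic; whether anything is inspected depends on the card status and the fail mode shown by "show service-policy". With "ips promiscuous fail-open" and a card that is Down, matched traffic is simply forwarded with no inspection at all. The following is an added example (not from the thread or from Cisco) that parses "show service-policy" output and flags that condition; the sample output is constructed for the example and modelled on the thread's lines, with the second interface's "Up"/"inline fail-close" values invented to show the contrast.

```python
import re

# Constructed sample "show service-policy" output. The first block mirrors the
# thread (card Down, promiscuous fail-open); the second block is an invented
# healthy inline/fail-close case for contrast. Not output from a real device.
SAMPLE_SERVICE_POLICY = """\
Interface local:
  Service-policy: chk-Ips-PMAP
    Class-map: chk-Ips-CMAP
      IPS: card status Down, mode promiscuous fail-open
        packet input 0, packet output 8221, drop 0, reset-drop 0
Interface public:
  Service-policy: chk-Ips-PMAP
    Class-map: chk-Ips-CMAP
      IPS: card status Up, mode inline fail-close
        packet input 51234, packet output 51230, drop 4, reset-drop 0
"""

IFACE_RE = re.compile(r"^Interface (\S+):")
IPS_RE = re.compile(r"IPS: card status (\w+), mode (\w+) (fail-open|fail-close)")
COUNT_RE = re.compile(
    r"packet input (\d+), packet output (\d+), drop (\d+), reset-drop (\d+)"
)


def parse_service_policy(text):
    """Return {interface: {card, mode, fail, input, output, drop, reset_drop}}
    for every IPS action found in pasted "show service-policy" output.
    Indentation is ignored, so flattened forum pastes parse the same way."""
    result = {}
    iface = None
    for raw in text.splitlines():
        line = raw.strip()
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = IPS_RE.search(line)
        if m and iface:
            result[iface] = {"card": m.group(1), "mode": m.group(2), "fail": m.group(3)}
            continue
        m = COUNT_RE.search(line)
        if m and iface in result:
            result[iface].update(
                input=int(m.group(1)),
                output=int(m.group(2)),
                drop=int(m.group(3)),
                reset_drop=int(m.group(4)),
            )
    return result


def audit(parsed):
    """Return one finding per interface whose IPS action is not actually
    inspecting traffic. fail-open with a Down card is the silent case: the
    ACL and class-map keep matching, but every packet bypasses the module."""
    findings = []
    for iface, s in sorted(parsed.items()):
        if s["card"] != "Up":
            if s["fail"] == "fail-open":
                findings.append(
                    f"{iface}: IPS card {s['card']}, {s['fail']}: "
                    "matched traffic is forwarded UNINSPECTED"
                )
            else:
                findings.append(
                    f"{iface}: IPS card {s['card']}, {s['fail']}: "
                    "matched traffic is being DROPPED"
                )
        elif s.get("input", 0) == 0:
            findings.append(
                f"{iface}: IPS card Up but packet input 0: nothing reaches the module"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(parse_service_policy(SAMPLE_SERVICE_POLICY)):
        print(finding)
```

Paste the real "show service-policy" output from each unit in place of the sample string. Any "UNINSPECTED" finding means the ACL hit counter is measuring class-map matches, not inspections, which is exactly the situation described in the thread.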
10-16-2010 08:41 AM
Thanks for that. It is likely (I was told so) that the secondary ASA has a faulty IPS, which is either taken out of the module or not working due to the problem.
I have not had any chance to physically see the status.
Since one of the ASAs has IPS packets being directed to it, how can we check what these counts or packets being inspected by the IPS are?
Any links for reference would also help. We need to see what the IPS is detecting and how to mitigate it if it is a threat.
Thanks.
10-16-2010 08:46 AM
Hi,
Well, all IP packets are being redirected to the IPS module as per the access-list configuration (permit ip any any). But I am not sure if the IPS is actually inspecting anything, as the IPS on the primary ASA is "down" too.
If you manage to get GUI(IDM/IME) access to the module (https://IP_address_of_IPS), you can go to "Monitoring" and view all events being generated based on the packets being inspected by the IPS module.
Regards,
Prapanch
10-16-2010 08:58 AM
Is there a way to get the IP for the IPS with any command from the ASA?
Thanks.
10-16-2010 09:09 AM
The "show modu 1 det" on the ASA will give those details. But since the IPS is "down" as seen below:
sh module 1 details
Getting details from the Service Module, please wait...
Unable to read details from slot 1
ASA 5500 Series Security Services Module-10
Model: ASA-SSM-10
Hardware version: 1.0
Firmware version: 1.0(10)0
Software version: 5.1(2)S240.0
App. name: IPS
App. Status: Not Applicable
App. Status Desc: Not Applicable
App. version: 5.1(2)S240.0
Data plane Status: Not Applicable
Status: Down
We are not able to see those details. I would suggest reseating the module and then re-imaging it as well if that doesn't help.
Regards,
Prapanch
10-16-2010 09:23 AM
I appreciate your help. I will follow the advice and see the result.
Thank You.
10-16-2010 09:31 AM
Sure. Do let me know how it goes.
Thanks and Regards,
Prapanch