Make sure that you enable the desired interfaces (including subinterfaces) on the router for packet monitoring. You can select any number of interfaces or subinterfaces to be monitored. The packets sent and received on these interfaces are forwarded to NM-CIDS for inspection. You enable and disable the interfaces through the router CLI (Cisco IOS).
A common situation seen in the field is that the sensor may be monitoring traffic on 2 sides of a router or firewall.
So traffic is seen coming from the client as it goes to the router, and then again from the router to the server. And vice versa for traffic from the server to the router.
This double monitoring can sometimes look like an attack is taking place.
If you do have this situation, then the best solution is to monitor each side of the router with a different virtual sensor. This way each virtual sensor only sees one copy of each packet.
This method can be done for both inline and promiscuous deployments.
Some platforms have a 1 virtual sensor limit while others have a 4 virtual sensor limit. If you are monitoring more networks than the number of virtual sensors, then you won't be able to monitor each network with a separate virtual sensor. If you are doing inline monitoring, then there is another option. There is an inline-TCP-session-tracking mode configuration that can be set to "interface-and-vlan". With this setting the virtual sensor will separately track TCP sessions across the 2 or more networks.
If you truly are monitoring just a single network, then the above is unlikely to be your problem.
The packets you've captured, however, are not enough to test the sensor. Your packet captures are only capturing the end of your TCP session.
If you replay them to the sensor, the sensor will likely ignore the packets.
You will need to capture a complete TCP session including the initial SYN packet that starts the connection.
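
One way to check a capture before replaying it, following the point above about the initial SYN (an added example, not part of the original post): the Python below parses a classic pcap file and lists the TCP sessions whose opening SYN was not captured. The function names, addresses, ports and sample frames are constructed for illustration.

```python
import struct

def tcp_frame(src, dst, sport, dport, flags):
    """Build a constructed Ethernet/IPv4/TCP frame (no payload, zero checksums)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, bytes(src), bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    return eth + ip + tcp

def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap file (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def sessions_missing_syn(pcap):
    """Return the TCP sessions in a pcap whose initial SYN is not in the capture."""
    if len(pcap) < 24 or pcap[:4] != struct.pack("<I", 0xA1B2C3D4):
        raise ValueError("only classic little-endian pcap is handled here")
    seen, has_syn, off = [], set(), 24
    while off + 16 <= len(pcap):
        incl = struct.unpack("<I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 carrying TCP
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:]
        if len(tcp) < 14:
            continue  # truncated TCP header
        sport, dport = struct.unpack("!HH", tcp[:4])
        a, b = (frame[26:30], sport), (frame[30:34], dport)
        key = (min(a, b), max(a, b))  # same key for both directions
        if key not in seen:
            seen.append(key)
        if tcp[13] & 0x02 and not tcp[13] & 0x10:  # SYN without ACK = initial SYN
            has_syn.add(key)
    return [k for k in seen if k not in has_syn]

C, S = [10, 0, 0, 5], [10, 0, 1, 9]  # constructed client and server addresses
SAMPLE = build_pcap([
    tcp_frame(C, S, 40000, 80, 0x02), tcp_frame(S, C, 80, 40000, 0x12),
    tcp_frame(C, S, 40000, 80, 0x10),   # session 1: full handshake captured
    tcp_frame(C, S, 40001, 80, 0x18), tcp_frame(S, C, 80, 40001, 0x11),
])                                      # session 2: only the tail captured
if __name__ == "__main__":
    print(sessions_missing_syn(SAMPLE))
```
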