New Member

Blocking on Router

We have several appliance sensors in place. I recently switched over to the IDSMC + Security Monitor (VMS 2.1) package from CSPM. I am having problems getting the blocking feature to work (it has always worked) on our internet perimeter sensors.

Communications between the sensor and the router are fine; I can manually telnet from the sensor.

Added the router as a blocking device, with correct passwords and interface.

When I attempt to do a manual block from the security monitor (event viewer) I get the message that the sensor does not have the proper services enabled. I can't find anything in the documentation that I haven't done yet.

1 REPLY
Cisco Employee

Re: Blocking on Router

I am not familiar with IDS MC, but here are a few things you can check directly on your sensor:

1) Is the sensor configured to start managed?

Check the /usr/nr/etc/daemons file and see if nr.managed is listed near the bottom of the file (NOTE: lines beginning with # are comments and will be ignored).

If nr.managed is not listed then verify your config in IDS MC and try pushing a new configuration. If this doesn't work contact the TAC.

2) Is the managed configuration updated?

Look in the /usr/nr/etc/managed.conf file, and see if the entries for your router are listed.

If the configuration for your router is not in the file, then verify your config in IDS MC and try pushing a new configuration. If this doesn't work contact the TAC.

3) Is managed running?

Type nrstatus and look for the nr.managed process.

If managed is not running then look for any errors in the /usr/nr/var/errors.managed file. Correct any errors you see and try again.

You can also try nrstop;nrstart and see if this starts up managed.

If managed is still not running, and the above config files were correct then contact the TAC.

4) Is managed responding to queries?

Type nrvers and see if managed responds.

If you receive a "timeout" for the version query to managed, then it is not responding. Contact the TAC.

5) Is managed able to block for local block requests?

Type: nrexec 10003 hostid# orgid# 1 30 ShunHost 1.1.1.1 10

Replacing hostid# and orgid# with the actual numbers for your sensor.

Then type: nrget 10003 hostid# orgid# 1 ShunHostList

You should see 1.1.1.1 in the Block List.

If this doesn't work then contact the TAC.

If this works then local blocking is working, and it could be just a problem in Security Monitor so at this point try stopping and restarting Security Monitor and try it again.
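
The file checks from steps 1 to 3 of the reply above, collected into one shell script. This is an added example, not part of the original reply and not Cisco tooling. It assumes a grep that supports -F, -w and -q, and that the router's entries in managed.conf contain its IP address as literal text; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: the file-level checks from steps 1-3 of the reply.
# Paths are the ones named in the reply; override via environment to test on copies.
DAEMONS_FILE=${DAEMONS_FILE:-/usr/nr/etc/daemons}
MANAGED_CONF=${MANAGED_CONF:-/usr/nr/etc/managed.conf}
MANAGED_ERRORS=${MANAGED_ERRORS:-/usr/nr/var/errors.managed}

# Step 1: nr.managed must be on a line that is not a '#' comment.
managed_enabled() {
    [ -r "$1" ] || return 2
    grep -v '^[[:space:]]*#' "$1" | grep -q 'nr\.managed'
}

# Step 2: the router must appear in managed.conf.
# Assumption: its entries contain the router's IP address as literal text.
router_configured() {
    [ -r "$1" ] || return 2
    grep -Fwq -- "$2" "$1"
}

# Step 3: a non-empty errors file means managed has logged errors.
managed_errors_logged() {
    [ -s "$1" ]
}

# Run all three checks; returns 0 only if steps 1 and 2 pass.
check_blocking() {
    rc=0
    if managed_enabled "$DAEMONS_FILE"; then
        echo "OK    nr.managed is listed in $DAEMONS_FILE"
    else
        echo "FAIL  nr.managed missing or commented out in $DAEMONS_FILE"; rc=1
    fi
    if router_configured "$MANAGED_CONF" "$1"; then
        echo "OK    $1 found in $MANAGED_CONF"
    else
        echo "FAIL  $1 not found in $MANAGED_CONF"; rc=1
    fi
    if managed_errors_logged "$MANAGED_ERRORS"; then
        echo "WARN  errors logged in $MANAGED_ERRORS (last 5 lines):"
        tail -n 5 "$MANAGED_ERRORS"
    fi
    return $rc
}

# Usage: sh check_blocking.sh <router-ip>
[ "$#" -eq 0 ] || check_blocking "$1"
```

A FAIL on either of the first two checks corresponds to the reply's advice to verify the configuration in IDS MC and push it again.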
