Frequency of Sensor Authentication to PIX (Blocking Device)

cgiulini
Level 1

I have several IDS sensors configured to use PIXs as blocking devices for setting up shuns. Since upgrading to version 4.0 I've noticed that these sensors are authenticating to the PIXs very frequently - more than once per minute.

(This may have been happening all along; I coincidentally increased logging detail on these firewalls about the same time as the upgrade to version 4.x on the sensors.)

This doesn't appear to have any kind of impact on performance, but I am wondering if someone could point me to an overview of what's going on with this process. I'm assuming it's required to handle the shun / clear shun process, but I'd like to understand exactly what's going on here. Also wondering if there is any way to tune the reauthentication interval and if so, what are the performance implications of doing so?

Thanks for the feedback.

Regards,

Chad

1 Reply

stleary
Cisco Employee

The sensor should only authenticate to the PIX once when it first connects. But if you are using TACACS+ and the sensor account is set up for per-command authentication, then you might see the PIX authenticate the sensor to the NAS server whenever the sensor sends a command, possibly even including keepalive messages which are sent about every 30 seconds from the sensor to the PIX. This behavior has not changed between 3.x and 4.x.
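A way to check the reply's explanation from the firewall side, as an added example that is not part of the thread: the script below measures the gap between successive sensor authentications per firewall and flags a cadence matching the ~30 second keepalive interval, which is the signature of per-command authentication rather than a single login at connect time. The log format, firewall names and sensor addresses are constructed for the example, not real PIX syslog.

```python
from datetime import datetime
from statistics import median

# Constructed sample log lines (simplified, NOT real PIX syslog format):
# timestamp, firewall name, event, authenticating sensor address.
SAMPLE_LOG = """\
2003-07-01 10:00:00 pix-a AUTH_OK sensor=10.1.1.5
2003-07-01 10:00:30 pix-a AUTH_OK sensor=10.1.1.5
2003-07-01 10:01:00 pix-a AUTH_OK sensor=10.1.1.5
2003-07-01 10:01:31 pix-a AUTH_OK sensor=10.1.1.5
2003-07-01 10:00:00 pix-b AUTH_OK sensor=10.1.1.6
2003-07-01 11:15:00 pix-b AUTH_OK sensor=10.1.1.6
2003-07-01 10:00:00 pix-c AUTH_OK sensor=10.1.1.7
"""

KEEPALIVE_SECONDS = 30  # keepalive cadence from sensor to PIX, per the reply above

def parse_auth_events(text):
    """Return {(firewall, sensor): [datetime, ...]} from the constructed log lines."""
    events = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[3] != "AUTH_OK":
            continue  # ignore anything that is not a successful authentication
        ts = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
        sensor = parts[4].split("=", 1)[1]
        events.setdefault((parts[2], sensor), []).append(ts)
    return events

def classify_auth_pattern(timestamps, keepalive=KEEPALIVE_SECONDS, tolerance=5):
    """Classify a sensor's authentication cadence against one firewall.

    'single-session': one authentication seen (the expected auth-once-at-connect).
    'per-command':    median gap within tolerance of the keepalive interval,
                      consistent with TACACS+ per-command authentication.
    'reconnects':     repeated auths not at keepalive cadence (e.g. session drops).
    """
    times = sorted(timestamps)
    if len(times) < 2:
        return "single-session"
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if abs(median(gaps) - keepalive) <= tolerance:
        return "per-command"
    return "reconnects"

def report(text):
    """Map each (firewall, sensor) pair in the log to its cadence classification."""
    return {key: classify_auth_pattern(ts) for key, ts in parse_auth_events(text).items()}

if __name__ == "__main__":
    for (fw, sensor), verdict in report(SAMPLE_LOG).items():
        print(f"{fw} <- {sensor}: {verdict}")
```

A 'per-command' verdict on a production firewall points at the TACACS+ per-command setting for the sensor account; a 'reconnects' verdict points instead at the sensor's session to the PIX being dropped and re-established.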
