Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

PIX 6.2 shunning

I'm trying to make the IDS shun.

In Administration>Manual Blocking I can see that the Net Device is in "Password Sent" state. On time to time I see some ip addresses as it they were being blocked in that url. But, a "show shun" or "show shun statistics" gives no result.Moreover, the error.managed log gives lots of "Comm timeout " and Read Error messages.

I think that the blocking devices properties configured on the IDS Device Manager are right.

Can anybody help me?????

  • Other Security Subjects
10 REPLIES
Cisco Employee

Re: PIX 6.2 shunning

A successful login and establishment of a communications session

with the net device is indicated by the "Active" state. "Password sent"

state along with comm timeouts and read error messages indicates

a problem has occurred. Here are several actions you can try:

1. Establish a session with the PIX from the sensor command line,

using the same username, password and enable password that

has been configured for the sensor. This will tell you if the sensor is

configured correctly.

2. Are you using Telnet or SSH? Due to a known bug,

Telnet sessions between a 3.x sensor and a 6.2.1 PIX cannot be

established. If this is the case, you have 2 options:

- Configure the sensor to use SSH to talk to the PIX. This will

require you to have a 3DES license on the PIX.

- Open a TAC case and ask for the engineering release of

nr.managed that fixes DDTS CSCdx55215. This will allow

you to use Telnet to talk to the PIX.

New Member

Re: PIX 6.2 shunning

I'm using Telnet, as we don't have 3DES license, but DES.

The PIX version is 6.2.2 , not 6.2.1 . Do you know if the bug also happens with this version? It looks like that.

New Member

Re: PIX 6.2 shunning

Why would you need a 3DES license on the PIX? We use ssh all the time to connect to our Pix's and are running a single DES license. I would suggest setting up ssh access to the PIX from the IDS and giving it a shot. It should work with the single DES license that you have.

Cisco Employee

Re: PIX 6.2 shunning

As Sean said, make sure you use the command line as user netrangr and use ssh -l pix -c des first and accept the certificate. Otherwise it will not work.

New Member

Re: PIX 6.2 shunning

Right

I can connect from command . But I guess I should have to configure certain IDS file so that the automatic connection is made using DES, shouldn't ?

Which configuration file is that? I don't have too much knowledge about Solaris

Cisco Employee

Re: PIX 6.2 shunning

Clarification: The PIX supports DES connections but the 3.0 sensor

does not. There is no configuration file you can edit that will change

this; it requires a sensor application code update. This update will

be forthcoming in the 4.0 sensor. In the meanwhile, you have 3

options:

1. Obtain the nr.managed engineering build described elsewhere on

this thread and continue to use Telnet to connect to the PIX.

2. Upgrade your PIX license to 3DES and use SSH to connect.

3. Open a TAC case and request an engineering build of nr.managed

that supports DES.

New Member

Re: PIX 6.2 shunning

i´m with you m-raft. i think it should work, but i get another error:

syslog on my 6.2.2 pix:

%PIX-6-315011: SSH session from 1.1.1.1 on interface inside for user "" disconnected by SSH server, reason: "Invalid message length" (0x00)

the "debug ssh" output shows, that DES connection is established, but a data packetis too long:

25: SSH: Device opened successfully.

26: SSH: host key initialised

27: SSH1: SSH client: IP = '1.1.1.1' interface # = 1

28: SSH1: starting SSH control process

29: SSH1: Exchanging versions - SSH-1.5-Cisco-1.25

30: SSH1: send SSH message: outdata is NULL

31: SSH1: receive SSH message: 83 (83)

32: SSH1: client version is - SSH-1.5-OpenSSH_3.1p1

33: SSH1: begin server key generation

34: SSH1: complete server key generation, elapsed time = 530 ms

35: SSH1: declare what cipher(s) we support: 0x00 0x00 0x00 0x04

36: SSH1: send SSH message: SSH_SMSG_PUBLIC_KEY (2)

37: SSH1: SSH_SMSG_PUBLIC_KEY message sent

38: SSH1: receive SSH message: SSH_CMSG_SESSION_KEY (3)

39: SSH1: SSH_CMSG_SESSION_KEY message received - msg type 0x03, length 144

40: SSH1: client requests DES cipher: 2

41: SSH1: send SSH message: SSH_SMSG_SUCCESS (14)

42: SSH1: keys exchanged and encryption on

43: SSH1: incoming data packet too long: data len (1466004078) + padding = 1466004080 > max (6152)

44: SSH1: big packet received during session setup (state = 4), so drop the connection

45: SSH1: receive SSH message: [no message ID: variable *data is NULL]

46: SSH1: send SSH message: SSH_MSG_DISCONNECT (1)

47: SSH1: Session disconnected by SSH server - error 0x00 "Invalid message length"

what could cause this problem ???

Cisco Employee

Re: PIX 6.2 shunning

The error occurs because IDS 3.0 sensors can not establish

an SSH connection to a PIX using DES encryption. This problem

will be fixed in the 4.0 sensor. See my other post for alternatives

you can try until then.

Cisco Employee

Re: PIX 6.2 shunning

The Telnet bug affects all 6.2.x PIX versions.

If you would like to continue using Telnet, you can download the

engineering build of nr.managed from CCO (ask your TAC

contact exactly where to find it and how to install). A future version of

IDS will fix Telnet support, as well as allowing SSH connections to

PIXes that have DES licenses.

208
Views
5
Helpful
10
Replies
This widget could not be displayed.