I'm trying to make the IDS shun.
In Administration>Manual Blocking I can see that the Net Device is in "Password Sent" state. From time to time I see some IP addresses as if they were being blocked in that URL. But a "show shun" or "show shun statistics" gives no result. Moreover, the error.managed log gives lots of "Comm timeout" and Read Error messages.
I think that the blocking devices properties configured on the IDS Device Manager are right.
Can anybody help me?????
A successful login and establishment of a communications session
with the net device is indicated by the "Active" state. "Password sent"
state along with comm timeouts and read error messages indicates
a problem has occurred. Here are several actions you can try:
1. Establish a session with the PIX from the sensor command line,
using the same username, password and enable password that
has been configured for the sensor. This will tell you if the sensor is
2. Are you using Telnet or SSH? Due to a known bug,
Telnet sessions between a 3.x sensor and a 6.2.1 PIX cannot be
established. If this is the case, you have 2 options:
- Configure the sensor to use SSH to talk to the PIX. This will
require you to have a 3DES license on the PIX.
- Open a TAC case and ask for the engineering release of
nr.managed that fixes DDTS CSCdx55215. This will allow
you to use Telnet to talk to the PIX.
I'm using Telnet, as we don't have 3DES license, but DES.
The PIX version is 6.2.2, not 6.2.1. Do you know if the bug also happens with this version? It looks like that.
Why would you need a 3DES license on the PIX? We use SSH all the time to connect to our PIXes and are running a single DES license. I would suggest setting up SSH access to the PIX from the IDS and giving it a shot. It should work with the single DES license that you have.
As Sean said, make sure you use the command line as user netrangr and use ssh -l pix -c des
I can connect from the command line. But I guess I would have to configure a certain IDS file so that the automatic connection is made using DES, shouldn't I?
Which configuration file is that? I don't have too much knowledge about Solaris
Clarification: The PIX supports DES connections but the 3.0 sensor
does not. There is no configuration file you can edit that will change
this; it requires a sensor application code update. This update will
be forthcoming in the 4.0 sensor. In the meanwhile, you have 3
1. Obtain the nr.managed engineering build described elsewhere on
this thread and continue to use Telnet to connect to the PIX.
2. Upgrade your PIX license to 3DES and use SSH to connect.
3. Open a TAC case and request an engineering build of nr.managed
that supports DES.
I'm with you m-raft. I think it should work, but I get another error:
syslog on my 6.2.2 pix:
%PIX-6-315011: SSH session from 126.96.36.199 on interface inside for user "" disconnected by SSH server, reason: "Invalid message length" (0x00)
The "debug ssh" output shows that the DES connection is established, but a data packet is too long:
25: SSH: Device opened successfully.
26: SSH: host key initialised
27: SSH1: SSH client: IP = '188.8.131.52' interface # = 1
28: SSH1: starting SSH control process
29: SSH1: Exchanging versions - SSH-1.5-Cisco-1.25
30: SSH1: send SSH message: outdata is NULL
31: SSH1: receive SSH message: 83 (83)
32: SSH1: client version is - SSH-1.5-OpenSSH_3.1p1
33: SSH1: begin server key generation
34: SSH1: complete server key generation, elapsed time = 530 ms
35: SSH1: declare what cipher(s) we support: 0x00 0x00 0x00 0x04
36: SSH1: send SSH message: SSH_SMSG_PUBLIC_KEY (2)
37: SSH1: SSH_SMSG_PUBLIC_KEY message sent
38: SSH1: receive SSH message: SSH_CMSG_SESSION_KEY (3)
39: SSH1: SSH_CMSG_SESSION_KEY message received - msg type 0x03, length 144
40: SSH1: client requests DES cipher: 2
41: SSH1: send SSH message: SSH_SMSG_SUCCESS (14)
42: SSH1: keys exchanged and encryption on
43: SSH1: incoming data packet too long: data len (1466004078) + padding = 1466004080 > max (6152)
44: SSH1: big packet received during session setup (state = 4), so drop the connection
45: SSH1: receive SSH message: [no message ID: variable *data is NULL]
46: SSH1: send SSH message: SSH_MSG_DISCONNECT (1)
47: SSH1: Session disconnected by SSH server - error 0x00 "Invalid message length"
What could cause this problem?
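An added triage helper, not from this thread or from Cisco, that walks the "debug ssh" lines quoted above and reports how far the SSH1 handshake got before the PIX dropped the session; the sample transcript is the one above, trimmed, and the cipher-number table is the one from the SSH 1.5 protocol (bit n of the server's mask means cipher n is offered). It generalises slightly beyond this post by also classifying transcripts that fail earlier in the handshake.

```python
import re

# Constructed sample: the "debug ssh" lines from the post above, trimmed to the ones
# the triage looks at (a real capture also carries the other numbered lines).
SAMPLE_DEBUG = """\
29: SSH1: Exchanging versions - SSH-1.5-Cisco-1.25
32: SSH1: client version is - SSH-1.5-OpenSSH_3.1p1
35: SSH1: declare what cipher(s) we support: 0x00 0x00 0x00 0x04
40: SSH1: client requests DES cipher: 2
42: SSH1: keys exchanged and encryption on
43: SSH1: incoming data packet too long: data len (1466004078) + padding = 1466004080 > max (6152)
47: SSH1: Session disconnected by SSH server - error 0x00 "Invalid message length"
"""

# SSH protocol 1.5 cipher numbers; "client requests DES cipher: 2" uses the same numbering.
SSH1_CIPHERS = {0: "none", 1: "IDEA", 2: "DES", 3: "3DES", 4: "TSS", 5: "RC4", 6: "Blowfish"}


def decode_cipher_mask(hex_bytes):
    """Turn '0x00 0x00 0x00 0x04' (big-endian bytes) into the offered cipher names."""
    mask = int("".join(b[2:] for b in hex_bytes.split()), 16)
    return [name for bit, name in SSH1_CIPHERS.items() if mask & (1 << bit)]


def triage_ssh1_debug(text):
    """Walk a PIX 'debug ssh' transcript and say at which handshake step it failed."""
    r = {"client_version": None, "server_ciphers": [], "requested_cipher": None,
         "encryption_on": False, "oversized_len": None, "max_len": None, "verdict": None}
    for line in text.splitlines():
        if m := re.search(r"client version is - (\S+)", line):
            r["client_version"] = m.group(1)
        elif m := re.search(r"cipher\(s\) we support: ((?:0x[0-9a-fA-F]{2}\s?)+)", line):
            r["server_ciphers"] = decode_cipher_mask(m.group(1))
        elif m := re.search(r"client requests (\w+) cipher", line):
            r["requested_cipher"] = m.group(1)
        elif "keys exchanged and encryption on" in line:
            r["encryption_on"] = True
        elif m := re.search(r"data len \((\d+)\).*> max \((\d+)\)", line):
            r["oversized_len"], r["max_len"] = int(m.group(1)), int(m.group(2))
    if r["encryption_on"] and r["oversized_len"] is not None:
        # A nonsense length on the first encrypted packet means both ends agreed a cipher
        # but do not decrypt to the same bytes: a cipher/implementation mismatch, not a
        # reachability or password problem (the thread: IDS 3.0 cannot do DES to the PIX).
        r["verdict"] = "cipher mismatch after key exchange"
    elif r["client_version"] is None:
        r["verdict"] = "no version exchange: connectivity, or SSH not permitted for the sensor"
    elif not r["encryption_on"]:
        r["verdict"] = "failed before key exchange: host key or cipher negotiation"
    else:
        r["verdict"] = "handshake completed"
    return r
```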
The error occurs because IDS 3.0 sensors can not establish
an SSH connection to a PIX using DES encryption. This problem
will be fixed in the 4.0 sensor. See my other post for alternatives
you can try until then.
The Telnet bug affects all 6.2.x PIX versions.
If you would like to continue using Telnet, you can download the
engineering build of nr.managed from CCO (ask your TAC
contact exactly where to find it and how to install). A future version of
IDS will fix Telnet support, as well as allowing SSH connections to
PIXes that have DES licenses.