
PIX redundant pair(s) and shunning from IDS

DSmirnov
Level 1

It looks like an IDS sensor will lose communication with the PIX firewall(s) if the primary fails over to the secondary in the redundant pair (if SSH is used as the transport method, the public host key will be different for the same IP). Unfortunately I don't think there is an event/alert from the IDS about the problem.

Is there any way to prevent/recognize it? Is there any way to share SSH keys in a redundant PIX setup?

4 Replies

astuckey
Level 1

You have correctly diagnosed the problem and as far as I am aware there is no known fix.

rkrist
Level 1

Hi,

The reason for the 'communication breakdown' is the (SSH) host-key checking in the Red Hat OS of the sensor.

Here's a 'dirty' trick that works for me.

Log in to the sensor with the service account and type the following commands:

su

Type in the password of the service account again.

cd /etc/ssh/

Edit the ssh_config file.

Uncomment the following line:

StrictHostKeyChecking no (that means delete the # in front)

Save the ssh_config file.

Now you have disabled the strict check. Unfortunately this is a global option!

This may be a good temporary solution, but I am not tremendously happy with this as a long-term approach. It tends to defeat the benefits of using SSH for communications.

Any idea as to whether a better solution is available or in development?

Regards,

Chad Giulini

There is a DDTS Issue created for this:

http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCeb36035

I am not sure what release it will be addressed in.
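The workaround posted above (rkrist's edit of /etc/ssh/ssh_config) turns host-key checking off for every SSH destination on the sensor. The script below is an added example, not code from this thread or from Cisco: it keeps strict checking on and instead pins both units' host keys under the shared failover IP, so the sensor can verify whichever PIX is active. OpenSSH accepts a connection when any of several known_hosts lines for the same name matches, so the failover no longer looks like a changed key. A second function shows the narrower form of the post's change (a Host-scoped block) as a fallback. The failover IP 10.1.1.1, the known_hosts path and the two key strings are assumptions; the keys are constructed placeholders, not real PIX keys.

```shell
#!/bin/sh
# Added example, not code from the thread or from Cisco: a narrower
# alternative to turning StrictHostKeyChecking off for every destination.
# Instead of relaxing checking, pin both units' host keys under the shared
# failover IP so the sensor verifies whichever unit is active.
#
# Assumptions (all hypothetical): the PIX failover IP is 10.1.1.1, and the two
# key strings below are constructed placeholders standing in for the primary
# and secondary units' real keys. In practice each key is captured while that
# unit is active, e.g. 'ssh-keyscan -t rsa 10.1.1.1' run once per unit.

PIX_IP="10.1.1.1"
KNOWN_HOSTS="${KNOWN_HOSTS:-/root/.ssh/known_hosts}"

# Constructed sample keys (not real PIX host keys).
PRIMARY_KEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0primary0unit"
SECONDARY_KEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0secondary0unit"

# Append "<ip> <key>" to a known_hosts file unless that exact line is already
# there. sshd(8) permits several lines with different keys for the same name;
# the client accepts the connection when any one of them matches, so a
# failover no longer looks like a changed key.
pin_host_key() {
    file="$1"; ip="$2"; key="$3"
    line="$ip $key"
    touch "$file"
    grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# Number of keys pinned for an IP (exact first-field match, so the dots in
# the address are not treated as regex wildcards). Two once both units are
# added.
pinned_key_count() {
    awk -v ip="$1" '$1 == ip { n++ } END { print n + 0 }' "$2"
}

# Fallback when the second unit's key cannot be collected up front: scope the
# post's global setting to the one host that needs it. Options under a Host
# line apply only to destinations matching that pattern, so every other SSH
# target on the sensor keeps strict checking. Note that even with
# StrictHostKeyChecking no, OpenSSH still warns about a changed key and
# restricts some authentication methods on that connection.
scoped_relax_block() {
    printf 'Host %s\n    StrictHostKeyChecking no\n' "$1"
}

# Usage on the sensor (set KNOWN_HOSTS=/tmp/kh first for a dry run):
#   pin_host_key "$KNOWN_HOSTS" "$PIX_IP" "$PRIMARY_KEY"
#   pin_host_key "$KNOWN_HOSTS" "$PIX_IP" "$SECONDARY_KEY"
#   pinned_key_count "$PIX_IP" "$KNOWN_HOSTS"              # prints 2
#   scoped_relax_block "$PIX_IP" >> /etc/ssh/ssh_config    # fallback only
```

Pinning is the approach that keeps the SSH guarantee Chad is worried about: the sensor still refuses any key it has not seen, it just knows both of the pair's keys in advance. The scoped block is strictly better than the global edit in the post only in that it limits the exposure to the firewall address; it does not restore verification for that address.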
