Problem with shun on PIX 6.2

anavarro
Level 1

Is anyone else having issues with a 4210 sensor 3.1(2)S23 using the shun command on a PIX 515 running version 6.2(1)? It worked fine until the PIX OS was upgraded.

Anything different that needs to be done?

Thanks,

Aaron

5 Replies

jlively
Cisco Employee

This is a known problem (See DDTS CSCdx55215).

Here is the release note:

Symptom: managed is no longer able to shun on a pix after loading 6.2(1).

Condition: Loaded version 6.2(1) on a pix. Managing the pix in telnet mode.

Work Around: Use SSH to manage the pix. This works fine.

Ok, I'll give it a try.

Thanks

We have the same problem with a 4210 trying to shun a PIX 520 [6.2(2)].

Using Telnet it doesn't work.

Using SSH, we saw from the Deb Packet of the traffic between the IDS and the PIX that the IDS is trying to execute this file: /usr/libexec/ssh-askpass.

But it doesn't exist in that directory of the IDS (we have four 4210 and one 4230, and none of them has this file).

Obviously nothing happens on the PIX (no shun).

We use CSPM 2.3.3i - IDS are up to date (3.1(s28)).

What's the clue?

I think the problem described in CSCdx55215 only applies to IDS sensors that use telnet to connect to a 6.2 PIX.

Telnet will not work unless the sensor is on the inside network, with regards to the PIX.

SSH should always work if the sensor and the PIX have been configured correctly.

If you are still not able to shun on the PIX, please provide more details, or open a TAC case and ask for me as the DE.

A common cause of inability to shun on the PIX is if the user forgets to manually execute the ssh client on the sensor to connect to the PIX, in order to perform the initial key exchange.

Another common problem is if the PIX only has a DES license installed. Sensors require the PIX to have a 3DES license.

Users who want to continue using telnet to connect to a 6.2 PIX can obtain a Beta version of nr.managed which supports this. Please open a TAC case if you want to do this.

Here is a link which may help with configuration issues:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids8/13870_01.htm#xtocid16

skeetin44
Level 1

There are a couple of bug numbers below that may be related to your issue.

I found them in the release notes for S(23).

CSCdx53199: PIX version 6.2 code does not create shun lists

CSCdx55215: managed shunning does not work with pix running 6.2.1

Hope this helps,

Eric
