Cisco Systems IPS4520K9 Network Router User Manual


 
E-62
Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1
OL-24002-01
Appendix E Troubleshooting
Troubleshooting the ASA 5500 AIP SSM
The ASA 5500 AIP SSM and the Data Plane
Symptom
The ASA 5500 AIP SSM data plane is kept in the Up state while applying signature updates.
You can check the ASA 5500 AIP SSM data plane status by using the show module command during signature updates.
Possible Cause
Bypass mode is set to off. The issue is seen when updating signatures, and when you use either CSM or IDM to apply signature updates. This issue is not seen when upgrading IPS system software.
The ASA 5500 AIP SSM and Jumbo Packet Frame Size
Refer to the following URL for information about ASA 5500 AIP SSM jumbo packet frame size:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html#wp1328869
Note
A jumbo frame is an Ethernet packet that is larger than the standard maximum of 1518 bytes (including the Layer 2 header and FCS).
The ASA 5500 AIP SSM and Jumbo Packets
The jumbo packet count in the show interface command output, from the lines Total Jumbo Packets Received and Total Jumbo Packets Transmitted, for ASA IPS modules may be larger than expected because some packets that were almost jumbo size on the wire are counted as jumbo size by the IPS. This miscount is a result of header bytes added to the packet by the ASA before the packet is transmitted to the IPS. For IPv4, 58 bytes of header data are added. For IPv6, 78 bytes of header data are added. The ASA removes the added IPS header before the packet leaves the ASA.
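The following is an added example, not code from the Cisco guide, that models the overcount described above so the show interface counters can be reconciled against what was actually on the wire. It assumes the IPS applies the 1518-byte jumbo threshold to the length it sees (wire length plus the ASA-added header); the packet mix is constructed, not a capture.

```python
# Added example (not from the Cisco guide): why the ASA IPS module's
# "Total Jumbo Packets" counters can exceed the number of jumbo frames on the wire.
# Assumption: the IPS counts a frame as jumbo when the length it sees
# (wire length + ASA-added header bytes) exceeds 1518 bytes. All sizes in bytes.

JUMBO_THRESHOLD = 1518             # standard Ethernet maximum incl. L2 header and FCS
ASA_HEADER_BYTES = {4: 58, 6: 78}  # bytes the ASA adds before handing the packet to the IPS


def is_jumbo_on_wire(length: int) -> bool:
    """True if the frame was a real jumbo frame on the wire."""
    return length > JUMBO_THRESHOLD


def is_jumbo_as_seen_by_ips(length: int, ip_version: int) -> bool:
    """True if the IPS counts the frame as jumbo after the ASA header is added."""
    return length + ASA_HEADER_BYTES[ip_version] > JUMBO_THRESHOLD


def near_jumbo_floor(ip_version: int) -> int:
    """Smallest wire length the IPS will count as jumbo for this IP version."""
    return JUMBO_THRESHOLD - ASA_HEADER_BYTES[ip_version] + 1


def reconcile_jumbo_counts(packets):
    """packets: iterable of (ip_version, wire_length).
    Returns the wire jumbo count, the IPS jumbo count, and the overcount
    attributable to near-jumbo frames pushed over the threshold by the ASA header."""
    wire = ips = 0
    for ver, length in packets:
        if is_jumbo_on_wire(length):
            wire += 1
        if is_jumbo_as_seen_by_ips(length, ver):
            ips += 1
    return {"wire_jumbo": wire, "ips_jumbo": ips, "overcount": ips - wire}


# Constructed sample traffic mix (not a capture): frames straddling both thresholds.
SAMPLE_PACKETS = [
    (4, 1400),  # ordinary IPv4 frame: not jumbo either way
    (4, 1461),  # IPv4 at the adjusted floor (1461): jumbo only to the IPS
    (4, 1518),  # largest standard frame: jumbo only to the IPS
    (4, 9000),  # real jumbo frame: counted by both
    (6, 1440),  # IPv6: 1440 + 78 = 1518, not over the threshold, so not jumbo
    (6, 1441),  # IPv6 at the adjusted floor (1441): jumbo only to the IPS
    (6, 1600),  # real IPv6 jumbo frame: counted by both
]

if __name__ == "__main__":
    print(reconcile_jumbo_counts(SAMPLE_PACKETS))  # {'wire_jumbo': 2, 'ips_jumbo': 5, 'overcount': 3}
```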
TCP Reset Differences Between IPS Appliances and ASA IPS Modules
The IPS appliance sends TCP reset packets to both the attacker and victim when Reset TCP Connection is selected. The IPS appliance sends a TCP reset packet only to the victim under the following circumstances:
When Deny Packet Inline or Deny Connection Inline is selected
When TCP-based signatures and Reset TCP Connection have NOT been selected
In the case of the ASA IPS module, the TCP reset request is sent to the ASA, and the ASA then sends the TCP reset packets. The ASA sends TCP reset packets to both the attacker and victim when Reset TCP Connection is selected. When Deny Packet Inline or Deny Connection Inline is selected, the ASA sends the TCP reset packet to either the attacker or victim depending on the configuration of the signature. Signatures configured to swap the attacker and victim when reporting the alert can cause the ASA to send the TCP reset packet to the attacker.
For More Information
For detailed information about event actions, refer to Event Actions.