Cisco Systems IPS4520K9 Network Router User Manual


 
E-74
Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1
OL-24002-01
Appendix E Troubleshooting
Troubleshooting the ASA 5585-X IPS SSP
TCP Reset Differences Between IPS Appliances and ASA IPS Modules
The IPS appliance sends TCP reset packets to both the attacker and victim when Reset TCP Connection
is selected. The IPS appliance sends a TCP reset packet only to the victim under the following
circumstances:
When Deny Packet Inline or Deny Connection Inline is selected
When TCP-based signatures and Reset TCP Connection have NOT been selected
In the case of the ASA IPS module, the TCP reset request is sent to the ASA, and the ASA then sends
the TCP reset packets. The ASA sends TCP reset packets to both the attacker and victim when Reset
TCP Connection is selected. When Deny Packet Inline or Deny Connection Inline is selected, the ASA
sends the TCP reset packet to either the attacker or victim depending on the configuration of the
signature. Signatures configured to swap the attacker and victim when reporting the alert can cause the
ASA to send the TCP reset packet to the attacker.
For More Information
For detailed information about event actions, refer to Event Actions.
Troubleshooting the ASA 5585-X IPS SSP
Note
Before troubleshooting the ASA 5585-X IPS SSP, check the Caveats section of the Readme for the
software version installed on your sensor to see if you are dealing with a known issue.
This section contains troubleshooting information specific to the ASA 5585-X IPS SSP, and contains
the following topics:
Failover Scenarios, page E-74
Traffic Flow Stopped on IPS Switchports, page E-76
Health and Status Information, page E-76
The ASA 5585-X IPS SSP and the Normalizer Engine, page E-79
The ASA 5585-X IPS SSP and Jumbo Packet Frame Size, page E-80
The ASA 5585-X IPS SSP and Jumbo Packets, page E-80
Health and Network Security Information, page E-81
Failover Scenarios
The following failover scenarios apply to the ASA 5585-X in the event of configuration changes,
signature/signature engine updates, service packs, and SensorApp crashes on the ASA 5585-X IPS SSP.
Single ASA 5585-X in Fail-Open Mode
If the ASA is configured in fail-open mode for the ASA 5585-X IPS SSP, and the
ASA 5585-X IPS SSP experiences a configuration change or signature/signature engine update,
traffic is passed through the ASA without being inspected.
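The following audit check is an added example, not part of the Cisco guide: it scans an ASA running configuration for traffic classes redirected to the IPS with fail-open, which are the classes that pass uninspected during the events described above. The sample configuration is constructed, the function names are hypothetical, and the parser assumes the ASA Modular Policy Framework form "ips {inline | promiscuous} {fail-close | fail-open} [sensor name]".

```python
import re

# Constructed sample of an ASA running-config (not taken from the guide).
SAMPLE_CONFIG = """\
class-map ips_class
 match access-list IPS_TRAFFIC
policy-map global_policy
 class inspection_default
  inspect dns
 class ips_class
  ips inline fail-open
 class dmz_class
  ips promiscuous fail-close sensor vs1
service-policy global_policy global
"""

# Assumed syntax: ips {inline|promiscuous} {fail-close|fail-open} [sensor NAME]
IPS_LINE = re.compile(
    r"^ips\s+(inline|promiscuous)\s+(fail-open|fail-close)(?:\s+sensor\s+(\S+))?$")

def audit_ips_failure_mode(config_text):
    """Return one dict per 'ips' redirection found under a policy-map class."""
    findings = []
    policy = traffic_class = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):
            # A top-level command opens a policy-map block or closes the current one.
            policy = line.split()[1] if line.startswith("policy-map ") else None
            traffic_class = None
            continue
        if policy is None:
            continue
        if line.startswith("class "):
            traffic_class = line.split()[1]
            continue
        match = IPS_LINE.match(line)
        if match and traffic_class:
            findings.append({"policy": policy, "class": traffic_class,
                             "mode": match.group(1), "failure": match.group(2),
                             "sensor": match.group(3)})
    return findings

def fail_open_classes(findings):
    """Classes whose traffic is passed uninspected while the IPS SSP is unavailable."""
    return [f for f in findings if f["failure"] == "fail-open"]
```

Run it against the output of "show running-config" saved to a file, and review each fail-open class to confirm that uninspected pass-through is an accepted trade-off for that traffic.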