PostPosted: Wed Apr 25, 2012 8:15 am 
Ultimate Member

Joined: Wed Aug 03, 2011 12:24 pm
Posts: 507
Location: Charleston, SC
Certs: MCSE, MCP+I, SEC+ (working on CCENT/CCNA)
Folks-

Trying to get logged into my IDS on our ASA.

I did a "show module" while in the ASA's CLI, found which module is the IPS (module 1), then did a "show module 1 details". This showed me the IP address associated with that IPS, told me it's UP, and so on.

There's also a Mgmt Access List. The workstation I am trying to reach the IPS from is on that list.

So I attempt to reach the IPS from the ASDM GUI. From the Home screen, I click the Intrusion Prevention tab. It asks me for the particulars to connect. I type in the IP I got above, double-check the port is correct (again, referring to "show module 1 details"), and username/pass (I'd reset the username/pass from the ASDM GUI Tools menu, and waited at least 5 minutes before attempting, as I understand the system reboots the IPS module after resetting the pass. Password defaults to user cisco, pass cisco apparently).

I then get a STOP error "Error connecting to sensor. Error loading sensor".

Seems to me I have verified the module is UP and functioning, yet I can't log in. Obviously the problem must be with me; what could I be doing wrong? Does my logic seem reasonable so far?


PostPosted: Wed Apr 25, 2012 8:27 am 
Member

Joined: Fri Nov 13, 2009 4:42 pm
Posts: 199
Certs: CCIE R&S
Can you log into the sensor from the cli? 'session 1'


PostPosted: Wed Apr 25, 2012 8:35 am 
Ultimate Member

Joined: Wed Aug 03, 2011 12:24 pm
Posts: 507
Location: Charleston, SC
Certs: MCSE, MCP+I, SEC+ (working on CCENT/CCNA)
willroute4food:

Thanks for replying. I am new to this stuff, so pardon my lack of knowledge in advance please. :)

I tried that. Logged into our ASA via CLI, escalated privs, did a session 1 and it took the default pass. I immediately changed that, and am presently logged into the CLI of the IPS.


PostPosted: Wed Apr 25, 2012 8:39 am 
Ultimate Member

Joined: Wed Aug 03, 2011 12:24 pm
Posts: 507
Location: Charleston, SC
Certs: MCSE, MCP+I, SEC+ (working on CCENT/CCNA)
Ah, the light begins to glow dimly, here....

<hostname># session 1
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.
<mega-snippage here>
***LICENSE NOTICE***
The license key on the SSM-IPS10 has expired.
The system will continue to operate with the currently installed
signature set. A valid license must be obtained in order to apply
signature updates. Please go to http://www.cisco.com/go/license
to obtain a new license or install a license.
<hostname>#


PostPosted: Wed Apr 25, 2012 8:45 am 
Member

Joined: Fri Nov 13, 2009 4:42 pm
Posts: 199
Certs: CCIE R&S
Ha! No problem man, that's what forums are all about, right? So now you could do a show config and see what's actually going on with that thing. You could also just run 'setup'; the parameters in the current config will be set as your default setup options, but the prompts will give you a chance to modify them if you would like.


PostPosted: Wed Apr 25, 2012 9:04 am 
Ultimate Member

Joined: Wed Aug 03, 2011 12:24 pm
Posts: 507
Location: Charleston, SC
Certs: MCSE, MCP+I, SEC+ (working on CCENT/CCNA)
I am presently logging output of a "show tech-support" to a text file, having done a "show config" too.


PostPosted: Wed Apr 25, 2012 9:17 am 
Ultimate Member

Joined: Wed Aug 03, 2011 12:24 pm
Posts: 507
Location: Charleston, SC
Certs: MCSE, MCP+I, SEC+ (working on CCENT/CCNA)
OK, gave up on the logging show tech-support. Nuts to that!

Basically I need to find out if it's in promiscuous mode. I am digging around and nothing's jumping out at me ...


PostPosted: Wed Apr 25, 2012 9:19 am 
Member

Joined: Fri Nov 13, 2009 4:42 pm
Posts: 199
Certs: CCIE R&S
Ah, you should have said so. That's declared on the ASA, in your policy-map configuration.


PostPosted: Wed Apr 25, 2012 9:45 am 
Ultimate Member

Joined: Wed Aug 03, 2011 12:24 pm
Posts: 507
Location: Charleston, SC
Certs: MCSE, MCP+I, SEC+ (working on CCENT/CCNA)
Let me guess, the info would come from the GUI "IPS" configuration page?

Can't get there.


PostPosted: Wed Apr 25, 2012 9:52 am 
Member

Joined: Fri Nov 13, 2009 4:42 pm
Posts: 199
Certs: CCIE R&S
Nope, in the ASDM go to Firewall -> Service Policies. Look for your IDS policy in there. Or go in the CLI and do a 'show policy-map', and you should see your IPS policy nested in that map.


PostPosted: Wed Apr 25, 2012 9:56 am 
Ultimate Member

Joined: Wed Aug 03, 2011 12:24 pm
Posts: 507
Location: Charleston, SC
Certs: MCSE, MCP+I, SEC+ (working on CCENT/CCNA)
Logged into the CLI and escalated to priv exec mode. No such command as "show policy-map" (I'd tried it earlier, it was the first thing that came to mind... and it seems to be nonexistent, thus my problem).

In the GUI, went to Config/Firewall. Service Policy Rules show two rulesets but neither is apparently affiliated with the IPS (I may be wrong, though).


PostPosted: Wed Apr 25, 2012 10:06 am 
Ultimate Member

Joined: Wed Aug 03, 2011 12:24 pm
Posts: 507
Location: Charleston, SC
Certs: MCSE, MCP+I, SEC+ (working on CCENT/CCNA)
more info:

In the GUI, I go to the Configuration tab, Firewall section. Under Service Policy Rules, I have an "inspection_default"... I double-click it to examine it.

Traffic Classification tab: "Default Inspection Traffic" is selected (under the "Traffic Match Criteria" subsection).

I click on the Default Inspections tab: many services/protocols/ports are listed.

I click on the Rule Actions tab: Many selections are made on the Protocol Inspection subtab. I leave that alone, click on "Intrusion Prevention" subtab... system pops up a "Rule Actions" stop window with the error "You have specified default inspection traffic as the traffic match criterion. Only inspect rule actions can be specified for the default inspection traffic". I do note that the information shown on the Intrusion Prevention tab (if I move the error message aside) reflects the "Enable IPS for this traffic flow" radio button is not selected, mode defaults to Inline.

I have got TONS to learn about this stuff yet. Yikes... :/


PostPosted: Wed Apr 25, 2012 10:10 am 
Member

Joined: Fri Nov 13, 2009 4:42 pm
Posts: 199
Certs: CCIE R&S
It was probably never set up correctly then, if there's not a different class-map/policy for the IPS. I usually do like an ACL that matches all traffic, and use it in my IPS class-map. Then I will insert that class-map into a policy-map (sometimes the global), and place my IPS parameters in there (i.e. promiscuous, fail-open, etc...).


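The configuration willroute4food describes above (an ACL matching all traffic, referenced from a class-map, inserted into a policy-map with the IPS parameters), written out as an added ASA CLI example; this is not configuration posted in the thread or taken from the original poster's ASA. The names IPS_TRAFFIC and IPS_CLASS are made up for the example; global_policy is the ASA's default global policy-map, and the slot number 1 matches the "show module 1 details" / "session 1" used earlier in the thread. The show commands at the end are how to confirm what actually got applied (the original poster's "show policy-map" is not an ASA command, but "show running-config policy-map" and "show service-policy" are).

```cisco
! Constructed example: send all traffic through the IPS module in slot 1
! in promiscuous mode with fail-open behaviour.
! IPS_TRAFFIC and IPS_CLASS are example names, not from the thread.

! 1. ACL that matches all IP traffic
access-list IPS_TRAFFIC extended permit ip any any

! 2. Class-map that selects traffic via that ACL
class-map IPS_CLASS
 match access-list IPS_TRAFFIC

! 3. Add the class to the default global policy-map, next to the
!    existing inspection_default class, and set the IPS parameters.
!    promiscuous: the module gets a copy of each packet and cannot drop
!    anything inline; it can only alert (or shun via the ASA).
!    fail-open: if the module goes down, traffic keeps flowing uninspected.
!    The stricter alternative is "ips inline fail-close".
policy-map global_policy
 class IPS_CLASS
  ips promiscuous fail-open

! 4. Apply the policy-map globally (already present on a default ASA;
!    repeating it is harmless)
service-policy global_policy global

! 5. Verify from privileged exec mode
! show running-config policy-map
! show service-policy
! show module 1 details
```

Promiscuous plus fail-open is the lowest-risk combination for availability, and the weakest for enforcement: the sensor only observes, and a failed module silently stops inspection. If the requirement is that no traffic passes uninspected, the same class gets "ips inline fail-close" instead, and the show service-policy counters are the place to confirm packets are actually being handed to the module.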
PostPosted: Wed Apr 25, 2012 10:11 am 
Member

Joined: Fri Nov 13, 2009 4:42 pm
Posts: 199
Certs: CCIE R&S
Here's a good start for you!
http://www.cisco.com/en/US/products/ps6 ... 35ca.shtml

