Release Notes for Cisco Intrusion Prevention System 5.1(8)E2
OL-20154-01
Restrictions and Limitations
Step 7
Copy your license key from a sensor to a server to keep a backup copy of the license:
sensor# copy license-key scp://user@10.89.147.3://tftpboot/dev.lic 
Password: *******
sensor#
For More Information
For the procedure for adding remote hosts to the SSH known hosts list, refer to 
For the procedure for making a remote host a TLS trusted host, refer to .
For more information on Cisco service contracts, see .
Restrictions and Limitations
The following restrictions and limitations apply to Cisco IPS 5.1(8)E2 software and the products that run 5.1(8)E2:
An IPS appliance can support both promiscuous and inline monitoring at the same time; however, you must configure each physical interface in either promiscuous or inline mode. Because inline monitoring requires the use of two sensing interfaces, the sensor must contain at least three physical sensing interfaces to perform both promiscuous and inline monitoring. The exceptions to this are AIP-SSM-10 and AIP-SSM-20. AIP-SSM can support both promiscuous and inline monitoring on its single physical back plane interface inside the ASA. The configuration on the main ASA can be used to designate which packets/connections should be monitored by AIP-SSM as either promiscuous or inline.
You can configure only one IDSM-2 for inline monitoring between two VLANs. Configuring more than one IDSM-2 in inline mode between the same two VLANs can cause a packet loop in the switch. If you need to use more than one IDSM-2 in inline mode in the switch, you must configure each IDSM-2 for inline monitoring for a unique set of two VLANs.
NM-CIDS does not run in inline mode.
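The three interface restrictions above (one mode per physical interface, at least three sensing interfaces when a sensor mixes promiscuous and inline monitoring, and a unique VLAN pair per inline IDSM-2 in a switch) are easy to get wrong in a change ticket. The following is an added pre-deployment check, not Cisco code: the SensorPlan class and the slot-to-VLAN-pair dictionary are an invented representation of a planned deployment, and the GigabitEthernet0/N interface names are only sample strings.

```python
"""Pre-deployment check for the interface restrictions listed above.

Added example, not Cisco code. SensorPlan and the slot/VLAN dictionary are an
invented representation of a planned deployment; interface names follow the
GigabitEthernet0/N style of the IPS 4255 sensing ports but any strings work.
"""
from dataclasses import dataclass, field

AIP_SSM_MODELS = {"AIP-SSM-10", "AIP-SSM-20"}


@dataclass
class SensorPlan:
    model: str                                        # e.g. "IPS-4255", "AIP-SSM-10", "NM-CIDS"
    promiscuous: list = field(default_factory=list)   # sensing interfaces in promiscuous mode
    inline_pairs: list = field(default_factory=list)  # [(if_a, if_b), ...] inline interface pairs


def check_sensor(plan):
    """Return the list of restriction violations for one sensor (empty list = OK)."""
    problems = []
    if plan.model in AIP_SSM_MODELS:
        # Exception in the release notes: AIP-SSM does both modes on its single
        # backplane interface; the ASA configuration decides which traffic goes where.
        return problems
    if plan.model == "NM-CIDS" and plan.inline_pairs:
        problems.append("NM-CIDS does not run in inline mode")
    inline_ifaces = [i for pair in plan.inline_pairs for i in pair]
    # Each physical interface is in either promiscuous or inline mode, not both.
    both = set(plan.promiscuous) & set(inline_ifaces)
    if both:
        problems.append(f"interfaces assigned to both modes: {sorted(both)}")
    if len(inline_ifaces) != len(set(inline_ifaces)):
        problems.append("an interface appears in more than one inline pair")
    # Inline needs two sensing interfaces, so mixing modes needs at least three.
    if plan.promiscuous and plan.inline_pairs:
        physical = len(set(plan.promiscuous) | set(inline_ifaces))
        if physical < 3:
            problems.append(f"promiscuous plus inline needs at least 3 sensing "
                            f"interfaces, plan uses {physical}")
    return problems


def idsm2_vlan_pair_conflicts(inline_pairs_by_slot):
    """inline_pairs_by_slot: {slot: (vlan_a, vlan_b)} for the IDSM-2 modules in
    one switch. Two modules inline between the same two VLANs can loop packets,
    so return [(vlan_pair, [slots])] for every VLAN pair used more than once."""
    slots_by_pair = {}
    for slot, (a, b) in inline_pairs_by_slot.items():
        # Order of the two VLANs does not matter: (10, 20) and (20, 10) are the same pair.
        slots_by_pair.setdefault(frozenset((a, b)), []).append(slot)
    return [(tuple(sorted(pair)), sorted(slots))
            for pair, slots in slots_by_pair.items() if len(slots) > 1]


if __name__ == "__main__":
    plan = SensorPlan("IPS-4255", promiscuous=["GigabitEthernet0/0"],
                      inline_pairs=[("GigabitEthernet0/1", "GigabitEthernet0/2")])
    print(check_sensor(plan) or "sensor plan OK")
    # Constructed switch: slots 5 and 6 both inline between VLANs 10 and 20.
    print(idsm2_vlan_pair_conflicts({5: (10, 20), 6: (20, 10), 7: (30, 40)}))
```

Run it against the planned interface assignments before cutting over; an empty list from check_sensor and from idsm2_vlan_pair_conflicts means the plan satisfies the restrictions as stated here.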
We do not support deploying an IPS sensor monitoring two sides of a network device that does TCP sequence number randomization.
The PIX and ASA Firewalls and other security devices support a feature known as TCP Sequence Randomization. The initial TCP packets for a connection have their initial Sequence Numbers randomized as they flow through the firewall. A sensor monitoring the side of the firewall where the TCP client is located as well as monitoring the side of the firewall where the TCP server is located sees the same TCP session twice, but with different sequence numbers. If the sensor is monitoring in promiscuous mode, this can confuse the TCP Reassembly software, and the sensor may not be able to properly track the TCP session and may not be able to send alerts for any attacks within the TCP connection. If the sensor is monitoring in inline mode (inline interface pair or inline VLAN pair), it sees the TCP packets with the randomized sequence numbers as being out of order when compared to the original sequence numbers. When this happens, the inline sensor drops/denies the TCP packets with the randomized sequence numbers and prevents the TCP connection from continuing.
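To make the sequence-randomization problem concrete, the following added example (not Cisco code) models a sensor that taps both sides of a firewall which rewrites the client's initial sequence number. A minimal flow tracker keyed on the 4-tuple, as a sensor would key it, shows that the copies from the far side fall outside the expected window and are treated as out-of-order segments, which is what an inline sensor would deny. The second function is the check a defender can run on a capture from the sensor's monitoring interfaces: two SYNs for the same 4-tuple with different ISNs within a short interval indicate that the sensor placement straddles a randomizing device. The packets, addresses, payloads and the OFFSET value are constructed, and the model ignores NAT so both taps show the same 4-tuple.

```python
"""Sensor straddling a TCP-sequence-randomizing firewall: toy model of the
problem described above plus a placement check a defender can run on a capture.

Added example, not Cisco code. Packets are constructed tuples; the only firewall
behaviour modelled is the ISN rewrite (no NAT), so both taps show the same
4-tuple. OFFSET, addresses and payloads are made up for illustration.
"""
from collections import defaultdict

OFFSET = 0x1F3A9C00                       # constructed: how far the firewall shifts the client ISN
CLIENT, SERVER = ("10.1.1.10", 40000), ("192.0.2.5", 80)
REQUEST = [b"GET /index.html HTTP/1.1\r\n", b"Host: www.example.com\r\n", b"\r\n"]


def client_side_segments(tap, isn, t0):
    """SYN followed by the request data, as seen at one tap.
    Packet tuple: (time, tap, src, dst, flags, seq, payload)."""
    pkts = [(t0, tap, CLIENT, SERVER, "S", isn, b"")]
    seq, t = isn + 1, t0 + 0.010
    for chunk in REQUEST:
        pkts.append((t, tap, CLIENT, SERVER, "A", seq, chunk))
        seq += len(chunk)
        t += 0.010
    return pkts


def capture(randomized):
    """What a sensor sees when it taps both the inside and the outside of the firewall."""
    inside = client_side_segments("inside", 1000, 0.000)
    shift = OFFSET if randomized else 0
    outside = client_side_segments("outside", 1000 + shift, 0.001)
    return sorted(inside + outside)   # time order, as a promiscuous sensor receives them


class StreamTracker:
    """Minimal one-direction reassembler keyed on the flow (src, dst) like a sensor."""
    WINDOW = 65535

    def __init__(self):
        self.expected = {}
        self.stream = defaultdict(bytes)
        self.dropped = 0        # out-of-window: what an inline sensor would deny
        self.duplicates = 0     # retransmissions, harmless

    def feed(self, pkt):
        _, _, src, dst, flags, seq, data = pkt
        key = (src, dst)
        if flags == "S":
            self.expected.setdefault(key, seq + 1)   # the first SYN seen sets the stream position
            return
        exp = self.expected.get(key)
        if exp is None or seq == exp:
            self.stream[key] += data
            self.expected[key] = seq + len(data)
        elif exp - self.WINDOW <= seq < exp:
            self.duplicates += 1
        else:
            self.dropped += 1   # randomized copy looks out of order against the tracked ISN


def track(randomized):
    """Returns (reassembled client bytes, duplicate count, dropped count)."""
    t = StreamTracker()
    for p in capture(randomized):
        t.feed(p)
    return t.stream[(CLIENT, SERVER)], t.duplicates, t.dropped


def detect_isn_rewrite(packets, max_gap=0.5):
    """Placement check: the same 4-tuple showing two SYNs with different ISNs
    within max_gap seconds means the sensor sees both sides of a device that
    rewrites sequence numbers. Returns [(flow, isn_delta)]."""
    syns = defaultdict(list)
    for t, _tap, src, dst, flags, seq, _ in packets:
        if flags == "S":
            syns[(src, dst)].append((t, seq))
    findings = []
    for flow, seen in syns.items():
        seen.sort()
        for (t1, s1), (t2, s2) in zip(seen, seen[1:]):
            if s1 != s2 and t2 - t1 <= max_gap:
                findings.append((flow, (s2 - s1) & 0xFFFFFFFF))
    return findings


if __name__ == "__main__":
    for randomized in (False, True):
        data, dups, dropped = track(randomized)
        print(f"randomized={randomized}: {len(data)} bytes reassembled, "
              f"{dups} duplicates, {dropped} dropped")
    print("placement findings:", detect_isn_rewrite(capture(True)))
```

Without randomization the far-side copies are plain duplicates; with it, every far-side segment is dropped, which is the connection-breaking behaviour the note describes for inline mode. The detect_isn_rewrite check is the practical takeaway: if it fires on a capture from the sensor, move one tap or inline pair so the sensor sees only one side of the randomizing device.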