Cisco IPS 4255 Sensor
Release Notes for Cisco Intrusion Prevention System 7.1(1)E4
OL-19894-01
Traffic Flow Stopped with Fail-Open Policy on IPS Switchports
Problem
Traffic on any port located on the ASA 5585-X IPS SSP (1/x) no longer passes through the
adaptive security appliance when the ASA 5585-X IPS SSP is reset or shut down. This affects all traffic
through these ports, regardless of whether or not the traffic would have been monitored by the IPS. The
ports lose link when the ASA 5585-X IPS SSP is reset or shut down, so a fail-open policy cannot keep the
traffic flowing: fail-open only governs what the adaptive security appliance does with traffic it is still able
to forward, and it cannot hold up a link whose physical port belongs to the module that was reset.
Possible Cause
Using the ports located on the ASA 5585-X IPS SSP (1/x), and resetting or shutting
down the ASA 5585-X IPS SSP via any mechanism.
Solution
Use the ports on the adaptive security appliance (0/x) instead, because those ports do not lose
link when the ASA 5585-X IPS SSP is reset or shut down. If traffic must keep flowing while the IPS SSP
is unavailable, do not terminate that traffic on the 1/x ports at all.
ASA IPS 5585-X and Jumbo Packet Frame Size
Refer to the following URL for information about the jumbo packet frame size for the ASA modules:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html#wp1328869
Note
A jumbo frame is an Ethernet packet that is larger than the standard maximum of 1518 bytes (including
the Layer 2 header and FCS).
ASA IPS 5585-X and Jumbo Packets
The jumbo packet counts shown in the Total Jumbo Packets Received and Total Jumbo Packets Transmitted
lines of the show interface command output for ASA IPS modules may be larger than expected, because
some packets that were almost jumbo size on the wire are counted as jumbo size by the IPS.
This miscount is a result of header bytes added to the packet by the ASA before the packet is transmitted
to the IPS. For IPv4, 58 bytes of header data are added. For IPv6, 78 bytes of header data are added. The
ASA removes the added IPS header before the packet leaves the ASA. For example, a 1500-byte IPv4 frame
on the wire reaches the IPS as 1558 bytes, which exceeds the 1518-byte standard maximum, so the IPS counts
it as jumbo even though it never was jumbo on the wire. The counters are therefore not a reliable indicator
that true jumbo frames are present on the wire; compare them against frame sizes from a packet capture
before concluding that jumbo frames are in use.
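The following script is an added example and is not part of the Cisco release notes. It reconciles the IPS jumbo counters with frame sizes seen on the wire (for example, frame lengths pulled from a capture) using only the figures the notes give: 58 bytes added for IPv4, 78 bytes for IPv6, and a 1518-byte standard maximum. It assumes that the IPS applies that 1518-byte threshold to the frame as it receives it, that is, including the ASA-added header; from that it derives the largest on-wire frame size that the IPS still counts as non-jumbo (1460 bytes for IPv4, 1440 bytes for IPv6). The sample frame list is constructed for illustration.

```python
"""Reconcile IPS jumbo-frame counters with frame sizes seen on the wire.

Added example, not code from the Cisco release notes. Assumptions:
  - the ASA prepends 58 bytes to IPv4 packets and 78 bytes to IPv6 packets
    before handing them to the IPS module (stated in the release notes);
  - the IPS counts a frame as jumbo when the frame it receives, header
    included, exceeds the standard Ethernet maximum of 1518 bytes.
"""

STANDARD_MAX_FRAME = 1518          # bytes, including L2 header and FCS
ASA_IPS_HEADER = {4: 58, 6: 78}    # bytes the ASA adds, keyed by IP version


def wire_is_jumbo(wire_len: int) -> bool:
    """True if the frame was a jumbo frame on the wire."""
    return wire_len > STANDARD_MAX_FRAME


def ips_counts_as_jumbo(wire_len: int, ip_version: int) -> bool:
    """True if the IPS module will count this frame as jumbo.

    The IPS sees the wire frame plus the ASA-added header, so frames that
    are merely 'almost jumbo' on the wire cross the 1518-byte threshold.
    """
    return wire_len + ASA_IPS_HEADER[ip_version] > STANDARD_MAX_FRAME


def largest_wire_len_not_counted_jumbo(ip_version: int) -> int:
    """Largest on-wire frame size that the IPS still counts as non-jumbo."""
    return STANDARD_MAX_FRAME - ASA_IPS_HEADER[ip_version]


def reconcile(frames):
    """Split a list of (wire_len, ip_version) pairs into counter buckets.

    Returns the number of frames that were truly jumbo on the wire, the
    number the IPS counter will report as jumbo, and the inflation
    (frames the IPS counts as jumbo that were not jumbo on the wire).
    """
    true_jumbo = sum(1 for n, _ in frames if wire_is_jumbo(n))
    ips_jumbo = sum(1 for n, v in frames if ips_counts_as_jumbo(n, v))
    return {
        "wire_jumbo": true_jumbo,
        "ips_reported_jumbo": ips_jumbo,
        "inflated_by_asa_header": ips_jumbo - true_jumbo,
    }


# Constructed sample: (frame length on the wire in bytes, IP version).
SAMPLE_FRAMES = [
    (64, 4),      # minimum-size frame, never jumbo
    (1460, 4),    # largest IPv4 frame the IPS will not count as jumbo
    (1461, 4),    # one byte more: IPS sees 1519 bytes and counts it
    (1500, 4),    # common full-size IPv4 frame, counted as jumbo by IPS
    (1440, 6),    # largest IPv6 frame the IPS will not count as jumbo
    (1441, 6),    # counted as jumbo by IPS
    (1518, 6),    # standard maximum on the wire, counted as jumbo by IPS
    (9000, 4),    # a real jumbo frame, counted by both
]

if __name__ == "__main__":
    for version in (4, 6):
        print(f"IPv{version}: wire frames above "
              f"{largest_wire_len_not_counted_jumbo(version)} bytes are "
              f"counted as jumbo by the IPS")
    print(reconcile(SAMPLE_FRAMES))
```

To use it against a real capture, feed reconcile() a list built from each frame's length and IP version and compare the ips_reported_jumbo figure with the Total Jumbo Packets lines from show interface; the inflated_by_asa_header figure is the part of the counter that the ASA header alone accounts for.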
Importing a New SSL Certificate
Import the new sensor's SSL certificate into each tool (for example, IDM or IME) that is used to monitor the
new sensor; a tool that still trusts only the previous sensor's certificate will not accept the new sensor's
TLS connection.
For More Information
For the procedures for configuring TLS/SSL, for the CLI refer to
for the IDM refer to
, and for
the IME refer to
Cisco Security Intelligence Operations
The Cisco Security Intelligence Operations site on Cisco.com provides intelligence reports about current
vulnerabilities and security threats. It also has reports on other security topics that help you protect your
network and deploy your security systems to reduce organizational risk.