ASA FAQ: Why does the ASA send packets to the IPS module with no IPS policy configuration?
Document ID: 116145
Contributed by Prapanch Ramamoorthy and Abhishek Prabhakar, Cisco TAC Engineers.
Jun 07, 2013
Contents
Introduction
Q. Why does the ASA send packets to the IPS module for inspection when there is no IPS policy configured?
Related Information
Introduction
This document describes why the Cisco Adaptive Security Appliance (ASA) might send traffic to an embedded service module for inspection when there is no Intrusion Prevention System (IPS) module policy in the configuration.
Q. Why does the ASA send packets to the IPS module for inspection when there is no IPS policy configured?
A.
It is possible that a connection was built while the ASA was still configured with a policy that sent traffic to the IPS module for inspection, and that connection is still active. Policy changes on the ASA apply to new connections; an existing connection keeps the inspection action it was built with until it times out or is cleared.
For example, a customer with an ASA5515-IPS has no policy configured in a policy map to send traffic to the software IPS module; however, traffic still arrives at the module from the ASA.
When you use the packet display feature on the IPS, you can see the traffic that comes to the IPS from the ASA:
14:34:38.341927 IP 192.168.1.2.1719 > 192.168.10.39.1888: UDP, length 128
14:34:38.341992 IP 192.168.1.2.1719 > 192.168.10.39.1888: UDP, length 128
14:34:38.345031 IP 192.168.1.2.1719 > 192.168.110.39.1888: UDP, length 34
14:34:38.345068 IP 192.168.1.2.1719 > 192.168.110.39.1888: UDP, length 34
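The packet display lines above are the evidence a troubleshooter has to work from: they identify which live connections are still being redirected to the module. The following script is an added example, not part of the Cisco document; it parses lines in the tcpdump-style format shown above and groups them into flows (protocol, source, source port, destination, destination port) with packet and byte counts, so the flows can be matched against the connection table on the ASA. The pattern covers the UDP form printed above; the extra UDP line and the non-packet line in the sample are constructed for the example.

```python
import re
from dataclasses import dataclass

# One line of IPS 'packet display' output, in the tcpdump-style form shown above:
#   hh:mm:ss.usec IP src.sport > dst.dport: PROTO, length n
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"(?P<proto>[A-Za-z]+), length (?P<length>\d+)"
)


@dataclass
class Flow:
    """Per-5-tuple counters for traffic that reached the IPS sensing interface."""
    packets: int = 0
    bytes: int = 0
    first_seen: str = ""
    last_seen: str = ""


def parse_line(line):
    """Return a dict for one packet line, or None for lines that are not packets."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "length"):
        rec[key] = int(rec[key])
    return rec


def summarize_flows(lines):
    """Group packet lines by (proto, src, sport, dst, dport) and count them."""
    flows = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # banners, blank lines, anything that is not a packet record
        key = (rec["proto"], rec["src"], rec["sport"], rec["dst"], rec["dport"])
        flow = flows.setdefault(key, Flow(first_seen=rec["ts"]))
        flow.packets += 1
        flow.bytes += rec["length"]
        flow.last_seen = rec["ts"]
    return flows


def format_report(flows):
    """One line per flow, busiest first: the connections to look for on the ASA."""
    rows = sorted(flows.items(), key=lambda kv: kv[1].packets, reverse=True)
    return [
        f"{proto} {src}:{sport} -> {dst}:{dport}  packets={f.packets} "
        f"bytes={f.bytes} seen {f.first_seen}..{f.last_seen}"
        for (proto, src, sport, dst, dport), f in rows
    ]


# The four lines from the packet display capture in the text, followed by one
# constructed UDP line (a second flow) and one constructed non-packet line.
SAMPLE_OUTPUT = """\
14:34:38.341927 IP 192.168.1.2.1719 > 192.168.10.39.1888: UDP, length 128
14:34:38.341992 IP 192.168.1.2.1719 > 192.168.10.39.1888: UDP, length 128
14:34:38.345031 IP 192.168.1.2.1719 > 192.168.110.39.1888: UDP, length 34
14:34:38.345068 IP 192.168.1.2.1719 > 192.168.110.39.1888: UDP, length 34
14:34:40.120000 IP 192.168.1.7.5060 > 192.168.10.39.5060: UDP, length 512
--- constructed non-packet line: ignored by the parser ---
"""

if __name__ == "__main__":
    for row in format_report(summarize_flows(SAMPLE_OUTPUT.splitlines())):
        print(row)
```

Each reported flow corresponds to a connection that the ASA built while an IPS policy was in place; the report gives the addresses and ports to look up in the ASA connection table when deciding which stale connections to clear.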
The interface statistics on the IPS sensing interface were cleared, and packets were received:
sensor#  show interfaces portChannel
MAC statistics from interface PortChannel0/0
   Interface function = Sensing interface
   Description =
   Media Type = backplane
   Default Vlan = 0
   InlineMode = Unpaired
   Pair Status = N/A
   Hardware Bypass Capable = No
   Hardware Bypass Paired = N/A