Cisco Systems IPS 7.1 Home Security System User Manual
19-10
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 19 Configuring the ASA 5500-X IPS SSP
ASA 5500-X IPS SSP Default Gateway
To access the Internet from the ASA 5500-X IPS SSP and to manage it from hosts behind other interfaces on the ASA 5500-X, connect the Management 0/0 interface on the ASA 5500-X to a Layer 3 device. Configure the default gateway on the sensor to be that Layer 3 device. A matching static route on the ASA 5500-X is required so that return traffic reaches the ASA 5500-X IPS SSP through this Layer 3 device.
Note The Management 0/0 interface on the ASA 5500-X has no through-traffic support. If the sensor is configured to use the IP address of the ASA management interface as its default gateway, the sensor cannot access the Internet and cannot be managed or accessed from hosts behind the other interfaces on the ASA 5500-X.
Promiscuous Mode and Underruns
The ASA 5500-X can exhibit underruns on the internal data interface going to the ASA 5500-X IPS SSP when the module is configured in promiscuous mode.
Underruns during promiscuous-mode inspection are expected behavior if you inspect a lot of traffic or have spikes in traffic rates, because the ASA does not wait for the ASA 5500-X IPS SSP to finish inspection before forwarding traffic. Underruns can also occur when the ASA 5500-X IPS SSP inspects long flows, such as file downloads. If you have many long flows, you can limit IPS inspection with the specify-flow-depth setting under service analysis-engine global-settings. Limiting inspection to 800,000 bytes per stream reduces the number of underruns. You can check for symptoms of long flows by looking at the per-CPU processing load percentage statistics in show statistics analysis-engine. If any of the threads is running at 100%, a long flow may be the cause.
For More Information
For the procedure for specifying flow depth, see Configuring Global Variables, page 6-12.
For the procedure for checking the load percentage statistics, see Displaying Statistics, page 17-31.
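The following is an added example, not part of the Cisco guide: a small checker that parses the per-thread processing load table from show statistics analysis-engine output and flags threads pegged at 100%, the long-flow symptom described above. The sample output and its column layout are constructed assumptions; adjust the parser to the exact table your sensor prints.

```python
import re

# Constructed sample modelled on the "Processing Load Percentage" table of
# `show statistics analysis-engine`; the exact layout is an assumption.
SAMPLE_OUTPUT = """\
Analysis Engine Statistics
   Number of seconds since service started = 86400
   Processing Load Percentage
        Thread 5 sec 1 min 5 min
        0 12 14 11
        1 100 100 100
        2 37 35 33
        Total 49 49 48
"""

SATURATED = 100  # a thread at 100% is the symptom the guide points to

def parse_thread_load(output):
    """Return {thread_id: (5 sec, 1 min, 5 min)} from the load table."""
    loads = {}
    in_table = False
    for line in output.splitlines():
        stripped = line.strip()
        if stripped.startswith("Processing Load Percentage"):
            in_table = True
            continue
        if not in_table:
            continue
        # Data rows: thread id followed by three integer percentages.
        m = re.match(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$", stripped)
        if m:
            loads[int(m.group(1))] = tuple(int(x) for x in m.group(2, 3, 4))
        elif stripped.startswith("Total"):
            break  # end of the per-thread rows
    return loads

def saturated_threads(loads, window=2):
    """Thread ids at 100% in the chosen window (0=5 sec, 1=1 min, 2=5 min).
    The 5 min column is used by default so a brief spike does not alert."""
    return sorted(t for t, v in loads.items() if v[window] >= SATURATED)

def long_flow_suspected(output):
    """True when any thread is saturated over the 5 min window, which the
    guide says may indicate a long flow worth limiting with specify-flow-depth."""
    return bool(saturated_threads(parse_thread_load(output)))
```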
The ASA 5500-X IPS SSP and Bypass Mode
The ASA 5500-X IPS SSP does not support bypass mode. The adaptive security appliance will either fail open, fail close, or fail over depending on the configuration of the adaptive security appliance and the type of activity being done on the ASA 5500-X IPS SSP.
The SensorApp Fails
The following occurs when the SensorApp fails:
• If the adaptive security appliance is configured for failover, then the adaptive security appliance fails over.
• If the adaptive security appliance is not configured for failover or failover is not possible:
  – If set to fail-open, the adaptive security appliance passes traffic without sending it to the ASA IPS module.
  – If set to fail-close, the adaptive security appliance stops passing traffic until the ASA IPS module is restarted.