Hi Piotr,

I tried to have both VS without the PortChannel and it doesn't seem to
work: I get no alarms.
It only works when I assign the PortChannel to a VS, but only for the
traffic inspected to that VS then it seems (I didn't test failover, but I
was only able to get alarms / blocked packets when I map the interface to
the Virtual Sensor that is allocated to the active context of a particular
ASA).

Tried upgrading to 7.1(8) with no luck.

I guess I will pass it for now and pray that I won't see it in the lab...


2014-03-24 17:53 GMT+01:00 Piotr Kaluzny <pio...@ipexpert.com>:

> Did you try to assign it to another VS? Or leave it unassigned? I had a
> similar problem but one solution finally worked.
>
> Regards,
>
> Piotr Kaluzny : Sr Instructor : iPexpert <http://www.ipexpert.com>
> CCIE # 25665 :: Security
>
> On Mon, Mar 24, 2014 at 5:47 PM, Bastien Migette <
> bastien.mige...@gmail.com> wrote:
>
>> Hi Folks,
>>
>> Currently doing WB2 LAB2 and not sure what I am missing here.
>> IPS Config guide states:
>>
>> The ASA 5500-X IPS SSP has one sensing interface, PortChannel 0/0. When
>> you create multiple virtual sensors, you must assign this interface to only
>> one virtual sensor. For the other virtual sensors you do not need to
>> designate an interface.
>>
>> After you create virtual sensors, you must map them to a security context
>> on the adaptive security appliance using the *allocate-ips* command. You
>> can map many security contexts to many virtual sensors.
>>
>>
>> The thing is IPS Inspection works only when this interface is mapped to
>> the virtual sensor.
>>
>>
>> For example, if I configure vs0 for PortChannel0 on ASA3, DMZ ICMP
>> packets will generate alerts (going thru C1 as per the lab task).
>>
>> If I put the int on VS1, no alerts.
>>
>>
>> For ASA4, if I map the PortChannel to VS0, no ICMP are blocked. If I map
>> it to VS1, ICMPs are blocked correctly.
>>
>>
>> ASA3/act(config)# sh ver | i Vers
>> Cisco Adaptive Security Appliance Software Version 8.6(1) <system>
>>
>> ASA3/act(config)# sh ips
>> Sensor Name      Sensor ID        Allocated To     Mapped Name
>> -----------      ---------        ------------     -----------
>> vs0              1                C1               vs0
>> vs1              2                C2               vs1
>>
>> ASA3/act(config)# sh module ips details
>> Getting details from the Service Module, please wait...
>>
>> Card Type:          ASA 5515-X IPS Security Services Processor
>> Model:              ASA5515-IPS
>> Hardware version:   N/A
>> Software version:   7.1(4)E4
>>
>> Any idea?
>>
>> I checked the DSG and as far as I know I have the same config, except that I
>> put MGMT in 10.1.1.0 (vlan 100)
>>
>> _______________________________________________
>> Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos ::
>>
>> iPexpert on YouTube: www.youtube.com/ipexpertinc
>>
>
>