ASA FAQ: Why does the ASA send packets to the IPS module with no IPS policy configuration?

Available Languages

Updated:June 7, 2013
Document ID:116145

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Introduction

This document describes why the Cisco Adaptive Security Appliance (ASA) might send traffic to an embedded service module for inspection when there is no Intrusion Prevention System (IPS) module policy in the configuration.

Q. Why does the ASA send packets to the IPS module for inspection when there is no IPS policy configured?

A.

It is possible that a connection was built to send traffic to the IPS module for inspection when the ASA was configured, and that connection is still active.

For example, a customer with an ASA5515-IPS has no configured policy in a policy map to send the traffic to the software IPS module; however, traffic arrives at the module from the ASA.

When you use the packet display feature on the IPS, you can see the traffic that comes to the IPS from the ASA:

14:34:38.341927 IP 192.168.1.2.1719 > 192.168.10.39.1888: UDP, length 128
14:34:38.341992 IP 192.168.1.2.1719 > 192.168.10.39.1888: UDP, length 128
14:34:38.345031 IP 192.168.1.2.1719 > 192.168.110.39.1888: UDP, length 34
14:34:38.345068 IP 192.168.1.2.1719 > 192.168.110.39.1888: UDP, length 34

The interface statistics on the IPS sensing interface were cleared, and packets were received:

sensor#  show interfaces portChannel
MAC statistics from interface PortChannel0/0
   Interface function = Sensing interface
   Description =
   Media Type = backplane
   Default Vlan = 0
   InlineMode = Unpaired
   Pair Status = N/A
   Hardware Bypass Capable = No
   Hardware Bypass Paired = N/A
   Link Status = Up
   Admin Enabled Status = Enabled
   Link Speed = N/A
   Link Duplex = N/A
   Missed Packet Percentage = 0
   Total Packets Received = 128
   Total Bytes Received = 17904
   Total Packets Transmitted = 128
   Total Bytes Transmitted = 17904

The cause of the issue is that sometime in the past a configuration was added to the ASA to send traffic to the IPS module, and the connnections were not cleared out after the IPS configuration was removed on the ASA. This is common with non-TCP protocols that constantly pass traffic.


On the ASA, enter the show conn command to determine if the packets that you see on the IPS module have connection entries. In order to see the uptimes, enter the show conn detail command. In order to ensure the connections are not re-directed to the IPS, you might have to enter the clear conn <address> command on the ASA to clear those specific connections:

ASA# clear conn address 192.168.1.2
3 connection(s) deleted.
ASA#

Related Information

Revision History

Revision Publish Date Comments
1.0
07-Jun-2013
Initial Release
TAC Authored

Contributed by Cisco Engineers

  • Prapanch Ramamoorthy and Abhishek Prabhakar
    Cisco TAC Engineers.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products