700H Problem: IPS "Security Service" and IPsec

With IPsec VPN tunnels, the tunnel traffic gets clobbered by the IPS Security Service "Prevention" feature.
If I un-"Enable" IPS, the VPN tunnels function fine.
Specifically, running SSH connections over the VPN to or from remote servers.
If I "Enable" IPS, the tunnels drop SSH traffic, then SSH starts throwing errors:
"kex_exchange_identification: read: Connection reset by peer".
So, how do I whitelist all IPsec tunnel traffic from the IPS?
I would like to leave "Prevention" on, but cannot with IPS wrecking SSH.
All Replies
-
If you can find the signature you can disable it, but I'm not sure which one (I don't have a license to test). Under Query Signatures, put in IKE and you will find:
Cisco Adaptive Security Appliance IKEv1 and IKEv2 Heap Buffer-Overflow
Try disabling that; also check the logs, which might say which one.
Or go to IP Exception and put in the source by IP or FQDN.
-
"IP Exception and put in the source by IP or FQDN" sounds hopeful.
I don't know how the IPS works or the packet flow through the firewall.
In my mind, VPN is all LAN traffic and shouldn't be touched by the firewall, but again, I do not understand the flow.
And I do not understand the "signatures" and "rate-based signatures".
This is my "IKE" query. My tunnels seem solid. They don't go down and don't seem to be re-establishing.
What I do get is IPS shutting down SSH traffic. If I am connected via SSH, it stays alive.
But when you try to connect again, it may or may not work, depending on whether IPS "rejects" the packets.
"W Box: directory" is a successful SSH to the W box, doing a "stat" on a known directory.
When it returns "directory", the SSH worked.
But then IPS hits "kex_exchange…", and when the firewall kicks in, all LAN traffic fails. I'm going to try your "IP exception" idea.
-
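A probe script in the spirit of the "W Box: directory" test described above, added here as an example (it is not the poster's script and not Zyxel's code). It opens a fresh SSH session each time, runs `stat` on a known directory, and tallies the results so that an IPS reset ("kex_exchange_identification: read: Connection reset by peer", which OpenSSH raises while reading the peer's identification banner at the very start of a connection) is counted separately from timeouts or authentication failures. Because the error occurs at connection setup, every probe must open a new TCP connection; an already-established session, as the poster observed, keeps working. Assumed: an OpenSSH client, GNU `stat -c %F` on the remote host, and a host name and directory supplied on the command line; the sample stderr strings at the bottom are constructed.

```sh
#!/bin/sh
# Added example: probe SSH through an IPsec tunnel and classify failures.
# Assumptions: OpenSSH client, GNU coreutils `stat` on the remote side,
# host/directory given as arguments. Nothing here is from the original thread.

# classify_ssh_error EXIT_CODE STDERR_TEXT
# Maps ssh's stderr to one of: kex_reset, unreachable, auth, other(rc=N).
classify_ssh_error() {
    rc=$1
    err=$2
    case "$err" in
        *kex_exchange_identification*"Connection reset"*)        echo kex_reset ;;
        *"Connection timed out"*|*"No route to host"*)           echo unreachable ;;
        *"Permission denied"*|*"Host key verification failed"*)  echo auth ;;
        *)                                                       echo "other(rc=$rc)" ;;
    esac
}

# probe_once HOST DIR
# Prints "ok" when a new session was established and DIR is a directory,
# otherwise the classification of the failure.
probe_once() {
    host=$1
    dir=$2
    errfile=$(mktemp) || return 1
    # BatchMode avoids hanging on a password prompt; ConnectTimeout bounds
    # the wait when packets are silently dropped rather than reset.
    out=$(ssh -o BatchMode=yes -o ConnectTimeout=5 "$host" "stat -c %F -- '$dir'" 2>"$errfile")
    rc=$?
    err=$(cat "$errfile")
    rm -f "$errfile"
    if [ "$rc" -eq 0 ] && [ "$out" = "directory" ]; then
        echo ok
    else
        classify_ssh_error "$rc" "$err"
    fi
}

# run_probes HOST DIR [COUNT]
# Opens COUNT fresh sessions (each one a new TCP connection and key exchange,
# which is exactly what the IPS was rejecting) and prints a summary tally.
run_probes() {
    host=$1
    dir=$2
    count=${3:-10}
    ok=0; reset=0; fail=0
    i=0
    while [ "$i" -lt "$count" ]; do
        i=$((i + 1))
        r=$(probe_once "$host" "$dir")
        printf '%s attempt %d: %s\n' "$host" "$i" "$r"
        case "$r" in
            ok)        ok=$((ok + 1)) ;;
            kex_reset) reset=$((reset + 1)) ;;
            *)         fail=$((fail + 1)) ;;
        esac
        sleep 1
    done
    printf 'summary: ok=%d kex_reset=%d other=%d\n' "$ok" "$reset" "$fail"
}

# Offline demonstration on constructed stderr text (no tunnel needed):
classify_ssh_error 255 'kex_exchange_identification: read: Connection reset by peer'
classify_ssh_error 255 'ssh: connect to host 10.0.0.5 port 22: Connection timed out'

# Live use against a real host through the tunnel: ./ssh_probe.sh wbox /srv/data 20
if [ "$#" -ge 2 ]; then
    run_probes "$1" "$2" "$3"
fi
```

Run it once with IPS Prevention enabled and once with the IP Exception in place; a non-zero kex_reset count in the first run that drops to zero in the second is the signal that the exception covers the tunnel's source addresses. A count in the "other" bucket points at something other than the IPS (routing, host keys, or credentials).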
Hey, I believe your "IP exception" idea is working. I'll have to keep an eye on it, but my test script isn't kicking errors and I turned "Prevention" back on.
I wasn't sure how to do the IP Exceptions. I put in one for each 'gate' and one for each 'vlan', both as source.