Cisco Network Security Troubleshooting Handbook
- Identify, analyze, and resolve current and potential network security problems
- Learn diagnostic commands, common problems and resolutions, best practices, and case studies covering a wide array of Cisco network security troubleshooting scenarios and products
- Refer to common problems and resolutions in each chapter to identify and solve chronic issues or expedite escalation of problems to the Cisco TAC/HTTS
- Flip directly to the techniques you need by following the modular chapter organization
- Isolate the components of a complex network problem in sequence
- Master the troubleshooting techniques used by TAC/HTTS security support engineers to isolate problems and resolve them on all four security domains: IDS/IPS, AAA, VPNs, and firewalls

With the myriad Cisco (R) security products available today, you need access to a comprehensive source of defensive troubleshooting strategies to protect your enterprise network. Cisco Network Security Troubleshooting Handbook can single-handedly help you analyze current and potential network security problems and identify viable solutions, detailing each step until you reach the best resolution. Through its modular design, the book allows you to move between chapters and sections to find just the information you need. Chapters open with an in-depth architectural look at numerous popular Cisco security products and their packet flows, while also discussing potential third-party compatibility issues. By following the presentation of troubleshooting techniques and tips, you can observe and analyze problems through the eyes of an experienced Cisco TAC or High-Touch Technical Support (HTTS) engineer or determine how to escalate your case to a TAC/HTTS engineer.

Part I starts with a solid overview of troubleshooting tools and methodologies. In Part II, the author explains the features of Cisco ASA and Cisco PIX (R) version 7.0 security platforms, Firewall Services Module (FWSM), and Cisco IOS (R) firewalls. Part III covers troubleshooting IPsec Virtual Private Networks (IPsec VPN) on Cisco IOS routers, Cisco PIX firewalls with embedded VPN functionalities, and the Cisco 3000 Concentrator. Troubleshooting tools and techniques on the Authentication, Authorization, and Accounting (AAA) framework are discussed thoroughly on routers, Cisco PIX firewalls, and Cisco VPN 3000 concentrators in Part IV. Part IV also covers troubleshooting Cisco Secure ACS on Windows, the server-side component of the AAA framework. IDS/IPS troubleshooting on IDS/IPS appliances, the IDSM-2 blade, and the NM-CIDS blade on Cisco IOS routers is covered in Part V. In Part VI, the author examines in greater detail the troubleshooting techniques for VPN/Security Management Solution (VMS) tools used for managing products from all four security domains: IDS/IPS, AAA, VPNs, and firewalls.

Cisco Network Security Troubleshooting Handbook prepares you to troubleshoot your network's security devices and presents step-by-step procedures for tackling issues that arise, so that you can protect your network. This security book is part of the Cisco Press (R) Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.
- Paperback | 1152 pages
- 188 x 228.6 x 58.4mm | 1,859.75g
- 11 Nov 2005
- Pearson Education (US)
- Cisco Press
- Indianapolis, United States
About Mynul Hoda
Mynul Hoda, CCIE (R) No. 9159 (Routing/Switching and Security), CISSP, is a lead engineer in HTTS for Cisco and is based in San Jose, California, where he has been working as a senior security/VPN support engineer since 2003. Before joining HTTS, he was a senior support engineer in the Cisco TAC. His areas of expertise include configuring and troubleshooting all forms of security/VPN technologies such as AAA, IPS, firewalls, and VPNs.
Table of contents
Part I Troubleshooting Tools and Methodology
- Chapter 1 Troubleshooting Methods
  - Proactive Actions for Handling Network Failure
  - Types of Failure
  - Problem-Solving Model
  - Step 1: Define the Problem
  - Step 2: Gather the Facts
  - Step 3: Consider Possible Problems
  - Step 4: Create an Action Plan
  - Step 5: Implement the Action Plan
  - Step 6: Observe Results
  - Step 7: Repeat if Necessary
  - Step 8: Document the Changes
  - Summary
- Chapter 2 Understanding Troubleshooting Tools
  - Using Device Diagnostic Commands
  - show Commands
  - debug Commands
  - Test Commands
  - ping Command
  - traceroute Command
  - telnet Command
  - nslookup Command
  - Network Analyzers
  - Trivial File Transfer Protocol (TFTP) Server
  - FTP Server
  - Syslog Server
  - Audit and Attack Tools
  - Core Dump
  - Using TFTP
  - Using FTP
  - Using rcp
  - Using a Flash Disk
  - Additional Configuration
  - "Exception Memory" Command
  - debug sanity Command
  - Testing the Core Dump Setup

Part II Troubleshooting Cisco Secure Firewalls
- Chapter 3 Troubleshooting Cisco Secure PIX Firewalls
  - Overview of PIX Firewall
  - PIX Packet Processing
  - File System Overview
  - Access-List
  - time-range Keyword
  - Enable/Disable
  - Outbound ACL
  - nat-control
  - Modular Policy Framework (MPF) Objective
  - Transparent Firewall
  - Diagnostic Commands and Tools
  - show Commands
  - show xlate [detail]
  - show connection [detail]
  - show local-host
  - show service-policy
  - show asp drop
  - show cpu usage
  - show traffic
  - show blocks
  - show output filters
  - show tech-support
  - Debug Commands
  - debug icmp trace
  - debug application_protocol
  - debug pix process
  - debug fixup tcp | udp
  - capture Command
  - Sniffer Capture
  - Syslog
  - Traceback/Crashinfo
  - Other Tools
  - Problem Areas Breakdown
  - Licensing Issues
  - Password Recovery Issue
  - Software Upgrade and Downgrade Issues
  - Standard Upgrade Procedure
  - Upgrade Using ROM Monitor Mode
  - Downgrade Procedure
  - Upgrading PIX Firewall in a Failover Setup
  - Connection Issues Across PIX Firewall
  - Configuration Steps
  - Troubleshooting Steps
  - Transparent Firewall Issues
  - Configuration Steps
  - Troubleshooting Steps
  - Virtual Firewall
  - Security Context
  - How the Virtual Firewall Works
  - Limitations of Virtual Firewall
  - Configuration Steps
  - Troubleshooting Steps
  - Quality of Service (QoS) Issues
  - Policing
  - Low Latency Queuing (LLQ)
  - Troubleshooting Steps
  - Performance Issues
  - High CPU Utilization
  - High Memory Utilization
  - Large ACL
  - Reverse DNS & IDENT Protocol
  - Case Studies
  - Active/Standby Model
  - Active/Active Model
  - Hardware and License Requirements
  - System and User Failover Group
  - Initialization, Configuration Synchronization/Command Replication
  - Configuration Examples
  - Asymmetrical Routing Support
  - Troubleshooting Steps
  - Common Problems and Resolutions
  - Best Practices
  - Protecting the PIX Firewall Itself
  - Protecting Network Resources
- Chapter 4 Troubleshooting Firewall Services Module
  - Overview of FWSM Firewall
  - FWSM Architecture
  - Control Plane (CP)
  - Network Processors (NP)
  - Packet Flows
  - Diagnostic Commands and Tools
  - Show Commands
  - show Commands on the Switch
  - show Commands on the FWSM
  - Debug Commands
  - Sniffer on the FWSM
  - Syslog on the FWSM
  - Sniffer Capture
  - Analysis of Problem Areas
  - Licensing Issues
  - Hardware Issues
  - Firewall Module Administration Issues
  - Flash
  - Setting the Boot Device (Route Processor)
  - Maintenance Partition
  - Password Recovery Procedure
  - Upgrading a New Image
  - Upgrading Software Images
  - Connection Problems
  - Configuration Steps
  - Troubleshooting Steps
  - AAA Issues
  - Virtual and Transparent Firewall
  - High CPU Issues
  - Intermittent Packet Drops Issues
  - Failover Issues
  - Failover Operations
  - Configuration Steps
  - Troubleshooting Steps
  - Case Studies
  - Case Study 1: Multiple SVI for FWSM
  - Why Change the Existing Model?
  - Scenario One: DHCP Helper with FWSM 1.1(x)
  - Scenario Two: Alternate Configuration
  - Case Study 2: Understanding Access-List Memory Utilization
  - The Compilation Process: Active and Backup Trees
  - How Memory Is Allocated: Release 1.1(x) or 2.2(1) in Single Mode
  - How Memory Is Allocated: Release 2.2(1) in Multiple Mode
  - Trees and Contexts: A Matter of Mapping
  - FWSM Release 2.3: The ACL Partition Manager
  - Examples of ACL Compilation
  - Access-Lists: Best Practices
  - Common Problems and Resolutions
  - Best Practices
- Chapter 5 Troubleshooting an IOS Firewall
  - Overview of IOS Firewall (CBAC)
  - Single Channel Protocol Inspection
  - UDP and CBAC
  - ICMP and CBAC
  - Application Layer Protocol (TCP-based) and CBAC
  - Multi-Channel Protocol Inspection
  - NAT/PAT and CBAC
  - Port Application Mapping (PAM) and CBAC
  - Denial of Service (DoS) Detection and Prevention
  - TCP Syn Flood and DoS Attack Launched by UDP
  - Fragmentation
  - Real-Time Alerts and Audit Trails
  - Interaction of CBAC with IPsec
  - Transparent Cisco IOS Firewall
  - Diagnostic Commands and Tools
  - show Commands
  - debug Commands
  - Syslog
  - Packet Capture (Sniffer Traces)
  - Categories of Problem Areas
  - Selection of Software for IOS Firewall Issues
  - Unable to Connect (Inbound and Outbound) Across CBAC
  - Packet Failure to Reach the Router's Incoming Interface
  - Misconfigured ACL
  - Misconfigured NAT and Routing
  - IP Inspection Applied in the Wrong Direction
  - UDP Inspection Is Not Configured
  - Return Traffic Might Not Be Coming Back to the Router
  - ICMP Traffic Is Not Inspected
  - There Is a Problem with Inspecting Single Channel Protocol
  - Required Multi-Channel Protocol Is Not Inspected
  - IP URL Filtering Blocking the Connection
  - Redundancy or Asymmetric Routing Problems
  - Performance Issues
  - Timeouts for TCP, UDP, and DNS
  - Short Threshold Values for Half-open and New Connections
  - HTTP Inspection Dilemma
  - Switching Path
  - Large ACL
  - Reverse DNS and IDENT Protocols
  - Running Older Code
  - Intermittent Packet Drops
  - IP URL Filtering Is Not Working
  - Case Studies
  - How auth-proxy Works
  - Method of Authentication
  - Supported Platform
  - Configuration Steps
  - Troubleshooting auth-proxy
  - Common Problems and Resolutions
  - Best Practices
  - Basic Router Security
  - Anti-spoofing Configuration

Part III Troubleshooting Virtual Private Networks
- Chapter 6 Troubleshooting IPsec VPNs on IOS Routers
  - Overview of IPsec Protocol
  - Encryption and Decryption
  - Symmetric Algorithms
  - Asymmetric Algorithms
  - Digital Signatures
  - Security Protocols
  - Authentication Header (AH)
  - Encapsulating Security Header (ESP)
  - Transport Mode
  - Tunnel Mode
  - Security Associations (SAs)
  - SA and Key Management with IKE Protocol
  - IKE Phase 1
  - Diagnostic Commands and Tools
  - show Commands
  - show Command for Phase I
  - show Commands for Phase II
  - show Commands for Interface Counters
  - show Command for Verifying IPsec Configuration
  - Commands for Tearing Down Tunnel
  - debug Commands
  - Analysis of Problem Areas
  - Basic LAN-to-LAN Troubleshooting
  - Successful LAN-to-LAN Tunnel Establishment Process
  - Tunnel Establishment Fails at Phase I
  - Tunnel Establishment Fails at Phase II
  - Tunnel Is Established but Unable to Pass Traffic
  - GRE over IPSec
  - Configuration Steps
  - Troubleshooting Steps
  - Public Key Infrastructure (PKI) Troubleshooting
  - Configuration Steps
  - Troubleshooting Steps
  - Remote Access Client VPN Connection
  - Configuration Steps
  - Troubleshooting Steps
  - Case Studies
  - DMVPN Architecture
  - Multipoint GRE Tunnel Interface (mGRE Interface)
  - Next Hop Resolution Protocol (NHRP)
  - Configuration Steps
  - Troubleshooting DMVPN
  - NHRP Mapping Problem
  - Crypto Socket Creation Problem
  - Crypto VPN Problem
  - Passing Data Across an Established Tunnel Problem
  - Common Problems and Resolutions
  - NAT with IPsec Issues
  - NAT in the Tunnel End Points
  - NAT in the Middle
  - Firewall and IPsec Issues
  - Maximum Transmission Unit (MTU) Issues
  - Split Tunneling Issues
  - Best Practices
  - Stateful Failover
  - Stateless Failover
  - Loss of Connection Detection Mechanism
  - Stateless Failover Mechanism Options
- Chapter 7 Troubleshooting IPsec VPN on PIX Firewalls
  - Overview of IPsec Protocol
  - Diagnostic Commands and Tools
  - show Commands
  - debug Commands
  - Categorization of Problem Areas
  - LAN-to-LAN Troubleshooting
  - Configuration Steps
  - Troubleshooting Steps
  - Remote Access VPN Troubleshooting
  - Configuration Steps
  - Troubleshooting Steps
  - Case Studies
  - Common Problems and Resolutions
  - NAT with IPsec Issues
  - NAT in the Tunnel End Point
  - NAT Device in the Middle of Tunnel End Points
  - Firewall and IPsec
  - Maximum Transmission Unit (MTU) Issues
  - Split Tunneling Issues
  - Best Practices
  - Dead Peer Discovery (DPD)
  - Reverse Route Injection (RRI)
  - Stateful Failover for VPN Connections
- Chapter 8 Troubleshooting IPsec VPNs on VPN 3000 Series Concentrators
  - Diagnostic Commands and Tools
  - Debug Tool
  - Monitoring Tool
  - Administer Sessions
  - Configuration Files
  - LED Indicators
  - Crash Dump File
  - VPN Client Log
  - Analysis of Problem Areas
  - LAN-to-LAN Tunnel Issues
  - Configuration Steps
  - Troubleshooting Steps
  - Remote Access VPN Connection
  - Configuration Steps
  - Troubleshooting Steps
  - Digital Certificate Issues
  - Digital Certificate on the VPN Client
  - Digital Certificate on the VPN Concentrator
  - Case Studies
  - Clientless SSL VPN
  - Configuration Steps for Basic SSL VPN Connection
  - Troubleshooting Steps for Basic SSL VPN Connection
  - Configuration Steps for Web Server Access
  - Troubleshooting Steps for Web Server Access
  - Configuration Steps for CIFS Access
  - Troubleshooting Steps for CIFS Access
  - Thin Client
  - Configuration Steps for Port Forwarding
  - Java Applet Debugging
  - Troubleshooting Steps for Port Forwarding
  - Configuration Steps for MAPI Proxy
  - Troubleshooting Steps for MAPI Proxy
  - Configuration Steps for E-mail Proxy
  - Troubleshooting Steps for E-mail Proxy
  - Thick Client (SSL VPN Client)
  - Configuration Steps for SSL VPN Client
  - Troubleshooting Steps for SSL VPN Client (SVC)
  - Common Problems and Resolutions
  - Best Practices
  - Redundancy Using VRRP
  - Redundancy and Load Sharing Using Clustering
  - Redundancy Using IPsec Backup Servers

Part IV Troubleshooting Network Access Control
- Chapter 9 Troubleshooting AAA on IOS Routers
  - Overview of Authentication, Authorization, and Accounting (AAA)
  - AAA Architecture
  - AAA Communication Protocols
  - TACACS+
  - RADIUS
  - Difference Between RADIUS and TACACS+
  - Diagnostic Commands and Tools
  - show Commands
  - debug Commands
  - Analysis of Problem Areas
  - Router Management Troubleshooting
  - Login Authentication
  - Configuration Steps
  - Troubleshooting Steps
  - Enable Password Authentication
  - Exec Authorization
  - Command Authorization
  - Accounting
  - Dialup Networking Troubleshooting
  - Authentication and Authorization for Dialup Networking
  - Accounting for Dialup Networking
  - X-Auth Troubleshooting for IPsec
  - Auth-proxy Troubleshooting
  - Case Studies
  - Router Configuration
  - LAC Configuration
  - RADIUS Server Configuration
  - LAC RADIUS Configuration
  - LNS RADIUS Configuration
  - Troubleshooting Steps
  - LAC Router Troubleshooting
  - LNS Router Troubleshooting
  - Common Problems and Resolutions
  - Best Practices
- Chapter 10 Troubleshooting AAA on PIX Firewalls and FWSM
  - Overview of Authentication, Authorization, and Accounting (AAA)
  - Authentication
  - Authorization
  - Authorization for an Administrative Session
  - Authorization for VPN Connection (X-Auth)
  - Accounting
  - Diagnostic Commands and Tools
  - show Commands
  - debug Commands
  - Syslog
  - Other Useful Tools
  - Problem Areas Analysis
  - Firewall Management with AAA Troubleshooting
  - Login Authentication Issues
  - Enable Authentication
  - Command Authorization
  - Troubleshooting Steps
  - Accounting
  - Cut-Through Proxy Authentication
  - Authentication for Cut-Through Proxy
  - Troubleshooting Cut-Through Proxy Authentication
  - Authorization for Cut-Through Proxy
  - Accounting for Cut-Through Proxy
  - Extended Authentication (X-Auth) Issues for Remote Access VPN Connection
  - Configuration Steps
  - Troubleshooting Techniques
  - Case Studies
  - Case Study 1: AAA Exemption
  - Case Study 2: Virtual Telnet
  - Configuring Virtual Telnet
  - Troubleshooting Virtual Telnet
  - Case Study 3: Virtual HTTP
  - Common Problems and Resolutions
  - Best Practices
- Chapter 11 Troubleshooting AAA on the Switches
  - Overview of AAA
  - Switch Management
  - Identity-Based Network Services (IBNSs)
  - IEEE 802.1x Framework
  - Extensible Authentication Protocol (EAP)
  - RADIUS in 802.1x
  - What Is Authenticated
  - Machine Authentication
  - Authorization
  - Accounting
  - Extension of IEEE 802.1x Standard by Cisco IBNS Initiative
  - Diagnostic Commands and Tools
  - Switch Management
  - Identity-Based Network Services (IBNSs)
  - Categorization of Problem Areas
  - Switch Management Troubleshooting
  - Login Authentication
  - Enable Password Authentication
  - Authorization
  - Accounting
  - Identity-Based Network Services (IBNSs)
  - Configuration Steps
  - Authorization
  - Troubleshooting Steps
  - Case Studies
  - Configuring Automatic Client Enrollment on AD and Installing a Machine Certificate on a Windows Client
  - Generating and Installing the CA Root Certificate on the ACS Server
  - Generating and Installing an ACS Server Certificate on the ACS Server
  - Common Problems and Resolutions
  - Best Practices
  - For Switch Management
  - For Identity-Based Network Services (IBNSs)
- Chapter 12 Troubleshooting AAA on VPN 3000 Series Concentrator
  - AAA Implementation on the Concentrator
  - VPN Concentrator Management
  - Tunnel Group and User Authentication
  - Diagnostic Commands and Tools
  - Analysis of Problem Areas
  - VPN Concentrator Management Troubleshooting
  - Configuration Steps
  - Group/User Authentication (X-Auth) Troubleshooting
  - Both Group and User Authentication Are Performed Locally on the VPN 3000 Concentrator
  - Group Authentication Is Done Locally and No User Authentication Is Done
  - Group Authentication Is Done Locally on VPN 3000 Concentrator and User Authentication Is Done with RADIUS Server
  - Group Authentication Is Done with a RADIUS Server and User Authentication Is Done Locally
  - Both Group and User Authentications Are Performed with the RADIUS Server
  - User Is Locked to a Specific Group
  - Dynamic Filters on the VPN 3000 Concentrator
  - Configuration of Dynamic Filters on CiscoSecure ACS
  - Troubleshooting Steps
  - Case Studies
  - VPN 3000 Concentrator Configuration
  - Group Configuration on the VPN 3000 Concentrator
  - Defining the CS ACS RADIUS Server on VPN 3000 Concentrator
  - CS ACS Windows Configuration
  - AAA Client Definition for VPN 3000 Concentrator
  - Configuring the Unknown User Policy for Windows NT/2000 Domain Authentication
  - Testing the NT/RADIUS Password Expiration Feature
  - Common Problems and Resolutions
  - Best Practices
- Chapter 13 Troubleshooting Cisco Secure ACS on Windows
  - Overview of CS ACS
  - CS ACS Architecture
  - The Life of an AAA Packet in CS ACS
  - Diagnostic Commands and Tools
  - Reports and Activity (Real-time Troubleshooting)
  - Radtest and Tactest
  - Package.cab File
  - Categorization of Problem Areas
  - Installation and Upgrade Issues
  - CS ACS on Windows Platform
  - CS ACS with Active Directory Integration
  - Configuration Steps
  - Troubleshooting Steps
  - CS ACS with Novell NDS Integration
  - Configuration Steps
  - Troubleshooting Steps
  - CS ACS with ACE Server (Secure ID [SDI]) Integration
  - Installation and Configuration Steps
  - Troubleshooting Steps
  - Replication Issues
  - Configuration
  - Troubleshooting Steps
  - Network Access Restrictions (NARs) Issues
  - Configuration Steps
  - Troubleshooting Steps
  - Downloadable ACL Issues
  - Downloading ACL per User Basis Using Filter-id
  - Using Cisco AV-Pair
  - Using Shared Profile Components
  - Troubleshooting Steps
  - Case Studies
  - Back Up and Restore the CS ACS Database
  - Creating a Dump Text File
  - User/NAS Import Options
  - Import User Information
  - Import NAS Information
  - Compact User Database
  - Export User and Group Information
  - Common Problems and Resolutions
  - Best Practices

Part V Troubleshooting Intrusion Prevention Systems
- Chapter 14 Troubleshooting Cisco Intrusion Prevention System
  - Overview of IPS Sensor Software
  - IPS Deployment Architecture
  - IPS Software Building Blocks
  - MainApp
  - AnalysisEngine
  - CLI
  - Communication Protocols
  - Modes of Sensor Operation
  - Inline Mode
  - Inline Bypass Mode
  - Promiscuous Mode
  - Combined Modes
  - Hardware and Interfaces Supported
  - Diagnostic Commands and Tools
  - show Commands
  - show version
  - show configuration
  - show events
  - show statistics service
  - show interfaces
  - show tech-support
  - cidDump Script
  - tcpdump Command
  - iplog
  - packet Command
  - Classification of Problem Areas
  - Initial Setup Issues
  - User Management Issues
  - Creation and Modification of User Profiles
  - Creating the Service Account
  - Software Installation and Upgrade Issues
  - Obtaining Sensor Software
  - IPS Software Image Naming Conventions
  - Installing or Re-imaging the IPS Appliances System Image
  - Disaster Recovery Plan
  - Upgrading Major/Minor Software or Service Pack/Signature Update
  - Upgrading to IPS 5.0
  - Licensing Issues
  - How Do I Know if I Have a Valid License?
  - How to Procure the License Key from Cisco.com
  - Licensing the Sensor
  - Communication Issues
  - Basic Connectivity Issues
  - Connectivity Issues Between IPS Sensor and IPS MC or IDM
  - Connectivity Issues Between IPS Sensor and Security Monitor
  - Issues with Receiving Events on Monitoring Device
  - SensorApp Is Not Running
  - Physical Connectivity, SPAN, or VACL Port Issues
  - Unable to See Alerts
  - Blocking Issues
  - Types of Blocking
  - ACL or VACL Consideration on the Managed Devices
  - Supported Managed Devices and Versions
  - Proper Planning for Blocking
  - Master Blocking Sensor (MBS)
  - Configuration Steps for Blocking
  - Configuring Steps for the Master Blocking Sensor (MBS)
  - Troubleshooting Steps for Blocking
  - TCP Reset Issues
  - Inline IPS Issues
  - Configuration Steps
  - Troubleshooting Steps
  - Case Studies
  - Capturing IPS Traffic with a Hub
  - Capturing IPS Traffic with SPAN
  - SPAN Terminology
  - SPAN Traffic Types
  - SPAN on Catalyst 2900/3500XL
  - SPAN on Catalyst 2950, 3550 and 3750
  - SPAN on Catalyst 4000/6000 with Cat OS
  - SPAN on Catalyst 4000/6000 with Native IOS
  - Capturing IPS Traffic with Remote SPAN (RSPAN)
  - Hardware Requirements
  - Configuration Steps
  - Capturing IPS Traffic with VACL
  - Capturing IPS Traffic with RSPAN and VACL
  - Capturing IPS Traffic with MLS IP IDS
  - Common Problems and Their Resolution
  - Best Practices
  - Preventive Maintenance
  - Creation of Service Account
  - Back up a Good Configuration
  - Recommendation on Connecting Sensor to the Network
  - Recommendation on Connecting the Sniffing Interface of the Sensor to the Network
  - Rating IPS Sensor
  - Recommendation on Connecting Command and Control Interface
  - Recommendation on Settings of Signature on Sensor
  - Recommendation on Inline-Mode Deployment
- Chapter 15 Troubleshooting IDSM-2 Blade on Switch
  - Overview of IDSM-2 Blade on the Switch
  - Software and Hardware Requirements
  - Slot Assignment on the Switch
  - Front Panel Indicator Lights and How to Use Them
  - Installing the IDSM-2 Blade on the Switch
  - Removing the IDSM-2 Blade from the Switch
  - Ports Supported on IDSM-2 Blade
  - Diagnostic Commands and Tools
  - show Commands in Both Modes
  - show Commands in CatOS
  - show Commands in Native IOS
  - Common Problems and Resolutions
  - Hardware Issues
  - IDSM-2 Hardware Issues on Native IOS
  - IDSM-2 HW Issue on CatOS
  - Communication Issues with IDSM-2 Command and Control Port
  - Configuration Steps
  - Troubleshooting Steps
  - Failing to Get Traffic from the Switch with Promiscuous Mode
  - Configuration Steps
  - Troubleshooting Steps
  - Issues with Inline Mode
  - Not Generating Events Issues
  - TCP Reset Issues
  - Case Study
  - How to Re-image the IDSM-2 with System Image
  - How to Upgrade the Maintenance Partition
  - How to Upgrade the Signature/Service Packs/Minor/Major Software Upgrade
  - How to Upgrade the IDSM-2 Blade from IDSM 4.x to 5.x
  - Common Problems and Resolutions
  - Best Practices
- Chapter 16 Troubleshooting Cisco IDS Network Module (NM-CIDS)
  - Overview of NM-CIDS on the Router
  - Software and Hardware Requirements
  - Front Panel Indicator Lights and How to Use Them
  - Slot Assignment on the Router
  - Installing NM-CIDS Blade on the Router
  - Removing NM-CIDS Blade from the Router
  - Ports Supported on NM-CIDS
  - Diagnostic Commands and Tools
  - Common Problems and Resolutions
  - Hardware Issues
  - NM-CIDS Console Access Issues
  - Assigning IP Address to the IDS-Sensor Interface on the Router
  - Connecting to NM-CIDS
  - Disconnecting from NM-CIDS
  - Troubleshooting Console Access Issues
  - Communication Issues with NM-CIDS Command and Control Port
  - Issues with Not Receiving Traffic from the Router
  - Using the Sniffing Port
  - Configuration Steps
  - Troubleshooting Steps
  - Managing NM-CIDS from an IOS Router
  - Software Installation and Upgrade Issues
  - Case Studies
  - CEF Forwarding Path
  - IPS Insertion Points
  - Network Address Translation (NAT)
  - Encryption
  - Access List Check
  - IP Multicast, UDP Flooding, IP Broadcast
  - Generic Routing Encapsulation (GRE) Tunnels
  - Address Resolution Protocol (ARP) Packets
  - Packets Dropped by the IOS
  - Forwarding the Packets to the IDS at a Rate Higher Than the Internal Interface Can Handle
  - Common Problems and Resolutions
  - Re-imaging the NM-CIDS Application Partition
  - Performing the Re-image of Application Partition
  - Troubleshooting Steps
  - Configuring Time on the NM-CIDS
  - Default Behavior for Time Setting on NM-CIDS
  - Using Network Time Protocol (NTP) Server
  - Best Practices
- Chapter 17 Troubleshooting CiscoWorks Common Services
  - Overview of CiscoWorks Common Services
  - Communication Architecture
  - User Management on CiscoWorks Common Services
  - Diagnostic Commands and Tools
  - How to Collect mdcsupport on a Windows Platform
  - Categorization and Explanation of MDCSupport-Created Log Files
  - Categorization of Problem Areas
  - Licensing Issues
  - Registration for CiscoWorks Common Services
  - Installing/Upgrading the License Key for CiscoWorks Common Services
  - Registration for the Management Center for Cisco Security Agents (CSA MC)
  - Installing the License Key for the Management Center for Cisco Security Agents (CSA MC)
  - Common Licensing Issues and Work-Arounds
  - Installation Issues
  - Installation Steps
  - Troubleshooting Installation Problems
  - User Management Issues
  - Database Management Issues
  - CiscoWorks Common Services Backup
  - CiscoWorks Common Services Restore
  - Case Studies
  - Common Problems and Resolutions
  - Best Practices
- Chapter 18 Troubleshooting IDM and IDS/IPS Management Console (IDS/IPS MC)
  - Overview of IDM and IDS/IPS Management Console (IDS/IPS MC)
  - IDS/IPS MC and Security Monitor Processes
  - Communication Architecture
  - Diagnostic Commands and Tools
  - Audit Reports
  - MDCSupport File
  - How to Collect MDCSupport on a Windows Platform
  - What to Look for and What Is Important in the MDCSupport File
  - Enable Additional Debugging on IDS/IPS MC
  - Analysis of Problem Areas
  - Important Procedures and Techniques
  - Verifying Allowed Hosts on the Sensor
  - Adding Allowed Hosts on the Sensor
  - Verifying the SSH and SSL Connection Between IDS/IPS MC and a Sensor
  - Resolving SSH and SSL Connection Problems Between IDS/IPS MC and a Sensor
  - Verifying If the Sensor Processes Are Running
  - Verifying That the Service Pack or Signature Level Sensor Is Running
  - Verifying the Service Pack or Signature Level on IDS/IPS MC
  - Verifying That the IDS/IPS MC (Apache) Certificate Is Valid
  - Regenerating IDS/IPS MC (Apache) Certificate
  - Resolving Issues with the IDS/IPS Sensor Being Unable to Get the Certificate
  - Changing the VMS Server IP Address
  - Manually Updating the Signature Level on the Sensor
  - Unable to Access the Sensor Using IDM
  - IDS/IPS MC Installation and Upgrade Issues
  - IDS/IPS MC Licensing Issues
  - Corrupted License
  - Determining If a License Is Expired
  - Importing Sensor Issues with IDS/IPS MC
  - Configuration Steps
  - Troubleshooting Steps
  - Signature or Service Pack Upgrade Issues with IDS/IPS MC
  - Upgrade Procedure
  - Troubleshooting Steps
  - Configuration Deployment Issues with IDS/IPS MC
  - Configuration Steps
  - Troubleshooting Steps
  - Database Maintenance (Pruning) Issues
  - Case Study
  - Launch the Attack and Blocking
  - Troubleshooting Steps
  - Common Problems and Resolutions
  - Best Practices
- Chapter 19 Troubleshooting Firewall MC
  - Overview of Firewall MC
  - Firewall MC Processes
  - Communication Architecture
  - Diagnostic Commands and Tools
  - Collecting the Debug Information (Diagnostics)
  - Using GUI
  - Using CLI
  - What Does the CiscoWorks MDCSupport Utility Generate?
  - Other Useful Log Files Not Collected by mdcsupport
  - Analysis of Problem Areas
  - Installation Issues
  - Installation Verifications
  - Installation Troubleshooting
  - Initialization Issues
  - Browser Issues
  - Authentication Issues
  - Firewall MC Authenticated by the Firewall During Configuration Import and Deployment
  - Firewall MC Authenticated by the Auto Update Server During Configuration Deployment
  - Firewalls Authenticated by the Auto Update Server During Configuration or Image Pulling
  - Activity and Job Management Issues
  - Unlocking of an Activity
  - Stopping a Job from Being Deployed
  - Device Import Issues
  - Configuration Generation and Deployment Issues
  - Firewall MC Is Unable to Push the Configuration to the AUS
  - Getting "Incomplete Auto Update Server contact info." Message when Pushing the Configuration to AUS
  - Memory Issues with Firewall Services Module (FWSM) During Deployment
  - Database Management Issues
  - Backing up and Restoring Databases
  - Scheduling Checkpoint Events for the Database
  - Compacting a Database for Performance Improvement
  - Disaster Recovery Plan
  - Common Problems and Resolutions
  - Best Practices
- Chapter 20 Troubleshooting Router MC
  - Overview of Router MC
  - Router MC Processes
  - Communication Architecture
  - Features Introduced on Different Versions of Router MC
  - Diagnostic Commands and Tools
  - Setting the Logging Level
  - Collecting the Debug Information (Diagnostics)
  - Using a Graphic User Interface
  - Using a Command Line Interface
  - Collecting the Router MC Database
  - Using the Log Files
  - Reports
  - Analysis of Problem Areas
  - Installation and Upgrade Issues
  - Initialization Issues
  - Browser Issues
  - Authentication Issues
  - Authentication Issues with the Router MC
  - Authentication Issues with the Managed Device Using SSH
  - Activity and Job Management Issues
  - Device Import Issues
  - Configuration Generation and Deployment Issues
  - Database Management Issues
  - Backing up and Restoring Database
  - Troubleshooting Router MC Backup/Restore Operations
  - Case Study
  - Understanding User Permissions
  - CiscoWorks Server Roles and Router MC Permissions
  - ACS Roles and Router MC Permissions
  - Setting up Router MC to Work with ACS
  - Step 1: Define the Router MC Server in ACS
  - Step 2: Define the Login Module in CiscoWorks as TACACS+
  - Step 3: Synchronize CiscoWorks Common Services with the ACS Server Configuration
  - Step 4: Define Usernames, Device Groups, and User Groups in ACS
  - Best Practices
- Chapter 21 Troubleshooting Cisco Security Agent Management Console (CSA MC) and CSA Agent
  - Overview of CSA MC and Agent
  - Management Model for CSAgent
  - CSA MC Directory Structure
  - Communication Architecture
  - How Cisco Security Agents Protect Against Attacks
  - Diagnostic Commands and Tools
  - CSA MC Log
  - Windows System Information
  - Server Selftest Information
  - CSA MC Log Directory
  - CSA Agent Log
  - CSA Agent Log Directory
  - Turning on Debug Mode
  - Details Log-csainfo.log File
  - Logs for Blue Screen
  - Rtrformat Utility
  - Additional Logs Controlled by the Sysvars.cf File
  - Categorization of Problem Areas
  - Installation and Upgrade Issues
  - New Installation Issues with CSA MC
  - New Installation Issues with CSAgent
  - Upgrade Issues with CSA MC
  - CSAgent Update Issues
  - Licensing Issues
  - How to Procure the License
  - How to Import the License
  - Determining the Number of Desktop/Server Licenses That Are in Use
  - Troubleshooting Licensing Issues
  - CSA MC Launching Issues
  - CSA MC Not Launching
  - CSA MC Is Launching, but Slowly
  - CSAgent Communication, Registration, and Polling Issues with CSA MC
  - Application Issues with CSAgent
  - How to Create Exceptions
  - How to Disable Individual CSAgent Shims
  - Disabling csauser.dll
  - Creating Buffer Overflow Exclusions
  - Troubleshooting Steps
  - Report Generation Issues
  - Profiler Issues
  - Database Maintenance Issues
  - Disaster Recovery Plan (DRP) for CSA MC
  - Purging Events from the Database
  - Compacting the Database
  - Checking and Repairing the CSA MC MSDE Database
  - Common Problems and Resolutions
  - Best Practices
  - Recommendation on Installation
  - Test Mode
  - Disaster Recovery for CSA
- Chapter 22 Troubleshooting IEV and Security Monitors
  - Overview of IEV and Security Monitor
  - Communication Architecture
  - How Does It Work?
  - RDEP/SDEE Collector Management
  - XML Parsing
  - Alert Inserter
  - IDS/IPS MC and Security Monitor Processes
  - User Management for Security Monitor
  - Diagnostic Commands and Tools
  - Categorization of Problem Areas
  - Installation Issues
  - Issues with Launching
  - DNS Issues
  - Issues with Enabling SSL
  - Getting Internal Server Error While Opening Security Monitor
  - Security Monitor Takes a Long Time to Launch
  - Page Cannot Be Found Error While Trying to Launch Security Monitor
  - IDS/IPS MC Launches But Security Monitor Does Not
  - Security Monitor Behaves Strangely
  - Licensing Issues
  - Device Management Issues
  - Importing IDS Sensors from IDS/IPS MC
  - Adding Other Devices
  - IEV and Security Monitor Connect with Sensor
  - Notification Issues
  - Event Viewer Issues
  - Launching the Event Viewer
  - Using the Event Viewer
  - Generating Events for Test
  - Troubleshooting Steps
  - Report Generation Issues
  - Report Generation Fails
  - Report Fails to Complete
  - Database Maintenance Issues
  - Proactive Measures Immediately After Installing the Security Monitor
  - Reactive Measures During Run Time
  - Case Study
  - Configuration Steps
  - Troubleshoot E-mail Notification
  - Common Problems and Resolutions
  - Best Practices