Cisco Bug: CSCte74540 - AIP-SSM deny-connection on GRE packet causes GRE tunnel to be denied

Last Modified

Feb 22, 2014

Products (10)

  • Cisco IPS 4200 Series Sensors
  • Cisco IPS Sensor Software Version 7.0
  • Cisco IPS 4255 Sensor
  • Cisco Catalyst 6500 Series Intrusion Detection System (IDSM-2) Services Module
  • Cisco IPS 4260 Sensor
  • Cisco IPS 4270-20 Sensor
  • Cisco Intrusion Prevention System Network Module
  • Cisco IPS 4240 Sensor
  • Cisco ASA Advanced Inspection and Prevention (AIP) Security Services Module
  • Cisco Integrated Services Routers Intrusion Prevention System Module

Known Affected Releases

6.0(6)E4 6.2(3)E4 7.0(2)E3 7.1(1)E4

Description (partial)

Currently, when a TCP signature fires with the deny-packet-inline action, the sensor automatically augments that action with deny-connection-inline and reset-tcp-connection. A sensor can also inspect TCP traffic that is encapsulated inside a GRE tunnel.
An AIP-SSM inside an ASA forwards the actions to be carried out on TCP traffic flowing inside a GRE tunnel to the ASA. If a TCP signature with deny-packet-inline fires on the AIP-SSM for traffic flowing through a GRE tunnel, the AIP tells the ASA to deny-packet-inline, deny-connection-inline, and reset-tcp-connection. However, the ASA has no notion of the TCP traffic inside the GRE tunnel; it knows only of the GRE connection itself. So it has no way to carry out a deny-connection on the inner TCP flow or to send a TCP reset, and the connection-level action lands on the GRE tunnel instead.
By its nature, this issue has only been seen on an ASA containing an AIP-SSM running in inline mode.

In the specific scenario observed, the ASA was running 8.2(1), and the AIP was running 7.0(1).
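The following is an added model of the behaviour described above; it is not Cisco code and does not reflect how the AIP-SSM or ASA are implemented. It keys the firewall's connection table on the header the firewall can actually see (the outer GRE flow), applies the automatic action augmentation to a signature hit on the inner TCP flow, and shows that the deny-connection lands on the whole tunnel so an unrelated inner TCP session is dropped afterwards. The `encapsulation_aware` branch is an assumed mitigation model (keep only the packet-level action when the enforcement point cannot scope the connection), not the vendor's fix. The flows, signature pattern and packets are constructed sample data.

```python
"""Model of inline-action augmentation for TCP inside GRE (constructed example)."""
from dataclasses import dataclass
from typing import Optional, List, Set

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

@dataclass(frozen=True)
class Packet:
    outer: Flow                   # what the ASA sees: GRE or plain TCP header
    inner: Optional[Flow] = None  # decapsulated TCP flow, visible only to the sensor
    payload: bytes = b""

# Constructed signature: matches a byte pattern in TCP payload; base action is deny-packet-inline
SIG_PATTERN = b"EVILPATTERN"
BASE_ACTION: Set[str] = {"deny-packet-inline"}

def augment_actions(actions: Set[str]) -> Set[str]:
    """Automatic augmentation from the bug text: deny-packet-inline on a TCP signature
    also gets deny-connection-inline and reset-tcp-connection."""
    if "deny-packet-inline" in actions:
        return actions | {"deny-connection-inline", "reset-tcp-connection"}
    return set(actions)

def sensor_verdict(pkt: Packet) -> Set[str]:
    """The sensor inspects the innermost TCP flow it can decapsulate."""
    tcp = pkt.inner if pkt.inner is not None else pkt.outer
    if tcp.proto == "tcp" and SIG_PATTERN in pkt.payload:
        return augment_actions(BASE_ACTION)
    return set()

class ASA:
    """Firewall model: its connection table is keyed on the outer flow only."""
    def __init__(self) -> None:
        self.denied: Set[Flow] = set()
        self.resets_sent: List[Flow] = []

    def apply(self, pkt: Packet, actions: Set[str]) -> bool:
        key = pkt.outer  # no notion of the inner TCP flow
        dropped = "deny-packet-inline" in actions
        if "deny-connection-inline" in actions:
            self.denied.add(key)  # on a GRE packet this denies the whole tunnel
            dropped = True
        if "reset-tcp-connection" in actions and key.proto == "tcp":
            self.resets_sent.append(key)  # a reset cannot be sent for a GRE flow
        return dropped

    def forward(self, pkt: Packet) -> bool:
        return pkt.outer not in self.denied

def run(packets: List[Packet], encapsulation_aware: bool) -> List[str]:
    """Process packets in order; return one outcome string per packet."""
    asa = ASA()
    results = []
    for pkt in packets:
        if not asa.forward(pkt):
            results.append("dropped-by-denied-connection")
            continue
        actions = sensor_verdict(pkt)
        if encapsulation_aware and pkt.inner is not None:
            # Assumed mitigation model: do not forward connection-level actions
            # that the enforcement point cannot scope to the inner flow.
            actions = actions & {"deny-packet-inline"}
        if actions and asa.apply(pkt, actions):
            results.append("dropped-by-signature")
        else:
            results.append("forwarded")
    return results

# Constructed traffic: one GRE tunnel carrying two unrelated inner TCP sessions
TUNNEL = Flow("gre", "10.0.0.1", "10.0.0.2")
BAD_INNER = Flow("tcp", "192.168.1.10", "172.16.0.5", 40000, 80)
GOOD_INNER = Flow("tcp", "192.168.1.11", "172.16.0.6", 40001, 443)
GRE_PACKETS = [
    Packet(TUNNEL, BAD_INNER, b"GET /" + SIG_PATTERN),
    Packet(TUNNEL, GOOD_INNER, b"ClientHello"),
]
# Constructed plain TCP traffic (no tunnel) for comparison
PLAIN = Flow("tcp", "192.168.1.10", "172.16.0.5", 40002, 80)
PLAIN_PACKETS = [Packet(PLAIN, None, SIG_PATTERN), Packet(PLAIN, None, b"more")]

if __name__ == "__main__":
    print("GRE, as described in the bug:", run(GRE_PACKETS, False))
    print("GRE, encapsulation-aware:    ", run(GRE_PACKETS, True))
    print("plain TCP:                   ", run(PLAIN_PACKETS, False))
```

In the unmitigated run the second, benign inner session is dropped because the deny-connection was recorded against the GRE tunnel; in the plain TCP run the same augmentation denies only the offending TCP connection, which is the behaviour the augmentation was designed for.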