Feb 21

What mode do I set my Ixia Netoptics iBypass to?

I was introduced to Netoptics iBypass switches years ago, but it wasn’t until recently that I had the chance to administer one. Since the product was new to me, I read the user manual to make sure the IPS was connected correctly to the monitor ports, and I worked with the sales engineer to make sure I understood how to use the product.

At deployment time, I set the Bypass Mode to “TAP”. I did this because the admin of the IPS wasn’t ready to start blocking traffic yet; the IPS would only see a copy of the traffic, and I was to change the mode once he had collected data for a while.

When the IPS admin was ready to have me reroute traffic through the IPS, we ran into some problems. When I made the change, traffic was not rerouted through the IPS. I had read the manual on how to do this, but clearly I didn’t do it correctly. See the image below with the Bypass Mode definitions.


I found the definitions a little confusing, because I didn’t know what Netoptics meant by Bypass. In their terminology, Bypass means the traffic bypasses the IPS (the inline monitoring tool) and continues along the network path uninspected. I had read it the other way around, as bypassing the normal data path to divert traffic into the IPS. Because of this, I had put the iBypass switch into a bypass mode (traffic skipping the IPS) instead of normal, inline mode, which is what actually makes the data flow through the IPS.

After learning this, I set the iBypass to “Fail-Open”. This puts the iBypass into normal mode, meaning traffic is routed inline through the IPS. If the IPS fails, the iBypass drops into bypass and keeps the link up by sending the traffic around the failed IPS. Be aware of the trade-off: while the IPS is down, that traffic passes uninspected and nothing can block it. Fail-Close takes the link down instead, which is the right choice only where an outage is preferable to passing uninspected traffic.

Here are my definitions of Ixia’s Netoptics iBypass modes.

  1. Tap – Pass traffic straight through on the network ports and send the IPS a copy; the IPS is not in the forwarding path and cannot block anything.
  2. Fail-Close – Route traffic inline through the IPS; if the IPS fails, the iBypass blocks the link and no traffic passes.
  3. Fail-Open – Route traffic inline through the IPS; if the IPS fails, the iBypass passes traffic around it, uninspected.
  4. Force-Bypass-Off – Force traffic through the IPS regardless of the IPS’s state.
  5. Force-Bypass-On-Close – Take the IPS out of the path and block all traffic.
  6. Force-Bypass-On-Open – Take the IPS out of the path and let all traffic pass, uninspected.
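As an added illustration (not Ixia or Net Optics code), here is a small Python model of the six modes above. For a given mode and a history of tool heartbeat results it answers two questions: where does production traffic go, and what does the IPS see. The heartbeat mechanism and its three-miss threshold are assumptions made for the example; how the real device decides the tool is down is a device setting.

```python
"""Model of the six iBypass modes listed above (added illustration, not Ixia or
Net Optics code). Production traffic enters on network port A; the model answers
where it goes and what the IPS sees. Tool health is derived from a heartbeat
miss counter; the mechanism and the threshold are assumptions for the example."""
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    TAP = "Tap"
    FAIL_CLOSE = "Fail-Close"
    FAIL_OPEN = "Fail-Open"
    FORCE_BYPASS_OFF = "Force-Bypass-Off"
    FORCE_BYPASS_ON_CLOSE = "Force-Bypass-On-Close"
    FORCE_BYPASS_ON_OPEN = "Force-Bypass-On-Open"


# Possible fates of a frame arriving on network port A.
INLINE = "A -> IPS -> B (inspected, IPS can block)"
BYPASS = "A -> B (bypasses the IPS, not inspected)"
BLOCKED = "dropped (link held down)"


@dataclass
class BypassSwitch:
    mode: Mode
    miss_threshold: int = 3   # assumed: consecutive missed heartbeats before "tool down"
    missed: int = 0
    tool_up: bool = True

    def heartbeat(self, answered: bool) -> None:
        """Record one heartbeat probe of the inline tool (the IPS)."""
        if answered:
            self.missed, self.tool_up = 0, True
        else:
            self.missed += 1
            if self.missed >= self.miss_threshold:
                self.tool_up = False

    def forward(self):
        """Return (path taken by production traffic, what the IPS sees).

        The second element is "inline" (IPS is in the path), "copy" (IPS gets a
        mirror only) or "none" (IPS sees nothing).
        """
        m = self.mode
        if m is Mode.TAP:
            return BYPASS, "copy"       # link passes untouched, IPS only gets a copy
        if m is Mode.FORCE_BYPASS_OFF:
            return INLINE, "inline"     # forced through the IPS, heartbeat ignored
        if m is Mode.FORCE_BYPASS_ON_OPEN:
            return BYPASS, "none"
        if m is Mode.FORCE_BYPASS_ON_CLOSE:
            return BLOCKED, "none"
        # Fail-Open / Fail-Close: inline while the tool answers heartbeats
        if self.tool_up:
            return INLINE, "inline"
        return (BYPASS if m is Mode.FAIL_OPEN else BLOCKED), "none"


def simulate(mode: Mode, heartbeats):
    """Feed a sequence of heartbeat results to a fresh switch and report forward()."""
    sw = BypassSwitch(mode)
    for ok in heartbeats:
        sw.heartbeat(ok)
    return sw.forward()


if __name__ == "__main__":
    for mode in Mode:
        healthy = simulate(mode, [True, True, True])
        dead = simulate(mode, [False, False, False])
        print(f"{mode.value:22} IPS up: {healthy[0]:42} IPS down: {dead[0]}")
```

The cases worth checking are the two Fail modes with the tool dead: Fail-Open silently turns into uninspected pass-through, Fail-Close turns into an outage, and a tool that recovers before the miss threshold never leaves the inline path.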

So far my experience with the iBypass switch has been a positive one.

I hope this helps you new iBypass switch users out there.

Please feel free to share your comments below!




Mar 27

Cisco ASA VPN and RSA SDI Troubleshooting

RSA SDI (the native RSA SecurID protocol) lets a user log in to a system with a SecurID token; it is a two-factor authentication method. The Cisco ASA VPN can be set up so the user enters either the tokencode shown on the token or just their PIN. If the user enters the PIN, the AnyConnect client looks for the software token on the computer and retrieves the tokencode, and the ASA then sends the resulting passcode to the RSA server for authentication. This post is not about how that process works, only a few tips on troubleshooting the connection.

If the Cisco ASA is not set up correctly on the RSA server, its requests get no answer; after repeated timeouts the ASA puts the server into a suspended state and will not try to use it again until it comes out of that state. In the case below, the Cisco ASA had network access to the RSA server, but the IP address of the ASA had not been entered correctly in the RSA application, so the RSA server ignored it. Below is the output for the affected server: 21 authentication requests, 21 timeouts, 0 accepts and 0 rejects. Note that I named the server group GOATRSA; you can give it any name you want.

Cisco-ASA-Firewall# show aaa-server GOATRSA host
Server Group: GOATRSA
Server Protocol: sdi
Server Address:
Server port: 5500
Server status: ACTIVE, Last transaction at 12:30:45 UTC Wed Mar 8 2014
Number of pending requests 0
Average round trip time 3385ms
Number of authentication requests 21
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 0
Number of accepts 0
Number of rejects 0
Number of challenges 0
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 21
Number of unrecognized responses 0

SDI Server List:
Active Address:
Server Address:
Server port: 5500
Priority: 0
Proximity: 0
Number of accepts 0
Number of rejects 0
Number of bad next token codes 0
Number of bad new pins sent 0
Number of retries 18
Number of timeouts 18

How to clear an RSA server in SUSPENDED status?

Remove the server from the group and add it back. From the CLI on the Cisco ASA, issue the following commands, substituting your own group name, interface, and host IP.
no aaa-server GOATRSA (INSIDE) host
aaa-server GOATRSA (INSIDE) host

After you add the server back and run “show aaa-server GOATRSA host” again, you will see the status change to UP.

How to test a user’s RSA token login from the Cisco ASA CLI?
From the CLI on the Cisco ASA, issue the following command (first the syntax, then an example).
test aaa-server authentication host username password
test aaa-server authentication GOATRSA host username ScapeGoat password 11223344
– The Cisco ASA reports whether the authentication succeeded or failed.

After the first successful login, the Cisco ASA receives the node secret from the RSA server and stores it in the root of its file system as a file ending in .sdi. Once your username test passes, you will see that .sdi file on the ASA.
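The checks in this post (read the counters, decide whether the server is effectively dead, remove and re-add it, then test a login) can be automated. Here is an added Python example, not Cisco code, that parses the “show aaa-server GOATRSA host” output above and turns the counters into a verdict. SAMPLE_OUTPUT is the output from this post with the documentation address 192.0.2.10 filled in where the post left the server IP blank; the verdict thresholds are my own choices.

```python
"""Parse `show aaa-server <group> host` output from a Cisco ASA and decide what to
do about an SDI server that answers nothing. Added example, not Cisco code.
SAMPLE_OUTPUT is the output from this post with a documentation address
(192.0.2.10) filled in where the post blanked the server IP."""
import re

SAMPLE_OUTPUT = """\
Cisco-ASA-Firewall# show aaa-server GOATRSA host
Server Group: GOATRSA
Server Protocol: sdi
Server Address: 192.0.2.10
Server port: 5500
Server status: ACTIVE, Last transaction at 12:30:45 UTC Wed Mar 8 2014
Number of pending requests 0
Average round trip time 3385ms
Number of authentication requests 21
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 0
Number of accepts 0
Number of rejects 0
Number of challenges 0
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 21
Number of unrecognized responses 0

SDI Server List:
Active Address: 192.0.2.10
Server Address: 192.0.2.10
Server port: 5500
Priority: 0
Proximity: 0
Number of accepts 0
Number of rejects 0
Number of bad next token codes 0
Number of bad new pins sent 0
Number of retries 18
Number of timeouts 18
"""

COUNTER_RE = re.compile(r"^Number of (.+?)\s+(\d+)$")
RTT_RE = re.compile(r"^Average round trip time\s+(\d+)ms$")


def parse_show_aaa_server(text):
    """Split the output into the group-level block and the 'SDI Server List' block.
    Each block becomes a dict of 'key: value' fields plus a 'counters' sub-dict."""
    blocks = {"group": {"counters": {}}, "sdi": {"counters": {}}}
    current = blocks["group"]
    for raw in text.splitlines():
        line = raw.strip()
        if line == "SDI Server List:":
            current = blocks["sdi"]
            continue
        m = COUNTER_RE.match(line)
        if m:
            current["counters"][m.group(1)] = int(m.group(2))
            continue
        m = RTT_RE.match(line)
        if m:
            current["rtt_ms"] = int(m.group(1))
            continue
        key, sep, value = line.partition(":")   # prompt and blank lines have no ':'
        if sep:
            current[key.strip().lower().replace(" ", "_")] = value.strip()
    return blocks


def diagnose(blocks):
    """Return (verdict, what to do next) from the group-level counters."""
    g = blocks["group"]
    c = g["counters"]
    state = g.get("server_status", "").split(",", 1)[0].strip()
    asked = c.get("authentication requests", 0)
    answered = c.get("accepts", 0) + c.get("rejects", 0) + c.get("challenges", 0)
    timeouts = c.get("timeouts", 0)
    if state and state != "ACTIVE":
        return ("marked-down", f"ASA shows the server as {state}: remove and re-add the host")
    if asked and answered == 0 and timeouts >= asked:
        return ("no-response", "every request timed out: confirm UDP/5500 reachability and "
                               "that the ASA's IP is registered correctly on the RSA server")
    if c.get("bad authenticators", 0) or c.get("malformed responses", 0):
        return ("bad-replies", "replies arrive but fail validation: check the node secret "
                               "(.sdi file) on the ASA against the RSA server")
    if not asked:
        return ("untested", "no authentication attempted yet: run test aaa-server authentication")
    return ("healthy", f"{answered} of {asked} requests were answered")


def readd_commands(group, interface, host):
    """The remove/re-add sequence from this post, as config-mode lines."""
    return [f"no aaa-server {group} ({interface}) host {host}",
            f"aaa-server {group} ({interface}) host {host}"]


if __name__ == "__main__":
    parsed = parse_show_aaa_server(SAMPLE_OUTPUT)
    verdict, action = diagnose(parsed)
    print(f"{parsed['group']['server_group']} @ {parsed['group']['server_address']}: {verdict}")
    print(action)
    if verdict in ("marked-down", "no-response"):
        print("\n".join(readd_commands("GOATRSA", "INSIDE", parsed["group"]["server_address"])))
```

The “no-response” verdict is the signature from this post: the ASA still lists the server as ACTIVE, but every authentication request has timed out and none was accepted or rejected, which points at the RSA side ignoring the ASA rather than at a network outage.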

If you have more RSA SDI tips, please reply to this post and add your notes! I hope this helps!

Click here to see Cisco’s SDI Soft token documentation.