Packets Dropped for Legitimate Traffic without Generating Alerts

This section provides troubleshooting procedures for cases where the Gateway IDS/IPS traffic inspection engine drops packets belonging to legitimate traffic without generating alerts.

To troubleshoot this scenario, complete the following steps:

  1. In the WebUI, set the filter to a group that contains at least one Branch Gateway that supports Gateway IDS/IPS.
    The dashboard context for a group is displayed.
  2. Under Manage, click Devices > Gateways.
    A list of gateways is displayed in the List view.
  3. Click a gateway under Device Name.
    The dashboard context for the gateway device is displayed.
  4. Under Manage, click Overview. The Gateway Details page is displayed.
  5. From the Actions drop-down list, click Open Remote Console.

    The remote console opens a CLI session over SSH (Secure Shell). The default user ID is admin, but you can edit and customize the user ID. This custom user ID must be mapped to the device.

  6. Execute the following commands to enable blocked flow log and PCAP log:

    (A9004) *#idps debug blocked-flow

    (A9004) *#idps debug pcap-log

    The debugging commands reload the Gateway IDS/IPS engine, which results in a momentary network disruption. Therefore, it is recommended to plan this activity in advance, during planned maintenance.

  7. Execute the show idps debug status command to ensure that the required Gateway IDS/IPS debug options are enabled.

    Wait until the Blocked-Flow status changes to Active. Reproduce the issue to capture the corresponding logs.

  8. Execute the following commands to disable blocked flow log and PCAP log:

    (A9004) *#no idps debug blocked-flow

    (A9004) *#no idps debug pcap-log

  9. Execute the show idps debug status command to ensure that the Gateway IDS/IPS debug options are disabled.
  10. Execute the tar logs idps-logs command to collect the Gateway IDS/IPS traffic inspection engine logs.
  11. Copy the idps-logs.tar.7z file from the gateway and share it with HPE Aruba Networking Technical Support.