
Active Response is unable to block an IP address

Updated April 17, 2017


LEM can trigger a rule that opens an SSH session to the firewall and blocks an IP address there.
The SSH session uses the Triple Data Encryption Standard (3DES) cipher to authenticate to the firewall and then blocks the IP address.
The LEM Active Response tool fails to authenticate to the firewall when firewall vendors change the default encryption level to block 3DES.



LEM 6.3.1 and earlier




The issue occurs when firewall vendors change the default encryption level to block 3DES, which the Active Response relies on when it connects to block an IP address.


  • Latest LEM version
  • Latest LEM connectors
  • Current hotfix 


  1. Increase the logging level for the SSH Active Response to access the firewall.
    1. Establish root access to LEM.
    2. Create /usr/local/contego/run/debug.conf and enter the following: com.trigeo.puma.toolactions.tool.SSHTool=12

      Include any of the following:

    3. Stop the Manager service: /etc/init.d/lem-manager stop
    4. Edit /usr/local/contego/run/manager.conf and add the following line: OutputLevelFile=debug.conf
    5. Start the Manager service: /etc/init.d/lem-manager start
  2. Allow LEM to block, or attempt to block, the IP address on the firewall.
  3. Collect the debug output and send it to our developers so they can update the cipher function in the Active Response.
  4. Stop the Manager service, remove the line added to manager.conf, and restart the Manager service.

    Note: You can also remove the debug.conf, but it is optional.

  5. Advise the customer that we are working on this issue.
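
The logging steps above as a script, added here as an example (not SolarWinds code): `enable` covers steps 1.2 to 1.5 and `disable` covers step 4. It assumes manager.conf holds one setting per line; the function names and the `RUN_DIR` and `MANAGER_INIT` override variables are hypothetical.

```shell
#!/bin/sh
# Added example, not SolarWinds code: function names are hypothetical.
# Paths, the service script and both config lines are the ones on this page.
RUN_DIR="${RUN_DIR:-/usr/local/contego/run}"
MANAGER_INIT="${MANAGER_INIT:-/etc/init.d/lem-manager}"
DEBUG_LINE='com.trigeo.puma.toolactions.tool.SSHTool=12'
CONF_LINE='OutputLevelFile=debug.conf'

# Steps 1.2 and 1.4: write debug.conf, then add the OutputLevelFile line once.
enable_ssh_debug() {
    conf="$RUN_DIR/manager.conf"
    printf '%s\n' "$DEBUG_LINE" > "$RUN_DIR/debug.conf" || return 1
    # Keep one pristine copy of manager.conf; never overwrite it on re-runs.
    [ -f "$conf.orig" ] || cp -p "$conf" "$conf.orig" || return 1
    # -x matches the whole line and -F treats it as a literal string.
    if ! grep -qxF "$CONF_LINE" "$conf"; then
        # Start on a new line even when the file lacks a trailing newline.
        [ -z "$(tail -c 1 "$conf")" ] || echo >> "$conf"
        printf '%s\n' "$CONF_LINE" >> "$conf"
    fi
}

# Step 4: remove only the added line; debug.conf is left in place (optional).
disable_ssh_debug() {
    conf="$RUN_DIR/manager.conf"
    tmp="$conf.tmp.$$"
    # grep -v exits 1 when nothing is left to print; only >1 is an error.
    grep -vxF "$CONF_LINE" "$conf" > "$tmp" || [ $? -eq 1 ] ||
        { rm -f "$tmp"; return 1; }
    # Write through the existing file so its owner and mode are preserved.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Usage: script enable | disable. The Manager is stopped around each edit.
case "${1:-}" in
    enable)  "$MANAGER_INIT" stop && enable_ssh_debug && "$MANAGER_INIT" start ;;
    disable) "$MANAGER_INIT" stop && disable_ssh_debug && "$MANAGER_INIT" start ;;
esac
```

Running `enable` twice leaves a single `OutputLevelFile` line, so a repeated collection attempt does not stack duplicate entries in manager.conf.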


It is possible to change the Cisco configuration to set the default encryption to include 3DES:

Always refer to Cisco documentation for precise configurations.
The settings below are temporary and should be changed back once the LEM Active Response connectors are updated.

  1. Log in to Cisco.
  2. Enter the following:

    asa# en


    asa# config t


    asa# show ssh ciphers

    Shows all possible ciphers.

    asa# show ssh | inc Cipher

    Shows enabled cipher functions. Look for 3des-cbc followed by AES and others. If 3des-cbc is missing, the medium-level default was configured rather than the low.

    asa# ssh cipher enc low

    Changes to use the low ciphers, enabling 3DES.

    asa# write mem

    Or use your own command to save the configuration changes, and then write the running configuration to startup.




Last modified: 17:03, 23 Apr 2017



Internal Use Only