Active Response is unable to block an IP address

Updated April 17, 2017


LEM can trigger a rule that opens an SSH session to the firewall and blocks an IP address there.
The SSH session uses Triple Data Encryption Standard (3DES) to authenticate to the firewall and then blocks the IP address.
The LEM Active Response tool fails to authenticate to the firewall when the firewall vendor changes the default encryption level so that 3DES is blocked.



LEM 6.3.1 and earlier




The issue occurs when firewall vendors change the default encryption level so that 3DES is blocked.


  • Latest LEM version
  • Latest LEM connectors
  • Current hotfix 


  1. Increase the logging level for the SSH Active Response to access the firewall.
    1. Establish root access to LEM.
    2. Create /usr/local/contego/run/debug.conf and enter the following: com.trigeo.puma.toolactions.tool.SSHTool=12

      Include any of the following:

    3. Stop the Manager service: /etc/init.d/lem-manager stop
    4. Edit /usr/local/contego/run/manager.conf and add the following line: OutputLevelFile=debug.conf
    5. Start the Manager service: /etc/init.d/lem-manager start
  2. Allow LEM to block, or attempt to block, the IP address on the firewall.
  3. Collect the debug output and send it to our developers so they can update the cipher function in the Active Response.
  4. Stop the Manager service, remove the line added to manager.conf, and restart the Manager service.

    Note: You can also remove debug.conf, but this is optional.

  5. Advise the customer that we are working on this issue.


It is possible to change the Cisco configuration to set the default encryption to include 3DES:

Always refer to the Cisco documentation for precise configurations.
The settings below are temporary and should be changed back once the LEM Active Response connectors are updated.

  1. Log in to the Cisco firewall.
  2. Enter the following:

    asa# en


    asa# config t


    asa# show ssh ciphers

    Shows all possible ciphers.

    asa# show ssh | inc Cipher

    Shows enabled cipher functions. Look for 3des-cbc followed by AES and others. If 3des-cbc is missing, the medium level default was configured, and not the low.

    asa# ssh cipher enc low

    Changes to use the low ciphers, enabling 3DES.

    asa# write mem

    Or use your own command to save the configuration changes, and then write the running configuration to startup.
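The cipher mismatch behind this issue can be checked offline from the firewall's SSH key-exchange message. The Python below is an added example, not SolarWinds or Cisco code: it parses an SSH_MSG_KEXINIT payload (RFC 4253) and applies the standard cipher selection rule. The payloads and cipher lists are constructed, and the 3DES-only client list is an assumption based on this article's statement that the session uses 3DES.

```python
import struct

FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def name_list(names):
    """Encode an RFC 4253 name-list: uint32 length, then comma-separated ASCII."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data

def build_kexinit(ciphers):
    """Constructed SSH_MSG_KEXINIT payload; only the two cipher lists vary."""
    lists = [["diffie-hellman-group14-sha1"], ["ssh-rsa"], ciphers, ciphers,
             ["hmac-sha1"], ["hmac-sha1"], ["none"], ["none"], [], []]
    body = b"".join(name_list(item) for item in lists)
    # type 20, 16-byte cookie (zeroed here), lists, first_kex_packet_follows, reserved
    return bytes([20]) + bytes(16) + body + b"\x00" + struct.pack(">I", 0)

def parse_kexinit(payload):
    """Return the ten algorithm name-lists of a KEXINIT payload as a dict."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, out = 17, {}  # skip the message type byte and the cookie
    for field in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (length,) = struct.unpack_from(">I", payload, pos)
        raw = payload[pos + 4:pos + 4 + length]
        if len(raw) != length:
            raise ValueError("truncated name-list body")
        out[field] = raw.decode("ascii").split(",") if raw else []
        pos += 4 + length
    return out

def negotiate(client, server):
    """RFC 4253 section 7.1: first client algorithm that the server also lists."""
    return next((alg for alg in client if alg in server), None)

def cipher_for(client_ciphers, server_payload):
    """Per-direction ciphers, or None if either direction has no common cipher."""
    offered = parse_kexinit(server_payload)
    c2s = negotiate(client_ciphers, offered["enc_c2s"])
    s2c = negotiate(client_ciphers, offered["enc_s2c"])
    return (c2s, s2c) if c2s and s2c else None

# Constructed inputs: assumed 3DES-only client, and two firewall cipher lists.
CLIENT = ["3des-cbc"]
WITHOUT_3DES = ["aes128-cbc", "aes192-cbc", "aes256-cbc", "aes128-ctr", "aes256-ctr"]
WITH_3DES = ["3des-cbc"] + WITHOUT_3DES
```

A result of `None` from `cipher_for` corresponds to the state in which the Active Response cannot establish its session; the same check run after the connectors are updated should succeed without 3DES on the firewall.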




Internal Use Only