«

I have a 3825 running 12.3(14)T4. On my serial port I have a T3/E3 card
connecting to an MPLS cloud with about 40 sites and on my Gi0/1 port I
have a SonicWall VPN concentrator connected to approx 200 sites. My
servers are located off the Gi0/0 port. Typical throughput through the
router averages about 2.0 MB through the Gi0/1 port and about 10 MB
through the serial port.

The router has 256MB of memory installed and about 128MB available. I
am loading 64 signatures with all the signatures set to alarm only. All
other signatures have been deleted.

After enabling IPS on the Gi0/0 outbound interface, everything works
fine for several hours and then users begin complaining about a loss of
connectivity. Users can't connect to web sites nor can they log in to
the AD and telnet and Citrix sessions get dropped and cannot be
reestablished. The logs show no signatures being triggered and my
session thresholds are well below max connection limits. Once IPS is
disabled, all problems disappear instantly. This has happened on three
different occasions.

Results from sho ip inspect conf (after IPS has been turned off) are as
follows;

Session audit trail is enabled
Session alert is enabled
one-minute (sampling period) thresholds are [4500:100000000]
connections
max-incomplete sessions thresholds are [4500:20000000]
max-incomplete tcp connections per host is 100000. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 32400 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec

Results from sho ip inspect stat (after IPS has been turned off) are as
follows;

Packet inspection statistics [process switch:fast switch]
tcp packets: [3669185:366719687]
udp packets: [6797247:165723639]
packets: [1441881:3408917]
packets: [6801515:319778749]
Interfaces configured for inspection 0
Session creations since subsystem startup or last reset 511218
Current session counts (estab/half-open/terminating) [3489:380:5]
Maxever session counts (estab/half-open/terminating) [0:0:0]
Last session created 2d06h
Last statistic reset 2d13h
Last session creation rate 1585
Last half-open session total 0

Results from sho ip ips stat (after IPS has been turned off) are;

Interfaces configured for ips 0
Session creations since subsystem startup or last reset 511218
Current session counts (estab/half-open/terminating) [3512:385:7]
Maxever session counts (estab/half-open/terminating) [0:0:0]
Last session created 2d06h
Last statistic reset 2d13h

Any advice is appreciated.

On 16 Feb 2006 17:33:07 -0800, "Greer" <> wrote:


>After enabling IPS on the Gi0/0 outbound interface, everything works
>fine for several hours and then users begin complaining about a loss of
>connectivity. Users can't connect to web sites nor can they log in to

>Any advice is appreciated.

They (those Cisco gurus in the know) say that IPS is still rough
around the edges and Cisco is still working out all the kinks. By the
sounds of it you may have run into one of those kinks.

If you have a current support contract you may want to try opening a
case with TAC.