Cisco IOS IPS issue

Discussion in 'Cisco' started by Greer, Feb 17, 2006.

  1. Greer

    Greer Guest

    I have a 3825 running 12.3(14)T4. On my serial port I have a T3/E3 card
    connecting to an MPLS cloud with about 40 sites and on my Gi0/1 port I
    have a SonicWall VPN concentrator connected to approx 200 sites. My
    servers are located off the Gi0/0 port. Typical throughput through the
    router averages about 2.0 MB through the Gi0/1 port and about 10 MB
    through the serial port.

    The router has 256MB of memory installed and about 128MB available. I
    am loading 64 signatures with all the signatures set to alarm only. All
    other signatures have been deleted.

    After enabling IPS on the Gi0/0 outbound interface, everything works
    fine for several hours and then users begin complaining about a loss of
    connectivity. Users can't connect to web sites nor can they log in to
    the AD and telnet and Citrix sessions get dropped and cannot be
    reestablished. The logs show no signatures being triggered and my
    session thresholds are well below max connection limits. Once IPS is
    disabled, all problems disappear instantly. This has happened on three
    different occasions.

    Results from sho ip inspect conf (after IPS has been turned off) are as
    follows;

    Session audit trail is enabled
    Session alert is enabled
    one-minute (sampling period) thresholds are [4500:100000000] connections
    max-incomplete sessions thresholds are [4500:20000000]
    max-incomplete tcp connections per host is 100000. Block-time 0 minute.
    tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
    tcp idle-time is 32400 sec -- udp idle-time is 30 sec
    dns-timeout is 5 sec

    Results from sho ip inspect stat (after IPS has been turned off) are as
    follows;

    Packet inspection statistics [process switch:fast switch]
    tcp packets: [3669185:366719687]
    udp packets: [6797247:165723639]
    packets: [1441881:3408917]
    packets: [6801515:319778749]
    Interfaces configured for inspection 0
    Session creations since subsystem startup or last reset 511218
    Current session counts (estab/half-open/terminating) [3489:380:5]
    Maxever session counts (estab/half-open/terminating) [0:0:0]
    Last session created 2d06h
    Last statistic reset 2d13h
    Last session creation rate 1585
    Last half-open session total 0

    Results from sho ip ips stat (after IPS has been turned off) are;

    Interfaces configured for ips 0
    Session creations since subsystem startup or last reset 511218
    Current session counts (estab/half-open/terminating) [3512:385:7]
    Maxever session counts (estab/half-open/terminating) [0:0:0]
    Last session created 2d06h
    Last statistic reset 2d13h

    Any advice is appreciated.
    Greer, Feb 17, 2006
    #1

  2. Greer

    Guest

    On 16 Feb 2006 17:33:07 -0800, "Greer" <> wrote:


    >After enabling IPS on the Gi0/0 outbound interface, everything works
    >fine for several hours and then users begin complaining about a loss of
    >connectivity. Users can't connect to web sites nor can they log in to


    >Any advice is appreciated.


    They (those Cisco gurus in the know) say that IPS is still rough
    around the edges and Cisco is still working out all the kinks. By the
    sounds of it you may have run into one of those kinks.

    If you have a current support contract you may want to try opening a
    case with TAC.
    , Feb 17, 2006
    #2
