https://community.cisco.com/t5/network-security/deactivated-signatures-still-causing-drops/m-p/1771937#M56124 <HTML><HEAD></HEAD><BODY><P>no, but all traffic from the subnets that the issue is on are specifically excluded from the IPS signature list with custom signatures. ( its an issue that requires a lowerd MTU to fix, but causes fragmenting at certain times )</P><P></P><P>Will the IPS modules STILL fire even on traffic excluded if the signatures match the traffic? How is the traffic to be excluded other than retiring the whole signature?</P><P></P><P>Cheers</P><P>D</P></BODY></HTML> Mon, 17 Oct 2011 00:22:55 GMT daniel.thompson 2011-10-17T00:22:55Z https://community.cisco.com/t5/network-security/deactivated-signatures-still-causing-drops/m-p/1771935#M56118 <P>Hi there,</P><P></P><P>We have a site with 2x 5540 asas with SSM-20 IPS Module in active standby mode.</P><P></P><P>The signatures 1204 and 1208 relating to Fragmented IP datagrams fire on traffic even when excluded from the siganture set.</P><P></P><P>Any ideas why and how to fix this issue?</P><P></P><P>Cheers</P><P>D</P><P></P><P></P><P>error attach as a pic</P> Sun, 10 Mar 2019 12:30:26 GMT https://community.cisco.com/t5/network-security/deactivated-signatures-still-causing-drops/m-p/1771935#M56118 daniel.thompson 2019-03-10T12:30:26Z https://community.cisco.com/t5/network-security/deactivated-signatures-still-causing-drops/m-p/1771936#M56120 <HTML><HEAD></HEAD><BODY><P>Have these signatures been retired and disabled?</P><P></P><P>Nick Smith</P><P>Cisco IPS Signature Team</P></BODY></HTML> Fri, 14 Oct 2011 20:01:08 GMT https://community.cisco.com/t5/network-security/deactivated-signatures-still-causing-drops/m-p/1771936#M56120 nicksmi 2011-10-14T20:01:08Z https://community.cisco.com/t5/network-security/deactivated-signatures-still-causing-drops/m-p/1771937#M56124 <HTML><HEAD></HEAD><BODY><P>no, but all traffic from the subnets that the issue is on are specifically excluded from the IPS signature list with custom signatures. ( its an issue that requires a lowerd MTU to fix, but causes fragmenting at certain times )</P><P></P><P>Will the IPS modules STILL fire even on traffic excluded if the signatures match the traffic? How is the traffic to be excluded other than retiring the whole signature?</P><P></P><P>Cheers</P><P>D</P></BODY></HTML> Mon, 17 Oct 2011 00:22:55 GMT https://community.cisco.com/t5/network-security/deactivated-signatures-still-causing-drops/m-p/1771937#M56124 daniel.thompson 2011-10-17T00:22:55Z https://community.cisco.com/t5/network-security/deactivated-signatures-still-causing-drops/m-p/1771938#M56128 <HTML><HEAD></HEAD><BODY><P>From a colleague,</P><P></P><P>The only way to prevent these two sigs (1204 and 1208) from firing is to retire them and then reset the sensor.&nbsp; Disabling them will only stop alerting, and they will continue to deny packets (this is part of the normalizer’s design).&nbsp; I don’t think a custom sig will work because the normalizer sigs will be processed before the custom sigs.</P><P></P><P> Sig 1204 is ‘IP Fragment Missing Initial Fragment’</P><P> And 1208 is ‘IP Fragment Incomplete Datagram’</P><P></P><P> There’s not much we can do with sig 1204.&nbsp; If the initial fragment is missing, we can’t do reassembly.</P><P> However, with sig 1208, we can adjust the timeout, which defaults to 60 seconds.&nbsp; Sixty seconds should be plenty of time though.&nbsp;&nbsp; It can be increased to up to 360 seconds by modifying fragment-reassembly-timeout.&nbsp; </P><P></P><P>Are the dropped frags causing network issues?</P></BODY></HTML> Mon, 17 Oct 2011 20:28:13 GMT https://community.cisco.com/t5/network-security/deactivated-signatures-still-causing-drops/m-p/1771938#M56128 nicksmi 2011-10-17T20:28:13Z