<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic IDS Question in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/ids-question/m-p/1546307#M66264</link>
    <description>&lt;P&gt;Hi. We have a Cisco IDS 4215 along with 2x Cisco Pix 515e's. I manage the Pix's but know nothing about the IDS (neither does anyone else here, it was installed by a 3rd party long ago). We have a situation where traffic from an external supplier is occasionally getting dropped (they come in over a site-to-site VPN). We've already established (from the firewall syslogs) that the SYN-ACK packets are getting lost somewhere and I want to rule out the IDS. What would the consequences be of me switching off the IDS for 1 day? If problem persists then I can rule that out. If problem goes away then I'll know it's IDS and know where to concentrate my efforts.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Rex&lt;/P&gt;</description>
    <pubDate>Sun, 10 Mar 2019 12:10:13 GMT</pubDate>
    <dc:creator>Rex Biesty</dc:creator>
    <dc:date>2019-03-10T12:10:13Z</dc:date>
    <item>
      <title>IDS Question</title>
      <link>https://community.cisco.com/t5/network-security/ids-question/m-p/1546307#M66264</link>
      <description>&lt;P&gt;Hi. We have a Cisco IDS 4215 along with 2x Cisco Pix 515e's. I manage the Pix's but know nothing about the IDS (neither does anyone else here, it was installed by a 3rd party long ago). We have a situation where traffic from an external supplier is occasionally getting dropped (they come in over a site-to-site VPN). We've already established (from the firewall syslogs) that the SYN-ACK packets are getting lost somewhere and I want to rule out the IDS. What would the consequences be of me switching off the IDS for 1 day? If problem persists then I can rule that out. If problem goes away then I'll know it's IDS and know where to concentrate my efforts.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Rex&lt;/P&gt;</description>
      <pubDate>Sun, 10 Mar 2019 12:10:13 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ids-question/m-p/1546307#M66264</guid>
      <dc:creator>Rex Biesty</dc:creator>
      <dc:date>2019-03-10T12:10:13Z</dc:date>
    </item>
    <item>
      <title>Re: IDS Question</title>
      <link>https://community.cisco.com/t5/network-security/ids-question/m-p/1546308#M66265</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Does the IDS box come into the picture after the packet has been decrypted on the Pix's?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;a# What you can do to isolate the issue is to turn bypass mode ON on the IDS box, which would bypass packet processing so that the sensor merely acts as a bridge in the network; the drivers no longer send the packet to sensorApp for processing. See if the issue persists.&lt;/P&gt;&lt;P&gt;b# Secondly, if you have a lot of asymmetric traffic flowing, then normalizers 1330's may be causing the packet drops. If from a# above you know for sure the sensor is causing the trouble, then you may enable asymmetric flows through the sensor to isolate point b#.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Let me know how it goes!!&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 29 Oct 2010 09:56:47 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ids-question/m-p/1546308#M66265</guid>
      <dc:creator>abinjola</dc:creator>
      <dc:date>2010-10-29T09:56:47Z</dc:date>
    </item>
    <item>
      <title>Re: IDS Question</title>
      <link>https://community.cisco.com/t5/network-security/ids-question/m-p/1546309#M66266</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;If the packets are encrypted, it doesn't make sense for SYN-ACKs to be missing. The IDS just sees an encrypted UDP packet, so it can't know to drop the SYN-ACKs only. So, if that is the case, I am skeptical about it being the IDS.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Rgs,&lt;/P&gt;&lt;P&gt;PK&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 29 Oct 2010 17:26:27 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ids-question/m-p/1546309#M66266</guid>
      <dc:creator>Panos Kampanakis</dc:creator>
      <dc:date>2010-10-29T17:26:27Z</dc:date>
    </item>
    <item>
      <title>Re: IDS Question</title>
      <link>https://community.cisco.com/t5/network-security/ids-question/m-p/1546310#M66267</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Is it an IDS configuration or IPS? If it is an IDS, that means you have a span/monitor sending traffic to the IDS and it should not be impacting your traffic. An IPS does have your traffic passing through it, and then you would want to put it into bypass mode. Sorry if I was stating the obvious.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 29 Oct 2010 20:29:49 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ids-question/m-p/1546310#M66267</guid>
      <dc:creator>andywt123</dc:creator>
      <dc:date>2010-10-29T20:29:49Z</dc:date>
    </item>
  </channel>
</rss>

