https://community.cisco.com/t5/network-security/ips-sensor-4240-slowing-down-traffic/m-p/1155879#M77482 <P>Hi All, </P><P>I have the following scenario: </P><P>The internal LAN (around 40 computers &amp; 6 Servers) connecting to a 4500R which connects to two ASAs 5550 (In Failover) which then connects to a 2960G that connects to an IPS and finally a 2821 that gives Internet access. </P><P>In other words....</P><P>LAN - 4500R - ASAs - 2960G - IPS - 2821 - Internet. </P><P>The Problem is the following: </P><P>If the IPS Sensor 4240 is configured as Inline suddenly the network begin experiencing slowliness and the CPU on the IPS is at 100%. This only happens from time to time. I don't see any alarms being generated by the IPS indicating an attack or something like that.... </P><P>If I configure the IPS as an IDS and configure the 2960G to SPAN traffic to the IDS... then everything works fine all the time &amp; I haven't seen the problem again. </P><P>The situation is that I need the IPS Sensor to be as an IPS in Inline mode.</P><P>My question is... how do I determine what's going on????</P><P>The Sensor has a throughput around 1/4 as compared to the ASAs, but still there should not be so much traffic in the internal LAN to saturate the IPS. </P><P>The only thing I see on the IPS is the CPU at 100% when this happens. I don't see any signature match or alarm... </P><P>Please point me in the right direction to troubleshoot this problem, and I can provide more details if necessary...</P><P>Thank you All!!</P> Sun, 10 Mar 2019 11:33:34 GMT fedecotofaja 2019-03-10T11:33:34Z https://community.cisco.com/t5/network-security/ips-sensor-4240-slowing-down-traffic/m-p/1155879#M77482 <P>Hi All, </P><P>I have the following scenario: </P><P>The internal LAN (around 40 computers &amp; 6 Servers) connecting to a 4500R which connects to two ASAs 5550 (In Failover) which then connects to a 2960G that connects to an IPS and finally a 2821 that gives Internet access. </P><P>In other words....</P><P>LAN - 4500R - ASAs - 2960G - IPS - 2821 - Internet. </P><P>The Problem is the following: </P><P>If the IPS Sensor 4240 is configured as Inline suddenly the network begin experiencing slowliness and the CPU on the IPS is at 100%. This only happens from time to time. I don't see any alarms being generated by the IPS indicating an attack or something like that.... </P><P>If I configure the IPS as an IDS and configure the 2960G to SPAN traffic to the IDS... then everything works fine all the time &amp; I haven't seen the problem again. </P><P>The situation is that I need the IPS Sensor to be as an IPS in Inline mode.</P><P>My question is... how do I determine what's going on????</P><P>The Sensor has a throughput around 1/4 as compared to the ASAs, but still there should not be so much traffic in the internal LAN to saturate the IPS. </P><P>The only thing I see on the IPS is the CPU at 100% when this happens. I don't see any signature match or alarm... </P><P>Please point me in the right direction to troubleshoot this problem, and I can provide more details if necessary...</P><P>Thank you All!!</P> Sun, 10 Mar 2019 11:33:34 GMT https://community.cisco.com/t5/network-security/ips-sensor-4240-slowing-down-traffic/m-p/1155879#M77482 fedecotofaja 2019-03-10T11:33:34Z https://community.cisco.com/t5/network-security/ips-sensor-4240-slowing-down-traffic/m-p/1155880#M77483 <HTML><HEAD></HEAD><BODY><P>What does the load and memory look like when the CPU is at 100%?</P></BODY></HTML> Mon, 23 Mar 2009 19:44:51 GMT https://community.cisco.com/t5/network-security/ips-sensor-4240-slowing-down-traffic/m-p/1155880#M77483 larry.atkins 2009-03-23T19:44:51Z https://community.cisco.com/t5/network-security/ips-sensor-4240-slowing-down-traffic/m-p/1155881#M77484 <HTML><HEAD></HEAD><BODY><P>I think the Best design is to use the IPS behind the ASA.</P><P></P><P>in your case here is what I have found:</P><P></P><P>Traffic inspected by a sensor outside a firewall tends to be unregulated. Sensors monitoring</P><P>traffic outside a firewall see scans, sweeps, and every Internet worm and attack that exists,</P><P>along with potentially large numbers of spoofed packets from around the globe. This makes it</P><P>much more difficult to distinguish true alarms from noise or false alarms. A possible strategy</P><P>for a sensor outside a firewall is to use the event stream from the sensor to identify trends.</P><P>When the sensor is outside the firewall, consider these tuning guidelines:</P><P>- Avoid assigning a high severity level to any individual event.</P><P>- Turn off all response actions.</P><P>- Use the sensor primarily to look for trends on the Internet such as activity explosions,</P><P>which can indicate attacks like Code Red or Nimda.</P><P></P><P>you should do moniting using IME, this may be helpful to know why the load is 100% <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P><P></P><P>I hope this is useful.</P><P>Reda</P></BODY></HTML> Thu, 26 Mar 2009 09:33:27 GMT https://community.cisco.com/t5/network-security/ips-sensor-4240-slowing-down-traffic/m-p/1155881#M77484 rjaaouan 2009-03-26T09:33:27Z