https://community.cisco.com/t5/network-security/ios-ips-troubleshooting/m-p/753348#M86368 <P>Hi all,</P><P></P><P>I am enabling the IPS functionality on a 3825 router with IOS 12.4(3d). The problem is that when I enable the IPS (inbound direction of the router's ethernet interface) I start having connectivity problems with some applications even with all the signatures on alert (not to drop traffic).</P><P></P><P>Is there a debug or some troubleshooting that I can use in order to verify why the IPS is dropping some of the traffic?</P><P></P><P>Also I have read that when you enable the IPS functionality the router automatically activates de inspect engine and in consequence it will drop out-of-order packets and half open connections, is this correct?</P><P></P><P>Regards.</P> Sun, 10 Mar 2019 10:40:02 GMT vicente.madrigal 2019-03-10T10:40:02Z https://community.cisco.com/t5/network-security/ios-ips-troubleshooting/m-p/753348#M86368 <P>Hi all,</P><P></P><P>I am enabling the IPS functionality on a 3825 router with IOS 12.4(3d). The problem is that when I enable the IPS (inbound direction of the router's ethernet interface) I start having connectivity problems with some applications even with all the signatures on alert (not to drop traffic).</P><P></P><P>Is there a debug or some troubleshooting that I can use in order to verify why the IPS is dropping some of the traffic?</P><P></P><P>Also I have read that when you enable the IPS functionality the router automatically activates de inspect engine and in consequence it will drop out-of-order packets and half open connections, is this correct?</P><P></P><P>Regards.</P> Sun, 10 Mar 2019 10:40:02 GMT https://community.cisco.com/t5/network-security/ios-ips-troubleshooting/m-p/753348#M86368 vicente.madrigal 2019-03-10T10:40:02Z https://community.cisco.com/t5/network-security/ios-ips-troubleshooting/m-p/753349#M86370 <HTML><HEAD></HEAD><BODY><P>most likely you are hitting the out-of-order issue. It is fixed in the latest T-train.</P><P></P><P>Regarding your question, you are right. When ips is enabled, it will activates the deep inspection engine which will drop out-of-order packets.</P><P></P><P>-Chris</P></BODY></HTML> Thu, 21 Jun 2007 04:49:30 GMT https://community.cisco.com/t5/network-security/ios-ips-troubleshooting/m-p/753349#M86370 ymzhang 2007-06-21T04:49:30Z https://community.cisco.com/t5/network-security/ios-ips-troubleshooting/m-p/753350#M86372 <HTML><HEAD></HEAD><BODY><P>Thanks Chris,</P><P></P><P>I will try the IOS upgrade to see if that helps me to solve the issue, by the way I am still looking for some debugs or troubleshooting commands that help me to verify that the IPS (and inspect engine) is dropping the packets. Do you know some commands or debugs that can help me?</P><P></P><P>Regards.</P><P></P></BODY></HTML> Thu, 21 Jun 2007 13:26:30 GMT https://community.cisco.com/t5/network-security/ios-ips-troubleshooting/m-p/753350#M86372 vicente.madrigal 2007-06-21T13:26:30Z https://community.cisco.com/t5/network-security/ios-ips-troubleshooting/m-p/753351#M86373 <HTML><HEAD></HEAD><BODY><P>Yes. The module/doe that drops out-of-order packets belongs to the firewall session tracking function. If you use 'debug ip inspect detail' command, you should be able to find clue. Be careful not to use this command on your production network, this debug command will generate lots of messages.</P><P></P><P>Thanks,</P><P>-Chris</P></BODY></HTML> Thu, 21 Jun 2007 16:40:18 GMT https://community.cisco.com/t5/network-security/ios-ips-troubleshooting/m-p/753351#M86373 ymzhang 2007-06-21T16:40:18Z