https://community.cisco.com/t5/network-security/ips-tcp-segment-overwrite-way-too-many/m-p/735115#M86405 <HTML><HEAD></HEAD><BODY><P>If you are on a 4250, 4250XL or a IDSM-2 then you might be hitting CSCsg23774.</P><P></P><P><A class="jive-link-custom" href="http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsg23774" target="_blank">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsg23774</A></P><P></P><P>The defect was corrected in 6.0(1).</P></BODY></HTML> Tue, 19 Jun 2007 18:21:24 GMT mlhall 2007-06-19T18:21:24Z https://community.cisco.com/t5/network-security/ips-tcp-segment-overwrite-way-too-many/m-p/735111#M86397 <P>We had consultants install our new ips. They recommended plugging into a switch connecting our firewall to our internet router. We have a bunch of VPN tunnels terminating at our ASA firewall from our remote offices. When I check the logs on the IPS, there are tons of alerts for "tcp segment overwrite" and alot of them come from the vpn sites. My question is, what can I do to alleviate some of these messages? I can't believe that we are being attacked this much.</P><P></P><P>To clarify our installation, we have 2 switches, one in each of our two buildings, and they are connected via fibre. We have a ASA in each building and they are setup for redundancy. Our IPS has only one interface plugged into the same vlan the hosts the firewall and the internet router.</P><P></P><P>thanks</P> Sun, 10 Mar 2019 10:39:42 GMT https://community.cisco.com/t5/network-security/ips-tcp-segment-overwrite-way-too-many/m-p/735111#M86397 tverhoeven 2019-03-10T10:39:42Z https://community.cisco.com/t5/network-security/ips-tcp-segment-overwrite-way-too-many/m-p/735112#M86400 <HTML><HEAD></HEAD><BODY><P>If this is in an inline scenario the offending packets are dropped by default. To investigate it further I check to see what other alerts are triggering for the offending hosts. This will give you more information to ascertain what these hosts are really doing.</P></BODY></HTML> Tue, 19 Jun 2007 00:29:46 GMT https://community.cisco.com/t5/network-security/ips-tcp-segment-overwrite-way-too-many/m-p/735112#M86400 jlimbo 2007-06-19T00:29:46Z https://community.cisco.com/t5/network-security/ips-tcp-segment-overwrite-way-too-many/m-p/735113#M86402 <HTML><HEAD></HEAD><BODY><P>this is not inline...only have one interface.</P><P></P><P>I checked through and handful of the logs and I have ip's from my internal network and from remote vpn connections. Is there a way to search thru the log to find multiple occurrences of the same host???</P><P></P></BODY></HTML> Tue, 19 Jun 2007 00:43:33 GMT https://community.cisco.com/t5/network-security/ips-tcp-segment-overwrite-way-too-many/m-p/735113#M86402 tverhoeven 2007-06-19T00:43:33Z https://community.cisco.com/t5/network-security/ips-tcp-segment-overwrite-way-too-many/m-p/735114#M86403 <HTML><HEAD></HEAD><BODY><P>we have the same issue. we see them too much in "normal" traffic for the sig to be useful.</P></BODY></HTML> Tue, 19 Jun 2007 12:43:58 GMT https://community.cisco.com/t5/network-security/ips-tcp-segment-overwrite-way-too-many/m-p/735114#M86403 mhellman 2007-06-19T12:43:58Z https://community.cisco.com/t5/network-security/ips-tcp-segment-overwrite-way-too-many/m-p/735115#M86405 <HTML><HEAD></HEAD><BODY><P>If you are on a 4250, 4250XL or a IDSM-2 then you might be hitting CSCsg23774.</P><P></P><P><A class="jive-link-custom" href="http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsg23774" target="_blank">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsg23774</A></P><P></P><P>The defect was corrected in 6.0(1).</P></BODY></HTML> Tue, 19 Jun 2007 18:21:24 GMT https://community.cisco.com/t5/network-security/ips-tcp-segment-overwrite-way-too-many/m-p/735115#M86405 mlhall 2007-06-19T18:21:24Z https://community.cisco.com/t5/network-security/ips-tcp-segment-overwrite-way-too-many/m-p/735116#M86406 <HTML><HEAD></HEAD><BODY><P>Thanks man...that seemed to do the trick.</P><P></P><P>Good thing I did not do that upgrade last week when I was studying for the IPS exam. Whole new interface would have thrown me off.</P></BODY></HTML> Wed, 20 Jun 2007 14:26:38 GMT https://community.cisco.com/t5/network-security/ips-tcp-segment-overwrite-way-too-many/m-p/735116#M86406 tverhoeven 2007-06-20T14:26:38Z