Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1159
Views
0
Helpful
4
Replies

Ask : IPS Bottleneck Issue

probopurwo
Level 1
Level 1

‎06-03-2012 08:05 PM - edited ‎03-10-2019 05:41 AM

Hi all,

please give me an understanding about the ips packet flow inspection.

I got a problem with IPS, it seems like a Bottleneck issue.

When i turning on the IPS machine, all process being down.

But when i turning off the IPS, all process begin normal again.

FYI, i already setting the by pass configuration to ON and setting whole events action Rule being "Produce Alert"

What probably cause with my problem ?

What should i conduct with Anomaly Detection ? Should i change the AD mode to be inactive ?

Thank you.

Labels:
0 Helpful
4 Replies 4

sawgupta
Level 1
Level 1

‎06-09-2012 06:18 PM

What do you mean by "all process being down" ?

With Bypass set to ON, IPS should simply pass all traffic without analyzing.

Event Action being set to "Produce Alert", is the alert rate too high ? Are there some particular signatures firing a lot ? (Check show statistics virtual-sensor).

Regards,

Sawan Gupta

Thanks & Regards, Sawan Gupta
0 Helpful

probopurwo
Level 1
Level 1
In response to sawgupta

‎06-10-2012 07:08 PM

Thank Sawan for your answer,

first i want to inform you about the all process being down, it mean that the server inside the server farm being down when i turn on the IPS.

i already set the by pass ON in interface, and make all action in signatures to be produce alert, mean that no packet drop / modify inline conducted by the IPS Sensor, but the servers still cannot operate as well as IPS being turning off.

what problem may be occure ?

0 Helpful

sawgupta
Level 1
Level 1
In response to probopurwo

‎06-11-2012 08:00 AM

If Bypass is set to ON, then IPS shouldn't be doing anything. It looks like a configuration issue.

Regards,

Sawan Gupta

Thanks & Regards, Sawan Gupta
0 Helpful

probopurwo
Level 1
Level 1
In response to sawgupta

‎06-11-2012 07:05 PM

Yeah, it should be like that, but actually when i setting up the by pass to be ON, the traffic from server farm still can operate as well as turning off IPS.

actually, i just configure the interface pair, one to ASA and one to Access-Server Farm.

before, this configuration can operate well, and no problem occure.

but after deploying some Application inside the Server Farm, there are so many problem, most of them is The Process of the Application being "Slow" When the IPS is turning ON.

What is the best practice configuration of IPS, what do you think ?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card