05-18-2012 02:39 PM - edited 03-10-2019 05:40 AM
With Madhu Kodali
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to discuss configuration and troubleshooting IDS/IPS sensors with Cisco expert Madhu Kodali.
Madhu is a senior QA engineer on the Intrusion Prevention Systems development team in Austin, Texas, which supports the quality assurance of Cisco's intrusion detection and prevention solutions. He has been with Cisco for 10 years. His expertise lies in intrusion detection and prevention and the associated range of Cisco management products including Cisco IPS Manager Express and Cisco Adaptive Security Device Manager. Kodali holds a master's degree in computer science from the University of Texas at Dallas and currently holds CCSP and CISSP certification.
Remember to use the rating system to let Madhu know if you have received an adequate response.
Madhu might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community discussion forum shortly after the event. This event lasts through June 1, 2012. Visit this forum often to view responses to your questions and the questions of other community members.
05-25-2012 08:41 AM
Hi Rahul,
ASA and IPS have different areas of application. The ASA firewall provides access control and sometimes VPN services. It also provides some basic application inspection and threat protection, but more advanced protection against malware, evasions, trojans and worms is provided by IPS. To inspect packets and streams beyond layer 4, an IPS would be needed, as firewalls usually don't have intensive deep packet inspection capabilities.
Hope this helps
Madhu
05-25-2012 01:16 PM
Hi Rahul,
1) Does the WLC have IPS? If yes, how is it different from a normal IPS?
2) Is the WLC IPS enough to protect wireless traffic?
Thanks,
John
05-25-2012 01:53 PM
John,
I presume you are referring to the Wireless LAN Controller, with which I have no familiarity. However, it looks like there is some integration between WLC and IPS, as detailed in this link.
For a better response you can try posting your question on the Wireless forum.
thanks
Madhu
05-25-2012 06:23 PM
Hello Madhu,
We have a pair of IDSM-2 modules, one in each of our core 7613 routers. We are using these in inline mode, with VLAN pairs. One module is dedicated to protecting our inbound internet connection. It handles two VLAN pairs, one is behind the firewall, and the second is behind our F5 load balancer, which does SSL offload.
We are experiencing unacceptably high inspection loads whenever our internet traffic goes above 50Mbps. We see high latency (around 1000ms) and packet drops. So we are compelled to bypass IDSM-2, which is rated at 500Mbps, when the traffic exceeds 100Mbps. We are not using custom rules, or any heavy logging.
The traffic primarily consists of a high number of small file transfers from mobile devices. I understand that 500Mbps may be under ideal conditions, but we're not getting even close. Is there anywhere we can look to improve performance?
Appreciate any suggestions you have!
05-26-2012 11:30 AM
Hi,
The IDSM2 is rated at 500 Mbps based on HTTP traffic with an average segment size of 650 bytes. Any other traffic profile with a smaller packet size or a non-TCP protocol can adversely impact the performance. However, 50 Mbps sounds very low for any traffic profile. Here are some troubleshooting steps you can follow to debug this issue:
- Configure bypass mode to ON on the IDSM2 to see if that resolves the issue of high latency and inspection load. If it does not resolve the issue then check the memory usage and CPU as IDSM2 has been prone to the HDD issue needing the disk to cool down for approximately 30 min.
- If bypass mode resolves the issue, then it is the type of traffic that is causing the high inspection load. If the traffic is primarily TCP, then check to see if the normalizer sigs are firing. These are the 1330/1300 sigs that show up under "show statistics virtual-sensor". In this case there may be some tuning needed for the sigs. If the normalizer is not an issue, then please check if there are any other settings, like event action overrides or custom signatures, that may be causing the delay in traffic.
- If the traffic is not TCP then have the traffic sample captured and contact Cisco TAC for further assistance. Cisco TAC can help reproduce the issue and suggest the next appropriate steps. Please provide the software version on the IDSM2 and the output of "show tech-support" while opening a case.
Thanks
Madhu
05-29-2012 10:22 AM
Madhu,
Thanks for your response. This gives me a few places to look for clues.
Regards,
-Daniel
05-29-2012 12:10 PM
Hi Daniel,
Please check if you are at the latest sig level, as there were a few sigs that were affecting the performance in file transfer scenarios. A show version on the IDSM2 would tell us the major version and also the sig level. If you are at the latest sig level, then you may need to use the RegexDepth setting to get better performance with file transfers.
The event action overrides should not add to the processing load. I suspect it is the type of traffic that the IPS is analyzing. If possible, please provide a sample capture of the packets which would truly represent the traffic. This would give us an idea of the protocol and ports that are being used for the file transfer.
thanks
Madhu
05-31-2012 09:29 AM
Madhu,
The traffic is predominantly http and https. The IDSM-2 is inline behind the firewall, so traffic is mostly https at this point. Then the traffic goes through the load balancer, where it is decrypted to http and then fed through the IDSM-2 again. We have two VLAN pairs set up.
File transfer is not really how I would characterize the traffic. These are 1000s of mobile devices, each uploading 100K-1000K payloads.
I tried setting RegexDepth to 800000 but it made no difference. The bug report suggested a lower value could be tried. Do you have any suggestions on how I should step it down? Is 700000 a reasonable next step?
The SmartNet on these ran out 4/1/2012. We are reluctant to renew if these are not going to be sufficient for our use case, so I'm in a bind to find some way to tune the performance to handle 100Mbps easily (two 50Mbps VLAN pairs).
Thanks for all your help so far!
Daniel
05-31-2012 02:29 PM
Hi Daniel,
Please make sure you have reset the IPS after changing the RegexDepth setting in sensorApp.conf.
Also, if the IDSM2 is inspecting traffic twice, please make sure that you have each VLAN pair in a different virtual sensor. Or you can keep them in one virtual sensor and set 'inline-TCP-session-tracking-mode interface-and-vlan' so that each session in each VLAN is tracked separately. This option appears under service analysis-engine as shown below:
idsm(config)# service analysis-engine
idsm(config-ana)# virtual-sensor vs0
idsm(config-ana-vir)# inline-TCP-session-tracking-mode ?
  virtual-sensor      All packets with the same session key (AaBb) within a
                      virtual sensor belong to the same session.
  interface-and-vlan  All packets with the same session key (AaBb) in the same
                      VLAN (or inline VLAN pair) and on the same interface
                      belong to the same session. Packets with the same key but
                      on different VLANs or interfaces are tracked
                      independantly.
  vlan-only           All packets with the same session key (AaBb) in the same
                      VLAN (or inline VLAN pair), regardless of the interface,
                      belong to the same session. Packets with the same key but
                      on different VLANs are tracked independantly.
thanks
Madhu
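The following is an added illustration, not code from Cisco or from anyone in this thread, of what the three tracking modes in the CLI help above mean for a flow that crosses the sensor twice on two inline VLAN pairs. It models the session key as the direction-independent AaBb tuple, optionally extended with VLAN and interface, and counts segments whose byte range a TCP normalizer would have to reconcile as overlapping data. The addresses, ports, VLAN numbers, interface name and the assumption that both passes carry an identical AaBb key are all constructed for the example.

```python
"""Model of how an inline IPS keys TCP sessions under the three
inline-TCP-session-tracking-mode values.

Constructed illustration, not Cisco's implementation: it shows why a flow
seen twice (same session key, different VLAN pairs) is merged into one
session in 'virtual-sensor' mode, so the second pass looks like a stream
of overlapping/retransmitted segments, while 'interface-and-vlan' and
'vlan-only' keep the two passes apart. All values below are made up.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int        # first TCP sequence number carried by the segment
    length: int     # payload bytes
    vlan: int       # VLAN (or inline VLAN pair) the sensor saw it on
    interface: str  # sensor data interface it arrived on


def session_key(pkt, mode):
    """Build the tracking key for one packet under the given mode.

    The AaBb part is direction-independent: client->server and
    server->client packets of one connection share it.
    """
    aabb = frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})
    if mode == "virtual-sensor":
        return (aabb,)
    if mode == "vlan-only":
        return (aabb, pkt.vlan)
    if mode == "interface-and-vlan":
        return (aabb, pkt.vlan, pkt.interface)
    raise ValueError(f"unknown tracking mode: {mode}")


def track(packets, mode):
    """Group packets into sessions and count segments whose byte range
    overlaps data already seen in the same session (what a TCP
    normalizer treats as a retransmission/overlap to reconcile).

    Returns (number_of_sessions, overlap_count).
    """
    seen_ranges = defaultdict(list)
    overlaps = 0
    for p in packets:
        ranges = seen_ranges[session_key(p, mode)]
        start, end = p.seq, p.seq + p.length
        if any(s < end and start < e for s, e in ranges):
            overlaps += 1
        ranges.append((start, end))
    return len(seen_ranges), overlaps


def constructed_upload():
    """One client upload of five 1000-byte segments that the sensor sees
    on VLAN pair 10 and again, with an identical session key, on VLAN
    pair 20. One genuine retransmission (seq 2000) is included on the
    first pass so real anomalies are still visible in every mode.
    """
    def seg(seq, vlan):
        # Constructed addresses/ports; hypothetical interface name.
        return Packet("10.1.1.5", 40000, "203.0.113.10", 443,
                      seq, 1000, vlan, "data-port-7")
    first_pass = [seg(s, 10) for s in range(0, 5000, 1000)]
    retransmit = [seg(2000, 10)]
    second_pass = [seg(s, 20) for s in range(0, 5000, 1000)]
    return first_pass + retransmit + second_pass


def compare_modes(packets=None):
    """Return {mode: (sessions, overlaps)} for the three tracking modes."""
    packets = packets if packets is not None else constructed_upload()
    return {m: track(packets, m)
            for m in ("virtual-sensor", "vlan-only", "interface-and-vlan")}


if __name__ == "__main__":
    for mode, (sessions, overlaps) in compare_modes().items():
        print(f"{mode:20s} sessions={sessions} overlapping_segments={overlaps}")
```

In 'virtual-sensor' mode the ten packets of the two passes collapse into one session and every segment of the second pass registers as overlapping data on top of the one real retransmission; in the other two modes the passes are two sessions and only the genuine retransmission is counted. That extra reconciliation work per packet is the cost the setting removes when the same traffic is inspected twice.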
06-01-2012 08:38 AM
Madhu,
Changing the inline-TCP-session-tracking-mode made a huge difference. Performance seems to be almost 2X what it was before. I was able to leave the IDS inline during a period of peak traffic (over 120Mbps counting both VLAN pairs). At this rate the inspection load was about 70.
Thanks again for your time - this conversation has been extremely helpful.
Warm regards,
Daniel
05-30-2012 01:37 PM
Hello Madhu,
We have a pair of 5520s with IPS modules fitted in each. We have had to reinstall the IPS module on the secondary, but I would like it to synchronise configuration with the IPS module in the Active ASA. Could you let me know what needs to be done? I have done the 'basic' setup on the IPS module so it has the correct IP addressing and the same software version (7.0(6)) as the Active IPS, but nothing seems to be synchronising.
many thanks,
Chris.
05-30-2012 01:55 PM
Hi Chris,
Configuration on the IPS is not synchronized between an ASA failover pair. For IPS we have to manually copy the same configuration to both modules. Once you have configured the first IPS fully, you can copy that to a TFTP or an FTP server and then copy that configuration back to the second IPS.
Hope this helps
Madhu
05-30-2012 02:04 PM
Thank you Madhu, exactly what I needed to know. It will save me a lot of time looking for a 'synchronise' tick box that does not exist.
many thanks,
Chris.
08-24-2021 05:04 AM
Madhu
I am looking for a process document / process outline on Capacity Management for IPS.
Can you please guide?
Surendra