
CISCO IPS 4260 CPU USAGE 99%

Luis Carranza
Level 1

Hi guys

I'm detecting something unusual on my CISCO IPS 4260. This device has 2 CPUs, but only one CPU is showing 99% usage, and the inspection load varies from 40 to 50, and sometimes 80. Here's a screenshot of what I'm talking about.

ips 321.png

Where can I start to troubleshoot why it is showing these values?

Regards.

3 Replies

Julio Carvajal
VIP Alumni

Hello Luis,

We often see cases like these.

I would encourage you, from now on, to troubleshoot or monitor the inspection load on the IPSs to determine how they are doing, as CPU utilization may not reflect real sensor load.


Here is one bug ID you could follow for more information:

CSCtl74475

Let us know how the inspection load of the IPS is, and remember to rate all of the helpful posts.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi

Thanks for your answer. I will monitor the inspection load to see the behavior; in fact it stays between 40 and 50 but sometimes goes up to 80, but this is only for a few seconds.

Another thing: do you think it is normal that the IPS signature with the most hits is SIGID 5575 (NBT NetBIOS Session Service Failed Login)?

Regards.

Do you think it is normal that the IPS signature with the most hits is SIGID 5575 (NBT NetBIOS Session Service Failed Login)?

After doing some research, it seems to be normal for a Windows environment.

Here is the information I got:

Description


When a client connects to an SMB server (WinNT, Win95, Samba, etc.) a TCP connection to port 139 is established. The client then provides the server with its NetBIOS name and the NetBIOS name it wishes to connect to. If the name does not exist on the server, the session setup attempt fails and an error message is sent to the client. This could be an indicator of an attack.

Recommended Filter


Exclude internal networks as sources.

Benign Triggers


The default alarm level for this is low because this happens during normal network activity within a Windows network. As an example, when mounting the C: drive from a Windows 95 system to a Windows NT system, numerous session setup failures can occur while browsing the file system.

As you can see, you could exclude it to stop it from triggering; this is an informational signature.

Regards,

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
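
As an added illustration (not part of the original posts, and not Cisco's signature logic): the session setup failure described in the reply above corresponds to the NetBIOS Session Service negative session response defined in RFC 1002. The Python code below parses that message and applies the recommended filter by dropping events whose client is internal; the `INTERNAL_NETS` ranges, the function names, the assumption that the client is the "source", and the sample data are all constructed for this example.

```python
import ipaddress
import struct

# RFC 1002 NEGATIVE SESSION RESPONSE packet type and its one-byte error codes
NBSS_NEGATIVE_RESPONSE = 0x83
NBSS_ERRORS = {
    0x80: "not listening on called name",
    0x81: "not listening for calling name",
    0x82: "called name not present",
    0x83: "called name present, insufficient resources",
    0x8F: "unspecified error",
}
# Assumption: the site's internal address space; replace with your own networks.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_negative_response(payload: bytes):
    """Return the error text if payload is an NBSS negative session response, else None."""
    if len(payload) < 5:
        return None
    msg_type, flags, length = struct.unpack("!BBH", payload[:4])
    length |= (flags & 0x01) << 16  # low flag bit extends the length to 17 bits
    if msg_type != NBSS_NEGATIVE_RESPONSE or length != 1:
        return None
    return NBSS_ERRORS.get(payload[4], f"unknown error 0x{payload[4]:02x}")


def triage(events):
    """events: (client_ip, server-to-client payload) pairs seen on TCP/139.
    Keeps only failures whose client is outside INTERNAL_NETS."""
    kept = []
    for client, payload in events:
        reason = parse_negative_response(payload)
        internal = any(ipaddress.ip_address(client) in n for n in INTERNAL_NETS)
        if reason and not internal:
            kept.append((client, reason))
    return kept


# Constructed sample data (documentation addresses, not real traffic).
SAMPLE = [
    ("10.1.2.3", bytes.fromhex("8300000182")),      # internal client, name not present
    ("203.0.113.7", bytes.fromhex("8300000182")),   # external client, name not present
    ("203.0.113.7", bytes.fromhex("82000000")),     # positive session response
    ("198.51.100.9", bytes.fromhex("830000018f")),  # external client, unspecified error
]
```

Calling `triage(SAMPLE)` keeps only the two failures from non-internal clients, which is the effect the "exclude internal networks as sources" filter is meant to have on alert volume.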