Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1595
Views
0
Helpful
4
Replies

Cisco IPS make slow copy between linux server

ngo duyen
Level 1
Level 1

‎11-12-2013 10:19 PM - edited ‎03-10-2019 06:05 AM

we have 3 subnet A, B, C . Each subnet have some linux servers. Subnet C is protected by cisco IPS 4270.

1)If we config IPS to bypass traffice, copy speed between servers around 10MB/s -> 25MB/s.

2) IF  IPS protect subnetC.

When we copy file from a serrver of SubnetC to subnet A or B, copy speed increase from min to around 20MB/s.

And when we copy file from a serrver of SubnetA or B to subnet C, copy speed very slow around 700kB/s-> 2MB/s

The server used command "scp .... "

So we think there are signatures we should tuning. we have CSM but we havent seen any relate events about this problem.

Help me check this problem!

Labels:
0 Helpful
4 Replies 4

ngo duyen
Level 1
Level 1

‎11-13-2013 06:11 AM

Have you got a suggestion?


Sent from Cisco Technical Support Android App

0 Helpful

JonPBerbee
Level 1
Level 1
In response to ngo duyen

‎11-13-2013 06:44 AM

You coud log into the CLI and submit "show stat virtual-sensor | beg Per-Signature" and see what signatures might be triggering.  Do this for a few times over a period of 20 minutes to get a baseline on what signatures regularly fire/increment.  Then perform another copy between Unix machines, submit the above command again and see what signatures trigger to see if you can find one, or more of them that might be causing your issue.

You could also try creating a filter to remove all signature actions on SCP traffic between the affected machines to see if that would help.

Jon.

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to ngo duyen

‎11-14-2013 03:05 PM

Hello,

You can do what Jon mentioned, you might see a signature being triggered when Host C takes place but if by any chance you do not then create captures for both traffic flows (With C and Without C).

Afterwards compare

You might find some weird in that TCP session that involes C (packet loss, then retransmissions, ooo packets, etc).

Make sure you correlate all of the information

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

rhermes
Level 7
Level 7
In response to Julio Carvajal

‎11-18-2013 12:07 PM

Don;t forget the Normalizer engine signatures that do not report when they fire.

Everyone gets bit by that at least once.

- Bob

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card