
Cisco IPS makes copying between Linux servers slow

ngo duyen
Level 1

We have 3 subnets: A, B, C. Each subnet has some Linux servers. Subnet C is protected by a Cisco IPS 4270.

1) If we configure the IPS to bypass traffic, copy speed between servers is around 10MB/s -> 25MB/s.

2) If the IPS protects subnet C:

When we copy a file from a server of subnet C to subnet A or B, copy speed increases from min to around 20MB/s.

And when we copy a file from a server of subnet A or B to subnet C, copy speed is very slow, around 700kB/s -> 2MB/s.

The server used the command "scp .... "

So we think there are signatures we should tune. We have CSM but we haven't seen any related events about this problem.

Help me check this problem!


ngo duyen
Level 1

Have you got a suggestion?


Sent from Cisco Technical Support Android App

You could log into the CLI and submit "show stat virtual-sensor | beg Per-Signature" and see what signatures might be triggering. Do this a few times over a period of 20 minutes to get a baseline on what signatures regularly fire/increment. Then perform another copy between Unix machines, submit the above command again and see what signatures trigger, to see if you can find one or more of them that might be causing your issue.

You could also try creating a filter to remove all signature actions on SCP traffic between the affected machines to see if that would help.

Jon.
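The baseline-then-compare procedure in the reply above can be scripted once the CLI output is pasted into text. This is an added example, not code from any poster or from Cisco; it assumes each counter line has the form `Sig <id>.<subid> = <count>`, and the snapshots and signature ids (9001 to 9004) are constructed placeholders.

```python
import re

# Assumption: each counter line in the Per-Signature section looks like
# "Sig <id>.<subid> = <count>". Adjust the pattern to what your sensor prints.
SIG_LINE = re.compile(r"^\s*Sig\s+(\d+\.\d+)\s*=\s*(\d+)\s*$")

def parse_counts(snapshot):
    """Map signature id -> cumulative count for one pasted CLI snapshot."""
    return {m.group(1): int(m.group(2))
            for m in map(SIG_LINE.match, snapshot.splitlines()) if m}

def delta(before, after):
    """Per-signature increase between two snapshots."""
    out = {}
    for sig, n in after.items():
        prev = before.get(sig, 0)
        inc = n - prev if n >= prev else n  # counters were reset: count from 0
        if inc:
            out[sig] = inc
    return out

def suspects(baseline_snaps, pre_copy, post_copy):
    """Signatures that rose more during the copy than in any baseline interval.
    Baseline intervals and the copy window should be of similar length."""
    parsed = [parse_counts(s) for s in baseline_snaps]
    worst = {}
    for a, b in zip(parsed, parsed[1:]):
        for sig, inc in delta(a, b).items():
            worst[sig] = max(worst.get(sig, 0), inc)
    during = delta(parse_counts(pre_copy), parse_counts(post_copy))
    return {s: inc for s, inc in during.items() if inc > worst.get(s, 0)}

# Constructed snapshots; signature ids 9001-9004 are placeholders, not real ids.
BASELINE = [
    "Sig 9001.0 = 100\nSig 9002.0 = 4\nSig 9003.0 = 10",
    "Sig 9001.0 = 102\nSig 9002.0 = 4\nSig 9003.0 = 15",
    "Sig 9001.0 = 105\nSig 9002.0 = 5\nSig 9003.0 = 20",
]
POST_COPY = "Sig 9001.0 = 905\nSig 9002.0 = 5\nSig 9003.0 = 24\nSig 9004.0 = 3"

if __name__ == "__main__":
    found = suspects(BASELINE, BASELINE[-1], POST_COPY)
    for sig, inc in sorted(found.items()):
        print(f"Sig {sig}: +{inc} during copy")
```
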

Hello,

You can do what Jon mentioned. You might see a signature being triggered when Host C takes place, but if by any chance you do not, then create captures for both traffic flows (with C and without C).

Afterwards, compare.

You might find something weird in that TCP session that involves C (packet loss, then retransmissions, ooo packets, etc.).

Make sure you correlate all of the information.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Don't forget the Normalizer engine signatures that do not report when they fire.

Everyone gets bit by that at least once.

- Bob
