10-11-2011 09:23 PM - edited 03-10-2019 05:30 AM
Hi there,
We have a site with 2x 5540 ASAs with SSM-20 IPS modules in active/standby mode.
The signatures 1204 and 1208 relating to fragmented IP datagrams fire on traffic even when excluded from the signature set.
Any ideas why, and how to fix this issue?
Cheers
D
Error attached as a pic.
10-14-2011 01:01 PM
Have these signatures been retired and disabled?
Nick Smith
Cisco IPS Signature Team
10-16-2011 05:22 PM
No, but all traffic from the subnets that the issue is on is specifically excluded from the IPS signature list with custom signatures. (It's an issue that requires a lowered MTU to fix, but causes fragmenting at certain times.)
Will the IPS modules STILL fire even on excluded traffic if the signatures match the traffic? How is the traffic to be excluded other than by retiring the whole signature?
Cheers
D
10-17-2011 01:28 PM
From a colleague,
The only way to prevent these two sigs (1204 and 1208) from firing is to retire them and then reset the sensor. Disabling them will only stop alerting, and they will continue to deny packets (this is part of the normalizer’s design). I don’t think a custom sig will work because the normalizer sigs will be processed before the custom sigs.
Sig 1204 is ‘IP Fragment Missing Initial Fragment’
And 1208 is ‘IP Fragment Incomplete Datagram’
There’s not much we can do with sig 1204. If the initial fragment is missing, we can’t do reassembly.
However, with sig 1208, we can adjust the timeout, which defaults to 60 seconds. Sixty seconds should be plenty of time though. It can be increased to up to 360 seconds by modifying fragment-reassembly-timeout.
Are the dropped frags causing network issues?
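To make the distinction between the two normalizer signatures concrete, here is an added example (not Cisco's code and not from this thread) that models the reassembly bookkeeping the reply describes: fragments are grouped by source, destination and IP identification; a set whose first fragment (offset 0) never arrives is classified as 1204, and a set that has its first fragment but is still incomplete when the reassembly timeout expires is classified as 1208. The fragment trace, the 60-second and 360-second timeouts, and the `simulate` helper are constructed for illustration; the point it shows is that raising the timeout rescues late tails (1208) but cannot help a datagram whose initial fragment was lost (1204).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed model of the normalizer behaviour described in the reply above.
SIG_MISSING_INITIAL = 1204      # "IP Fragment Missing Initial Fragment"
SIG_INCOMPLETE_DATAGRAM = 1208  # "IP Fragment Incomplete Datagram"

Key = Tuple[str, str, int]      # (src, dst, IP identification)


@dataclass
class Fragment:
    src: str
    dst: str
    ident: int          # IP identification field shared by all pieces of one datagram
    offset: int         # fragment offset in 8-byte units, as carried in the IP header
    length: int         # payload bytes in this fragment
    more_fragments: bool
    ts: float           # arrival time in seconds (constructed)


@dataclass
class _Bucket:
    first_seen: float
    frags: List[Fragment] = field(default_factory=list)


class FragmentTracker:
    """Groups fragments by (src, dst, id); reassembles or reports a signature on timeout."""

    def __init__(self, reassembly_timeout: float = 60.0):
        self.timeout = reassembly_timeout       # 60 s default, 360 s max per the reply
        self.buckets: Dict[Key, _Bucket] = {}

    def process(self, frag: Fragment) -> Optional[int]:
        """Return the reassembled payload length if this fragment completed it, else None."""
        key = (frag.src, frag.dst, frag.ident)
        bucket = self.buckets.setdefault(key, _Bucket(first_seen=frag.ts))
        bucket.frags.append(frag)
        total = self._complete_length(bucket.frags)
        if total is not None:
            del self.buckets[key]
        return total

    @staticmethod
    def _complete_length(frags: List[Fragment]) -> Optional[int]:
        ordered = sorted(frags, key=lambda f: f.offset)
        if ordered[0].offset != 0:
            return None                     # initial fragment not (yet) seen
        if ordered[-1].more_fragments:
            return None                     # final fragment not (yet) seen
        expected = 0
        for f in ordered:
            if f.offset * 8 != expected:
                return None                 # gap or overlap in the byte range
            expected += f.length
        return expected

    def expire(self, now: float) -> List[Tuple[Key, int]]:
        """Age out buckets older than the timeout; say which signature each one matches."""
        events = []
        for key, bucket in list(self.buckets.items()):
            if now - bucket.first_seen >= self.timeout:
                has_initial = any(f.offset == 0 for f in bucket.frags)
                sig = SIG_INCOMPLETE_DATAGRAM if has_initial else SIG_MISSING_INITIAL
                events.append((key, sig))
                del self.buckets[key]
        return events


# Constructed trace: id 1 is a healthy two-piece datagram, id 2 lost its first
# fragment in transit, id 3 has its tail delayed by 200 seconds.
SAMPLE_FRAGMENTS = [
    Fragment("10.0.0.1", "10.0.0.2", 1, 0, 1480, True, 0.0),
    Fragment("10.0.0.1", "10.0.0.2", 2, 185, 100, False, 0.0),
    Fragment("10.0.0.1", "10.0.0.2", 3, 0, 1480, True, 0.0),
    Fragment("10.0.0.1", "10.0.0.2", 1, 185, 100, False, 1.0),
    Fragment("10.0.0.1", "10.0.0.2", 3, 185, 100, False, 200.0),
]


def simulate(frags, timeout, checkpoints):
    """Feed fragments in time order, running the expiry sweep at each checkpoint."""
    tracker = FragmentTracker(timeout)
    reassembled, alerts = [], []
    pending = sorted(frags, key=lambda f: f.ts)
    for now in sorted(checkpoints):
        while pending and pending[0].ts <= now:
            f = pending.pop(0)
            total = tracker.process(f)
            if total is not None:
                reassembled.append(((f.src, f.dst, f.ident), total))
        alerts.extend(tracker.expire(now))
    return reassembled, alerts


if __name__ == "__main__":
    for timeout in (60.0, 360.0):
        print(f"timeout={timeout:.0f}s ->", simulate(SAMPLE_FRAGMENTS, timeout, [100, 300, 400]))
```

With the default 60-second timeout the delayed datagram (id 3) is reported as 1208 and, once its late tail finally arrives on its own, again as 1204; with the 360-second maximum it reassembles cleanly. The datagram that genuinely lost its first fragment (id 2) is reported as 1204 either way, which is the "not much we can do" case in the reply.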