Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
515
Views
0
Helpful
3
Replies

IDS Sensor 4.1 doesn't capture events.

jpoudereux
Level 1
Level 1

‎06-10-2005 01:05 AM - edited ‎03-10-2019 01:29 AM

My IDS Sensor 4.1 stops capturing events after some time. I don't know if maybe it is because there are a lot of VLANs in SPAN and the IDS doesn't support all this traffic. Am i wrong?

Here is the show ver output:>

# sh ver

Application Partition:

Cisco Systems Intrusion Detection Sensor, Version 4.1(4)S174

OS Version 2.4.18-5-phoenix

Platform: WS-SVC-IDSM2-BUN

Sensor up-time is 20:49.

Using 337403904 out of 1979682816 bytes of available memory (17% usage)

Using 2.0G out of 17G bytes of available disk space (13% usage)

MainApp 2005_Feb_15_10.32 (Eng4g) 2005-02-15T10:35:34-0600 Running

AnalysisEngine 2005_Feb_15_10.32 (Eng4g) 2005-02-15T10:35:34-0600 Running

Authentication 2005_Feb_15_10.32 (Eng4g) 2005-02-15T10:35:34-0600 Running

Logger 2005_Feb_15_10.32 (Eng4g) 2005-02-15T10:35:34-0600 Running

NetworkAccess 2005_Feb_15_10.32 (Eng4g) 2005-02-15T10:35:34-0600 Running

TransactionSource 2005_Feb_15_10.32 (Eng4g) 2005-02-15T10:35:34-0600 Running

WebServer 2005_Feb_15_10.32 (Eng4g) 2005-02-15T10:35:34-0600 Running

CLI 2004_Apr_15_15.03 (Release) 2004-04-15T15:11:59-0500

Upgrade History:

* IDS-sig-4.1-4-S172 08:51:06 UTC Wed Jun 01 2005

IDS-sig-4.1-4-S174.rpm.pkg 15:13:12 UTC Wed Jun 08 2005

Maintenance Partition Version 2.1(1)

And here is the "sh event" output:

# sh event

evError: eventId=1099377235773324837 severity=warning

originator:

hostId: CISCO-IDS

appName: sensorApp

appInstanceId: 1206

time: 2005/06/10 08:43:21 2005/06/10 10:43:21 GMT

errorMessage: name=errWarning Producer appears to be out of superblocks...consider configuring TCPReassemblyMode to loose FreeBlocks: 2155

evError: eventId=1099377235773324838 severity=warning

originator:

hostId: CISCO-IDS

appName: sensorApp

appInstanceId: 1206

time: 2005/06/10 08:43:23 2005/06/10 10:43:23 GMT

errorMessage: name=errWarning Producer appears to be out of superblocks...consider configuring TCPReassemblyMode to loose FreeBlocks: 2155

But i have already configured TCP Reassembly Mode to 'loose' and it does the same: after some time, it logs a few events and starts logging this event, but the Security Monitor stops showing me any Alarm. What can I do to solve this?

Thank you very much.

Labels:
0 Helpful
3 Replies 3

jpoudereux
Level 1
Level 1

‎06-10-2005 03:26 AM

When the IDSM2 starts crashing (i mean, logging only this event), i clear the IDSM2 interface counters and i realize that no packet are processed and the "missed packet percentage" grows and grows.

That means after this crashing it stops processing packets and loses every traffic it receives. The question is why? And how can i solve this?

Thanks everybody.

0 Helpful

jpoudereux
Level 1
Level 1
In response to jpoudereux

‎06-15-2005 07:32 AM

The solution to this problem I was having is to install Maintenance Partition Image 2.1(2).

It works!

0 Helpful

chulje.sung
Level 1
Level 1

‎06-20-2005 08:29 PM

remove 4.1.4g fetch

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card