cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2334
Views
0
Helpful
2
Replies

ios based ips configuration issue: no traffic passed

fabios
Level 1
Level 1

Hello everybody,

I am kind of new to IPS on IOS. I have read a lot and learned a few thing but I am running in some issues, before opening a case with TAC I want to make sure I am not overlooking some very important bit that prevents IOS from working on my setup.

I have a router configured for IRB (integrated routing and bridgin) with FastEthernet 0/0/0 and GigabitEtherner 0/1.4 in bridge-group 1 bridging traffic directed to the 2 web server to protect. Internet connectivity is provided by TELCO CPE equipment (connected on Gi0/1.4) that NATs public ip address into a private one of the server. Traffic is then bridged from Gi0/1.4 to Fa0/0/0 and sent to the server.

Without IPS the server are accessible from the Internet.

I loaded the SDF file and set everything up. As soon as I issue the ip ips FW-ips out command under interface fa0/0/0 (FW-ips is the ips name) the server become inaccessible from the Internet. Same if I issue the ip ips FW-ips in command under interface Gi0/1.4

the several debug ip ips command failed to return any output.

I am kind of stuck.

Any help apreciated. Signature and ips config below.

Thank you

Fabio

ip ips config location flash:ips retries 1

ip ips name FW-ips

!

ip ips signature-category

  category all

   retired true

  category ios_ips advanced

   retired false

   enabled true

   event-action reset-tcp-connection deny-attacker-inline produce-alert

!

2 Replies 2

raga.fusionet
Level 4
Level 4

Fabios,

Most likely your server is generating false positives on normal traffic, since you have the following event actions "deny-attacker-inline" and "reset-tcp" the "attacker" in this case your server will be denied.

In this case you could remove those as event actions, watch the network traffic and see how your network behaves, what is firing false positives and then start tuning those events. Once you have a good idea of what's normal you can start enabling other event actions. If you just enable deny attacker inline for all categories you are likely to end up generating a DoS on your own services. 

I hope this helps.

Raga

Raga,

Thanks. I had the same issue even before adding those actions and I don not see any signature firing (i.e. not syslog activity at all).

I will have to dig further into this and see why this is happening. Also the ip ips debug are not very helpful if understanding the issue (they do not show packet processing).

Any good read pointer about troubleshooting IPS will be apreciated.

Cheers

Fabio

Review Cisco Networking for a $25 gift card