08-13-2013 11:07 AM - edited 03-10-2019 06:01 AM
We have a pair of BP peerings between our network and our upstream service provider. Since the peering points are geographically distributed and we run a "cold potato" routing policy on our network we cannot guarantee symmetric routing for traffic exchanged with our upstream service provider.
Yesterday we followed the bouncing ball through the IPS/IDS setup documentation on a Cisco 2901 running 15.2(4)M3 and acting as a BGP speaking peering router at one of our peering points. Immediately the router started throwing %IPS-6-SEND_TCP_PAK and %IPS-6-TIMEOUT_EVENT messages in the logs. We also observed that some upstream service provider web sites became inaccessible to our users. Turning off IPS/IDS on the 2901 restored connectivity for our users to those web sites.
Three questions:
08-13-2013 08:39 PM
Hello Bill,
1) Yes, there are some normalizer functions on some IOS-IPS signatures that will behave like that with this scenarios (Asymetric routing not something good to any kind of security device)
2) Yes, it will close the connections, I will definetly need to look for specific actions regarding that but you could just check the IOS IPS Signature statistics on your router , see which is the one triggering the most and then see the action configured for it (and change it if required)
3) If you cannot change that behavior then it would be safe to tell the router is not a good place to set an IPS or any other kind of firewall configuration unless you set with a weaker security policy (useless from a security standard point of view)
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide