06-14-2012 09:37 AM - edited 03-10-2019 05:42 AM
Running a Cisco 2911-SEC router, IOS 15.2(2)T1.
IOS IPS, NAT, ZBFW, Trend URL Filtering, DMVPN, and SSL_VPN are all in use.
Around 100 users and a dozen or so servers are behind this particular router as a firewall to/from the Internet (10Mbps pipe).
My syslog is flooded with messages like the following (there are hundreds of copies of each message with no discernible pattern):
06-14-2012 11:23:06 Local0.Info router 10492: 010480: Jun 14 11:23:05.353 CDT: %IPS-6-SEND_TCP_PAK: Sending TCP packet:(xxx.xxx.xxx.xxx:xx)=>(xxx.xxx.xxx.xxx:xxxxx),tcp flag:0x4, pak:0x30E9354C, iso:0x36412FA0,tcp seq:0x0, tcp ack:0x0, tcp_window:5840, ip_checksum:0xD956, GigabitEthernet0/1,feat_flags:0x10000, fast_path(no)
06-14-2012 11:23:06 Local0.Info router 10491: 010479: Jun 14 11:23:05.009 CDT: %IPS-6-OOO_FULL: Out-of-Order reached its maximum queue size! Drop this packet
06-14-2012 11:22:45 Local0.Info router 10490: 010478: Jun 14 11:22:43.685 CDT: %IPS-6-TIMEOUT_EVENT: Synwait timer timeout event.
None of these 3 messages seem to exist anywhere in Cisco documentation, so I'm unable to look up the exact meaning and left to only guess.
For the first type of message, why does IPS feel the need to tell me that it's sending a TCP packet? Is there something special about the packets it logs that it thinks I should know? Does "Sending TCP packet:" actually mean it's blocking it or thinks it should be blocking it?
For the OOO full ones, I've tried tuning the TCP reassembly parameters, but it has no effect. The only documentation I can find says to use "ip inspect tcp reassembly ..." commands, however since we use the zone-based policy engine rather than the ip inspect engine, I also tried tuning "parameter-map type ooo global" to the same values. Neither had any effect on the frequency of the messages. I can't find any way to tune parameters under the IOS IPS engine itself.
Anybody have any ideas on what else to try?
Edit to add: I have an identical 2911 router in another location that doesn't throw any of these log messages. It's on a significantly faster Internet connection, but much lighter user load, which leads me to believe the issue is definitely caused by heavy load, which is why I want to increase the reassembly limits to cope with the load.
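Before suppressing anything, it helps to characterise the flood: how many of each %IPS-6-* mnemonic arrive per minute, and what the SEND_TCP_PAK messages actually carry. The script below is an added example, not code from the thread or from Cisco; it parses syslog lines in the format quoted above and decodes the tcp flag field using the standard TCP flag bits (the 0x4 in the quoted message is RST). The sample lines are constructed to mirror the three message types, with documentation-range addresses substituted for the masked ones.

```python
"""Triage the %IPS-6-* syslog flood: count mnemonics per minute and decode
the TCP flags in SEND_TCP_PAK messages. Added example; sample data is constructed."""
import re
from collections import Counter, defaultdict

# Constructed sample lines modelled on the three messages quoted in the post.
# Addresses use RFC 5737 documentation ranges; counters are placeholders.
SAMPLE_LOG = """\
06-14-2012 11:23:06 Local0.Info router 10492: 010480: Jun 14 11:23:05.353 CDT: %IPS-6-SEND_TCP_PAK: Sending TCP packet:(192.0.2.10:80)=>(198.51.100.7:51234),tcp flag:0x4, pak:0x30E9354C, iso:0x36412FA0,tcp seq:0x0, tcp ack:0x0, tcp_window:5840, ip_checksum:0xD956, GigabitEthernet0/1,feat_flags:0x10000, fast_path(no)
06-14-2012 11:23:06 Local0.Info router 10491: 010479: Jun 14 11:23:05.009 CDT: %IPS-6-OOO_FULL: Out-of-Order reached its maximum queue size! Drop this packet
06-14-2012 11:22:45 Local0.Info router 10490: 010478: Jun 14 11:22:43.685 CDT: %IPS-6-TIMEOUT_EVENT: Synwait timer timeout event.
06-14-2012 11:22:45 Local0.Info router 10489: 010477: Jun 14 11:22:43.100 CDT: %IPS-6-SEND_TCP_PAK: Sending TCP packet:(192.0.2.10:443)=>(203.0.113.9:40001),tcp flag:0x14, pak:0x30E93000, iso:0x36412000,tcp seq:0x0, tcp ack:0x1, tcp_window:0, ip_checksum:0x1234, GigabitEthernet0/1,feat_flags:0x10000, fast_path(no)
"""

# IOS message header: %FACILITY-SEVERITY-MNEMONIC: body
MSG_RE = re.compile(r"%(?P<facility>[A-Z]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+):\s*(?P<body>.*)")
# Endpoint and flag fields of a SEND_TCP_PAK body
PAK_RE = re.compile(
    r"\((?P<src>[\d.]+):(?P<sport>\d+)\)=>\((?P<dst>[\d.]+):(?P<dport>\d+)\),"
    r"tcp flag:(?P<flags>0x[0-9a-fA-F]+)"
)
# Collector timestamp at the start of each line, truncated to the minute
TIME_RE = re.compile(r"^(?P<date>\d{2}-\d{2}-\d{4}) (?P<time>\d{2}:\d{2}):\d{2}")

# Standard TCP flag bits (RFC 793). The post's "tcp flag:0x4" is a bare RST.
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def decode_tcp_flags(value):
    """Return the set flag names for a TCP flags byte, e.g. 0x14 -> 'RST|ACK'."""
    names = [name for bit, name in TCP_FLAGS if value & bit]
    return "|".join(names) or "none"


def parse_line(line):
    """Parse one syslog line into a dict, or return None if it is not an IOS message."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = {"facility": m["facility"], "severity": int(m["severity"]),
           "mnemonic": m["mnemonic"], "body": m["body"]}
    t = TIME_RE.match(line)
    rec["minute"] = f"{t['date']} {t['time']}" if t else None
    if rec["mnemonic"] == "SEND_TCP_PAK":
        p = PAK_RE.search(rec["body"])
        if p:
            rec.update(src=p["src"], sport=int(p["sport"]),
                       dst=p["dst"], dport=int(p["dport"]),
                       flags=decode_tcp_flags(int(p["flags"], 16)))
    return rec


def summarize(text):
    """Aggregate a syslog extract: counts per mnemonic, per minute, and RST targets."""
    records = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    by_mnemonic = Counter(r["mnemonic"] for r in records)
    per_minute = defaultdict(Counter)
    for r in records:
        per_minute[r["minute"]][r["mnemonic"]] += 1
    # Destinations that received an IPS-generated reset: useful for correlating
    # the flood with specific servers or clients rather than guessing at load.
    reset_targets = Counter(r["dst"] for r in records
                            if "RST" in r.get("flags", ""))
    return {
        "by_mnemonic": dict(by_mnemonic),
        "per_minute": {k: dict(v) for k, v in per_minute.items()},
        "reset_targets": dict(reset_targets),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Pipe a day's worth of collector output through `summarize` and the per-minute counts will show whether the messages track business-hours load, as the edit above suspects, while `reset_targets` shows which hosts the IPS is actually resetting.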
10-27-2012 03:07 AM
%IPS-6-SEND_TCP_PAK: Sending TCP packet: & %IPS-6-TIMEOUT_EVENT: logs are caused by half-open connections; the IPS is waiting for FIN or SYN messages in TCP session connections. These are expected, and you can view the half-open connections by issuing "show ip inspect sessions".
Regarding the documentation, actually we still have an open internal enhancement request to create documentation for IPS-6-SEND_TCP_PAK and IPS-6-TIMEOUT_EVENT events. Here is the defect ID: CSCty10906 <http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCty10906>
There is a feature available in IOS called logging discriminator that you can use to stop seeing this log message. You can check more information about this configuration here: http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/htnmsylg.html#wp1057165
Let me know if you have any further questions
Regards,
Chirag
10-29-2012 06:02 AM
"you can view the half-open connections by issuing "show ip inspect sessions"."
I get nothing in response to that command:
my2911#sh ip inspect sessions
my2911#
Also, I am not able to view the defect ID that you linked. The bug search tool says it is Cisco-proprietary and cannot be disclosed.
As far as limiting or suppressing the log messages, yes I know that's a possibility, but I first wanted to find out what they represent and why they're occurring rather than simply ignore them.