IOS IPS log messages

Dave Cornell
Level 1

Running a Cisco 2911-SEC router, IOS 15.2(2)T1.

IOS IPS, NAT, ZBFW, Trend URL Filtering, DMVPN, and SSL_VPN are all in use.

Around 100 users and a dozen or so servers are behind this particular router as a firewall to/from the Internet (10Mbps pipe).

My syslog is flooded with messages like the following (there are hundreds of copies of each message with no discernible pattern):

06-14-2012    11:23:06    Local0.Info    router    10492: 010480: Jun 14 11:23:05.353 CDT: %IPS-6-SEND_TCP_PAK: Sending TCP packet:(xxx.xxx.xxx.xxx:xx)=>(xxx.xxx.xxx.xxx:xxxxx),tcp flag:0x4, pak:0x30E9354C, iso:0x36412FA0,tcp seq:0x0, tcp ack:0x0, tcp_window:5840, ip_checksum:0xD956, GigabitEthernet0/1,feat_flags:0x10000, fast_path(no)

06-14-2012    11:23:06    Local0.Info    router     10491: 010479: Jun 14 11:23:05.009 CDT: %IPS-6-OOO_FULL: Out-of-Order reached its maximum queue size! Drop this packet

06-14-2012    11:22:45    Local0.Info    router    10490: 010478: Jun 14 11:22:43.685 CDT: %IPS-6-TIMEOUT_EVENT: Synwait timer timeout event.

None of these 3 messages seem to exist anywhere in Cisco documentation, so I'm unable to look up the exact meaning and left to only guess.

For the first type of message, why does IPS feel the need to tell me that it's sending a TCP packet? Is there something special about the packets it logs that it thinks I should know? Does "Sending TCP packet:" actually mean it's blocking it or thinks it should be blocking it?

For the OOO full ones, I've tried tuning the TCP reassembly parameters, but it has no effect. The only documentation I can find says to use "ip inspect tcp reassembly ..." commands, however since we use the zone-based policy engine rather than the ip inspect engine, I also tried tuning "parameter-map type ooo global" to the same values. Neither had any effect on the frequency of the messages. I can't find any way to tune parameters under the IOS IPS engine itself.

Anybody have any ideas on what else to try?

Edit to add: I have an identical 2911 router in another location that doesn't throw any of these log messages. It's on a significantly faster Internet connection, but much lighter user load, which leads me to believe the issue is definitely caused by heavy load, which is why I want to increase the reassembly limits to cope with the load.

2 Replies

csaxena
Cisco Employee

%IPS-6-SEND_TCP_PAK: Sending TCP packet: &

%IPS-6-TIMEOUT_EVENT:

logs are caused by half-open connections; the IPS is waiting for FIN or SYN messages in TCP session connections. These are expected and you can view the half-open connections by issuing "show ip inspect sessions".

Regarding the documentation, actually we still have an open internal enhancement request to create documentation for IPS-6-SEND_TCP_PAK and IPS-6-TIMEOUT_EVENT events. Here is the defect ID: CSCty10906 <http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCty10906>

There is a feature available in IOS called logging discriminator that you can use to stop seeing this log message; you can check more information about this configuration here:
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/htnmsylg.html#wp1057165

Let me know if you have any further questions

Regards,

Chirag

you can view the half-open connections
by issuing "show ip inspect sessions".

I get nothing in response to that command:

my2911#sh ip inspect sessions

my2911#

Also, I am not able to view the defect ID that you linked. The bug search tool says it is Cisco-proprietary and cannot be disclosed.

As far as limiting or suppressing the log messages, yes I know that's a possibility, but I first wanted to find out what they represent and why they're occurring rather than simply ignore them.
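As an added example (not code from the original thread or from Cisco), here is a small Python triage script for the three IPS message types shown in the original post: it parses the %IPS-6-* header, tallies messages per mnemonic, and decodes the "tcp flag" field of SEND_TCP_PAK (0x4 is the RST bit of the TCP header) so you can see what the router is sending before deciding which mnemonics to suppress with a logging discriminator. The sample lines are constructed from the post's masked examples; the fourth line, with flag 0x14, is an assumed variant added to show the decoder on a multi-bit value.

```python
import re
from collections import Counter

# Constructed sample input, modelled on the lines quoted in the original post
# (addresses are masked there, so they stay masked here).
SAMPLE_LOG = """\
06-14-2012 11:23:06 Local0.Info router 10492: 010480: Jun 14 11:23:05.353 CDT: %IPS-6-SEND_TCP_PAK: Sending TCP packet:(xxx.xxx.xxx.xxx:xx)=>(xxx.xxx.xxx.xxx:xxxxx),tcp flag:0x4, pak:0x30E9354C, iso:0x36412FA0,tcp seq:0x0, tcp ack:0x0, tcp_window:5840, ip_checksum:0xD956, GigabitEthernet0/1,feat_flags:0x10000, fast_path(no)
06-14-2012 11:23:06 Local0.Info router 10491: 010479: Jun 14 11:23:05.009 CDT: %IPS-6-OOO_FULL: Out-of-Order reached its maximum queue size! Drop this packet
06-14-2012 11:22:45 Local0.Info router 10490: 010478: Jun 14 11:22:43.685 CDT: %IPS-6-TIMEOUT_EVENT: Synwait timer timeout event.
06-14-2012 11:22:44 Local0.Info router 10489: 010477: Jun 14 11:22:43.100 CDT: %IPS-6-SEND_TCP_PAK: Sending TCP packet:(xxx.xxx.xxx.xxx:xx)=>(xxx.xxx.xxx.xxx:xxxxx),tcp flag:0x14, pak:0x30E9354D, iso:0x36412FA1,tcp seq:0x0, tcp ack:0x0, tcp_window:5840, ip_checksum:0xD957, GigabitEthernet0/1,feat_flags:0x10000, fast_path(no)
"""

# IOS syslog message header: %FACILITY-SEVERITY-MNEMONIC: text
MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$")
FLAG_RE = re.compile(r"tcp flag:0x([0-9A-Fa-f]+)")          # spacing after commas varies, so search the text
IFACE_RE = re.compile(r"(?:Gigabit|Fast)?Ethernet\d+/\d+")
# TCP header flag bits, low to high
TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

def decode_tcp_flags(value):
    """Return the names of the set bits for a TCP flags value, e.g. 0x4 -> 'RST'."""
    names = [name for bit, name in TCP_FLAG_BITS if value & bit]
    return "|".join(names) if names else "NONE"

def parse_line(line):
    """Extract facility, severity, mnemonic, decoded TCP flags and interface; None if not an IOS message."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    fm = FLAG_RE.search(rec["text"])
    rec["tcp_flags"] = decode_tcp_flags(int(fm.group(1), 16)) if fm else None
    im = IFACE_RE.search(rec["text"])
    rec["interface"] = im.group(0) if im else None
    return rec

def summarize(log_text):
    """Count IPS messages per mnemonic and, for SEND_TCP_PAK, per decoded flag set."""
    by_mnemonic, by_flags = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["facility"] != "IPS":
            continue
        by_mnemonic[rec["mnemonic"]] += 1
        if rec["tcp_flags"]:
            by_flags[rec["tcp_flags"]] += 1
    return {"by_mnemonic": by_mnemonic, "by_flags": by_flags}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run it over a real syslog export to see which mnemonics dominate and whether the SEND_TCP_PAK packets are all resets; those are the mnemonics to name in a discriminator if you choose to suppress them.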
