10-10-2013 11:45 AM - edited 03-10-2019 06:04 AM
Hi,
IOS IPS was configured to only generate alerts. During testing it was observed that the IPS was resetting connections.
log below:
*Oct 10 14:30:29: %IPS-6-SEND_TCP_PAK: Sending TCP packet:(X.X.X.X:433)=>(y.y.y.y:63170),tcp flag:0x4, pak:0x2166449C, iso:0x3D5C7160,tcp seq:0x0, tcp ack:0x0, tcp_window:8192, ip_checksum:0x44B8, Serial0/0/0.1,feat_flags:0x10000, fast_path(no)
Some time ago Cisco identified a bug in earlier versions. After I opened a TAC case, they suggested upgrading the IOS and subscription packages.
Cisco recommendation below:
IOS Version : c2900-universalk9-mz.SPA.153-3.M.bin
Packet sig: OS-S744-CLI.pkg
Configuration Cisco Router
ip ips config location flash:ips retries 1
ip ips notify SDEE
ip ips name iosips
!
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
  event-action produce-alert
Could anyone tell me how to solve this problem?
Best Regards
Rodolfo Navero
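To measure how many connections the router itself is resetting, the %IPS-6-SEND_TCP_PAK messages can be parsed from syslog and filtered on the RST bit. This is an added example, not part of the original post or Cisco code; it assumes the "tcp flag" field carries the standard TCP header flag bits (0x4 = RST), and every sample line except the first is constructed.

```python
import re
from collections import Counter

# Standard TCP header flag bits; assumed to be what "tcp flag:0x.." carries.
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}

# Field layout taken from the %IPS-6-SEND_TCP_PAK line quoted in the post.
SEND_TCP_PAK = re.compile(
    r"%IPS-6-SEND_TCP_PAK: Sending TCP packet:"
    r"\((?P<src>[^:()]+):(?P<sport>\d+)\)=>\((?P<dst>[^:()]+):(?P<dport>\d+)\),"
    r"\s*tcp flag:0x(?P<flags>[0-9A-Fa-f]+),.*?"
    r"(?P<intf>[A-Za-z][\w/.-]*),feat_flags:"
)

def decode_flags(value):
    """Return the names of the TCP flag bits set in value, lowest bit first."""
    return [name for bit, name in sorted(TCP_FLAGS.items()) if value & bit]

def parse_send_tcp_pak(line):
    """Parse one syslog line; return None if it is not a SEND_TCP_PAK message."""
    m = SEND_TCP_PAK.search(line)
    if m is None:
        return None
    return {
        "flow": (m["src"], int(m["sport"]), m["dst"], int(m["dport"])),
        "flags": decode_flags(int(m["flags"], 16)),
        "interface": m["intf"],
    }

def ips_resets_per_flow(lines):
    """Count router-originated RST packets per (src, sport, dst, dport)."""
    counts = Counter()
    for line in lines:
        event = parse_send_tcp_pak(line)
        if event and "RST" in event["flags"]:
            counts[event["flow"]] += 1
    return counts

SAMPLE_LOG = [
    # Line quoted in the post (addresses already redacted there).
    "*Oct 10 14:30:29: %IPS-6-SEND_TCP_PAK: Sending TCP packet:(X.X.X.X:433)=>(y.y.y.y:63170),tcp flag:0x4, pak:0x2166449C, iso:0x3D5C7160,tcp seq:0x0, tcp ack:0x0, tcp_window:8192, ip_checksum:0x44B8, Serial0/0/0.1,feat_flags:0x10000, fast_path(no)",
    # Constructed lines in the same format, using documentation addresses.
    "*Oct 10 14:30:31: %IPS-6-SEND_TCP_PAK: Sending TCP packet:(192.0.2.10:443)=>(198.51.100.7:50000),tcp flag:0x4, pak:0x0, iso:0x0,tcp seq:0x0, tcp ack:0x0, tcp_window:8192, ip_checksum:0x0, Serial0/0/0.1,feat_flags:0x10000, fast_path(no)",
    "*Oct 10 14:30:33: %IPS-6-SEND_TCP_PAK: Sending TCP packet:(192.0.2.10:443)=>(198.51.100.7:50000),tcp flag:0x14, pak:0x0, iso:0x0,tcp seq:0x0, tcp ack:0x0, tcp_window:8192, ip_checksum:0x0, Serial0/0/0.1,feat_flags:0x10000, fast_path(no)",
    "*Oct 10 14:30:34: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to up",
]

if __name__ == "__main__":
    for flow, count in ips_resets_per_flow(SAMPLE_LOG).items():
        print(flow, count)
```

A count that stays above zero while every active signature is set to event-action produce-alert only is the evidence to attach to the TAC case.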
10-10-2013 02:27 PM
Hello Rodolfo,
So are you saying you did the upgrade as TAC requested and are still facing the same issue?
What's the BUG ID?
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
10-10-2013 04:02 PM
Hello Julio,
Yes, I just followed the TAC's request. The bug ID is CSCty10906.
The strange thing is that IPS does not match the signature effects, making it impossible to identify the event.
Regards
Rodolfo Navero
10-10-2013 09:14 PM
Hello Rodolfo,
I see what you mean.
You get something like:
%IPS-6-SEND_TCP_PAK:
and
%IPS-6-TIMEOUT_EVENT:
The only workaround I know is the following:
ip ips tunables alert-off
which will turn those alerts off.
Cheers,
Julio Carvajal Segura
10-11-2013 04:46 AM
But it will make the warnings go away, right?
But I still see the resets in the command sh ip ips statistics.
It seems the problem is in the subsystem of the feature.
I used the hidden command on the router, but it did not solve the problem.
csdb tcp reassembly max-queue-length
Interfaces configured for ips 1
Session creations since subsystem startup or last reset 240
Current session counts (estab/half-open/terminating) [7:17:0]
Maxever session counts (estab/half-open/terminating) [10:59:1]
Last session created 00:00:01
Last statistic reset 00:04:15
TCP reassembly statistics
Out-of-order packets dropped 0
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
I performed some tests.
When I disable all signatures, there is no reset.
However, when I enable a single signature, the reset continues.
I believe Cisco has a bug in the compilation of the feature.
sh ip ips statistics
Interfaces configured for ips 1
Session creations since subsystem startup or last reset 0
Current session counts (estab/half-open/terminating) [4:3:0]
Maxever session counts (estab/half-open/terminating) [4:3:0]
Last session created 00:23:36
Last statistic reset 00:15:40
TCP reassembly statistics
Out-of-order packets dropped 0
Regards
Rodolfo Navero
10-11-2013 03:06 PM
Hello Rodolfo,
Totally agree with you,
My recommendation:
Reopen the TAC case and push for a fix or at least an explanation.
Regards,
Jcarvaja