11-02-2007 03:45 AM - edited 03-10-2019 03:51 AM
Hi guys,
I've got a strange problem here. I activated IOS IPS on both the internal and external interfaces in the incoming direction and also had to run CBAC in the incoming direction of the external interface. The result of all this is that the IPS is counting connections from the internal network and for some reason is overwriting the statistics generated by CBAC, even though CBAC is enabled only on the external interface in the incoming direction. I'm using an 1812 router with 12.4(2)XA IOS. I searched for bugs in the Bug Toolkit, but nothing showed up. Here are the outputs:
interface FastEthernet0
description WAN
bandwidth 6000
ip address xxx
ip access-group 102 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip nat outside
ip inspect Web in
ip ips IPS in
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
duplex auto
speed auto
service-policy output TrafficPolicy-OUT
end
interface Vlan1
description LAN
bandwidth 6000
ip address xxx
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow egress
ip nat inside
ip ips IPS in
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
service-policy output TrafficPolicy-IN
end
ip inspect name Web http alert on audit-trail off
sh ip inspect statistics
Packet inspection statistics [process switch:fast switch]
tcp packets: [1315:117238]
udp packets: [4681:36103]
packets: [12:54]
packets: [4747:119509]
http packets: [0:829]
Interfaces configured for inspection 1
Session creations since subsystem startup or last reset 5024
Current session counts (estab/half-open/terminating) [739:78:0]
Maxever session counts (estab/half-open/terminating) [815:96:8]
Last session created 00:00:00
Last statistic reset 00:10:08
Last session creation rate 487
Last half-open session total 78
sh ip ips statistics
Signature statistics [process switch:fast switch]
signature 3050:0 packets checked: [4:0]
signature 3173:0 packets checked: [18:0]
signature 5477:2 packets checked: [0:3]
signature 6253:0 packets checked: [0:159]
signature 6064:0 packets checked: [1:0]
signature 6056:0 packets checked: [1:0]
signature 5170:1 packets checked: [0:11]
signature 5322:1 packets checked: [0:2013]
signature 4620:0 packets checked: [0:339822]
signature 2157:1 packets checked: [1:37077]
signature 2157:0 packets checked: [0:2]
signature 1102:0 packets checked: [50:0]
Interfaces configured for ips 2
Session creations since subsystem startup or last reset 5153
Current session counts (estab/half-open/terminating) [744:72:0]
Maxever session counts (estab/half-open/terminating) [815:96:8]
Last session created 00:00:00
Last statistic reset 00:10:26
Any idea about that? I'm pretty sure it's a bug but still can't prove it. As you can see, I'm monitoring only HTTP traffic entering the internal network with CBAC (they have a single web server which for sure cannot handle that many connections). I'll be glad if you can help, but anyway, if we can't find the truth behind this I'll simply disable the IPS on the internal interface and I think I'll get statistics pretty close to reality (I need them to tune the CBAC TCP Intercept values). Besides that, it's pretty nasty that you can't see separate statistics for each interface, but anyway - I can live with that if I manage to get accurate statistics with limited security in that case. Thanks in advance!
Best Regards,
Stefan
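To make the overlap Stefan describes measurable rather than eyeballed, here is an added example (not code from the thread or from Cisco) that parses the session block both `show ip inspect statistics` and `show ip ips statistics` print in the same shape and flags when the CBAC counters track the IPS counters despite being configured on fewer interfaces. The sample strings are constructed, abridged from the outputs quoted above.

```python
import re

# Constructed sample input, abridged from the two outputs quoted in the post.
INSPECT_OUTPUT = """\
Packet inspection statistics [process switch:fast switch]
tcp packets: [1315:117238]
http packets: [0:829]
Interfaces configured for inspection 1
Session creations since subsystem startup or last reset 5024
Current session counts (estab/half-open/terminating) [739:78:0]
Maxever session counts (estab/half-open/terminating) [815:96:8]
"""
IPS_OUTPUT = """\
Signature statistics [process switch:fast switch]
signature 4620:0 packets checked: [0:339822]
Interfaces configured for ips 2
Session creations since subsystem startup or last reset 5153
Current session counts (estab/half-open/terminating) [744:72:0]
Maxever session counts (estab/half-open/terminating) [815:96:8]
"""

IFACE_RE = re.compile(r"^Interfaces configured for \w+ (\d+)$", re.M)
CREATED_RE = re.compile(r"^Session creations .*? (\d+)$", re.M)
SESSION_RE = re.compile(r"^(Current|Maxever) session counts .*?\[(\d+):(\d+):(\d+)\]$", re.M)

def parse_session_stats(text):
    """Pull the session block that both show commands print in the same shape."""
    stats = {
        "interfaces": int(IFACE_RE.search(text).group(1)),
        "creations": int(CREATED_RE.search(text).group(1)),
    }
    for kind, est, half, term in SESSION_RE.findall(text):
        stats[kind.lower()] = (int(est), int(half), int(term))
    return stats

def compare_session_stats(inspect_text, ips_text, tolerance=0.05):
    """Return finding strings when CBAC's session table looks like a copy of the IPS one.
    An empty list means the two subsystems' counters look independent."""
    cbac = parse_session_stats(inspect_text)
    ips = parse_session_stats(ips_text)
    findings = []
    if cbac["maxever"] == ips["maxever"]:
        findings.append("identical maxever session counts")
    est_gap = abs(cbac["current"][0] - ips["current"][0]) / max(ips["current"][0], 1)
    if est_gap <= tolerance:
        findings.append(f"established sessions within {tolerance:.0%} "
                        f"({cbac['current'][0]} vs {ips['current'][0]})")
    if findings and cbac["interfaces"] < ips["interfaces"]:
        findings.append(f"CBAC on {cbac['interfaces']} interface(s) but tracking IPS "
                        f"counts from {ips['interfaces']} interfaces")
    return findings

if __name__ == "__main__":
    for finding in compare_session_stats(INSPECT_OUTPUT, IPS_OUTPUT):
        print("suspicious:", finding)
```

Feeding it the two outputs collected at the same moment over several samples shows whether the CBAC numbers keep shadowing the IPS numbers, which is what Stefan would need to demonstrate before tuning TCP Intercept from them.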
11-03-2007 04:46 AM
Latest update: I found a bug for IPS 5.0 which I think is related to my problem, but I'm using IPS v4 signatures because I need something like 12.4(15)T for IPS 5.0 signatures, so I'm not sure that's my case.
Headline: IPS5.0 : Signature statistics not displayed correctly
Product: IOS
Feature: OTHERS
Severity: 3
Status: Resolved
First Found-in Version: 12.4(10.8)T01
First Fixed-in Version: 12.4(12.15)T
Release Notes
Symptoms:
This is a CLI display bug
Conditions:
idConf/IPS 5.0 is configured on the IOS router
Workaround:
None
Further Problem Description:
None
The first thing that disturbs me is that it's for 5.0; the second is that it sounds like the IPS statistics are not correct, while in my case we are talking about CBAC statistics. Any idea?