IPS on 2811

Adam Frederick
Level 3

Hi, I have a 2811 with 2 interfaces: one that is my T1 to the Internet and one that connects to my LAN. On the WAN interface, I have IPS turned on for in and out. However, when I have it turned on for the in, traffic on the inside has about 30% success of loading a webpage. I've examined my interfaces and there are no errors or drops. As soon as I take the in statement off the WAN interface, traffic flows 100%. The out statement seems to have no effect whatsoever. The log doesn't show any IPS signatures being matched. I am at a loss; has anyone seen this before? The router has all of the defaults, no tweaking, only a couple of sigs disabled. Like I said, operations are 100% normal when I take the in statement off, but when I put it back traffic passes at a 30% rate.

8 Replies

lgijssel
Level 9

Hello Adam,

Can you please post the config of the 2811?

If possible with details about the way in which you are activating IPS for the inside.

What IPS HW/SW are you using?

Regards,

Leo

I have the same symptoms with a 2811 with Advanced IP Services 12-4.3.

When I enable the IPS feature on the LAN interface (in & out direction) with the 256MB.sdf file, some applications, including HTTP, begin to fail. Then I disabled all the signatures that were alarming, but it still fails. It doesn't have high CPU or any other active feature.

Which IOS version do you have Adam?

Regards,

Marco

hamoja
Level 1

I have the same issue with IPS on the inside interface as well. Some web pages time out and complain about page not found, and download speeds are degraded by 3/4 of the actual speed. Tweaked values for dns-timeout/max timeout connection and so forth, but no resolution.

I decided to open a case with TAC to see if they can shed light on it.

I am not using IOS IPS, but I have had a similar issue with the IPS 4200 series. In my case it had to do with sig 1330 and subsigs 12, 15, 17. Sig 1330 makes up the normalizer engine, and most have a default action of "deny packet inline" or "modify packet inline". By default sig 1330 does not have the action "produce alert". Therefore, it denies traffic and you do not know about it!

Again, not sure if IOS IPS is the same, but it's worth a look. Set sig 1330 and all subsigs to produce alert and then watch your logs. The subsigs that fire the most are probably the ones causing your issues. For these, remove the "deny" actions and see how it runs. Another sig that causes issues if a firewall is nearby is 1308 (TTL Evasion). Seems this one causes trouble too. I always disable this one.

I hope this makes sense and is applicable.

Mike
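Mike's suggestion above (give the normalizer subsigs a produce-alert action, then see which ones fire most) can be turned into a quick log triage. The Python script below is an added example, not code from this thread or from Cisco. The syslog line shape it parses, the sample log lines, and the set of (sig, subsig) pairs treated as carrying a deny action are constructed assumptions; replace them with the router's own log and signature listing.

```python
"""Triage IOS IPS syslog alerts to find the signatures most likely to be dropping
web traffic. Added example for this thread, not Cisco code."""
import re
from collections import Counter

# Assumed line shape (the IOS IPS syslog format as this example understands it;
# adjust the pattern to what your router actually emits):
#   %IPS-4-SIGNATURE: Sig:<id> Subsig:<id> Sev:<n> <name> [src:sport -> dst:dport] ...
IPS_LINE = re.compile(
    r"%IPS-4-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.+?) \[(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\]"
)

# Constructed sample log (not from the thread; signature names are placeholders):
# LAN client 192.168.1.50 fetching pages from web server 203.0.113.10 through the
# IPS interface, one inbound scan alert, and one unrelated line the parser must skip.
SAMPLE_LOG = """\
Mar  1 10:02:11.101: %IPS-4-SIGNATURE: Sig:1330 Subsig:12 Sev:2 TCP Drop [203.0.113.10:80 -> 192.168.1.50:51002]
Mar  1 10:02:11.340: %IPS-4-SIGNATURE: Sig:1330 Subsig:17 Sev:2 TCP Drop [203.0.113.10:80 -> 192.168.1.50:51002]
Mar  1 10:02:12.007: %IPS-4-SIGNATURE: Sig:1330 Subsig:12 Sev:2 TCP Drop [203.0.113.10:443 -> 192.168.1.50:51010]
Mar  1 10:02:12.515: %SYS-5-CONFIG_I: Configured from console by console
Mar  1 10:02:13.220: %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [198.51.100.7:40211 -> 192.168.1.1:80]
Mar  1 10:02:14.880: %IPS-4-SIGNATURE: Sig:1330 Subsig:15 Sev:2 TCP Drop [203.0.113.10:80 -> 192.168.1.50:51014]
Mar  1 10:02:15.102: %IPS-4-SIGNATURE: Sig:1330 Subsig:17 Sev:2 TCP Drop [203.0.113.10:80 -> 192.168.1.50:51014]
Mar  1 10:02:15.409: %IPS-4-SIGNATURE: Sig:1330 Subsig:12 Sev:2 TCP Drop [203.0.113.10:80 -> 192.168.1.50:51016]
"""

# (sig, subsig) pairs whose configured action includes deny/modify. This set is an
# assumption so the example runs; in practice fill it from the router's own
# signature listing, never from a table copied out of a forum post.
ASSUMED_DENY_PAIRS = {(1330, 12), (1330, 15), (1330, 17)}


def parse_ips_log(text):
    """Return one dict per IPS alert line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = IPS_LINE.search(line)
        if not m:
            continue  # not an IPS alert, or a format this parser does not know
        events.append({
            "sig": int(m["sig"]), "subsig": int(m["subsig"]), "sev": int(m["sev"]),
            "name": m["name"], "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
        })
    return events


def rank_signatures(events):
    """Most frequently firing (sig, subsig) first: the pairs Mike says to look at."""
    return Counter((e["sig"], e["subsig"]) for e in events).most_common()


def suspected_silent_drops(events, deny_pairs, web_ports=(80, 443)):
    """Keep only pairs the operator has marked as deny/modify, and count hits on
    web return traffic (server port -> client). Those are the candidates for the
    'page loads only some of the time' symptom; remove the deny action on them
    one at a time and re-test."""
    hits = Counter()
    for e in events:
        pair = (e["sig"], e["subsig"])
        if pair in deny_pairs and e["sport"] in web_ports:
            hits[pair] += 1
    return hits.most_common()


if __name__ == "__main__":
    evs = parse_ips_log(SAMPLE_LOG)
    print("all alerts by (sig, subsig):")
    for pair, n in rank_signatures(evs):
        print(f"  {pair[0]}/{pair[1]}: {n}")
    print("deny-action pairs hitting web return traffic:")
    for pair, n in suspected_silent_drops(evs, ASSUMED_DENY_PAIRS):
        print(f"  {pair[0]}/{pair[1]}: {n}")
```

The script only helps once produce-alert has been added: a signature whose actions are deny-only writes nothing to the log, which is exactly why an empty IPS log, as in the original post, does not rule out IPS drops.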

I am currently experiencing the same issue on a 2801 router. When I enable IPS on a single interface, that single interface experiences a throughput decrease of 20 times the normal, i.e. I can download from a non-IPS-enabled interface at 200KB while on the IPS-enabled interface throughput bursts to 20KB if I'm lucky. I have gone to the extent of disabling ALL of the signatures, so it would seem that there is something inherent in the IPS engine itself that is truly detrimental to the proper functioning of an interface. I've got a TAC case open and have received some suggestions, but to no avail.

apmorgan
Level 1

I am experiencing this problem as well on a 3845; I tried it with 12.3.14T and 12.4.4T, and both versions behave similarly.

Web pages fail to load, tcp timeouts causing website to reset connection.

Anyone have any suggestions?

I think my problem was due to a parallel route path, and asymmetrical routing.

When I shut down one route path my IPS works fine. Does anyone know if IPS requires symmetrical routing? I understand the requirement of sequential packets.

I am not sure if symmetrical routing is a requirement. I already have a case open with TAC about this issue, and TAC asked me for:

"packet captures from each side of the IPS device where the asymmetric routing could occur"

Because Cisco asked me about asymmetric routing, I think it can affect the function of IPS.

Maybe the issue is a consequence of bug CSCsa67785. Have you disabled ip cef and tested the IPS feature with asymmetrical routing?

You can try disabling "ip route-cache cef" in each interface and testing the IPS feature.
