08-08-2005 10:44 AM - edited 03-10-2019 01:34 AM
I applied IPS-sig-S182-minreq-5.0-1.pkg to my IDS/IPS 4215 with an inline interface pair. Immediately, I began receiving phone calls from users complaining that https sessions with outside app servers were extremely slow. I also noticed that one telnet application stopped working. I did not suspect the IPS, since there were not any event logs about the https or telnet activity. After putting the inline interface into bypass mode, the problems immediately stopped. Downgrading the update back to S181 had the same effect; traffic was normal again. Has anyone else had similar problems with this signature?
08-08-2005 11:26 AM
Do you have any alerts from signature 3409? This signature went out in S182 and detects telnet sessions over web ports, but it does not block by default. Could you provide the output of show statistic virtual-sensor so we can see if any signature is firing abnormally (or if the sensor is seeing malformed traffic)?
08-08-2005 12:23 PM
08-08-2005 12:39 PM
If you could provide the virtual-sensor statistics while (or after) the problem is occurring it would be extremely helpful. The output of "show event status past 00:10:00" may also contain useful information.
08-08-2005 12:57 PM
I will upgrade the sensor to S182 and have my users try to connect to their telnet and https apps. I should have something to post tomorrow (8/9/2005).
08-09-2005 05:26 AM
08-09-2005 06:04 AM
The only signatures that may be related to this problem are:
1330 - TCP Drop - Bad Checksum: TCP Packet with bad checksum (set to auto drop packet)
1308 - TTL evasion: IP TTL on a TCP session varies (set to modify packet inline)
Signature 1330 is set to automatically drop TCP packets with bad checksums. This signature has existed since S149 and its alerts are found in your S181 attachment. You may want to check the IP addresses of these alerts to identify the device creating the malformed packets on your network. Until you have been able to correct the problem, you can set the default action of this signature to produce alert to prevent it from dropping packets.
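Added example (not part of the thread and not Cisco code): signature 1330 fires on TCP packets whose checksum does not verify, and the reply above suggests finding the device that produces them. This sketch verifies the TCP checksum of raw IPv4 packets and tallies failures per source address; the packets, addresses and function names are constructed for illustration.

```python
import socket
import struct
from collections import Counter

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by IP/TCP checksums (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length data with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum_ok(packet: bytes) -> bool:
    """True if the TCP checksum of a raw IPv4 packet verifies."""
    if packet[9] != 6:
        raise ValueError("not a TCP packet")
    ihl = (packet[0] & 0x0F) * 4
    segment = packet[ihl:struct.unpack("!H", packet[2:4])[0]]
    # Pseudo-header: source, destination, zero, protocol, TCP length.
    pseudo = packet[12:20] + struct.pack("!BBH", 0, 6, len(segment))
    # A valid segment sums to 0xFFFF when its checksum field is included.
    return ones_complement_sum(pseudo + segment) == 0xFFFF

def bad_checksum_sources(packets) -> Counter:
    """Count TCP packets with bad checksums per source address."""
    return Counter(socket.inet_ntoa(p[12:16])
                   for p in packets if not tcp_checksum_ok(p))

def build_packet(src: str, dst: str, payload: bytes, corrupt: bool = False) -> bytes:
    """Constructed sample: minimal IPv4 + TCP packet (IP header checksum left 0)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    csum = ~ones_complement_sum(pseudo + tcp) & 0xFFFF
    if corrupt:
        csum ^= 0x0101  # flip bits so verification fails
    return ip + tcp[:16] + struct.pack("!H", csum) + tcp[18:]

# Constructed sample traffic using documentation addresses (RFC 5737).
SAMPLE = [
    build_packet("192.0.2.10", "198.51.100.5", b"hello"),
    build_packet("192.0.2.20", "198.51.100.5", b"hello", corrupt=True),
    build_packet("192.0.2.20", "198.51.100.5", b"again!", corrupt=True),
]

if __name__ == "__main__":
    print(bad_checksum_sources(SAMPLE))
```

Feed it packets captured on the wire rather than on the sending host, where checksum offload can make outgoing packets appear bad in a local capture.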