Re: Problems trying to download from the web

Luis Carranza · ‎12-15-2009

Hi guys:

This is the firstime that I post something here, so here's my question:

I got a problem with an IPS Module, because when I want to download something from the web (FTP, HTTP,etc) it's very slow, for example if I want to download something of 3 mb it takes like 1 hour to download so I was checking the Service Policy Rules in the ASA and I just uncheck the one that I think was affecting which was FTP, but the problem still there, so I disable the IPS module and everything works great, so right now I'm checking the signatures in the IPS but I cannot find anything yet, so I want to know if anyone has this problem before.

If you already post this problem please let me know because I was looking in the forum and i couldn't find something.

Regards.

Carlos Castillo · ‎01-06-2010

Luis,

Try disabling all of the TCP Drop (1330) signatures on the IPS. These signatures look at the packet headers and drop all packets that do not meet RFC specifications.

1330-0: TCP packet has bad checksum. This signature will not produce an alert in
promiscuous mode regardless of the signature status.

1330-1: TCP packet has bad flag combination. A packet will never be passed on
for inspection if it has a bad flag combination regardless of the status
parameter. This signature will not produce an alert in promiscuous mode
regardless of the signature status.

1330-2: TCP packet with an URG pointer value and no URG flag. If the event
action parameter is set to modify packet inline the URG pointer will be set to
zero. This signature will not produce an alert in promiscuous mode regardless
of the signature status.

1330-3: TCP packet with a bad TCP option list. This signature should remain
Disabled and Retired. See Cisco bug id CSCsh32196 for further details. This
signature will not produce an alert in promiscuous mode regardless of the
signature status.

1330-4: TCP option has a bad length. If the signature event action is either
unset or set to modify packet inline or if the signature status is disabled
the packet will be modified to remove tcp options that extend past the end of
the packet header and passed on for inspection.

1330-5: TCP MSS option was seen in packet without the SYN flag set.

1330-6: TCP window scale option was seen in packet without the SYN flag set.

1330-7: TCP packet has a bad window scale value. If the signature event action
is either unset or set to modify packet inline or if the signature status is
disabled the packet will be modified to set the window scale option to the
closest constraint value.

1330-8: TCP SACK allowed option was seen in a packet without the SYN flag set.
If event action is set to modify packet inline the selective ack allowed
option will be cleared.

1330-9: TCP packet with SYN and ACK flags set that also contains data. This
signature will not produce an alert in promiscuous mode regardless of the
signature status.

1330-10: TCP data sequenced after the FIN. This signature will not produce an
alert in promiscuous mode regardless of the signature status.

1330-11: TCP packet has timestamp option when timestamp option is not allowed.
This signature is not implemented. This signature will not produce an alert in
promiscuous mode regardless of the signature status.

1330-12: TCP segment is out of order. If the signature status is set to
disabled, the packet will be passed to all engines that are not stream based.
This signature will not produce an alert in promiscuous mode regardless of the
signature status.

1330-13: TCP packet has invalid header. This signature is not implemented.
This signature will not produce an alert in promiscuous mode regardless of the
signature status.

1330-14: TCP packet with RST or SYN flag was sent in the sequence window but
was not the next in sequence. If a packet in a stream causes this signature to
produce an alert, processing will cease for that stream. This signature will
not produce an alert in promiscuous mode regardless of the signature status.

1330-15: TCP packet's sequence was already ACKed by peer (excluding
keepalives). This signature will not produce an alert in promiscuous mode
regardless of the signature status.

1330-16: TCP packet failed PAWS check (PAWS=protection against wrapped
sequence numbers). This signature will not produce an alert in promiscuous
mode regardless of the signature status.

1330-17: TCP segment out of state order. If a packet in a stream causes this
signature to produce an alert, processing will cease for that stream. This
signature will not produce an alert in promiscuous mode regardless of the
signature status.

1330-18: TCP segment out of window. If a packet in a stream causes this
signature to produce an alert, processing will cease for that stream. This
signature will not produce an alert in promiscuous mode regardless of the
signature status.

1330-19: TCP packet has timestamp option but the stream's SYN packet did not.
If event actions are either not set or set to modify packet inline or the
signature status is set to disabled the timestamp option will be cleared.

1330-20: TCP packet with SYN and ACK flags set has window scale option but the
SYN packet did not. If event actions are either not set or event actions are
set to modify packet inline or if the signature status is set to disabled the
window scale option will be cleared.

1330-21: TCP packet has selective ACK ok option but the stream's SYN packet
did not. If event actions are either unset or set to modify packet inline or
if the signature status is set to disabled the selective ACK ok option will be
cleared.

Luis Carranza · ‎01-19-2010

Hi Carlos:

Thanks for your response, in fact it was very helpful and when I deactivated those signatures the problem was solved.

So now I just want to know what are the risks that I could have if I leave those signatures deactivated.

Regards

sachinga.hcl · ‎04-15-2010

Hi Carlos,

I find your post quite informative regarding to IPS, for the tcp-options.

So I am rating you as 5.

Thanks n Best regards.

Sachin Garg