Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
502
Views
0
Helpful
1
Replies

Trouble with IDS

yliaskovski
Level 1
Level 1

‎01-23-2006 04:42 AM - edited ‎03-10-2019 01:51 AM

Greetings all!

I have a 4235 appliance running 4.1(1)S47 For a long time a device worked normally, but suddenly it began to give out strange statistics. Particularly, on CLI command " show interface sensing" appears the following message:

"Sensing int0 is up

Hardware is eth0, TX

Reset port

MAC statistics from the Gig Ethernet Interface int0

Missed Packet Percentage = 99

Link Status = Up

Total Packets Received = 214

Total Bytes Received = 61661

Total Receive Errors = 49718

....

Total Receive FIFO Errors = 49718 (?????)

Total Receive Missed Errors = 49718"

In addition to this appliance detects the following alert events.

"signature: sigId=993 sigName=Missed Packet Count subSigId=0 version=S37 The packet drop rate has exceeded the threshold

participants:

attack:

attacker: proxy=false

addr: locality=OUT 0.0.0.0

victim:

addr: locality=OUT 0.0.0.0

alertDetails: Traffic Source: int0 ; Missed 100% of packets in the last 30 seconds"

Security Monitor running on VMS 2.2 (with patch fcs-idsmdc-v2.0.1-w2k) don't recieve any security or audit massages from appliance. The recovery procedure haven't gave any positive results. Situation is the same.

Any comments or suggestions would be highly appreciated.

Labels:
0 Helpful
1 Reply 1

charles.kim
Level 1
Level 1

‎01-23-2006 06:10 PM

I too am having a problem which resembles this...(Cisco 4250) Events or traps were no longer being sent by this device. show events on console of the sensor reported packet loss and a percentage of missed packets in the 8000% range... yes 8000 percent

I went ahead and switched out the fiber cables to make sure I wasn't having a physical layer problem. The thing that bugs me is that the switch is reporting that the errors off of the port are on the receiving end. However, the switch port is a monitor port, it should only be sending copies of the packets seen. Changing out the cable did not fix this problem. I ended up rebooting the sensor, the events started to show up on the console and the missed packet percentage disappeared. The only problem is that the switch is still reporting receive errors for that span port. This problem will eventually come back.

PS... Dont you hate it when you update your sensors signatures and it blows out the sensor configuration...what a tool.

any other help or insight would be appreciated.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card