Solved: Troubleshooting IDS 4215 sensing interface

tcherkon · ‎12-21-2005

Hello!

I'm deploying IDS4215 with sensing interface (Fa0/1) connected to Cat3750 Gig1/0/1 SPAN interface.

The problem is as follows. The IDS works for some time (I'm able to see alerts and 'show int' states that Fa0/1 is up). Then after a while Fa0/1 goes down I don't know why.

The Cat3750 shows that status of Gig1/0/1 turns from 'monitoring' to 'notconnect'. All I can do is to reboot IDS.

Catalyst shows no errors on interface.

I'm novice to IDS, and I appreciate any idea where to start troubleshooting.

Thanks in advance!

PS.

Catalyst settings:

interface GigabitEthernet1/0/1

description IDS span

duplex full

speed 100

end

monitor session 1 source interface Gi1/0/27 - 28

monitor session 1 source interface Gi2/0/27 - 28

monitor session 1 destination interface Gi1/0/1

IDS config:

! ------------------------------

! Version 5.1(1)

! Current configuration last modified Thu Dec 22 10:11:22 2005

! ------------------------------

service interface

physical-interfaces FastEthernet0/0

duplex auto

speed auto

exit

physical-interfaces FastEthernet0/1

description FE0/1

admin-state enabled

duplex full

speed 100

exit

! ------------------------------

service analysis-engine

virtual-sensor vs0

physical-interface FastEthernet0/1

exit

mhellman · ‎12-27-2005

I believe there is something seriously wrong with version 5.1(1). Why Cisco continues to allow users to download is beyond comprehension. I will be rebuilding about 20 sensors today because of this issue. I rebuilt 6 sensors on Friday [from an ISO image, models 4235,4240,4255] and let them run over the weekend. 5 out of 6 have the sensing interface down again.

View solution in original post

mkirbyii · ‎12-22-2005

Are you passing gigabit traffic? The 4215 is rated at 85mbps.You may be asking it to inspect to much traffic. I believe you can issue a "show interface FastEthernet0/1" and look for "missed" or "dropped" counter to see if the sensor is missing packets. Good indicator that the sensor is oversubscribed.

Your cat config looks like you spanning two ports to one, that could be to much for the sensor to inspect.

Not sure if this helps or not.

Good luck.

tcherkon · ‎12-23-2005

I've found out that link goes down because application AnalysisEngine goes down. Here's the link to the new topic.

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Intrusion%20Prevention%20Systems/IDS&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dda140b

mhellman · ‎12-27-2005

I believe there is something seriously wrong with version 5.1(1). Why Cisco continues to allow users to download is beyond comprehension. I will be rebuilding about 20 sensors today because of this issue. I rebuilt 6 sensors on Friday [from an ISO image, models 4235,4240,4255] and let them run over the weekend. 5 out of 6 have the sensing interface down again.