WRVS4400N stability issues after KRIS_DDOS_TYPE messages

jules.gaudreault · ‎02-04-2013

Hello,

Late last week I started getting security logs emails from our WRVS4400N router with a very large number of "hit KRIS_DDOS_TYPE" messages. I believe this may have something to do with someone on the office trying to setup a DVR for a security system. In th eend the router eventually crashed and I had to reset it several times my pulling the power cable. I have since shut down the DVR and put a block on the IP address IPS was reporting that the apparent DoS attacks was coming from. Everything now seems to work except for the fact that it only works for a few hours and then the router crashed again for no apparent reason. I am unable to log into it and no logs are stored to indicate any problem. My only solution is to again reset the router by cycling the power on it. Any ideas how to fix this? I would appreciate any suggestions. Thanks.

Tom Watts · ‎02-04-2013

Hi Jules, you may disable the IPS and this should resolve.

-Tom
Please mark answered for helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

jules.gaudreault · ‎02-04-2013

Hi Tom,

Thanks for your suggestion. I will give this a try. My concern however is that I will no longer be protected from intrusion, correct?

Tom Watts · ‎02-04-2013

The default firewall blocks all inbound connections. IPS basically is a signature scanner for all inbound and outbound packets that are known code strings for hackers and the such. The default firewall is enough in its own, IPS is just an extra bonus.

I would be lying if I said you wouldn't be more susceptible. However, I would be misleading if I said I would think it would make a huge difference considering the age of the IPS file.

-Tom
Please mark answered for helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

jules.gaudreault · ‎02-04-2013

OK thanks for your opinion. I have disabled IPS and hopefully this fixes my stabitlity problems. Thanks again.

jules.gaudreault · ‎02-04-2013

Hi Tom,

I disabled IPS however unfortunately the router just crashed again. Any other ideas?

Tom Watts · ‎02-04-2013

Hi Jules, ensure device is running 2.0.2.1 firmware. There isn't much any other reason for the device to crash unless it is over utilized. I know VPN tunnel from this router to a router like ASA5505 will soak the memory and make it lock up. You may want to set up an external syslog to see if there are any memory errors or something like that.

-Tom
Please mark answered for helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

jules.gaudreault · ‎02-05-2013

Hi Tom,

Last night I reset the setting to factory default, reinstalled firmware v2.0.2.1 and then restored my settings I backed up. Everything worked great after that but this morning it was down again. Same thing, no network and can't log into the router and forced to cycle the power.

As a "way out there" guess, are there any compatibility issues with certain switches? One thing I did change the past few days was that I took out an older cheap 8-port D-Link Gigabit switch which was maxed-out and replaced it with a Netgear ProSafe 16-port Gigabit switch (model JGS516).

Another thing that has changed is that I have added another network by cascading a D-Link DIR-655 wireless router. I have the WAN port of this router connected to a LAN port on the WRVS4400N router. The WRVS4400N router is using IP 192.168.21.x (subnet mask 255.255.255.0) and the other router is set to 192.169.10.x (subnet mask 255.255.255.0). I may be wrong but I can't see this being an issue. ANy ideas?