IOS IPS ACL failure

haithamnofal
Level 3

Hi,

I am enabling IOS IPS on my router's fa0/1 interface and I am filtering out some IP addresses from this IPS as per the below config, however the IPS is still firing signatures when receiving malicious traffic from these IPs!!

Any ideas why?!!

Here is the IPS config:

ip ips sdf location flash:/128MB.sdf
ip ips signature 2004 0 disable
ip ips name MyIPS list 1
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
 ip address 10.2.2.254 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.1.1.254 255.255.255.0
 ip ips MyIPS in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
logging trap debugging
logging 10.1.1.111
!
access-list 1 deny 10.1.1.111
access-list 1 deny 192.1.24.10
access-list 1 permit any

And here is the alarm which I see:

04-15-2008 01:12:56 Local7.Warning 10.1.1.254 130: *Apr 14 22:12:29.255: %IP_VFR-4-TOO_MANY_FRAGMENTS: FastEthernet0/1: Too many fragments per datagram (more than 32) - sent by 10.1.1.111, destined to 10.1.1.254

R/ Haitham

3 Replies

haithamnofal
Level 3

Hi again,

A strange behaviour is that I disabled the IPS on fa0/1 using the command "no ip ips MyIPS in" but the router kept giving me alarms!!

Any idea?

R/ Haitham

Mark Yeates
Level 7

Haitham,

I don't believe this log entry is related to IPS; it is warning you that the datagram being reassembled has received more fragments than its threshold. Try adding the "ip virtual-reassembly max-fragments (number)" command, (number) being the maximum number of fragments that you wish to allow, to increase the fragment value.

Mark
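The confusion in this thread comes down to reading the syslog facility: the alarm is %IP_VFR (virtual fragment reassembly), not %IPS, so neither the IPS ACL nor "no ip ips MyIPS in" could have silenced it. The following Python triage script is an added example, not part of the original thread or any Cisco tool. It parses router syslog lines of the shape shown above, tells IP_VFR messages apart from IPS signature messages, and for IPS events checks the source address against the thread's access-list 1 (first match wins, implicit deny at the end; hosts denied by the ACL are excluded from IPS inspection, hosts permitted are inspected). The first sample line is the one from the original post; the two %IPS-4-SIGNATURE lines are constructed for illustration and their exact field layout is an assumption.

```python
import re

# Constructed sample input. Line 1 is the alarm from the thread; lines 2 and 3
# are constructed IPS signature events whose field layout is assumed.
SAMPLE_LOG = """\
04-15-2008 01:12:56 Local7.Warning 10.1.1.254 130: *Apr 14 22:12:29.255: %IP_VFR-4-TOO_MANY_FRAGMENTS: FastEthernet0/1: Too many fragments per datagram (more than 32) - sent by 10.1.1.111, destined to 10.1.1.254
04-15-2008 01:13:02 Local7.Warning 10.1.1.254 131: *Apr 14 22:12:35.101: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [10.1.1.112:8 -> 10.1.1.254:0]
04-15-2008 01:13:05 Local7.Warning 10.1.1.254 132: *Apr 14 22:12:38.420: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [10.1.1.111:8 -> 10.1.1.254:0]
"""

# The thread's "access-list 1", as ordered (action, host) entries.
ACL_1 = [("deny", "10.1.1.111"), ("deny", "192.1.24.10"), ("permit", "any")]

# Verdict strings returned by triage(); kept as constants so callers can compare.
NOT_IPS = "not an IPS event: IPS ACL and 'no ip ips' do not affect it"
IPS_EXPECTED = "IPS event for a host the ACL permits (inspected as configured)"
IPS_UNEXPECTED = "IPS event for a host the ACL denies (should be excluded; check ACL binding)"

# %FACILITY-SEVERITY-MNEMONIC: as IOS prints it in every syslog message.
MNEMONIC_RE = re.compile(r"%(?P<facility>[A-Z_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+):")
# Source/destination as they appear in the IP_VFR message on the page.
VFR_RE = re.compile(r"sent by (?P<src>[\d.]+), destined to (?P<dst>[\d.]+)")
# Source/destination in the (assumed) IPS signature message layout.
IPS_RE = re.compile(r"Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+).*\[(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+\]")


def acl_action(acl, ip):
    """First-match evaluation of a standard IOS ACL; implicit deny if nothing matches."""
    for action, host in acl:
        if host == "any" or host == ip:
            return action
    return "deny"


def classify(line, acl=ACL_1):
    """Turn one syslog line into a dict describing what subsystem raised it and why."""
    m = MNEMONIC_RE.search(line)
    if not m:
        return None  # not an IOS-formatted message; ignore
    rec = {
        "facility": m.group("facility"),
        "severity": int(m.group("sev")),
        "mnemonic": m.group("mnemonic"),
        "src": None,
        "dst": None,
        "from_ips": m.group("facility") == "IPS",
        "verdict": NOT_IPS,
    }
    if rec["from_ips"]:
        addrs = IPS_RE.search(line)
        if addrs:
            rec["src"], rec["dst"] = addrs.group("src"), addrs.group("dst")
            # Denied by the IPS list ACL means "not inspected", so a signature
            # firing for that host is worth a second look at the configuration.
            rec["verdict"] = IPS_EXPECTED if acl_action(acl, rec["src"]) == "permit" else IPS_UNEXPECTED
    else:
        addrs = VFR_RE.search(line)
        if addrs:
            rec["src"], rec["dst"] = addrs.group("src"), addrs.group("dst")
    return rec


def triage(log_text, acl=ACL_1):
    """Classify every line of a syslog capture, skipping lines that do not parse."""
    results = []
    for line in log_text.splitlines():
        rec = classify(line, acl)
        if rec is not None:
            results.append(rec)
    return results


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(f"{rec['facility']}-{rec['severity']}-{rec['mnemonic']} "
              f"src={rec['src']} dst={rec['dst']}: {rec['verdict']}")
```

Run against the thread's own line, the script reports the IP_VFR alarm as not an IPS event, which matches Mark's reading: the remedy is on the "ip virtual-reassembly" side, and an IPS signature for 10.1.1.111 would be the only case where the ACL exclusion itself deserved scrutiny.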