
IPS - tcp segment overwrite - WAY TOO MANY

tverhoeven
Level 1

We had consultants install our new IPS. They recommended plugging into a switch connecting our firewall to our internet router. We have a bunch of VPN tunnels terminating at our ASA firewall from our remote offices. When I check the logs on the IPS, there are tons of alerts for "tcp segment overwrite" and a lot of them come from the VPN sites. My question is, what can I do to alleviate some of these messages? I can't believe that we are being attacked this much.

To clarify our installation, we have 2 switches, one in each of our two buildings, and they are connected via fibre. We have an ASA in each building and they are set up for redundancy. Our IPS has only one interface plugged into the same VLAN that hosts the firewall and the internet router.

thanks

5 Replies

jlimbo
Level 1

If this is in an inline scenario the offending packets are dropped by default. To investigate it further I check to see what other alerts are triggering for the offending hosts. This will give you more information to ascertain what these hosts are really doing.

This is not inline... only have one interface.

I checked through a handful of the logs and I have IPs from my internal network and from remote VPN connections. Is there a way to search through the log to find multiple occurrences of the same host?

We have the same issue. We see them too much in "normal" traffic for the sig to be useful.

If you are on a 4250, 4250XL or an IDSM-2 then you might be hitting CSCsg23774.

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsg23774

The defect was corrected in 6.0(1).

Thanks man...that seemed to do the trick.

Good thing I did not do that upgrade last week when I was studying for the IPS exam. Whole new interface would have thrown me off.
