Problem with v5.x signatures

Unanswered Question
Sep 13th, 2007

Hi


I am trying to enable IOS IPS on my 7204-G2 router but have a few problems. I use IOS c7200p-adventerprisek9-mz.124-15.T1 and signatures IOS-S297-CLI. I use this doc http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a0080747eb0.html .


The first time, when I try to "copy tftp://x.x.x.x/IOS-S297-CLI.pkg idconf" the compilation process is a success but I get these messages: %IPS-4-SIGNATURE_COMPILE_FAILURE, %IPS-4-META_ENGINE_UNSUPPORTED, %IPS-4-SDF_PARSE_FAILED: file disk2:myips/7204-sigdef-default.xml.


After this I have a few .xml files in my folder disk2:/myips/, but when I try to activate IPS on the interface all the traffic stops.


On the second try, after "copy tftp://x.x.x.x/IOS-S297-CLI.pkg idconf" traffic stops and then the router reboots. In the folder disk2:/myips/ at this time I have more files, but after "ip ips myips in" traffic stops again.


What is the problem with the signature compilation? Maybe this is a bug in IOS or something.

amritpatek Wed, 09/19/2007 - 13:34

You are getting these errors because you are trying to compile all signatures in a single go, which is not recommended. The v5 style signatures are common to the IOS IPS and the IDS/IPS sensor appliances, but IOS IPS does not support all of the signature engines (hence the META_ENGINE_UNSUPPORTED errors) and most IOS platforms will not have sufficient CPU and memory resources to compile *all* the supported ones. In other words, the behavior you experienced is normal; the solution is to start by retiring all signature categories and then gradually enable those you need. The following link may help you:

http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a0080747eb0.html#wp1064428
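As an added illustration of the approach described in the answer above (this is not the poster's configuration and not text from the linked guide), here is the IOS IPS 5.x bring-up order with every category retired first and only the small "basic" category un-retired before the package is loaded. The config location disk2:/myips/, the rule name myips, the TFTP server x.x.x.x and the interface GigabitEthernet0/1 are placeholders taken from or chosen to match the thread; the Cisco public key string is omitted and must be pasted from the signature download page.

```cisco
! Added example, not the poster's config.
! Placeholders: disk2:/myips/, rule name "myips", TFTP server x.x.x.x, GigabitEthernet0/1.
!
! 1. Flash directory that will hold the compiled signature files
mkdir disk2:/myips/
!
! 2. Cisco public key used to verify the signature package
!    (key-string omitted; paste the realm-cisco.pub key here)
configure terminal
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
   ! <realm-cisco.pub hex key-string goes here>
  quit
 exit
!
! 3. Where compiled signatures live, plus the IPS rule name and syslog notification
ip ips config location disk2:/myips/ retries 1
ip ips name myips
ip ips notify log
!
! 4. Retire every category first, then un-retire only the "basic" set.
!    This is the step that keeps compile-time CPU and memory within what a 7200 has;
!    compiling the whole package is what produced the SIGNATURE_COMPILE_FAILURE messages.
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
 exit
!
! 5. Apply the rule on the interface only after the category tuning is in place
interface GigabitEthernet0/1
 ip ips myips in
 exit
end
!
! 6. Load and compile the package; only non-retired signatures are compiled
copy tftp://x.x.x.x/IOS-S297-CLI.pkg idconf
!
! 7. Verify: compiled vs. retired counts, the rule/location config,
!    and that no %IPS-4-SIGNATURE_COMPILE_FAILURE appears in the log
show ip ips signatures count
show ip ips configuration
show logging | include IPS
```

Once the basic set compiles cleanly, further categories can be un-retired one at a time with another `retired false` under `ip ips signature-category`, re-checking `show ip ips signatures count` and CPU after each step.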

seducer666 Tue, 09/25/2007 - 21:43

Thanks

I read the manual twice and found the solution to using 5.x signatures correctly.


OK, IPS works, but I have a few questions.

With IPS working my G2 has 70% CPU usage, and I must turn on IPS only for a few networks. When I used 4.x IPS I used an access-list, "ip ips name myips list 141"; it looks like:

"10 permit ip 192.168.3.0 255.255.255.0 any
20 permit ip any 192.168.3.0 255.255.255.0"

Everything works fine, IPS working only for network 3.


Now with 5.x IPS I try to use the same access-list, but when I turn IPS on on the interface all the traffic stops. Without the access-list everything works fine.
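An added example (not the poster's configuration) of scoping IOS IPS inspection to a single network with an extended ACL bound through `ip ips name ... list`. It assumes the same rule name myips and interface GigabitEthernet0/1 as above. Two points it shows that the thread does not spell out: IOS extended ACLs take wildcard masks, so 192.168.3.0/24 is written with 0.0.0.255, and the ACL only selects which packets IPS scans; packets the ACL does not permit are forwarded without inspection rather than dropped.

```cisco
! Added example, not the poster's config.
! Restricts IPS scanning to traffic to/from 192.168.3.0/24.
configure terminal
!
! Extended ACL 141 selects what IPS scans. IOS ACLs use wildcard masks,
! so a /24 is 0.0.0.255. Anything not permitted here is forwarded
! without IPS inspection (the ACL filters scanning, it does not drop traffic).
ip access-list extended 141
 10 permit ip 192.168.3.0 0.0.0.255 any
 20 permit ip any 192.168.3.0 0.0.0.255
 exit
!
! Bind the ACL to the IPS rule and apply the rule on the interface
ip ips name myips list 141
interface GigabitEthernet0/1
 ip ips myips in
 exit
end
!
! Verify the ACL is bound to the rule and watch the match counters while traffic flows;
! a rising count on lines 10/20 confirms the scoped traffic is being selected
show ip ips configuration
show access-lists 141
show ip ips statistics
```

If CPU stays high after scoping, the match counters on the ACL plus `show ip ips statistics` show whether the inspected volume actually shrank, which separates an ACL that is not matching from a signature set that is simply too large for the platform.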


