IOS IPS ACL failure

Unanswered Question
Apr 14th, 2008


I am enabling IOS IPS on my router's fa0/1 interface and I am filtering out some IP addresses from this IPS as per the config below; however, the IPS is still firing signatures when receiving malicious traffic from these IPs!!

Any ideas why?!!

Here is the IPS config:

ip ips sdf location flash:/128MB.sdf
ip ips signature 2004 0 disable
ip ips name MyIPS list 1

interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
 ip address
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto

interface FastEthernet0/1
 ip address
 ip ips MyIPS in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto

logging trap debugging

access-list 1 deny
access-list 1 deny
access-list 1 permit any

And here is the alarm which I see:

04-15-2008 01:12:56 Local7.Warning 130: *Apr 14 22:12:29.255: %IP_VFR-4-TOO_MANY_FRAGMENTS: FastEthernet0/1: Too many fragments per datagram (more than 32) - sent by, destined to

R/ Haitham

haithamnofal Mon, 04/14/2008 - 14:36

Hi again,

A strange behaviour is that I disabled the IPS on fa0/1 using the command "no ip ips MyIPS in" but the router kept giving me alarms!!

Any idea!

R/ Haitham

Mark Yeates Mon, 04/14/2008 - 15:04

I don't believe this log entry is related to IPS; it is warning you that the datagram being reassembled has received more fragments than its threshold. Try adding the "ip virtual-reassembly max-fragments (number)" command, (number) being the maximum number of fragments that you wish to allow, to increase the fragment value.
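As an added example (not part of this thread or of Cisco's own tooling), a short Python triage script that attributes each router syslog line to the feature that emitted it, so an %IP_VFR message is not mistaken for an IPS signature hit, and that evaluates a source address against the standard ACL bound with "ip ips name ... list" using first-match, implicit-deny semantics. The %IPS-4-SIGNATURE line, the addresses and the ACL entries are constructed stand-ins for the values redacted in the post.

```python
import ipaddress
import re

# Cisco IOS syslog body: "%FACILITY-SEVERITY-MNEMONIC: text"
MSG_RE = re.compile(r"%(?P<fac>[A-Z_]+)-(?P<sev>\d)-(?P<mn>[A-Z_]+): (?P<text>.*)$")
VFR_RE = re.compile(r"(?P<intf>\S+): Too many fragments per datagram \(more than (?P<limit>\d+)\)")
SIG_RE = re.compile(r"Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+)")

def classify(line):
    """Attribute a router syslog line to the feature that produced it (None if not IOS format)."""
    m = MSG_RE.search(line)
    if not m:
        return None
    ev = {"facility": m["fac"], "severity": int(m["sev"]), "mnemonic": m["mn"], "feature": "other"}
    if m["fac"] == "IP_VFR":
        # Virtual fragment reassembly: tuned with 'ip virtual-reassembly max-fragments',
        # not filtered by the ACL bound with 'ip ips name ... list'.
        ev["feature"] = "virtual-reassembly"
        v = VFR_RE.search(m["text"])
        if v:
            ev.update(interface=v["intf"], max_fragments=int(v["limit"]))
    elif m["fac"] == "IPS":
        ev["feature"] = "ips"
        s = SIG_RE.search(m["text"])
        if s:
            ev.update(signature=int(s["sig"]), subsig=int(s["subsig"]))
    return ev

def ips_inspects(src, acl):
    """Standard-ACL semantics for 'ip ips name X list N': first match wins, 'permit' = inspected,
    'deny' = exempted, and the implicit deny at the end leaves unmatched sources uninspected."""
    ip = ipaddress.ip_address(src)
    for action, net in acl:
        if ip in ipaddress.ip_network(net, strict=False):
            return action == "permit"
    return False

# Constructed sample data: documentation addresses stand in for the ones redacted in the post.
EXEMPT_ACL = [("deny", "192.0.2.10/32"), ("deny", "192.0.2.11/32"), ("permit", "0.0.0.0/0")]
SAMPLE_LOGS = [
    "04-15-2008 01:12:56 Local7.Warning 130: *Apr 14 22:12:29.255: %IP_VFR-4-TOO_MANY_FRAGMENTS: "
    "FastEthernet0/1: Too many fragments per datagram (more than 32) - sent by 192.0.2.10, destined to 10.0.0.5",
    "*Apr 14 22:13:01.100: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.0.2.12:0 -> 10.0.0.5:0]",
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        ev = classify(line)
        print(ev["feature"], ev)
```

Running it shows the first line attributed to virtual-reassembly on FastEthernet0/1 with a 32-fragment limit, while only the second line is an IPS event; the ACL check confirms the exempted source would not be inspected by IPS at all, so the VFR warning cannot be an IPS miss.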


