IOS IPS ACL failure

Unanswered Question
Apr 14th, 2008


I am enabling IOS IPS on my router's fa0/1 interface and I am filtering out some IP addresses from this IPS as per the below config, however the IPS is still firing signatures when receiving malicious traffic from these IPs!!

Any ideas why?!!

Here is the IPS config:

ip ips sdf location flash:/128MB.sdf
ip ips signature 2004 0 disable
ip ips name MyIPS list 1

interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
 ip address
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto

interface FastEthernet0/1
 ip address
 ip ips MyIPS in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto

logging trap debugging

access-list 1 deny
access-list 1 deny
access-list 1 permit any

And here is the alarm which I see:

04-15-2008 01:12:56 Local7.Warning 130: *Apr 14 22:12:29.255: %IP_VFR-4-TOO_MANY_FRAGMENTS: FastEthernet0/1: Too many fragments per datagram (more than 32) - sent by, destined to

What surprised me even more is that I disabled the IPS on fa0/1 using the command "no ip ips MyIPS in", but the router kept giving me alarms!!

Any thoughts!!

R/ Haitham
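The alarm quoted above carries the IP_VFR facility, which is emitted by the ip virtual-reassembly feature configured on both interfaces, whereas IOS IPS signature events are logged under the IPS facility (%IPS-4-SIGNATURE). The script below is an added example, not part of the original post: it parses IOS syslog lines, separates VFR alarms from IPS signature hits, and checks the source of each IPS hit against the excluded hosts, so a defender can see which alarms an IPS ACL exclusion could influence at all. The sample log lines and addresses (RFC 5737 documentation ranges) are constructed, and EXCLUDED_SOURCES stands in for the hosts denied in access-list 1.

```python
import ipaddress
import re

# Constructed sample lines in IOS syslog format (not from the original post);
# addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOGS = [
    "*Apr 14 22:12:29.255: %IP_VFR-4-TOO_MANY_FRAGMENTS: FastEthernet0/1: "
    "Too many fragments per datagram (more than 32) - sent by 198.51.100.7, destined to 192.0.2.10",
    "*Apr 14 22:13:02.001: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Request "
    "[203.0.113.5:0 -> 192.0.2.10:0]",
    "*Apr 14 22:13:05.120: %IPS-4-SIGNATURE: Sig:3041 Subsig:0 Sev:5 TCP SYN/FIN Packet "
    "[198.51.100.7:4444 -> 192.0.2.10:80]",
]

# Hosts the poster's access-list 1 denies (constructed placeholder values).
EXCLUDED_SOURCES = [ipaddress.ip_network("198.51.100.7/32")]
# IOS messages look like %FACILITY-SEVERITY-MNEMONIC: text
MSG_RE = re.compile(r"%(?P<facility>[A-Z_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+):\s*(?P<text>.*)")
IPS_RE = re.compile(r"Sig:(?P<sig>\d+)\s+Subsig:\d+.*?\[(?P<src>[\d.]+):\d+\s*->\s*(?P<dst>[\d.]+):\d+\]")
VFR_RE = re.compile(r"sent by (?P<src>[\d.]+), destined to (?P<dst>[\d.]+)")

def classify(line):
    """Identify which IOS feature logged the line and the source host it names."""
    m = MSG_RE.search(line)
    if not m:
        return {"feature": "unknown", "src": None, "sig": None}
    facility, text = m.group("facility"), m.group("text")
    if facility == "IPS":
        d = IPS_RE.search(text)
        return {"feature": "ips", "src": d.group("src") if d else None,
                "sig": int(d.group("sig")) if d else None}
    if facility == "IP_VFR":
        d = VFR_RE.search(text)
        return {"feature": "vfr", "src": d.group("src") if d else None, "sig": None}
    return {"feature": facility.lower(), "src": None, "sig": None}

def is_excluded(src):
    """True when the source host falls inside an excluded network."""
    return src is not None and any(ipaddress.ip_address(src) in net for net in EXCLUDED_SOURCES)

def audit(lines):
    """Split alarms into IPS hits from excluded hosts and alarms no IPS ACL can affect."""
    report = {"ips_hits_from_excluded": [], "non_ips_alarms": []}
    for line in lines:
        c = classify(line)
        if c["feature"] == "ips" and is_excluded(c["src"]):
            report["ips_hits_from_excluded"].append(c["sig"])
        elif c["feature"] != "ips":
            report["non_ips_alarms"].append(c["feature"])
    return report
```

Running audit over a real log export shows whether any alarm from an excluded host is actually an IPS signature; anything that lands in non_ips_alarms will keep firing no matter how the IPS ACL is written.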

didyap Fri, 04/18/2008 - 12:23

To create an access control list (ACL) filter for the deny actions on the intrusion prevention system (IPS) interface rather than the ingress interface, use the ip ips deny-action ips-interface command in global configuration mode. To return to the default, use the no form of this command.

ip ips deny-action ips-interface

Follow the URL for further commands for the IPS:

