IPS Sensor 4240 slowing down traffic

Unanswered Question
Mar 20th, 2009

Hi All,

I have the following scenario:

The internal LAN (around 40 computers & 6 Servers) connecting to a 4500R which connects to two ASAs 5550 (In Failover) which then connects to a 2960G that connects to an IPS and finally a 2821 that gives Internet access.

In other words....

LAN - 4500R - ASAs - 2960G - IPS - 2821 - Internet.

The Problem is the following:

If the IPS Sensor 4240 is configured as Inline, suddenly the network begins experiencing slowness and the CPU on the IPS is at 100%. This only happens from time to time. I don't see any alarms being generated by the IPS indicating an attack or something like that....

If I configure the IPS as an IDS and configure the 2960G to SPAN traffic to the IDS... then everything works fine all the time & I haven't seen the problem again.

The situation is that I need the IPS Sensor to act as an IPS in Inline mode.

My question is... how do I determine what's going on?

The Sensor has a throughput around 1/4 as compared to the ASAs, but still there should not be so much traffic in the internal LAN to saturate the IPS.

The only thing I see on the IPS is the CPU at 100% when this happens. I don't see any signature match or alarm...

Please point me in the right direction to troubleshoot this problem, and I can provide more details if necessary...

Thank you All!!

rjaaouan Thu, 03/26/2009 - 02:33

I think the best design is to use the IPS behind the ASA.

In your case, here is what I have found:

Traffic inspected by a sensor outside a firewall tends to be unregulated. Sensors monitoring traffic outside a firewall see scans, sweeps, and every Internet worm and attack that exists, along with potentially large numbers of spoofed packets from around the globe. This makes it much more difficult to distinguish true alarms from noise or false alarms. A possible strategy for a sensor outside a firewall is to use the event stream from the sensor to identify trends.

When the sensor is outside the firewall, consider these tuning guidelines:

- Avoid assigning a high severity level to any individual event.

- Turn off all response actions.

- Use the sensor primarily to look for trends on the Internet such as activity explosions, which can indicate attacks like Code Red or Nimda.

You should do monitoring using IME; this may be helpful to know why the load is 100%. :(

I hope this is useful.
