High CPU load on IPS 4255

Unanswered Question
Mar 27th, 2009

The problem we have is that the IPS is constantly at 100% CPU.

This is how the network is connected:

We have a 6500 on which we have a FWSM module and the default gateway for the FWSM (for internet) is on vlan 88.

This 6500 is then trunked to another switch. One of the ports on that switch is in vlan 88. That is where the IPS is connected and the other interface of the IPS goes to our outside ASA.

The other two interfaces of the IPS are connected on the other side of the ASA towards internet.

First thing I noticed is that the number of packets the IPS has received is huge.

When the CPU peaks there is a huge amount of packets on the port where the IPS is connected and on the trunk between the 6500 and the other switch.

If I change something on the IPS (let's say modify any of the signatures) the CPU goes down and the number of packets on the trunk and on the port where the IPS is connected drops (around 100 packets/second). Then all of a sudden there is a storm of 10000-20000 packets per second and the IPS starts peaking the CPU at 100%.

I removed the interface pair from the sensor just to see whether something is going to change but it didn't. The IPS doesn't scan the traffic but the CPU started peaking again.

Currently the CPU is at 100%, inspection load is at 8%, System memory usage is at 47%, analysis engine memory is at 35%. Disk usage is also normal.

It seems that the IPS is creating some sort of a broadcast storm but I can't figure why.

Does anyone have an idea as to what might cause this?

kasper123 Sat, 03/28/2009 - 02:02

Instead of connecting the IPS on another switch and going through a trunk I created a port in vlan 88 on the core 6500 switch and connected the IPS there. The problems stopped then. There is no packet storm and the CPU usage on the IPS is normal.

kasper123 Mon, 03/30/2009 - 14:49

I thought I solved the problem but unfortunately it keeps happening again. Out of nowhere the CPU goes to 100% and there is a huge number of packets on the interface on which the IPS is connected.

If I go and change any signature and apply that then it all goes down and it works fine for a while.

Then it starts all over again.

Can anyone think of what might cause this?

kasper123 Thu, 04/02/2009 - 15:01

From the top applications gadget I noticed that all the packets causing the storm were UDP/161 (SNMP) packets. Since the IPS is between two firewalls I blocked UDP/161 on both firewalls and it seemed to work fine. About 16 hours later the CPU was again at 100% but this time it was UDP/389 packets that were causing the storm (these are LDAP packets). So in both cases it was UDP traffic that was causing the storm. Any idea how to solve this?

kasper123 Tue, 04/07/2009 - 02:25

Now it is UDP/53 traffic that is flooded between the inside interface of the ASA and the outside interface of the FWSM.

So it is always UDP traffic that is flooded when the IPS CPU is at 100%.

I'm desperate for a solution.

Does anyone have any idea on how to solve this?
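As an added example (not code from the thread or from Cisco), the following Python script does what the poster did by hand with the top applications gadget: it reads per-second packet counters and flags which UDP destination port is carrying storm-level traffic. The counter lines are constructed; the 10000 pps storm threshold and the 100 pps baseline are taken from the numbers quoted in the thread.

```python
from collections import defaultdict

# Constructed sample of per-second interface counters (not from the thread's sensor):
# "epoch_second proto dst_port packets". Background traffic sits around 100 pps;
# the storms described in the thread are 10000-20000 pps on one UDP port at a time.
SAMPLE_COUNTERS = """\
1238464800 udp 53 95
1238464800 tcp 443 210
1238464801 udp 53 110
1238464802 udp 161 18500
1238464802 udp 53 90
1238464803 udp 161 19900
1238464804 udp 389 12400
1238464805 tcp 80 300
"""

STORM_PPS = 10000    # rate at which the sensor in the thread pegged the CPU at 100%
BASELINE_PPS = 100   # normal rate observed once a storm stopped


def parse_counters(text):
    """Parse 'second proto dport packets' lines into (second, proto, dport, packets)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sec, proto, dport, pkts = line.split()
        rows.append((int(sec), proto.lower(), int(dport), int(pkts)))
    return rows


def udp_rate_by_port(rows):
    """Per-second packet rate for each UDP destination port: port -> {second: packets}."""
    rates = defaultdict(lambda: defaultdict(int))
    for sec, proto, dport, pkts in rows:
        if proto == "udp":
            rates[dport][sec] += pkts
    return rates


def detect_udp_storms(text, storm_pps=STORM_PPS):
    """Return {udp_port: peak_pps} for ports whose rate reaches storm_pps in any second."""
    rates = udp_rate_by_port(parse_counters(text))
    return {port: max(per_sec.values())
            for port, per_sec in rates.items()
            if max(per_sec.values()) >= storm_pps}


if __name__ == "__main__":
    for port, peak in sorted(detect_udp_storms(SAMPLE_COUNTERS).items()):
        print(f"UDP/{port}: peak {peak} pps ({peak // BASELINE_PPS}x the 100 pps baseline)")
```

With the constructed sample this reports UDP/161 and UDP/389 as storms while UDP/53 stays at background levels, which is the pattern the thread describes before the DNS port was hit as well.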
