Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
374
Views
0
Helpful
2
Replies

877 with IPS and memory issues?

andrew.butterworth
Level 7
Level 7

‎06-26-2009 05:44 AM - edited ‎03-10-2019 04:40 AM

I have an 877 with 12.4(24)T Advanced IP Services. It is a DSL gateway and is configured with NAT, IPS & inbound VPN services. I have noticed that recently the L2TP/IPSec VPN feature has been failing for clients. After a bit of debugging I can see a message saying the router couldn't process the IPSec request due to a lack of memory (or something along those lines). I also noticed that the CPU is maxed out when applying new IPS signatures (for some reason the latest one (S409) won't even apply - however I haven't looked into why yet).

If I disable IPS on the dialer interface then L2TP/IPSec VPN works fine. If I reenable IPS it fails again. If I reboot the router, then give it time to get back up (IPS process maxes the CPU out for a few minutes after boot) then L2TP/IPSec VPN will work for a period - usually a day or so. After that it fails again I assume with the same memory issue.

The 877 has maximum DRAM (256Mb) & FLASH (52Mb) and I would rather keep IPS enabled if I can.

Andy

Labels:
0 Helpful
2 Replies 2

rhermes
Level 7
Level 7

‎06-26-2009 07:19 AM

You're asking alot from a little router.

Your CPU and memory are telling you that you can't put 10 lbs of features in a 5 lb bag.

You didn't mention running firewall on your 877. It might use less resources (especially while compliling signatures) than your IPS feature. Aside from that, you're going to have to transistion the least needed features of this router to keep it running. Move VPN to a different system, or stand up an external IPS sensor.

0 Helpful

andrew.butterworth
Level 7
Level 7
In response to rhermes

‎06-26-2009 12:38 PM

Yeh I already sort of thought that was the case. However disabling IPS releases an absolute load of resources. Even if I replaced it with an 1841 then with 256Mb of DRAM I am still going to be looking at similar issues?

Possibly looking at a non-cisco box to replace this now :o(

Andy

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card