New Member

Ask : IPS Bottleneck Issue

Hi all,

Please give me an understanding of the IPS packet flow inspection.

I have a problem with the IPS; it seems like a bottleneck issue.

When I turn on the IPS machine, all processes go down.

But when I turn off the IPS, all processes become normal again.

FYI, I have already set the bypass configuration to ON and set all event action rules to "Produce Alert".

What is the probable cause of my problem?

What should I do with Anomaly Detection? Should I change the AD mode to inactive?

Thank you.

4 REPLIES
Bronze

What do you mean by "all process being down"?

With Bypass set to ON, IPS should simply pass all traffic without analyzing.

With Event Action set to "Produce Alert", is the alert rate too high? Are there some particular signatures firing a lot? (Check show statistics virtual-sensor.)

Regards,

Sawan Gupta

New Member

Thank you, Sawan, for your answer.

First, I want to inform you about "all process being down": it means that the server inside the server farm goes down when I turn on the IPS.

I already set bypass to ON on the interface, and set all actions in the signatures to Produce Alert, meaning that no inline packet drop / modify is conducted by the IPS sensor, but the servers still cannot operate as well as when the IPS is turned off.

What problem may be occurring?

Bronze

If Bypass is set to ON, then IPS shouldn't be doing anything. It looks like a configuration issue.

Regards,

Sawan Gupta

New Member

Yeah, it should be like that, but actually when I set the bypass to ON, the traffic from the server farm still can operate as well as when turning off the IPS.

Actually, I just configured the interface pair, one to ASA and one to Access-Server Farm.

Before, this configuration operated well, and no problems occurred.

But after deploying some applications inside the server farm, there are so many problems; most of them are that the process of the application becomes "Slow" when the IPS is turned ON.

What is the best-practice configuration for the IPS? What do you think?
