Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
751
Views
0
Helpful
3
Replies

Cisco IPS 4240 stops file downloads at 90%

hquiros
Level 1
Level 1

‎10-05-2010 08:42 AM - edited ‎03-10-2019 05:08 AM

Hi everybody. I have a Cisco IPS 4240 with version 7.0.4 installed and upgraded to the last signature. But since it was installed i have the issue with some file downloads because the IPS stops the file at 90-99% of download percentage (in some cases, not all), The ips is inline in front of firewall, some partner say me that i have to change the mode to promiscuous for the solution of the issue, but i think that if the IPS was designed for work inline, i dont have to change anything and maybe some expert of the forum have the correct answer.  Or this issue have solution with configuration changes.

Sorry by my write english.... I try to find some signature that causes the issue but if i disabled the sensor, the issue occurs. The firewall is not the problem because if i connect a laptop in front of the firewall and behind of IPS the issue occurs too. Well i have now some months trying of find a solution. In the page of Cisco not find some similar.... [:-(

Pd. An example of files that stop when downloads is Apple Itunes... or Microsoft Patch, or Vmware software by example.

Thanks for your response are greatly appreciated.

Labels:
0 Helpful
3 Replies 3

fadlouni
Level 1
Level 1

‎10-14-2010 07:09 AM

so you're saying if you put your sensor in bypass mode enabled, the problem remains? we first need to rule out if the issue is present when the sensor is in bypass mode (basically acting like a connected wire).

is this issue happening only with large files? what if you're downloading a small file does it also stop?

we need to find out what you mean the transfer stops in packet sense. is there a tcp reset sent? or traffic simply is dropped and the tcp connection timesout?

a good idea is to capture the traffic on the sensor on both ingress/egress interfaces. for more about packet capturing on the sensor:

http://www.cisco.com/en/US/docs/security/ips/7.0/command/reference/crCmds.html#wp481344

Regards

Fadi.

0 Helpful

hquiros
Level 1
Level 1
In response to fadlouni

‎10-19-2010 01:54 PM

Thnaks for your help this is the last packets before freeze the download:

The size of the download with problems is random, sometimes ocurrs with small size downloads sometimes ocurrs with large downloads. The download of the example have 47 MB, I think that the traffic is dropped and the tcp conn timeout. Do you see some anomalies in this traffic portion?.

14:55:20.536119 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.536122 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.536420 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.536718 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.536820 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.537123 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.537125 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.537517 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.537520 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.537522 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.537821 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.537823 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.538116 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.538118 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.538415 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.538418 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.544207 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.544307 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.638362 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.638365 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.638463 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.638562 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.638862 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.638864 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.638866 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.639164 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.639166 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.639560 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.639562 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.639564 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.639960 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.640260 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.640263 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.640568 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.641958 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.641960 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.642158 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.742304 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.742603 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.742605 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.742607 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.742903 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.743202 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.743302 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.743601 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.745000 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.745100 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.845347 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.845548 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.845550 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.845647 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.845845 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.846245 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.846247 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.846544 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.849040 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48010926 win 65335
14:55:20.849439 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48012386 win 65335
14:55:20.948787 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48015306 win 65335
14:55:20.948789 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48018226 win 65335
14:55:20.952982 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48021146 win 65335
14:55:20.953679 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48024066 win 65335
14:55:21.055723 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48029906 win 65335
14:55:21.055725 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48032826 win 65335
14:55:21.055930 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48035746 win 65178
14:55:21.058919 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48037206 win 65335
14:55:21.068809 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48040126 win 65335
14:55:21.068812 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48043046 win 65335
14:55:21.069006 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48045966 win 65335
14:55:21.070103 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48048886 win 65335
14:55:21.158967 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48051806 win 65335
14:55:21.159265 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48054726 win 65335
14:55:21.159465 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48057646 win 65335
14:55:21.159864 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48060566 win 65335
14:55:21.159867 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48063486 win 64605
14:55:21.162162 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48066406 win 63875
14:55:21.162260 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48066406 win 65335
14:55:21.172245 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48069326 win 65335
14:55:21.172248 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48072246 win 65335
14:55:21.172545 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48075166 win 65335
14:55:21.172645 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48078086 win 64605
14:55:21.172744 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48078086 win 65335
14:55:21.172844 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48081006 win 65335
14:55:21.173144 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48083926 win 64605
14:55:21.185225 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48083926 win 65335
14:55:21.572333 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48116046 win 65335
14:55:21.585313 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
14:55:21.585315 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
14:55:21.585414 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
14:55:21.585417 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
14:55:21.585512 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
14:55:21.677172 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
14:55:21.688654 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
14:55:21.688657 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48158386 win 65335
14:55:21.688757 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48158386 win 65335
14:55:21.780613 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48170066 win 65335
14:55:21.883755 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48170066 win 65335
14:55:21.986998 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48170066 win 65335
14:55:22.090639 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48170066 win 65335

0 Helpful

hquiros
Level 1
Level 1
In response to hquiros

‎10-19-2010 02:06 PM

An this is the capture of the portion of final packets on the other interface downloading the same file in other time.

15:12:00.320770 IP 10.0.0.1.50351 > apollo.fileburst.net.80: . ack 48096342 win 65335
15:12:00.330712 IP 10.0.0.1.50351 > apollo.fileburst.net.80: . ack 48096342 win 65335
15:12:00.330787 IP 10.0.0.1.50351 > apollo.fileburst.net.80: . ack 48096342 win 65335
15:12:00.422834 IP 10.0.0.1.50351 > apollo.fileburst.net.80: . ack 48096342 win 65335
15:12:00.424274 IP 10.0.0.1.50351 > apollo.fileburst.net.80: . ack 48096342 win 65335
15:12:00.434340 IP 10.0.0.1.50351 > apollo.fileburst.net.80: . ack 48096342 win 65335
15:12:00.526516 IP 10.0.0.1.50351 > apollo.fileburst.net.80: . ack 48096342 win 65335
15:12:00.527848 IP 10.0.0.1.50351 > apollo.fileburst.net.80: . ack 48096342 win 65335
15:12:00.537784 IP 10.0.0.1.50351 > apollo.fileburst.net.80: . ack 48096342 win 65335
15:12:00.629976 IP 10.0.0.1.50351 > apollo.fileburst.net.80: . ack 48096342 win 65335
15:12:00.631895 IP 10.0.0.1.50351 > apollo.fileburst.net.80: . ack 48160582 win 65335
15:12:00.641321 IP 10.0.0.1.50351 > apollo.fileburst.net.80: . ack 48160582 win 65335
15:12:00.744751 IP 10.0.0.1.50351 > apollo.fileburst.net.80: . ack 48160582 win 65335
15:12:00.744829 IP 10.0.0.1.50351 > apollo.fileburst.net.80: . ack 48160582 win 65335
15:12:00.746126 IP 10.0.0.1.50351 > apollo.fileburst.net.80: . ack 48160582 win 65335
15:12:00.848189 IP 10.0.0.1.50351 > apollo.fileburst.net.80: . ack 48160582 win 65335
15:12:00.849646 IP 10.0.0.1.50351 > apollo.fileburst.net.80: . ack 48160582 win 65335
15:12:01.673735 IP 10.0.0.1.50351 > apollo.fileburst.net.80: . ack 48160582 win 65335
15:12:01.675281 IP 10.0.0.1.50351 > apollo.fileburst.net.80: . ack 48169342 win 65335

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card