The problem we have is that the IPS is constantly at 100% CPU.
This is how the network is connected:
We have a 6500 on which we have a FWSM module and the default gateway for the FWSM (for internet) is on vlan 88.
This 6500 is then trunked to another switch. One of the ports on that switch is in vlan 88. That is where the IPS is connected and the other interface of the IPS goes to our outside ASA.
The other two interfaces of the IPS are connected on the other side of the ASA towards internet.
First thing I noticed is that the number of packets the IPS has received is huge.
When the CPU peaks there is a huge amount of packets on the port where the IPS is connected and on the trunk between the 6500 and the other switch.
If I change something on the IPS (let's say modify any of the signatures) the CPU goes down and the number of packets on the trunk and on the port where the IPS is connected drops (around 100 packets/second). Then all of a sudden there is a storm of 10000-20000 packets per second and the IPS starts peaking the CPU at 100%.
I removed the interface pair from the sensor just to see whether something is going to change but it didn't. The IPS doesn't scan the traffic but the CPU started peaking again.
Currently the CPU is at 100%, inspection load is at 8%, System memory usage is at 47%, analysis engine memory is at 35%. Disk usage is also normal.
It seems that the IPS is creating some sort of a broadcast storm but I can't figure why.
Does anyone have an idea as to what might cause this?
Instead of connecting the IPS on another switch and going through a trunk I created a port in vlan 88 on the core 6500 switch and connected the IPS there. The problems stopped then. There is no packet storm and the CPU usage on the IPS is normal.
From the top applications gadget I noticed that all the packets causing the storm were UDP/161 (SNMP) packets. Since the IPS is between two firewalls I blocked UDP/161 on both firewalls and it seemed to work fine. About 16 hours later the CPU was again at 100% but this time it was UDP/389 packets that were causing the storm (these are LDAP packets). So in both cases it was UDP traffic that was causing the storm. Any idea how to solve this?
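The follow-up narrows the storm down to one UDP port at a time (161, then 389) using the sensor's "top applications" gadget. The small script below is an added example, not code from the thread or from Cisco, showing how to get the same answer from a packet capture taken on the IPS port or the trunk: it parses tcpdump-style UDP summary lines, counts packets per second per destination port to find the storming port, and measures how many datagrams in a given second are exact repeats of an earlier one (the same source, destination, ports and length), which is the signature of a forwarding loop rather than of genuinely busy polling. The sample lines and the 50 packets/second threshold are constructed for the example.

```python
import re
from collections import Counter

# tcpdump-style UDP summary line: "<sec> IP <src>.<sport> > <dst>.<dport>: UDP, length <n>"
LINE_RE = re.compile(
    r"^(?P<sec>\d+)\s+IP\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+UDP,\s+length\s+(?P<length>\d+)$"
)

# Constructed sample capture (not from the thread): second 0 is quiet,
# second 1 is one SNMP datagram seen 120 times (looped), second 2 one LDAP
# datagram seen 80 times. One TCP line is included to show it is skipped.
SAMPLE_LINES = (
    [
        "0 IP 10.1.88.10.43000 > 10.1.88.1.53: UDP, length 40",
        "0 IP 10.1.88.11.43001 > 10.1.88.1.53: UDP, length 41",
        "0 IP 10.1.88.12.50000 > 10.1.88.1.161: UDP, length 60",
        "1 IP 10.1.88.10.43002 > 10.1.88.1.53: UDP, length 40",
        "1 IP 10.1.88.10.33000 > 10.1.88.1.80: Flags [S], seq 1, length 0",
    ]
    + ["1 IP 10.1.88.12.50000 > 10.1.88.1.161: UDP, length 60"] * 120
    + ["2 IP 10.1.88.20.51000 > 10.1.88.2.389: UDP, length 90"] * 80
)


def parse_udp_line(line):
    """Return a dict for a UDP summary line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sec", "sport", "dport", "length"):
        rec[key] = int(rec[key])
    return rec


def per_second_port_counts(lines):
    """Count UDP packets per (second, destination port)."""
    counts = Counter()
    for line in lines:
        rec = parse_udp_line(line)
        if rec:
            counts[(rec["sec"], rec["dport"])] += 1
    return counts


def storm_ports(lines, threshold=50):
    """(second, dport, count) for every second/port at or above the threshold."""
    counts = per_second_port_counts(lines)
    return sorted((sec, port, n) for (sec, port), n in counts.items() if n >= threshold)


def repeated_datagram_fraction(lines, second):
    """Fraction of UDP datagrams in `second` that exactly repeat an earlier one.

    Normal polling from many hosts gives mostly distinct datagrams; a
    layer-2 loop replays the same datagram, so this ratio approaches 1.0.
    """
    seen = set()
    total = repeats = 0
    for line in lines:
        rec = parse_udp_line(line)
        if not rec or rec["sec"] != second:
            continue
        key = (rec["src"], rec["sport"], rec["dst"], rec["dport"], rec["length"])
        total += 1
        if key in seen:
            repeats += 1
        seen.add(key)
    return repeats / total if total else 0.0


if __name__ == "__main__":
    for sec, port, n in storm_ports(SAMPLE_LINES):
        ratio = repeated_datagram_fraction(SAMPLE_LINES, sec)
        print(f"second {sec}: UDP/{port} {n} pkt/s, repeated-datagram ratio {ratio:.2f}")
```

Feeding this a real capture (`tcpdump -nn -tt udp` output with the timestamp truncated to whole seconds) shows both the port to block at the firewalls and, through the repeat ratio, whether the traffic is replayed copies of a few packets, which points at a loop between the trunk, vlan 88 and the IPS interface pair rather than at the SNMP or LDAP clients themselves.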