11-01-2009 09:25 PM - edited 03-10-2019 04:48 AM
Dear Experts!
We have several AIP-SSM-20s on the ASA, and one of the AIP-SSM-20s started showing high CPU status one hour ago and it is still going on.
Another AIP-SSM-20 has 2~20% CPU load.
Is this normal status? Do you have the same experience?
I have one more question: where can I find the IPS Manager Express configuration manual on the Cisco site?
I have not found a manual anywhere on the Cisco site for the configuration of the IPS.
I really appreciate any help.
Regards.
======================================
CPU Statistics
Usage over last 5 seconds = 97
Usage over last minute = 93
Usage over last 5 minutes = 72
Memory Statistics
Memory usage (bytes) = 1026400256
Memory free (bytes) = 1067204608
========================================
11-02-2009 12:15 AM
Check the amount of packets going through the IPS. Maybe there are a lot of small packets processed by it and so the CPU is high.
IME guide is here: http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/ime/imeguide7.html
It is a manual on how to configure the IPS too.
11-02-2009 12:55 AM
Thanks for your reply!
Yes, you're right, there are a lot of packets going through the IPS.
Is it possible to find on the IME which IP address is generating the packets?
Thanks again!
11-02-2009 12:58 AM
11-02-2009 01:30 AM
Analyze events for the time of high CPU utilization and see if there were alarms for some flood, for example a DNS flood, SYN flood, etc.
11-02-2009 08:57 PM
Dear Andrey!
Thanks for your reply.
I have found a lot of TCP SYN Host Sweep attacks.
Is it related to the high CPU on the IPS?
Thanks for any help.
11-03-2009 02:12 AM
Maybe.
If this attack was absent at the time of normal CPU load, I think that this event may cause it.
You may check it.
11-03-2009 11:28 AM
It is difficult to say; I'm not seeing the exact signature.
If it is 3030/0, it is my understanding (from experience and TAC) that it is quite common for a busy host (user)/SMTP server/proxy server to fire this alarm.
It is my understanding that 3030/0 is based on the source port of the initial SYN. So an internal host initiates a TCP connection to an internet host; its source TCP port is (for example) 1049. The IPS tracks that. The user powers off their PC at the end of the day. The next day, the user powers up the host and TCP source ports begin all over at 1024 (XP; don't know about Vista/7). The user connects to TCP hosts in the Internet, and one of those TCP SYNs is sourced by TCP 1049. 3030/0 fires. My understanding from TAC is that the IPS module remembers this TCP communication as long as the IPS itself hasn't been rebooted. So, one may see a whole lot of 3030/0 alarms.
An SMTP server can make this fire a lot.
Potential resolution options may be disabling 3030/0 or writing an EAF (and try to be specific on the source host(s)).
11-03-2009 04:51 PM
Thanks for your reply.
Yes, you're right, the Sig ID is 3030/0.
In your opinion, does Sig ID 3030/0 not cause high CPU on the IPS module?
11-04-2009 04:50 AM
Sig 3030/0 fires when 15 destination hosts are seen from 1 source host.
I don't know about your network, but usually this signature doesn't cause high CPU load.
Maybe if you have 1000 hosts generating sweeps it may cause high CPU load.
In any case, you may turn off this signature and then see if it causes high CPU utilization.
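The two posts above describe how the host-sweep signature behaves: it alarms once one source has been seen talking to 15 distinct destinations, and (per the earlier post) the tracked state is remembered until the sensor reboots, so a busy but legitimate host that reboots overnight can eventually trip it. The following is an added example written for this thread, not code from the original page or from Cisco, that models that detection over a constructed set of SYN records and shows how ageing the per-source state out changes which hosts alarm. The log format, the IP addresses, the 8-hour window and the `build_sample` data are all assumptions made for illustration.

```python
"""Host-sweep detector modelled on the threshold described for sig 3030/0.

One alarm per source IP once it has been seen sending SYNs to 15 or more
distinct destination IPs. With window=None the per-source state is never aged
out, mirroring the "remembered until the IPS reboots" behaviour; with a
timedelta window, destinations not seen within that window are forgotten.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SWEEP_THRESHOLD = 15  # distinct destinations per source, as stated in the thread

# Constructed record format (assumption, not a real IPS log line):
# "<ISO timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
def parse_syn(line):
    ts, src, _arrow, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src_ip, int(src_port), dst_ip, int(dst_port)


def detect_sweeps(lines, threshold=SWEEP_THRESHOLD, window=None):
    """Return {src_ip: sorted destinations at alarm time} for sources that
    reach `threshold` distinct destinations. `window` is None (never age out)
    or a timedelta after which an unseen destination is dropped from state."""
    seen = defaultdict(dict)  # src_ip -> {dst_ip: last_seen}
    alarms = {}
    for line in lines:
        if not line.strip():
            continue
        ts, src, _sport, dst, _dport = parse_syn(line)
        hosts = seen[src]
        if window is not None:
            stale = [d for d, last in hosts.items() if ts - last > window]
            for d in stale:
                del hosts[d]
        hosts[dst] = ts
        if len(hosts) >= threshold and src not in alarms:
            alarms[src] = sorted(hosts)  # alarm once, like a per-source signature
    return alarms


def build_sample():
    """Constructed sample traffic (not a capture):
    - 10.1.1.50: a busy legitimate host, 8 destinations on day one and 8
      different ones the next morning (source ports restart at 1024 after
      the overnight reboot described in the thread).
    - 192.0.2.7: a real sweep, 20 hosts in 20 seconds.
    """
    lines = []
    day1 = datetime(2009, 11, 3, 9, 0, 0)
    day2 = day1 + timedelta(days=1)
    for i in range(8):
        t = (day1 + timedelta(minutes=i)).isoformat()
        lines.append(f"{t} 10.1.1.50:{1024 + i} -> 198.51.100.{10 + i}:80")
    for i in range(8):
        t = (day2 + timedelta(minutes=i)).isoformat()
        lines.append(f"{t} 10.1.1.50:{1024 + i} -> 198.51.100.{30 + i}:80")
    for i in range(20):
        t = (day2 + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} 192.0.2.7:{40000 + i} -> 10.1.2.{i + 1}:445")
    return sorted(lines)  # ISO timestamps sort lexicographically


if __name__ == "__main__":
    sample = build_sample()
    print("never aged out :", sorted(detect_sweeps(sample)))
    print("8-hour window  :", sorted(detect_sweeps(sample, window=timedelta(hours=8))))
```

Run as-is, the first mode alarms on both the legitimate host and the sweeper, while the windowed mode alarms only on the sweeper. The practical point for the thread is the one the posters make: this kind of signature is cheap per packet, so its firing is a symptom of the traffic mix rather than a likely cause of high CPU, and tuning it (a window, an exclusion for known busy hosts) changes the alarm count, not the load.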
11-04-2009 06:02 AM
Sorry, my attempt was primarily to point out that there is a sig that may fire very often from legitimate, authorized hosts. You were discussing a sig firing a lot.
As a test, you could disable 3030/0 temporarily to see if it changes your CPU usage. However, my suspicion is that it may not have much effect. Someone else here may disagree.
A whole lot of signatures have been created and enabled by default over the past year. And maybe you are on a version of the IPS OS SW which enables the Atomic Engine (I think that is the engine) sigs; maybe there is more CPU cycle consumption with that.
Maybe a TAC case is suitable for your issue.
11-05-2009 12:55 AM
First of all, thanks for your reply.
As per your opinion, I disabled sig no. 3030, but it did not affect the high CPU situation.
I found a strange status on the gigabit interface.
There is a lot of traffic going through it.
I am attaching the gigabit 0/1 interface status.
Do you think that is related to the high CPU consumption?
Thanks for any help!
11-05-2009 04:31 AM
Is Gi0/1 subinterfaced to process the traffic and return the clean traffic to the ASA, or do you use it in promiscuous mode?
11-05-2009 05:53 PM
Thanks for your advice.
I tried to clear the interface counters, but I have not found the command on the AIP-SSM.
Can you tell me how I can clear the interface counters?
Thanks for any help.
11-06-2009 12:18 AM
# show interfaces clear
It will clear all interface counters, not a specific one.