We have several AIP-SSM-20s on the ASA, and one of the AIP-SSM-20s saw high CPU status one hour ago and it is still going on.
Another AIP-SSM-20 has 2~20% CPU load.
Is this normal status? Do you have same
I have one more question: where can I find the IPS Manager Express configuration manual on the Cisco site?
I have not found a manual anywhere on the Cisco site for the configuration of IPS.
I really appreciate any help.
Usage over last 5 seconds = 97
Usage over last minute = 93
Usage over last 5 minutes = 72
Memory usage (bytes) = 1026400256
Memory free (bytes) = 1067204608
Check the amount of packets going through the IPS. Maybe there are a lot of small packets processed by it and so the CPU is high.
It is a manual on how to configure IPS too.
Thanks for your reply!
Yes, you're right, there are a lot of packets going through the IPS.
Is it possible to find on the IME which IP address is generating the packets?
Analyze events for the time of high CPU utilization and see if there were alarms for some flood, for example, DNS flood, SYN flood, etc.
Thanks for your reply.
I have found a lot of TCP SYN HOST attacks.
Is it related to the high CPU on the IPS?
Thanks for any help.
It is difficult to say, I'm not seeing the exact signature.
If it is 3030/0, it is my understanding (from experience and TAC) that it is quite common that a busy host (user)/SMTP server/proxy server fires this alarm.
It is my understanding that 3030/0 is based on the source port of the initial SYN. So an internal host initiates a TCP connection to an internet host, its source TCP port is (for example) 1049. The IPS tracks that. The user powers off their PC at the end of the day. Next day, user powers up the host and TCP source ports begin all over at 1024 (XP, don't know about Vista/7.) The user connects to TCP hosts in the Internet, one of those TCP SYNs is sourced by TCP 1049. 3030/0 fires. My understanding from TAC is that the IPS module remembers this TCP communication as long as the IPS itself hasn't been rebooted. So, one may see a whole lot of 3030/0 alarms.
An SMTP server can make this fire a lot.
Potential resolution options may be: disabling 3030/0 or writing an EAF (and try to be specific on the source host(s)).
Thanks for your reply.
Yes, you're right, that Sig. ID is
In your opinion, Sig. ID 3030/0 does not cause high CPU on the IPS module?
Sig 3030/0 fires when 15 destination hosts are seen from 1 src host.
I don't know about your network, but usually this signature doesn't cause high CPU load.
Maybe if you have 1000 hosts generating a sweep it may cause the high CPU load.
In any case you may turn off this signature and then see if it causes high CPU utilization.
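As an added illustration (not code from the thread or from Cisco) of the counting behaviour the two previous posts describe: a per-source counter of distinct destination hosts with the 15-host threshold, run over constructed SYN records both without state expiry (the "remembers until the sensor reboots" case) and with a time window; the window parameter and the sample hosts are assumptions.

```python
from collections import defaultdict

# Threshold given in the thread: 3030/0 fires when one source is seen
# contacting 15 distinct destination hosts.
SWEEP_THRESHOLD = 15


def detect_host_sweeps(flows, threshold=SWEEP_THRESHOLD, window=None):
    """Count distinct destination hosts per source over TCP SYN records.

    flows: iterable of (timestamp_seconds, src_ip, dst_ip).
    window: None means state is never aged out (the 'remembers until the
    sensor reboots' behaviour described above); a number of seconds means
    destinations not seen within that window are forgotten (assumed knob).
    Returns {src_ip: timestamp_of_first_alert}.
    """
    seen = defaultdict(dict)  # src -> {dst: last_seen_ts}
    alerts = {}
    for ts, src, dst in sorted(flows):
        seen[src][dst] = ts
        if window is not None:
            seen[src] = {d: t for d, t in seen[src].items() if ts - t <= window}
        if len(seen[src]) >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts


def sample_flows():
    """Constructed sample data (not taken from the thread).

    10.0.0.5 behaves like a busy proxy: one new destination every ten
    minutes, 20 destinations over the day.
    10.0.0.9 behaves like a sweep: 15 destinations within 15 seconds.
    """
    flows = []
    for i in range(20):
        flows.append((i * 600, "10.0.0.5", f"198.51.100.{i + 1}"))
    for i in range(15):
        flows.append((20000 + i, "10.0.0.9", f"203.0.113.{i + 1}"))
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    print("no expiry :", detect_host_sweeps(flows))             # both hosts alert
    print("60s window:", detect_host_sweeps(flows, window=60))  # only 10.0.0.9
```

Without expiry the legitimately busy host crosses the threshold just like the sweep, which is why the posts above see the alarm from proxies and SMTP servers; ageing out old destinations keeps only the burst.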
Sorry, my attempt was primarily to point out there is a sig that may fire very often from legitimate authorized hosts. You were discussing a sig firing a lot.
As a test, you could disable 3030/0 temporarily to see if it changes your CPU usage. However, my suspicion is that it may not have much effect. Someone else here may disagree.
A whole lot of signatures have been created and enabled by default over the past year. And maybe you are on a version of IPS OS SW which enables the Atomic Engine (I think that is the engine) sigs; maybe there is more CPU cycle consumption with that.
Maybe a TAC case is suitable for your issue.
First of all, thanks for your reply.
As per your opinion, I did disable sig no. 3030, but it did not affect the high CPU situation.
I found strange status on the gigabit interface.
There is a lot of traffic going through it.
I am attaching the gigabit 0/1 interface status.
Do you think that is related to the high CPU?
Thanks for any help!
Thanks for your advice.
I did try to clear the interface counters, but I have not found the commands on the AIP-SSM.
Can you tell me how I can clear the interface counters?
Thanks for any help.