
IOS IPS - Reset Connection

Hi,

IOS IPS was configured to only generate alerts. During testing it was observed that the IPS was resetting connections.

log below:

*Oct 10 14:30:29: %IPS-6-SEND_TCP_PAK: Sending TCP packet:(X.X.X.X:433)=>(y.y.y.y:63170),tcp flag:0x4, pak:0x2166449C, iso:0x3D5C7160,tcp seq:0x0, tcp ack:0x0, tcp_window:8192, ip_checksum:0x44B8, Serial0/0/0.1,feat_flags:0x10000, fast_path(no)

Some time ago Cisco identified a bug in earlier versions. After opening some TAC cases, TAC suggested upgrading the IOS and subscription packages.

Cisco recommendation below:

IOS Version : c2900-universalk9-mz.SPA.153-3.M.bin

Packet sig: OS-S744-CLI.pkg

Configuration Cisco Router

ip ips config location flash:ips retries 1

ip ips notify SDEE

ip ips name iosips

!

ip ips signature-category

  category all

   retired true

  category ios_ips basic

   retired false

   event-action produce-alert

Could anyone tell me how to solve this problem?

Best Regards

Rodolfo Navero
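
Added example, not part of the original post or of Cisco's tooling: in the log line above, `tcp flag:0x4` is the RST bit of the TCP header, so each such message records a reset sent by the IPS itself. The sketch below parses SEND_TCP_PAK lines from collected syslog, decodes the flag byte and counts resets per interface; the field layout is assumed from the single line quoted in the post, and all function names are hypothetical.

```python
import re
from collections import Counter

# TCP header flag bits (RFC 793).
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}

# Field layout assumed from the single SEND_TCP_PAK line quoted in the post.
SEND_TCP_PAK = re.compile(
    r"%IPS-6-SEND_TCP_PAK: Sending TCP packet:"
    r"\((?P<src>[^:()]+):(?P<sport>\d+)\)=>\((?P<dst>[^:()]+):(?P<dport>\d+)\),"
    r"\s*tcp flag:(?P<flags>0x[0-9A-Fa-f]+),"
    r".*?ip_checksum:0x[0-9A-Fa-f]+,\s*(?P<intf>[^,\s]+),"
)

def decode_flags(value):
    """Return the names of the TCP flag bits set in value, lowest bit first."""
    return [name for bit, name in sorted(TCP_FLAGS.items()) if value & bit]

def parse_line(line):
    """Parse one syslog line; return a dict, or None if it is not SEND_TCP_PAK."""
    m = SEND_TCP_PAK.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    rec["flags"] = decode_flags(int(rec["flags"], 16))
    return rec

def resets_by_interface(lines):
    """Count IPS-originated packets carrying RST, per interface named in the log."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and "RST" in rec["flags"]:
            counts[rec["intf"]] += 1
    return counts

# First line is the one from the post; the other two are constructed samples.
SAMPLE_LOG = [
    "*Oct 10 14:30:29: %IPS-6-SEND_TCP_PAK: Sending TCP packet:(X.X.X.X:433)=>(y.y.y.y:63170),tcp flag:0x4, pak:0x2166449C, iso:0x3D5C7160,tcp seq:0x0, tcp ack:0x0, tcp_window:8192, ip_checksum:0x44B8, Serial0/0/0.1,feat_flags:0x10000, fast_path(no)",
    "*Oct 10 14:30:31: %IPS-6-SEND_TCP_PAK: Sending TCP packet:(192.0.2.10:443)=>(198.51.100.7:50112),tcp flag:0x14, pak:0x0, iso:0x0,tcp seq:0x0, tcp ack:0x0, tcp_window:8192, ip_checksum:0x0, Serial0/0/0.1,feat_flags:0x10000, fast_path(no)",
    "*Oct 10 14:30:40: %SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_line(line))
    print(dict(resets_by_interface(SAMPLE_LOG)))
```

A non-zero count while the only configured event action is `produce-alert` is the mismatch described in this thread, and the per-interface totals give TAC something concrete to compare against `sh ip ips statistics`.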

5 REPLIES

IOS IPS - Reset Connection

Hello Rodolfo,

So are you saying you did the upgrade as TAC requested and are still facing the same issue?

What's the BUG ID?

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura


IOS IPS - Reset Connection

Hello Julio,

Yes, I just followed the request of the TAC. The bug ID is CSCty10906.

The strange thing is that IPS does not match the signature effects, making it impossible to identify the event.

Regards

Rodolfo Navero

IOS IPS - Reset Connection

Hello Rodolfo,

I see what you mean.

You get something like :

%IPS-6-SEND_TCP_PAK:


and


%IPS-6-TIMEOUT_EVENT:

The only workaround I know is the following:

ip ips tunables alert-off

which will turn those alerts off.

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura


Re: IOS IPS - Reset Connection

But it will make the warnings go away, right?

But I still see the resets in the command sh ip ips statistics.

It seems the problem is in the subsystem of the feature.

I used the hidden command on the router, but it did not solve the problem.

csdb tcp  reassembly max-queue-length

Interfaces configured for ips 1

Session creations since subsystem startup or last reset 240

Current session counts (estab/half-open/terminating) [7:17:0]

Maxever session counts (estab/half-open/terminating) [10:59:1]

Last session created 00:00:01

Last statistic reset 00:04:15

TCP reassembly statistics

  Out-of-order packets dropped 0

++++++++++++++++++++++++++++++++++++++++++++++++++++++++

I performed some tests.

When I disable all signatures, no reset occurs.

However, when I enable a single signature, the resets continue.

I believe Cisco has a bug in the compilation of the feature.

sh ip ips statistics

Interfaces configured for ips 1

Session creations since subsystem startup or last reset 0

Current session counts (estab/half-open/terminating) [4:3:0]

Maxever session counts (estab/half-open/terminating) [4:3:0]

Last session created 00:23:36

Last statistic reset 00:15:40

TCP reassembly statistics

  Out-of-order packets dropped 0

Regards

Rodolfo Navero

IOS IPS - Reset Connection

Hello Rodolfo,

Totally agree with you,

My recommendation:

Reopen the TAC case and push for a fix or at least an explanation.

Regards,

Jcarvaja
