IOS IPS troubleshooting

vicente.madrigal · ‎06-20-2007

Hi all,

I am enabling the IPS functionality on a 3825 router with IOS 12.4(3d). The problem is that when I enable the IPS (inbound direction of the router's ethernet interface) I start having connectivity problems with some applications even with all the signatures on alert (not to drop traffic).

Is there a debug or some troubleshooting that I can use in order to verify why the IPS is dropping some of the traffic?

Also I have read that when you enable the IPS functionality the router automatically activates de inspect engine and in consequence it will drop out-of-order packets and half open connections, is this correct?

Regards.

ymzhang · ‎06-20-2007

most likely you are hitting the out-of-order issue. It is fixed in the latest T-train.

Regarding your question, you are right. When ips is enabled, it will activates the deep inspection engine which will drop out-of-order packets.

-Chris

vicente.madrigal · ‎06-21-2007

Thanks Chris,

I will try the IOS upgrade to see if that helps me to solve the issue, by the way I am still looking for some debugs or troubleshooting commands that help me to verify that the IPS (and inspect engine) is dropping the packets. Do you know some commands or debugs that can help me?

Regards.

ymzhang · ‎06-21-2007

Yes. The module/doe that drops out-of-order packets belongs to the firewall session tracking function. If you use 'debug ip inspect detail' command, you should be able to find clue. Be careful not to use this command on your production network, this debug command will generate lots of messages.

Thanks,

-Chris