Hi, I have a 2811 with 2 interfaces: 1 that is my T1 to the Internet and 1 that connects to my LAN. On the WAN interface, I have IPS turned on for in and out. However, when I have it turned on for the in direction, traffic on the inside has about a 30% success rate of loading a webpage. I've examined my interfaces and there are no errors or drops. As soon as I take the in statement off the WAN interface, traffic flows 100%. The out statement seems to have no effect whatsoever. The log doesn't show any IPS signatures being matched. I am at a loss; has anyone seen this before? The router has all of the defaults, no tweaking, only a couple of sigs disabled. Like I said, operations are 100% normal when I take the in statement off, but when I put it back traffic passes at a 30% rate.
I have the same symptoms with a 2811 with Advanced IP Services 12-4.3.
When I enable the IPS feature on the LAN interface (in & out direction) with the 256MB.sdf file, some applications, including HTTP, begin to fail. Then I disabled all the signatures that were alarming, but it still fails. It doesn't have high CPU or any other active feature.
I have the same issue with IPS on the inside interface as well. Some web pages time out and complain about page not found, and download speeds are degraded to 3/4 of the actual speed. I tweaked values (dns-timeout, max timeout connection and so forth) but no resolution.
I decided to open a case with TAC to see if they can shed light on it.
I am not using IOS IPS, but I have had a similar issue with the IPS 4200 series. In my case it had to do with sig 1330 and subsigs 12, 15, 17. Sig 1330 makes up the normalizer engine, and most of its subsigs have a default action of "deny packet inline" or "modify packet inline". By default sig 1330 does not have the action "produce alert". Therefore, it denies traffic and you do not know about it!
Again, not sure if IOS IPS is the same, but it's worth a look. Set sig 1330 and all subsigs to produce alert and then watch your logs. The subsigs that fire the most are probably the ones causing your issues. For these, remove the "deny" actions and see how it runs. Another sig that causes issues if a firewall is nearby is 1308, TTL Evasion. Seems this one causes trouble too. I always disable this one.
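The triage step described in the post above (make the sig 1330 subsigs alert, then watch which ones fire most before removing their deny actions) as an added example, not code from the poster or from Cisco: a small Python tally over syslog lines. The sample lines and their counts are constructed for this example, and the message shape (`%IPS-4-SIGNATURE: Sig:<id> Subsig:<n> ...`) is assumed from the form IOS IPS syslog messages take; a 4200-series sensor logs through SDEE/IDM instead, so the regex would need adjusting there.

```python
import re
from collections import Counter

# Constructed sample syslog output, not captured from the routers in this
# thread. The format follows IOS IPS %IPS-4-SIGNATURE messages (assumed);
# the Sig/Subsig pairs and descriptions are made up for the example.
SAMPLE_LOG = """\
Mar  3 10:01:02.111: %IPS-4-SIGNATURE: Sig:1330 Subsig:12 Sev:2 TCP Drop [10.0.0.5:3341 -> 198.51.100.7:80] VRF:NONE RiskRating:50
Mar  3 10:01:02.390: %IPS-4-SIGNATURE: Sig:1330 Subsig:15 Sev:2 TCP Drop [10.0.0.5:3342 -> 198.51.100.7:80] VRF:NONE RiskRating:50
Mar  3 10:01:03.004: %IPS-4-SIGNATURE: Sig:1330 Subsig:12 Sev:2 TCP Drop [10.0.0.9:1055 -> 203.0.113.20:443] VRF:NONE RiskRating:50
Mar  3 10:01:03.521: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.2)
Mar  3 10:01:04.117: %IPS-4-SIGNATURE: Sig:1308 Subsig:0 Sev:2 TTL Evasion [10.0.0.5:3343 -> 198.51.100.7:80] VRF:NONE RiskRating:50
Mar  3 10:01:04.880: %IPS-4-SIGNATURE: Sig:1330 Subsig:12 Sev:2 TCP Drop [10.0.0.5:3344 -> 198.51.100.7:80] VRF:NONE RiskRating:50
Mar  3 10:01:05.302: %IPS-4-SIGNATURE: Sig:1330 Subsig:17 Sev:2 TCP Drop [10.0.0.9:1056 -> 203.0.113.20:443] VRF:NONE RiskRating:50
Mar  3 10:01:05.777: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [10.0.0.5:0 -> 198.51.100.7:0] VRF:NONE RiskRating:25
Mar  3 10:01:06.013: %IPS-4-SIGNATURE: Sig:1330 Subsig:12 Sev:2 TCP Drop [10.0.0.5:3345 -> 198.51.100.7:80] VRF:NONE RiskRating:50
Mar  3 10:01:06.450: %IPS-4-SIGNATURE: Sig:1308 Subsig:0 Sev:2 TTL Evasion [10.0.0.9:1057 -> 203.0.113.20:443] VRF:NONE RiskRating:50
Mar  3 10:01:07.102: %IPS-4-SIGNATURE: Sig:1330 Subsig:15 Sev:2 TCP Drop [10.0.0.5:3346 -> 198.51.100.7:80] VRF:NONE RiskRating:50
"""

# Only the signature and subsignature ids are needed for the tally; other
# %IPS severities (e.g. %IPS-3-...) are matched by the \d too.
SIG_RE = re.compile(r"%IPS-\d-SIGNATURE: Sig:(\d+) Subsig:(\d+)")


def tally_subsigs(log_text, sig_id=None):
    """Count (sig, subsig) hits in syslog text, optionally for one sig only.

    Lines that are not IPS signature events are skipped.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = SIG_RE.search(line)
        if not m:
            continue
        sig, subsig = int(m.group(1)), int(m.group(2))
        if sig_id is not None and sig != sig_id:
            continue
        counts[(sig, subsig)] += 1
    return counts


def top_subsigs(log_text, sig_id, n=3):
    """Return the n most frequently firing subsigs of one signature.

    This is the list the poster suggests working through: the loudest
    subsigs are the first candidates for removing the deny action.
    """
    return tally_subsigs(log_text, sig_id).most_common(n)


def report(log_text, sig_id):
    """Human-readable ranking for one signature, one line per subsig."""
    lines = []
    for (sig, subsig), hits in top_subsigs(log_text, sig_id, n=None):
        lines.append(f"Sig:{sig} Subsig:{subsig} fired {hits} time(s)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG, 1330))
```

Run it against a saved `show logging` capture instead of `SAMPLE_LOG` once the normalizer subsigs are set to produce-alert; the ranking tells you which subsigs to try un-denying first, and a second run after the change confirms the alerts continue while the drops stop.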
I am currently experiencing the same issue on a 2801 router. When I enable IPS on a single interface, that single interface experiences a throughput decrease of 20 times the normal, i.e. I can download from a non-IPS-enabled interface at 200KB, while on the IPS-enabled interface throughput bursts to 20KB if I'm lucky. I have gone to the extent of disabling ALL of the signatures, so it would seem that there is something inherent in the IPS engine itself that is truly detrimental to the proper functioning of an interface. I've got a TAC case open and have received some suggestions, but to no avail.