IOS IPS ACL failure

Hi,

I am enabling IOS IPS on my router's fa0/1 interface and I am filtering out some IP addresses from this IPS as per the below config, however the IPS is still firing signatures when receiving malicious traffic from these IPs!!

Any ideas why?!!

Here is the IPS config:

ip ips sdf location flash:/128MB.sdf
ip ips signature 2004 0 disable
ip ips name MyIPS list 1
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
 ip address 10.2.2.254 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.1.1.254 255.255.255.0
 ip ips MyIPS in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
logging trap debugging
logging 10.1.1.111
!
access-list 1 deny 10.1.1.111
access-list 1 deny 192.1.24.10
access-list 1 permit any

And here is the alarm which I see:

04-15-2008 01:12:56 Local7.Warning 10.1.1.254 130: *Apr 14 22:12:29.255: %IP_VFR-4-TOO_MANY_FRAGMENTS: FastEthernet0/1: Too many fragments per datagram (more than 32) - sent by 10.1.1.111, destined to 10.1.1.254

R/ Haitham


Re: IOS IPS ACL failure

Hi again,

A strange behaviour is that I disabled the IPS on fa0/1 using the command "no ip ips MyIPS in" but the router kept giving me alarms!!

Any idea!

R/ Haitham

Re: IOS IPS ACL failure

Haitham,

I don't believe this log entry to be related to IPS; it is warning you that the datagram being reassembled has received more fragments than its threshold. Try adding the

"ip virtual-reassembly max-fragments (number)" command,

(number) being the maximum number of fragments that you wish to allow, to increase the fragment value.

Mark
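The alarm quoted in the thread carries the facility tag IP_VFR, which is Virtual Fragment Reassembly: that feature is enabled by the separate `ip virtual-reassembly` line on FastEthernet0/1, so neither the ACL bound to `ip ips name MyIPS list 1` nor removing `ip ips MyIPS in` changes whether it fires. A quick way to check which feature a router's syslog is actually complaining about is to sort the messages by their %FACILITY-SEVERITY-MNEMONIC tag before looking at sources. The script below is an added example and is not code from the thread or from Cisco: it parses lines in the format the poster's syslog server produced, separates VFR warnings from IPS signature alerts, and flags any IPS alert whose source is one of the hosts that access-list 1 exempts (10.1.1.111 and 192.1.24.10), which would be a real sign that the IPS ACL is not being honoured. The %IPS-4-SIGNATURE field layout and the %SYS-5-CONFIG_I line are constructed sample data and their exact formatting is an assumption; the first VFR line is the one from the thread.

```python
import re
from collections import Counter

# Constructed sample syslog input. Line 1 is the alarm from the thread; the rest are
# invented for this example (the IPS alert layout is an assumption, not a captured log).
SAMPLE_LOGS = """\
04-15-2008 01:12:56 Local7.Warning 10.1.1.254 130: *Apr 14 22:12:29.255: %IP_VFR-4-TOO_MANY_FRAGMENTS: FastEthernet0/1: Too many fragments per datagram (more than 32) - sent by 10.1.1.111, destined to 10.1.1.254
04-15-2008 01:13:02 Local7.Warning 10.1.1.254 131: *Apr 14 22:12:35.101: %IP_VFR-4-TOO_MANY_FRAGMENTS: FastEthernet0/1: Too many fragments per datagram (more than 32) - sent by 10.1.1.37, destined to 10.1.1.254
04-15-2008 01:13:10 Local7.Warning 10.1.1.254 132: *Apr 14 22:12:43.520: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [10.1.1.37:0 -> 10.1.1.254:0]
04-15-2008 01:13:15 Local7.Warning 10.1.1.254 133: *Apr 14 22:12:48.004: %IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:25 ICMP Echo Reply [10.1.1.111:0 -> 10.1.1.254:0]
04-15-2008 01:14:00 Local7.Notice 10.1.1.254 134: *Apr 14 22:13:33.900: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.111)
"""

# Hosts that access-list 1 in the thread excludes from IPS inspection.
IPS_EXEMPT = {"10.1.1.111", "192.1.24.10"}

# Generic IOS message tag: %FACILITY-SEVERITY-MNEMONIC:
MNEMONIC_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+):")
# VFR warning exactly as it appears in the thread's alarm.
VFR_RE = re.compile(
    r"%IP_VFR-4-TOO_MANY_FRAGMENTS: (?P<ifname>\S+): Too many fragments per datagram "
    r"\(more than (?P<limit>\d+)\) - sent by (?P<src>[\d.]+), destined to (?P<dst>[\d.]+)"
)
# Assumed layout of an IOS IPS signature alert (constructed for this example).
IPS_RE = re.compile(
    r"%IPS-4-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.*?) \[(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+\]"
)


def parse_line(line):
    """Return a dict describing one syslog line, or None if it has no IOS message tag."""
    m = MNEMONIC_RE.search(line)
    if not m:
        return None
    rec = {"facility": m["facility"], "severity": int(m["severity"]),
           "mnemonic": m["mnemonic"], "feature": "other"}
    v = VFR_RE.search(line)
    if v:
        rec.update(feature="vfr", ifname=v["ifname"], limit=int(v["limit"]),
                   src=v["src"], dst=v["dst"])
        return rec
    s = IPS_RE.search(line)
    if s:
        rec.update(feature="ips", sig=int(s["sig"]), subsig=int(s["subsig"]),
                   name=s["name"], src=s["src"], dst=s["dst"])
    elif rec["facility"] == "IPS":
        rec["feature"] = "ips"  # IPS message with a layout we did not model
    return rec


def triage(lines, exempt=IPS_EXEMPT):
    """Count messages per feature, tally VFR senders, and flag IPS alerts from exempt hosts."""
    by_feature = Counter()
    vfr_sources = Counter()
    acl_violations = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        by_feature[rec["feature"]] += 1
        if rec["feature"] == "vfr":
            vfr_sources[rec["src"]] += 1
        elif rec["feature"] == "ips" and rec.get("src") in exempt:
            # The IPS ACL should have kept this host out of inspection entirely.
            acl_violations.append(rec)
    return {"by_feature": dict(by_feature), "vfr_sources": dict(vfr_sources),
            "ips_acl_violations": acl_violations}


if __name__ == "__main__":
    summary = triage(SAMPLE_LOGS.splitlines())
    print("messages per feature:", summary["by_feature"])
    print("VFR senders:", summary["vfr_sources"])
    for rec in summary["ips_acl_violations"]:
        print(f"IPS sig {rec['sig']} fired on exempt host {rec['src']} ({rec['name']})")
```

Run against a real export, the interesting output is the last section: VFR warnings from an exempt host are expected and are a reassembly-threshold question (the `max-fragments` tuning above), whereas an IPS signature alert from an exempt host would show the ACL bound to the IPS rule is not doing what the configuration intends.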
