01-31-2002 07:51 PM - edited 03-08-2019 09:43 PM
We're running a 7206VXR 12.2(3) ENT/FW/IDS/IPSEC. We want to enable IDS and only log to a syslog server. We don't have a Net Director. The docs mention configuring the local and remote POs. We aren't running any other IDS solutions, so we don't have a remote PO.
The problem:
When we enable IDS, the network starts acting strange. In particular, timeout errors in Outlook when checking email. Clients have complained about their web site and/or other services not working properly.
Below is our config file:
ip audit notify log
ip audit po max-events 100
ip audit name AUDIT.1 info action alarm
ip audit name AUDIT.1 attack action alarm
(we also specify our syslog server)
When we apply this to an interface, we can see alerts being logged in our syslog server. So, why are we having problems? Intrusions should only be logged, and packets shouldn't be dropped since we're only specifying ALERT.
Can anyone offer any insight into this?
02-01-2002 06:31 AM
What are your speeds and load for the interfaces that you're running the feature set on?
Scott
02-01-2002 06:49 AM
Fast Ethernet 100Base-T <-> 7206 VXR <-> DS-3 Serial
800kbps - 3Mbps, depending on time of day through the interfaces
Serial3/0.500 is up, line protocol is up
Hardware is M1T-T3 pa
Description: UUNet Uplink xxxxx DS-3
Interface is unnumbered. Using address of FastEthernet0/0 (xxx.xxx.xxx.xxx)
MTU 4470 bytes, BW 9474 Kbit, DLY 200 usec,
reliability 255/255, txload 55/255, rxload 19/255
Encapsulation FRAME-RELAY IETF
FastEthernet0/0 is up, line protocol is up
Hardware is DEC21140A, address is 0002.17de.3000 (bia 0002.17de.3000)
Description: To Servers
Internet address is xxx.xxx.xxx.x/24
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 254/255, txload 2/255, rxload 5/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 2 drops
5 minute input rate 2304000 bits/sec, 429 packets/sec
5 minute output rate 897000 bits/sec, 361 packets/sec
636316615 packets input, 1057163447 bytes
Received 1172811 broadcasts, 0 runts, 15374 giants, 1 throttles
9160614 input errors, 9160614 CRC, 0 frame, 0 overrun, 197 ignored
0 watchdog
4569861 input packets with dribble condition detected
549463550 packets output, 929140880 bytes, 25 underruns(0/0/0)
25 output errors, 0 collisions, 1 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
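As an added example (not part of the thread or of any Cisco tool), the following Python parses the FastEthernet0/0 counters quoted above and flags physical-layer symptoms that are worth ruling out before attributing the timeouts to the IDS feature; the 0.1% CRC threshold is an assumed rule of thumb, not a Cisco figure.

```python
import re

# Constructed excerpt of the "show interface" output quoted in the thread above.
SHOW_INT = """FastEthernet0/0 is up, line protocol is up
Hardware is DEC21140A, address is 0002.17de.3000 (bia 0002.17de.3000)
Full-duplex, 100Mb/s, 100BaseTX/FX
Output queue 0/40, 0 drops; input queue 0/75, 2 drops
636316615 packets input, 1057163447 bytes
Received 1172811 broadcasts, 0 runts, 15374 giants, 1 throttles
9160614 input errors, 9160614 CRC, 0 frame, 0 overrun, 197 ignored
4569861 input packets with dribble condition detected
549463550 packets output, 929140880 bytes, 25 underruns(0/0/0)
25 output errors, 0 collisions, 1 interface resets
"""

# Regexes for the IOS counter lines we care about (first match wins).
COUNTERS = {
    "packets_input": r"(\d+) packets input",
    "input_errors": r"(\d+) input errors",
    "crc": r"(\d+) CRC",
    "giants": r"(\d+) giants",
    "dribble": r"(\d+) input packets with dribble condition",
    "packets_output": r"(\d+) packets output",
    "output_errors": r"(\d+) output errors",
    "input_queue_drops": r"input queue \d+/\d+, (\d+) drops",
}

def parse_counters(text):
    """Pull interface name, duplex and error counters out of show-interface text."""
    found = {name: int(m.group(1)) if (m := re.search(p, text)) else 0
             for name, p in COUNTERS.items()}
    m = re.search(r"^(\S+) is \w+, line protocol is \w+", text, re.M)
    found["name"] = m.group(1) if m else "?"
    m = re.search(r"(Full|Half)-duplex", text)
    found["duplex"] = m.group(1).lower() if m else "unknown"
    return found

def assess(c, crc_threshold=0.001):
    """Return findings that point at the link itself rather than at IDS processing."""
    findings = []
    c["crc_ratio"] = c["crc"] / (c["packets_input"] or 1)
    if c["crc_ratio"] > crc_threshold:  # assumed threshold: 0.1% of input frames
        findings.append(f"{c['name']}: CRC errors on {c['crc_ratio']:.2%} of input "
                        f"packets ({c['duplex']}-duplex); check cabling/duplex/NIC")
    if c["dribble"]:
        findings.append(f"{c['name']}: {c['dribble']} dribble frames; likely bad cable/NIC")
    if c["giants"]:
        findings.append(f"{c['name']}: {c['giants']} giants; check MTU/encapsulation")
    if c["input_queue_drops"]:
        findings.append(f"{c['name']}: {c['input_queue_drops']} input queue drops")
    return findings

if __name__ == "__main__":
    for line in assess(parse_counters(SHOW_INT)):
        print(line)
```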
02-01-2002 09:21 AM
I suggest that you open a case with our Technical Assistance Center (TAC) to get their expert advice. I was wanting to see if you had large pipes/high bandwidth usage, as the overhead of turning on the IDS feature set is known to slow down the router. However, your bandwidth usage is an order of magnitude lower than what I would have flagged as a problem. Those of us on the list are typically experts in our IDS appliances and switch blades and not IOS/router folks.
Sorry I couldn't help
Scott