Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
427
Views
0
Helpful
3
Replies

IDS Firewall Problems

bean
Level 1
Level 1

‎01-31-2002 07:51 PM - edited ‎03-08-2019 09:43 PM

We're running a 7206VXR 12.2(3) ENT/FW/IDS/IPSEC. We want to enable IDS and only log to a syslog server. We don't have a Net Director. The docs mention configuring the local and remote PO's. We aren't running any other IDS solutions, so we don't have a remote PO.

The problem:

When we enable IDS, the network starts acting strange. In particlar, timeout errors in Outlook when checking email. Clients have complained about their web site and/or other services not working properly.

Below is our config file:

ip audit notify log

ip audit po max-events 100

ip audit name AUDIT.1 info action alarm

ip audit name AUDIT.1 attack action alarm

(we also specify our syslog server)

When we apply this to an interface, we can see alerts being logged in our syslog server. So, why are we having problems? Instrusions should only be logged, and packets shouldn't be dropped since we're only specifying ALERT.

Can anyone offer any insight into this?

Labels:
0 Helpful
3 Replies 3

scothrel
Level 3
Level 3

‎02-01-2002 06:31 AM

What are your speeds and load for the interfaces that you're running the feature set on?

Scott

0 Helpful

bean
Level 1
Level 1
In response to scothrel

‎02-01-2002 06:49 AM

Fast Ethernet 100Base-T <-> 7206 VXR <-> DS-3 Serial

800kbps - 3Mbps, depending on time of day through the interfaces

Serial3/0.500 is up, line protocol is up

Hardware is M1T-T3 pa

Description: UUNet Uplink xxxxx DS-3

Interface is unnumbered. Using address of FastEthernet0/0 (xxx.xxx.xxx.xxx)

MTU 4470 bytes, BW 9474 Kbit, DLY 200 usec,

reliability 255/255, txload 55/255, rxload 19/255

Encapsulation FRAME-RELAY IETF

FastEthernet0/0 is up, line protocol is up

Hardware is DEC21140A, address is 0002.17de.3000 (bia 0002.17de.3000)

Description: To Servers

Internet address is xxx.xxx.xxx.x/24

MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,

reliability 254/255, txload 2/255, rxload 5/255

Encapsulation ARPA, loopback not set

Keepalive set (10 sec)

Full-duplex, 100Mb/s, 100BaseTX/FX

ARP type: ARPA, ARP Timeout 04:00:00

Last input 00:00:00, output 00:00:00, output hang never

Last clearing of "show interface" counters never

Queueing strategy: fifo

Output queue 0/40, 0 drops; input queue 0/75, 2 drops

5 minute input rate 2304000 bits/sec, 429 packets/sec

5 minute output rate 897000 bits/sec, 361 packets/sec

636316615 packets input, 1057163447 bytes

Received 1172811 broadcasts, 0 runts, 15374 giants, 1 throttles

9160614 input errors, 9160614 CRC, 0 frame, 0 overrun, 197 ignored

0 watchdog

4569861 input packets with dribble condition detected

549463550 packets output, 929140880 bytes, 25 underruns(0/0/0)

25 output errors, 0 collisions, 1 interface resets

0 babbles, 0 late collision, 0 deferred

0 lost carrier, 0 no carrier

0 output buffer failures, 0 output buffers swapped out

0 Helpful

scothrel
Level 3
Level 3
In response to bean

‎02-01-2002 09:21 AM

I suggest that you open a case with our Technical Assistance Center(TAC) to get their expert advice. I was wanting to see if you had large pipes/high bandwidth usage, as the overhead of turning on the IDS feature set is known to slow down the router. However, your bandwidth usage is an order of magnitude lower than what I would have flagged as a problem. Those of us on the list are typically experts in our IDS appliances and switch blades and not IOS/router folks.

Sorry I couldn't help

Scott

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents