Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

IDS Firewall Problems

We're running a 7206VXR 12.2(3) ENT/FW/IDS/IPSEC. We want to enable IDS and only log to a syslog server. We don't have a Net Director. The docs mention configuring the local and remote PO's. We aren't running any other IDS solutions, so we don't have a remote PO.

The problem:

When we enable IDS, the network starts acting strange. In particlar, timeout errors in Outlook when checking email. Clients have complained about their web site and/or other services not working properly.

Below is our config file:

ip audit notify log

ip audit po max-events 100

ip audit name AUDIT.1 info action alarm

ip audit name AUDIT.1 attack action alarm

(we also specify our syslog server)

When we apply this to an interface, we can see alerts being logged in our syslog server. So, why are we having problems? Instrusions should only be logged, and packets shouldn't be dropped since we're only specifying ALERT.

Can anyone offer any insight into this?

3 REPLIES
Cisco Employee

Re: IDS Firewall Problems

What are your speeds and load for the interfaces that you're running the feature set on?

Scott

New Member

Re: IDS Firewall Problems

Fast Ethernet 100Base-T <-> 7206 VXR <-> DS-3 Serial

800kbps - 3Mbps, depending on time of day through the interfaces

Serial3/0.500 is up, line protocol is up

Hardware is M1T-T3 pa

Description: UUNet Uplink xxxxx DS-3

Interface is unnumbered. Using address of FastEthernet0/0 (xxx.xxx.xxx.xxx)

MTU 4470 bytes, BW 9474 Kbit, DLY 200 usec,

reliability 255/255, txload 55/255, rxload 19/255

Encapsulation FRAME-RELAY IETF

FastEthernet0/0 is up, line protocol is up

Hardware is DEC21140A, address is 0002.17de.3000 (bia 0002.17de.3000)

Description: To Servers

Internet address is xxx.xxx.xxx.x/24

MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,

reliability 254/255, txload 2/255, rxload 5/255

Encapsulation ARPA, loopback not set

Keepalive set (10 sec)

Full-duplex, 100Mb/s, 100BaseTX/FX

ARP type: ARPA, ARP Timeout 04:00:00

Last input 00:00:00, output 00:00:00, output hang never

Last clearing of "show interface" counters never

Queueing strategy: fifo

Output queue 0/40, 0 drops; input queue 0/75, 2 drops

5 minute input rate 2304000 bits/sec, 429 packets/sec

5 minute output rate 897000 bits/sec, 361 packets/sec

636316615 packets input, 1057163447 bytes

Received 1172811 broadcasts, 0 runts, 15374 giants, 1 throttles

9160614 input errors, 9160614 CRC, 0 frame, 0 overrun, 197 ignored

0 watchdog

4569861 input packets with dribble condition detected

549463550 packets output, 929140880 bytes, 25 underruns(0/0/0)

25 output errors, 0 collisions, 1 interface resets

0 babbles, 0 late collision, 0 deferred

0 lost carrier, 0 no carrier

0 output buffer failures, 0 output buffers swapped out

Cisco Employee

Re: IDS Firewall Problems

I suggest that you open a case with our Technical Assistance Center(TAC) to get their expert advice. I was wanting to see if you had large pipes/high bandwidth usage, as the overhead of turning on the IDS feature set is known to slow down the router. However, your bandwidth usage is an order of magnitude lower than what I would have flagged as a problem. Those of us on the list are typically experts in our IDS appliances and switch blades and not IOS/router folks.

Sorry I couldn't help

Scott

87
Views
0
Helpful
3
Replies