We're running a 7206VXR 12.2(3) ENT/FW/IDS/IPSEC. We want to enable IDS and only log to a syslog server. We don't have a Net Director. The docs mention configuring the local and remote PO's. We aren't running any other IDS solutions, so we don't have a remote PO.
When we enable IDS, the network starts acting strange. In particular, timeout errors in Outlook when checking email. Clients have complained about their web site and/or other services not working properly.
Below is our config file:
ip audit notify log
ip audit po max-events 100
ip audit name AUDIT.1 info action alarm
ip audit name AUDIT.1 attack action alarm
(we also specify our syslog server)
When we apply this to an interface, we can see alerts being logged in our syslog server. So, why are we having problems? Intrusions should only be logged, and packets shouldn't be dropped since we're only specifying ALERT.
I suggest that you open a case with our Technical Assistance Center (TAC) to get their expert advice. I was wanting to see if you had large pipes/high bandwidth usage, as the overhead of turning on the IDS feature set is known to slow down the router. However, your bandwidth usage is an order of magnitude lower than what I would have flagged as a problem. Those of us on the list are typically experts in our IDS appliances and switch blades and not IOS/router folks.