Re: Rash of Sig IDs 994 & 995 after updating to 3.0(1)S4
The 994 and 995 sigs are new in 3.0(1)S4.
The 995 fires when the sensor interface is physically unplugged (workd only for IDS-4210), or when the sensor stops receiving any packets on it's monitoring interface (all IDS-42xx sensors).
The 994 fires when the sensor starts seeing packets again.
So either you network is very quiet for some periods, in which case the sensor will fire the 995 when no more packets are seen, and 994 when it starts back up (typical in lab environments).
Or your sensor is being physically unplugged for short periods of time.
Or the switch that your sensor is connected to may be rebooting or breaking connection with the sensor for short periods of time.
These signatures can be configured through SigWizMenu (I belive they are also in nrConfigure for hte Unix Director):
LinkStatusSeverityYou can change the alarm severity of the link status alarms (0-5, 0=off, 5=most severe) - Severity of the 995 sig when it fires for the interface being physically disconneted on the IDS-4210 sensor. The 995 sig could fire when the interface is unplugged or if the sensor doesn't see anymore traffic, and each scenario has a different severity.
NoTrafficTimeoutThe number of seconds of no traffic to fire the traffic flow alarm (10-1000) - This tells the sensor how long there shouldn't be any traffic to fire the 995 sig.
TrafficFlowSeverityYou can change the alarm severity of the traffic flow alarms (0-5, 0=off, 5=most severe) - severity for both the 995 and 994 sigs when they are firing because of not seeing traffic.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :