Cisco ips 4270 cpu 100% utilization...

Hi folks, I have a Cisco IPS 4270, version 7.0(2) E3. When I try to access it through IDM, it shows the CPU utilization of cpu1=100% and cpu4=100%, but cpu1 and cpu2 are varying. Can anyone please tell me what the solution to this problem is?
When I try to go to the configuration, it gives me the attached error. Document attached, please check.

Hi,
Having 100% on some of your CPU is normal on the IPS platform.
The device is using its idle cycles to prepare for the handling of the incoming packets and to reduce the delay it will introduce on their path, so it is expected to get this even when under low load.
If you want to have a better idea of the capacity % of your IPS you are currently using, you should have a look at the Inspection Load value. Looking at the data you provided, you are around 25% at the moment.
For the rdep timeout message, it seems to be a software issue. Looking closer at the picture you attached, we also see "Analysis Engine Status: Not Responding".
It is a bit difficult to troubleshoot those on CSC so I would advise you to open a TAC case if you want to know the exact root cause.
What I would advise is to upgrade to the latest 7(0) code, which is, I believe, 7.0(5a)E4, since the issue is most likely fixed in this version.
If you are looking for a quick fix, a reboot of the IPS should clear this, but the problem will most likely come back later.
Regards,
Nicolas

Similar Messages

  • Cisco ips 4270 unequal cpu utilization

    I have 2 Cisco IPS 4270 devices with an IOS version 7.0(2)E4. When monitoring through IPS manager, I am able to see 4 CPUs.
    In CPU 1 the utilization is showing near 100 percent. CPU 2 is showing zero or very little utilization. CPU 3 & CPU 4 are showing average utilization, nearly equal to 40 percent.
    I doubt why I am getting zero percent CPU utilization in CPU 2 and 100 percent utilization in CPU 1?
    Can we do a distribution of CPU among the four CPUs?
    Hey cisco folks, please help.

    This was mentioned in a previous post, specifically the reply by Scott Fringer.  Post here:
    https://supportforums.cisco.com/message/3065777#3065777
    In Scott's post, he quoted the E3 engine release notes regarding CPU utilization (highlighting mine):
    The E3 signature engine update contains changes from CSCsu77935
    The resolution of this defect modified the idle time algorithm of the sensor by applying additional CPU to polling of the NICs to decrease the polling interval and reduce latency. This results in the CPU usage being reported higher than in previous releases, including using external tools such as top and ps.
    You can notice this additional CPU load on single-CPU platforms, as well as the primary CPU of multi-core systems. Since the additional CPU load that is reported while polling is actually available to process packets, and reduces as inspection load goes up, it does not negatively affect the overall throughput of the IPS.
    So, what you are seeing should be considered normal, and doesn't need correction.  That is, unless you are seeing packet loss.

  • CISCO IPS 4270 rebooting again and again

    Dear Experts,
    We are facing a problem where the Cisco IPS 4270 keeps rebooting; attached are the logs.
    After entering the username and password, it again goes into a restart cycle.
    Appreciate your help
    Muhammad Nasim

    You should try reimaging your sensor. If that doesn't fix this issue, you need to RMA the unit to Cisco.
    Cisco might just let you RMA the unit as is if you have a contract, but bringing it is faster.
    - Bob

  • CISCO IPS 4260 CPU USAGE 99%

    Hi guys
    I'm detecting something unusual on my Cisco IPS 4260. This device has 2 CPUs, but only one CPU is showing 99% usage, and the inspection load varies from 40 to 50, and sometimes 80. Here's a screenshot of what I'm talking about.
    Where can I start to troubleshoot why it is showing these values?
    Regards.

    Do you think it is normal that the IPS signature with the most hits is SIGID 5575 (NBT NetBIOS Session Service Failed Login)?
    After doing some research, it seems to be normal for a Windows environment.
    Here is the information I got
    Description
    When a client connects to a SMB server (WinNT, Win95, Samba, etc..) a TCP connection to port 139 is established. The client then provides the server with its NetBIOS name and the NetBIOS name it wishes to connect to. If the name does not exist on the server, the session setup attempt fails and an error message is sent to the client. This could be an indicator of an attack.
    Recommended Filter
    Exclude internal networks as sources.
    Benign Triggers
    The default alarm level for this is low because this happens during normal network activity within a Windows network. As an example, when mounting the C: drive from a Windows 95 system to a Windows NT system, numerous session setup failures can occur while browsing the file system.
    As you can see, you could exclude it to stop triggering that; this is an informational signature.
    Regards,
    Remember to rate all of the helpful posts

  • SA540 CPU 100% Utilization AND VPN Failures

    I am having regular trouble with my SA540 in that the VPN tunnels are failing. When I check the VPN tunnel I also find that the CPU utilization is listed at 100%.
    Any suggestions?
    Gregg

  • IPS 4270 with 6509 VSS in Promiscuous mode

    Dear all,
    I am trying to figure out how to configure 2x IPS 4270 in promiscuous mode with Cisco 6509 VSS:
    I have attached the LLD core datacenter design including the IPS physical placement in my network.
    The following points are my concerns in this design:
    Shall I connect each of the IPS 4270s into VSS Chassis A and B, or do I keep each IPS connected to a different chassis? (Considering the SPAN port configuration on VSS and whether I could encounter an asymmetric routing issue or not.)
    Can I use EtherChannel in either case (keep in mind it's promiscuous mode)? That means the destination interface on the VSS will be an EtherChannel interface, but does the Cisco IPS 4270 support EtherChannel while in promiscuous mode?
    I really appreciate your input on this matter guys.
    Cheers
    Mohammed Khair

    Hi,
    1. You can connect each IPS into Chassis A and B; that is not a problem. But while configuring the RSPAN monitor, from A to B and B to A it should monitor both VLANs (I mean RSPAN A and B, also vice versa, in your config; then it will give both outputs even if connectivity between the IPS and chassis one fails).
    2. The IPS supports EtherChannel while in promiscuous mode as well.

  • Cisco IPS make slow copy between linux server

    We have 3 subnets: A, B, C. Each subnet has some Linux servers. Subnet C is protected by a Cisco IPS 4270.
    1) If we configure the IPS to bypass traffic, the copy speed between servers is around 10MB/s -> 25MB/s.
    2) If the IPS protects subnet C:
    When we copy a file from a server in subnet C to subnet A or B, the copy speed increases from min to around 20MB/s.
    And when we copy a file from a server in subnet A or B to subnet C, the copy speed is very slow, around 700kB/s -> 2MB/s.
    The servers used the command "scp .... "
    So we think there are signatures we should tune. We have CSM, but we haven't seen any related events for this problem.
    Help me check this problem!

    Hello,
    You can do what Jon mentioned; you might see a signature being triggered when Host C takes part, but if by any chance you do not, then create captures for both traffic flows (with C and without C).
    Afterwards, compare them.
    You might find something weird in the TCP session that involves C (packet loss, then retransmissions, out-of-order packets, etc.).
    Make sure you correlate all of the information.
    Rate all of the helpful posts!!!
    Regards,
    Jcarvaja
    Follow me on http://laguiadelnetworking.com

  • IPS 4270-20, ver 7.1.(4)E4 - CPU 100% on 3 CPUs

    Hi,
    We have upgraded our IPS 4270-20 appliances (10) to the new version 7.1.(4)E4. After the upgrade we see that out of 4 CPUs, 3 CPUs show 100% (CPU 1, 3, 4).
    However, when we check the inspection load, it's less than 40-50%. It looks like this may be a bug, but so far it's not even seen in the bug tool.
    We upgraded from 7.0.4(E4) and we can't downgrade now; the only option is to reimage all 10 IPS appliances physically on all the sites, which will be a disaster.
    Is there a patch available for this, or is there a workaround? If nothing is available, should we open a TAC case?
    Appreciate if someone can advise us.
    thanks

    This is normal. The correct measure of load is inspection-load. The CPUs being shown at 100% is because the threads are continuously polling for new data packets.
    Regards,
    Sawan Gupta

  • Cisco IPS Concurrent session support in ips 4260 and 4270 sensor

    I am wondering why no document from the Cisco IPS data sheets mentions the concurrent session support in the Cisco IPS 4200 series sensors. I am looking forward to anyone who can advise on the subject.
    Thanks
    Nouman

    Hi.
    With IPS devices it's difficult to measure performance by # of connections per second, since several factors count towards the performance limit, including:
    1- packet size.
    2- object sizes per transaction
    3- transactions per second
    4- signatures enabled
    5- features enabled
    That's why public documents try to make it more realistic by mentioning the transactional performance.
    Here is a link mentioning concurrent connections for the 4270:
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/prod_white_paper0900aecd806e7283.html
    Although the link mentions 100k and 200k, we've seen situations where we had a lot more connections with a smaller number of signatures enabled.
    For the 4260, the public document only mentions the transactional performance.
    Regards,
    Fadi.
    If this answers your question please mark the thread as resolved.

  • TCP RESET - CISCO IPS 4240 in IDS Mode - Block Teamviewer

    I would like to block TeamViewer in my network. We are using a Cisco IPS 4240 in IDS mode. I found that there are signatures for TeamViewer in the latest signatures.
    We have only configured a promiscuous interface. I read that we can issue TCP resets through the promiscuous interface as well (a dedicated TCP reset interface is recommended).
    However, in my case, I found that the signatures for TeamViewer are not getting fired even after successful TeamViewer connections.
    I am a beginner in IPS; any inputs will be valuable for me.

    We're talking about sigs 15002-0, -1, -2 here. They are by default shipped disabled and retired, so you'll want to enable and activate them.
    For these, the signature settings are not hidden and what they look for is pretty clearly documented in the sig description.
    -0 looks for some specific DNS requests on TeamViewer's startup. TCP resets will have no effect on this.
    -1 looks for specific traffic to tcp port 5938 which would indicate Teamviewer's direct-connection method
    -2 looks for traffic indicating use over http when teamviewer is configured to use a proxy
    TCP resets are a best effort response, they aren't going to be a 100% effective stop

  • CPU 100% RV180W

    Hi there, 
    We purchased 3 products RV180W. 
    I have seen two posts reporting the error, unresolved. 
    I installed the latest firmware available for the RV180W but it remains that the device's CPU is at 100% constantly. 
    They also appear in the log a lot of mistakes that I can not read, it is blank. 
    Thank you very much. 
    Related Posts:
    https://supportforums.cisco.com/es/discussion/11973681
    https://supportforums.cisco.com/discussion/11790766/100-cpu-usage-rv180w-firmware-version-1026

    Hello,
    This is a known issue with the RV180, where the dashboard does not update the Memory and CPU usage. This is not related to the performance of the device.
    It will be addressed in the next release, but you can always contact the Small Business Support Center and open a case in order to have it fixed.
    Here are the contact details: http://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html
    Regards,
    Kremena

  • Cisco IPS 4260 - Monitoring

    hi!
    We have installed two Cisco IPS 4260s in our test environment and now want to monitor the inspection load, which from my point of view is much more important than the CPU load, with the open source network tool Cacti. I want to send alerts when a specific threshold has been exceeded.
    I already monitor the CPU load and the interfaces with SNMP. Do you know if it is possible to get the value of the inspection load of the IPS by SNMP?
    Which other parameters of the IPS sensors are important to monitor?
    Thanks!!!

    At this time the sensor's inspection load is not exposed via a SNMP OID.  There is an enhancement request to add SNMP monitoring of various sensor health metrics in a future release.
    Thanks,
    Scott

  • IPS 4270 placement @ Internet Edge

    Given that I have the same topology as shown in Internet Edge Cisco IPS Design Best Practices and am basically inserting a 4270 appliance in INLINE mode.
    Core and Distribution Switch = Layer-3 routed links
    Distribution Switch and ASA = Layer-2 access port
    I'm wondering how the IPS sensors should be configured? I think I understand the methods below, but since my Core/Distrib is a layer-3 link, I'm not sure which method is going to work, since most require two VLANs ...
    1. Interface Pairing
    2. VLAN Pairing
    3. VLAN Group
    Anyone has same experience?
    Thanks in advance ...
    Gerard

    I have a 4270-20 positioned at the edge of my network.  It sits between the outside of the firewall and our Internet router.  The only problem with this model is that it makes tracking down threats very difficult, as the only thing you will ever see are the NAT'd public IPs for all your traffic.
    To get around this limitation, we created an additional interface in promiscuous mode and we SPAN the traffic on the link between our core switch and the internal interface of our firewall to it.  This gives us complete outside protection and inside visibility.  This is still not an ideal setup and we are in the process of re-architecting our internal traffic so that we can run two in-line pairs on the IPS.  One internal, and one external.
    The best way to go, is having the IPS in the firewall itself, but throughput on firewalls is often a concern, and unfortunately for Cisco, quite a limitation.

  • 2 IPS 4270 SETUP FOR PROMISCUOUS MODE

    hi guys,
    I have two IPS 4270s and I want to set them up for promiscuous mode. Please help me with how to set up these two devices. It is the first time for me to set up these devices. Can somebody give me configuration guides on how to start?
    thank you

    Here is configuration guide for IPS version 7.0:
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idmguide7.html
    Hope that helps.

  • Dock process is clocking at 100% utilization

    After 10.6.8 update the Dock process is clocking at 100% utilization of one of my CPU cores, which of course impacts overall system performance.  Has anyone else seen this kind of issue?

    Hi. The link below might help.
    http://reviews.cnet.com/8301-13727_7-20074173-263/dock-using-100-cpu-after-os-x-10.6.8-update-for-parallels-6-users/
    Stedman
