IDSM-2 inspection load high

We have an IDSM-2 installed in our core switch and we are facing a problem now. The module is hanging randomly and we cannot log in through session or GUI at that time. The version running is 7.0(4) E4 and we need to restart the module to recover the same. After the reload we have found that the inspection load is touching 100% continuously. It is working in promiscuous mode and only two VLANs (server VLANs behind FWSM) are monitored. One of the VLANs has a larger number of servers; when I removed that VLAN from the capture, the inspection load came back to normal. Did someone face this problem before? Is it really a throughput issue? How can I confirm that? Or is it due to a bug?

Hello Dustin,
Thanks for the reply. I have checked the interface status and found FIFO overruns on the sensing interface 0/7, but they are not increasing. I also found that the inspection load is normal at this point in time; I think when it reaches 100% it will increase the FIFO counters. Below is the interface status:
IDSM2_Secondary# sh interfaces | in Missed
   Missed Packet Percentage = 0
   Missed Packet Percentage = 0
   Missed Packet Percentage = 0
IDSM2_Secondary# sh interfaces | in Errors
   Total Receive Errors = 0
   Total Transmit Errors = 0
   Total Receive Errors = 1
   Total Transmit Errors = 0
   Total Receive Errors = 0
   Total Transmit Errors = 0
IDSM2_Secondary# sh interfaces | in FIFO
   Total Receive FIFO Overruns = 0
   Total Transmit FIFO Overruns = 0
   Total Receive FIFO Overruns = 11828560
   Total Transmit FIFO Overruns = 0
   Total Receive FIFO Overruns = 3
   Total Transmit FIFO Overruns = 0
IDSM2_Secondary# sh interfaces | in FIFO
   Total Receive FIFO Overruns = 0
   Total Transmit FIFO Overruns = 0
   Total Receive FIFO Overruns = 11828560
   Total Transmit FIFO Overruns = 0
   Total Receive FIFO Overruns = 3
   Total Transmit FIFO Overruns = 0
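
The post above compares two runs of `sh interfaces | in FIFO` by eye to decide whether the overruns are still growing. The following is an added example, not part of the original post, that automates that comparison: it assumes the filtered output lists interfaces in the same order on every run (the `include` filter strips interface names, so counters are matched by position), and the third snapshot is constructed for illustration.

```python
import re

# Matches the counter lines shown in the post; CLI prompt lines are ignored.
COUNTER_RE = re.compile(
    r"^\s*(Total (?:Receive|Transmit) FIFO Overruns)\s*=\s*(\d+)\s*$"
)

# Output as posted in the thread (identical on both runs).
PAGE_SNAPSHOT = """\
IDSM2_Secondary# sh interfaces | in FIFO
   Total Receive FIFO Overruns = 0
   Total Transmit FIFO Overruns = 0
   Total Receive FIFO Overruns = 11828560
   Total Transmit FIFO Overruns = 0
   Total Receive FIFO Overruns = 3
   Total Transmit FIFO Overruns = 0
"""

# Constructed sample: a later run in which the second interface grew.
CONSTRUCTED_LATER = PAGE_SNAPSHOT.replace("11828560", "11830000")


def parse_counters(text):
    """Return {counter name: [value per interface, in output order]}."""
    counters = {}
    for line in text.splitlines():
        match = COUNTER_RE.match(line)
        if match:
            counters.setdefault(match.group(1), []).append(int(match.group(2)))
    return counters


def compare_snapshots(before, after):
    """Classify every non-zero counter as historical, increasing or reset.

    Returns a list of (counter, interface_position, old, new, state).
    """
    old_counters, new_counters = parse_counters(before), parse_counters(after)
    findings = []
    for name, old_values in old_counters.items():
        new_values = new_counters.get(name, [])
        if len(old_values) != len(new_values):
            raise ValueError(f"interface count changed for {name!r}")
        for position, (old, new) in enumerate(zip(old_values, new_values)):
            if new < old:
                state = "reset"        # counters cleared or module reloaded
            elif new > old:
                state = "increasing"   # packets are being dropped right now
            elif new > 0:
                state = "historical"   # drops happened earlier, not now
            else:
                continue               # zero in both runs, nothing to report
            findings.append((name, position, old, new, state))
    return findings


if __name__ == "__main__":
    for label, later in (("posted runs", PAGE_SNAPSHOT),
                         ("constructed later run", CONSTRUCTED_LATER)):
        print(label)
        for finding in compare_snapshots(PAGE_SNAPSHOT, later):
            print("  ", finding)
```

Capturing one snapshot while the inspection load is normal and another while it sits at 100% shows whether the overruns grow only under load.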

Similar Messages

  • IDSM inspection load on 100%

    Now I have an IDSM with 100% inspection load during busy hours, followed by the missed packets percentage increasing at that time.
    The IDSM interface is set as a promiscuous interface.
    Does this mean my network throughput will be limited by the IDSM max inspection load / throughput, which is 600Mbps?
    Thank you
    Marcel.

    No, the throughput will not be limited in the network when you are in promiscuous mode. But your visibility for attacks is highly limited.
    You should configure your span/capture settings on the 6k5 to only send as much traffic to the IDSM as this module can handle.
    Just remember that the IDSM-2 is a ten years old system and can't catch up with the typical traffic-demand we are having nowadays.
    It's time to change the IDSM against an actual external sensor.

  • Ciscoips inspection load issue

    Hi Team,
    I am facing a network slowness and IPS inspection load going high on my IP 4200 device.
    Hence I reimaged and upgraded the signature to the latest. In spite of it, again the issue persists and I had to disable inspection as a work around to reduce the impact of my network.
    My IPS version is  7.1(9)E4 on device is 4240.
    I doubt if it is due to traffic load? The issue occurs only during the peak hours. How do I check if my device is capable enough to handle the load? Can someone guide me?

    Hi,
    if you deleted all Red request , you can REPEAT DELTA ,
    when you re-schedule the load again , system will give you one message saying that 'Last delta was incorrect/not successfully, and would give u option to repeat the the same load again,
    shouldn't be any problem.
    Are u loading data from DSO to Cube OR Cube to Cube ?
    Cheers,
    Sukhi

  • Monitor Inspection Load IPS ASA-SSM-20

    All,
      I am aware there is a feature request but don't see any updates.  Taking the chance here that its fallen through the cracks and someone has figured out another way to monitor inspection load on ASA-SSM-20 IPS.  We are currently running 7.0(5a)E4.  I want to be able to use Solarwinds Orion to monitor Inspection Load on our IPS devices.  Does anyone know if that is yet possible...if so how?
    Thanks!

    Bump +1

  • Upload through inline IPS increases inspection load

    The IPS-4240-K9 [IPS Version 7.0(4) E4] is deployed in inline mode before the ASA and perimeter router. The design is LAN->IPS->ASA->Internet Router. The problem is that when I am uploading to the internet the IPS inspection load increases to 100% and the devices beyond the IPS become non-responsive (ping drops from ASA and router). Surprisingly the ping response on the IPS does not break. When I put the IPS in never-inspect mode (bypass on) the problem does not happen. Hence it is confirmed that the issue is with the IPS and its inspection load due to upload.
    Please guide on how to resolve it . thanks

    Hi Sawan,
    No there is no particular signature firing a lot..normal signatures which do fire in normal operation..
    By traffic load u mean the size of file being uploaded ,even if we upload a file between 20-40 MB the ping drops on the devices beyond IPS starts and continues until the file is uploaded..once the file is uploaded completely which in the case of 20-40 MB is in within seconds the situation returns to normal...
    We will upgrade soon ...but is there any bug in this release related to this problem ??
    Thanks for the reply ..
    Rgds
    Unus

  • ASA-SSM-10 inspection load 100% (version 7.0(5a)E4

    Hi all,
    I have a challenge with the IPS module in the ASA5520, the ASA-SSM-10. When we start a test to connect to the webservers I get an inspection load of 100% and traffic/performance will slow down.
    We test with 63000 sessions per minute which perform a load of: from the test-servers(clients) to the web-servers of 20.000 kbits/sec and traffic from the web-servers back to the test-servers(clients) 75.000 kbits/sec.
    Can you please advise what to do because we cannot go live with this environment only when this is fixed.
    Thanks in advance,
    Erik Verkerk.

    Hi Bob,
    thanks for your reply/suggestion, and you understood the numbers correctly. Unfortunately the AIP-SSM-10 module must inspect this kind of load. I can test, within 8 hours' time, a lower amount of traffic.
    I do have some questions for you:
    When you have a traffic of 75Mb/s what is your inspection load saying 80%?
    Regarding the specs, Cisco says in the documentation of the ASA5520 that when you are using an AIP-SSM-10 you can firewall and IPS a maximum of 225Mb/s. Now I understand that this is probably the commercial figure, but I'm only looking for half of this, 95MB/s. Do you have an explanation for this?
    Perhaps the amount of signatures is too much: I have 1500 signatures active, can you tell how many active signatures you run in your AIP-SSM-10?
    Last but not least question:
    It is hard for me to find some useful documentation, specifically for troubleshooting the IPS. Do you have suggestions?
    I hope you have the time to answers these questions it certainly helps me to understand the IPS and fix the problem.
    Many thanks in advance,
    Erik.

  • ASA5585-SSP-IPS40 Inspection Load 0 with Missed Packets at 50% or more

    The IPS40 is showing missed packets yet the Inspection Load remains at 0.
    Two questions.
    1. What would cause Missed Packets and is there a "best" method to troubleshot the situation?
    2. Why does the Inspection Load remain at 0?
    vs0 is currently assigned to PortChannel0/0 (Backplane interface)
    Thanks,
    Kevin

    Hello Kevin,
    What version are you running
    Also share the following:
    show stat virt
    show int
    Also over the show tech look the following :
    exec: cat /proc/net/cisco/cids-shared.info
    And let me know the free buffer percentage you see there
    Regards,
    Remember to rate all of the helpful posts

  • IDSM-2 - VSS Load Balance

    Hi everyone ...
    I have two 6509 configured with VSS, in each 6509 we have one FWSM and IDSM2.
    We have configured the FWSM with contexts and we have Failover working fine.
    Now we want to configure the IDSM as IPS inline, but we want to use both IDSMs in load balance to improve the performance and get high availability with security.
    Is this possible ?
    I know we can get load balance with IPS appliances using etherchannel in switching (ECLB) but I don't know if we can do this with the IDSM modules in catalyst 6509 considering VSS.  
    Any suggestions ?

    The VSS is a special configuration. 
    You can configure the FWSM modules to be failover partners, but on IDSM modules you need to configure the same input/output VLANs to get the failover or balance behaviour. The Cisco IPS architecture has no failover configuration. You can find some examples with EtherChannel or port-channel configurations shared with some IPS units to balance the bandwidth. That's the case in the VSS solution: both chassis share the VLANs and it's necessary to configure the input/output VLAN pairs shared between the modules to balance the bandwidth.

  • High ram usage when loading high resolution images

    Hello,
    I'm wondering why Firefox almost hangs my system while opening high-resolution images like this one (save your data, you have been warned):
    http://minecraft.1favre.de/output.png
    While opening, it causes the X process to use CPU and a lot of memory (it's freed shortly after loading the image). Other browsers don't do that. Moreover, other browsers don't have any problems with such images; they load them fast and effortlessly. I have 2GB of RAM.
    Firefox memory usage: http://wklej.org/id/1027301/
    Konqueror memory usage: http://wklej.org/id/1027305/
    Opera memory usage: http://wklej.org/id/1027306/
    Chromium was problematic with getting the log: http://img.koci.net.pl/images/screen252.png
    Unfortunately I was unable to generate log with nvidia-bugreport.sh. Doesn't work, strange. Here are some details of my system:
    02:00.0 VGA compatible controller: NVIDIA Corporation G73 [GeForce 7300 GT] (rev a1)
    nvidia-settings: version 304.88 (buildmeister@swio-display-x86-rhel47-06) Wed Mar 27 15:32:47 PDT 2013
    [root@linux mk]# uname -a
    Linux linux 3.8.10-1-ARCH #1 SMP PREEMPT Sat Apr 27 12:36:59 CEST 2013 x86_64 GNU/Linux
    root@linux mk]# X -version
    X.Org X Server 1.14.1
    Release Date: 2013-04-17
    X Protocol Version 11, Revision 0
    Build Operating System: Linux 3.8.7-1-ARCH x86_64
    Current Operating System: Linux linux 3.8.10-1-ARCH #1 SMP PREEMPT Sat Apr 27 12:36:59 CEST 2013 x86_64
    Kernel command line: BOOT_IMAGE=/boot/vmlinuz-linux root=UUID=9ddb4ac2-a9bf-44db-830c-9ba210ea6d12 ro quiet
    Build Date: 17 April 2013 02:37:06PM
    Current version of pixman: 0.28.2

    Hello,
    The Reset Firefox feature can fix many issues by restoring Firefox to its factory default state while saving your essential information.
    Note: ''This will cause you to lose any Extensions, Open websites, and some Preferences.''
    To Reset Firefox do the following:
    #Go to Firefox > Help > Troubleshooting Information.
    #Click the "Reset Firefox" button.
    #Firefox will close and reset. After Firefox is done, it will show a window with the information that is imported. Click Finish.
    #Firefox will open with all factory defaults applied.
    Further information can be found in the [[Reset Firefox – easily fix most problems]] article.
    Did this fix your problems? Please report back to us!
    Thank you.

  • HR_BLP_SAVE_TIMEDATA and how to load high volume records onto Infotype 2001

    Because of high data volume (estimated 1 million records each run) and short SLA time requirement (runs every 2 hours), we chose to use functions that are called by CAT6 (Skipping the CATS to HR info types loading process) to load the time records directly into Infotype 2001 and Infotype 2002. 
    Now we discover that some records (sporadically and randomly) don't get loaded onto the infotype and they don't return from the error message table either.  We are wondering whether anyone has used these functions before, and how they resolve the issues of missing records / error handling. 
    We are also wondering if there is any other feasible solution to meet our customer's need.
    The two functions we use are:   HR_BLP_MAINTAIN_TIMEDATA and HR_BLP_SAVE_TIMEDATA

    Hi Curt,
    No, they are 32 bit RGB. I have just made an 8 bit RGB and it gives me the option. Thank you for your help

  • CPU load higher after applying in 147440 kernel on Oracle database servers

    Hi all,
    Just wanted to know if anyone else is seeing an Increased CPU load with higher peaks and for longer periods of time, especially on single thread processes on oracle database servers. Our Oracle Database versions vary from Oracle 10 to Oracle 11.1.0.7 11.2.0.2 10.2.0.4. The Hardware includes Sunfire V245's, V440 and T5240. We saw a slight performance hit when going to 147440-02 at the first of Oct, but no big deal. Then we applied 147440-04 in the first part of Nov. And of course we got CPU panics and Zfs file system stopped mounting basically a complete disaster. Oracle provided and IDR for the CPU panic and then later release 147440-06. Which resolved the CPU panics and zfs file system mounts. But now our load average on is 1 to 3 points higher during load, grid control is constantly complaining of 100% utilization. I have had a call open since the first of November with oracle/sun support and have provided guds performance stats on before and after Kernel change. They are still saying that its not an issue. It is so bad we had to roll back to a July kernel on one of the servers.

    Just to let you all know what we have found. After 2 1/2 months of working with Oracle Kernel team, they have identified the Oracle Enterprise Manager (emagent) (Grid control Agent) was using nearly 60000 threads under the 147440 Kernel and only 1500 threads under an older kernel.
    I googled the solution for the emagent, but I continue to press Oracle Kernel Engineers to work with their software division, to identify other products that might cause similar problems.
    http://oracle-dba-quickanswers.blogspot.com/2011/10/emagent-consuming-very-high-cpu.html

  • Why on my ipod 2 gen not load higher ios then 4.2.1

    why when i want to go higher ios on my second gen ipod will it not let me go higher i want to put new apps on it i have seen no reason not to allow it

    A 2G iPod Touch can only go as high as iOS 4.2.1.  iOS 5 is only compatible with the 3G and 4G iPod Touches (as well as the iPhone 3GS, iPhone 4, iPad, iPad 2, and iPhone 4S).
    B-rock

  • Thinkpad X1 CPU load high when idling?

    I want to kick myself for not posting this as soon as I noticed, but well, nothing to do about it now.
    A couple of months ago and after some update, not sure which (maybe the Thinkvantage Tools update? Or the graphics drivers, I think are the only things I updated in this time), my Thinkpad X1 (late 2011 model, i7 2640M @ 2.8, 8GB RAM) has started to go off real hard at the main fan when the machine is idling, which doesn't make sense.
    I run Win 7 64 bit Pro. I set the screensaver to just "Blank" and locking the system on activation, and after a bunch of minutes more, it's set to turn off the screen too.
    After a few minutes of the screen being off, the fan will start up and go to max, real loud. I resume the computer from that state, logging in and unlocking it, and after a few seconds into the desktop, the fan goes off. If as soon as I unlock I check the Task Manager, the only process eating up the CPU is the System Idle Process, like it should be.
    What exactly could be going on here? Can any of the latest things I updated be doing something in the background while the computer is idling? It's really bad, because if I leave the machine idling, I don't want it to be going off like crazy. It's not just the fan that goes off, the machine gathers temperature, I can feel it if I touch the left part of the keyboard. So the CPU is busy doing SOMETHING, but what?
    Any help appreciated!!!

    I don't have a "real time" antivirus installed, so there are no such scanning processes in my system.
    My average load is between 5 and 3 percent! It only goes up when I am working, which is NOT when it's idling. I am talking about normal situations. it goes from that 3-5 to full. 
    I will ask again perhaps you know, is there ANY process monitor that will log all activity to a file so I can check what is going on while the machine is idling with the screen off?

  • Sql loader - Data loading issue with no fixed record length

    Hi All,
    I am trying to load the following data through SQL*Loader. However, only records # 1, 3 & 4 are loading successfully into the table and the rest of the records are showing as BAD. What is missing in my syntax?
    .ctl file:
    LOAD DATA
    INFILE 'C:\data.txt'
    BADFILE 'c:\data.BAD'
    DISCARDFILE 'c:\data.DSC' DISCARDMAX 50000
    INTO TABLE icap_gcims
    TRAILING NULLCOLS
         CUST_NBR_MAIN          POSITION(1:9) CHAR NULLIF (CUST_NBR_MAIN=BLANKS),
         CONTACT_TYPE          POSITION(10:11) CHAR NULLIF (CONTACT_TYPE=BLANKS),
         INQUIRY_TYPE          POSITION(12:13) CHAR NULLIF (INQUIRY_TYPE=BLANKS),
         INQUIRY_MODEL          POSITION(14:20) CHAR NULLIF (INQUIRY_MODEL=BLANKS),
         INQUIRY_COMMENTS     POSITION(21:60) CHAR NULLIF (INQUIRY_COMMENTS=BLANKS),
         OTHER_COLOUR POSITION(61:75) CHAR NULLIF (OTHER_COLOUR=BLANKS),
         OTHER_MAKE          POSITION(76:89) CHAR NULLIF (OTHER_MAKE=BLANKS),
         OTHER_MODEL_DESCRIPTION POSITION(90:109) CHAR NULLIF (OTHER_MODEL_DESCRIPTION=BLANKS),
         OTHER_MODEL_YEAR POSITION(110:111) CHAR NULLIF (OTHER_MODEL_YEAR=BLANKS)
    data.txt file:
    000000831KHAN
    000000900UHFA WANTS NEW WARRANTY ID 000001017OHAL
    000001110KHAP
    000001812NHDE231291COST OF SERVICE INSPECTIONS TOO HIGH MAXIMA 92 MK
    000002015TPFA910115CUST UPSET WITH AIRPORT DLR. $200 FOR PLUGS,OIL,FILTER CHANGE. FW
    Thanks,

    Hi,
    It would have been better if you had given the table structure. I checked your script and it was fine.
    11:39:01 pavan_Real>create table test1(
    11:39:02   2  CUST_NBR_MAIN  varchar2(50),
    11:39:02   3  CONTACT_TYPE varchar2(50),
    11:39:02   4  INQUIRY_TYPE varchar2(50),
    11:39:02   5  INQUIRY_MODEL varchar2(50),
    11:39:02   6  INQUIRY_COMMENTS varchar2(50),
    11:39:02   7  OTHER_COLOUR varchar2(50),
    11:39:02   8  OTHER_MAKE varchar2(50),
    11:39:02   9  OTHER_MODEL_DESCRIPTION varchar2(50),
    11:39:02  10  OTHER_MODEL_YEAR varchar2(50)
    11:39:02  11  );
    Table created.
    11:39:13 pavan_Real>select  * from test1;
    no rows selected
    C:\Documents and Settings\ivy3905>sqlldr ara/ara@pavan_real
    control = C:\control.ctl
    SQL*Loader: Release 9.2.0.1.0 - Production on Sat Sep 12 11:41:27 2009
    Copyright (c) 1982, 2002, Oracle Corporation.  All rights reserved.
    Commit point reached - logical record count 5
    11:42:20 pavan_Real>select count(*) from test1;
      COUNT(*)                                                                     
             5    control.ctl
    LOAD DATA
    INFILE 'C:\data.txt'
    BADFILE 'c:\data.BAD'
    DISCARDFILE 'c:\data.DSC' DISCARDMAX 50000
    INTO TABLE test1
    TRAILING NULLCOLS
    CUST_NBR_MAIN POSITION(1:9) CHAR NULLIF (CUST_NBR_MAIN=BLANKS),
    CONTACT_TYPE POSITION(10:11) CHAR NULLIF (CONTACT_TYPE=BLANKS),
    INQUIRY_TYPE POSITION(12:13) CHAR NULLIF (INQUIRY_TYPE=BLANKS),
    INQUIRY_MODEL POSITION(14:20) CHAR NULLIF (INQUIRY_MODEL=BLANKS),
    INQUIRY_COMMENTS POSITION(21:60) CHAR NULLIF (INQUIRY_COMMENTS=BLANKS),
    OTHER_COLOUR POSITION(61:75) CHAR NULLIF (OTHER_COLOUR=BLANKS),
    OTHER_MAKE POSITION(76:89) CHAR NULLIF (OTHER_MAKE=BLANKS),
    OTHER_MODEL_DESCRIPTION POSITION(90:109) CHAR NULLIF (OTHER_MODEL_DESCRIPTION=BLANKS),
    OTHER_MODEL_YEAR POSITION(110:111) CHAR NULLIF (OTHER_MODEL_YEAR=BLANKS)
    data.txt
    000000831KHAN
    000000900UHFA WANTS NEW WARRANTY ID 000001017OHAL
    000001110KHAP
    000001812NHDE231291COST OF SERVICE INSPECTIONS TOO HIGH MAXIMA 92 MK
    000002015TPFA910115CUST UPSET WITH AIRPORT DLR. $200 FOR PLUGS,OIL,FILTER CHANGE. FW
    CUST_NBR_MAIN     CONTACT_TYPE     INQUIRY_TYPE     INQUIRY_MODEL     INQUIRY_COMMENTS     OTHER_COLOUR     OTHER_MAKE     OTHER_MODEL_DESCRIPTION     OTHER_MODEL_YEAR
    000000831     KH     AN     NULL     NULL     NULL     NULL     NULL     NULL
    000000900     UH     FA      WANTS     NEW WARRANTY ID 000001017OHAL     NULL     NULL     NULL     NULL
    000001110     KH     AP     NULL     NULL     NULL     NULL     NULL     NULL
    000001812     NH     DE     231291C     OST OF SERVICE INSPECTIONS TOO HIGH MAXI     MA 92 MK     NULL     NULL     NULL
    000002015     TP     FA     910115C     UST UPSET WITH AIRPORT DLR. $200 FOR PLU     GS,OIL,FILTER C     HANGE. FW     NULL     NULL- Pavan Kumar N
    Edited by: Pavan Kumar on Sep 12, 2009 11:46 AM

  • Inspection Rate on ASA System Limit

    Hi all,
    we are just testing ASA 5585-SSP60 with software 9.1.3. On the load generator we found out that there are problems on the system with an inspection rate higher than 40K. Has anyone experience with that? What inspection rate should the ASA be able to handle? I didn't find limits on Cisco.com.
    Thanks in advance,

    Hello,
    I understand that you want to configure bandwidth limits for each AnyConnect client connection. 
    Unfortunately, the ASA does not currently support QoS policing of traffic on a per-user or per-IP-address basis:
    https://supportforums.cisco.com/docs/DOC-1361#Q_Does_ASA_SSL_VPN_AnyConnect_Client_or_Clientless_support_QOS_and_policing_bandwidth_management_capabilites
    The feature has been requested but it seems it will not be integrated in the near future.
    The available workaround is to use simple QoS as you mention but it is not scalable at all.
      You may police the ASA WAN bandwidth based on the public IP address of each remote-access AnyConnect user hogging bandwidth:
    access-list SSLVPN_LIMIT extended permit udp host host
    (ASA ip address) eq 443
    access-list SSLVPN_LIMIT extended permit tcp host host
    (ASA ip address)
    eq 443
    class-map SSLVPN
    match access-list SSLVPN_LIMIT
    policy-map LIMIT
    class SSLVPN
        police input 1500000
         police output 1500000
    service-policy LIMIT interface outside
    Thanks,
    Itzcoatl
