IPS 4270-20, ver 7.1.(4)E4 - CPU 100% on 3 CPUs

Hi,
We have upgraded our IPS 4270-20 appliances (10) to the new version 7.1.(4)E4. After the upgrade we see that out of 4 CPUs, 3 CPUs show 100% (CPU 1, 3, 4).
However, when we check the inspection load it's less than 40-50%. It looks like this may be a bug, but so far it's not even seen in the bug tool.
We upgraded from 7.0.4(E4) and we can't downgrade now; the only option is to reimage all 10 IPS appliances physically on all the sites, which will be a disaster.
Is there a patch available for this, or is there a workaround? If nothing is available, should we open a TAC case?
Appreciate if someone can advise us.
thanks

This is normal. The correct measure of load is inspection-load. The CPUs are shown at 100% because the threads are continuously polling for new data packets.
Regards,
Sawan Gupta
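
A simplified model of the behaviour described in the reply above, as an added example that is not part of the original thread and not Cisco's code: a packet thread that never sleeps is always reported at 100% CPU, while inspection load tracks the work actually done. The cycle counts, ring size, traffic samples and the 80% threshold are constructed assumptions.

```python
# Simplified model of a busy-polling packet thread (added illustration).
# Every name and number here is constructed for the example.
from collections import deque


def run_interval(arrivals, cycles_per_tick=100, cost_per_packet=10, ring_size=64):
    """Simulate one reporting interval.

    arrivals: packets arriving at each tick (constructed sample data).
    Returns what an OS tool would show as CPU, the inspection load, and
    the number of packets dropped because the receive ring was full.
    """
    ring = deque()
    poll_cycles = work_cycles = dropped = 0
    for n in arrivals:
        # NIC side: enqueue arrivals, drop whatever does not fit in the ring.
        for _ in range(n):
            if len(ring) < ring_size:
                ring.append(1)
            else:
                dropped += 1
        # Thread side: it never sleeps, so every cycle of the tick is consumed.
        budget = cycles_per_tick
        while budget >= cost_per_packet and ring:
            ring.popleft()
            budget -= cost_per_packet
            work_cycles += cost_per_packet
        poll_cycles += budget  # leftover cycles are spent polling the NIC
    total = cycles_per_tick * len(arrivals)
    return {
        "os_cpu_pct": 100 * (poll_cycles + work_cycles) // total,
        "inspection_load_pct": 100 * work_cycles // total,
        "dropped": dropped,
    }


def triage(stats, load_warn=80):
    """Read an interval by inspection load and drops, not by OS CPU."""
    if stats["dropped"] > 0:
        return "investigate: packet loss"
    if stats["inspection_load_pct"] >= load_warn:
        return "near capacity"
    return "normal: CPU is polling headroom"


if __name__ == "__main__":
    for name, traffic in (("idle", [0] * 50), ("light", [4] * 50),
                          ("heavy", [9] * 50), ("overload", [20] * 50)):
        s = run_interval(traffic)
        print(name, s, "->", triage(s))
```

In all four runs the OS-level CPU figure is 100%; only the inspection load and the drop counter distinguish an idle sensor from an overloaded one.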

Similar Messages

  • Cisco ips 4270 unequal cpu utilization

    I have 2 Cisco IPS 4270 devices with IOS version 7.0(2)E4. When monitoring through IPS manager, I am able to see 4 CPUs.
    On CPU 1 the utilization is showing near 100 percent. CPU 2 is showing zero or very low utilization. CPU 3 and CPU 4 are showing average utilization, nearly equal to 40 percent.
    I doubt why I am getting zero percent CPU utilization on CPU 2 and 100 percent utilization on CPU 1?
    Can we do a distribution of CPU among the four CPUs?
    Hey cisco folks, please help.

    This was mentioned in a previous post, specifically the reply by Scott Fringer.  Post here:
    https://supportforums.cisco.com/message/3065777#3065777
    In Scott's post, he quoted the E3 engine release notes regarding CPU utilization (highlighting mine):
    The E3 signature engine update contains changes from CSCsu77935
    The resolution of this defect modified the idle time algorithm of the sensor by applying additional CPU to polling of the NICs to decrease the polling interval and reduce latency. This results in the CPU usage being reported higher than in previous releases, including using external tools such as top and ps.
    You can notice this additional CPU load on single-CPU platforms, as well as the primary CPU of multi-core systems. Since the additional CPU load that is reported while polling is actually available to process packets, and reduces as inspection load goes up, it does not negatively affect the overall throughput of the IPS.
    So, what you are seeing should be considered normal, and doesn't need correction.  That is, unless you are seeing packet loss.

  • IPS 4270 with 6509 VSS in Promiscuous mode

    Dear all,
    I am trying to figure out how to configure 2x IPS 4270 in promiscuous mode with Cisco 6509 VSS:
    I have attached the LLD core datacenter design including the IPS physical placement in my network.
    The following points are my concerns in this design:
    Shall I connect each of the IPS 4270s to both VSS Chassis A and B, or keep each IPS connected to a different chassis? (Considering the SPAN port configuration on VSS, and whether I could encounter an asymmetric routing issue or not.)
    Can I use Etherchannel in either case (keep in mind it's promiscuous mode)? That means the destination interface on the VSS will be an Etherchannel interface, but does the Cisco IPS 4270 support Etherchannel while in promiscuous mode?
    I really appreciate your input on this matter guys.
    Cheers
    Mohammed Khair

    Hi,
    1. You can connect each IPS into Chassis A and B; that is not a problem. But while configuring the RSPAN, the monitor from A to B and B to A should monitor both VLANs (I mean RSPAN A and B and also vice versa in your config; then it will give both outputs even if connectivity between the IPS and chassis one fails).
    2. The IPS supports Etherchannel while in promiscuous mode as well.

  • Cisco ips 4270 cpu 100% utilization...

    Hi folks, I have a Cisco IPS 4270 version 7.0(2) E3. When I try to access it through IDM it shows the CPU utilization of cpu1=100% and cpu4=100% but cpu1 and cpu2 are varying. Can anyone please tell me what the solution to this problem is?
    When I try to go to the configuration it gives me the attached error. Document attached, please check.

    Hi,
    Having 100% on some of your CPU is normal on the IPS platform.
    The device is using its idle cycles to prepare for the handling of incoming packets and to reduce the delay it will introduce on their path, so this is expected even under low load.
    If you want to have a better idea of the capacity % of your IPS you are currently using, you should have a look at the Inspection Load value. Looking at the data you provided, you are around 25% at the moment.
    For the rdep timeout message, it seems to be a software issue. Looking closer at the picture you attached, we also see "Analysis Engine Status: Not Responding".
    It is a bit difficult to troubleshoot those on CSC so I would advise you to open a TAC case if you want to know the exact root cause.
    What I would advise is to upgrade to the latest 7(0) code, which I believe is 7.0(5a)E4, since the issue is more than likely fixed in this version.
    If you are looking for a quick fix, a reboot of the IPS should clear this, but the problem will more than likely come back later.
    Regards,
    Nicolas

  • 2 IPS 4270 SETUP FOR PROMISCUOUS MODE

    hi guys,
    I have two IPS 4270s and I want to set them up for promiscuous mode. Please help me with how to set up these two devices. It is the first time for me to set up these devices. Can somebody give me configuration guides on how to start?
    thank you

    Here is configuration guide for IPS version 7.0:
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idmguide7.html
    Hope that helps.

  • Display the power supply status in the IPS 4270

    How to display the status of the power supply on the IPS 4270
    since the IPS has two power supplies and one has failed, I want to check what is causing this failure (I am looking for a message from the CLI describing that the IPS power has failed).

    At this time, there is no method to display the status of the power supply from the CLI or IDM GUI of the IPS-4270.  There is an open enhancement request to have this capability added in a future release of the IPS software.
    Scott

  • IPS 4270 sensors on "Inline-On-A-Stick" Mode

    Hello,
    We are planning to use VLAN pair mode using Ether channel trunks (Inline-on-a-stick), mainly to overcome the lack of 10 GigE interfaces, which would prevent us from adopting a traditional in-line architecture for firewalls with 10 GigE interfaces.
    Do you or your customers have experience with Inline-on-a-stick? Could you please share your advice and any word of caution we need to keep in mind?
    I do know the Bypass can't work in this mode, which we are planning to address by deploying multiple IPS 4270 appliances and Ether Channels.
    Any suggestions are appreciated!
    Thanks,
    Antony

    With VLAN pairs you need to be aware of the "sharing" going on between the two VLANS on the same GigE interface. Each VLAN should be loaded to no more than 50%.
    I would recommend an external VLAN bypass for when the sensor takes a nap, reloads or gets an OS update. I've done this with an alternate path between the two VLANs with a higher Spanning Tree cost. If you play with the SPT parameters you can get the switchover down to under a second.

  • CISCO IPS 4270 rebooting again and again

    Dear Experts,
    We are facing a problem where the Cisco IPS 4270 keeps rebooting; attached are the logs.
    After entering username and password it again goes into a restart cycle.
    Appreciate your help
    Muhammad Nasim

    You should try reimaging your sensor. If that doesn't fix this issue, you need to RMA the unit to Cisco.
    Cisco might just let you RMA the unit as is if you have a contract, but bringing it is faster.
    - Bob

  • IPS-4270 problem with FWSM

    Hi,
    I am facing some strange issue with IPS 4270. As soon as I am connecting one interface of IPS into any free port(default configs) on 7609, after some time FWSM stops forwarding traffic for around 5 to 10 minutes. I have never seen this type of problem before. During the problem I have noticed that MSFC forwards traffic properly to other devices but traffic across FWSM halts for some time.
    FWSM Code: 4.0(1)
    IPS Code: 6.1(2)E3
    FWSM Configs: Multiple Context configured
    IPS Config: Only Interface Pairing configured.
    Would appreciate any feedback on this.
    Regards,
    Akhtar

    I will have to get setup to record more data, but I do know the FWSM showed a ping request and a ping reply at the "inside" interface.
    I believe my problem is related to the IOS command "firewall multiple-vlan-interfaces" which I put in place to allow IPX traffic to be brought around the FWSM. The little documentation that there is for this command, states that policy routing may need to be implemented to prevent ip packets from going around the firewall. I do not have any policy routing in place.
    I also do not have any active layer three interfaces defined for any of the VLANs assigned to the firewall except the "inside" interface. So my reasoning was that I did not need to be concerned about IP packets having a way around the FWSM. My suspicion is that this command and the fact that I have mls on is causing some type of problem which results in the packet being "lost" when it needs to be going through the MSFC in the switch with the active FWSM to get to the PC. Hopefully that makes some sense.
    Do you have any idea where better documentation on using "firewall multiple-vlan-interfaces" may be, or a better explanation of all that is happening inside the switch when that command is used?
    Thanks.

  • IPS 4270 and VSS (Virtual Switch System)

    HI,
    I would like to know whether it is possible to connect just One IPS 4270 to a VSS in etherchannel mode (two IPS interfaces per each 6500 Switch).
    Thanks in advance

    You can re-use the virtual domain ID as long as the two VSS chassis are not directly connecting to each other. Take a look at this link:
    Virtual Domain
    Defining the domain identifier (ID) is the first step in creating a VSS from two physical chassis. A unique domain ID identifies two switches that are intended to be part of the same VSS pair that defines the VSS domain. Assignment of a domain ID allows multiple virtual switch pairs to be connected in a hierarchical manner. Only one VSS pair can participate in a particular domain. The domain ID can have a value ranging from 1 to 255 and must be unique when multiple VSS pairs are connected together. See Figure 2-2.
    Figure 2-2 VSS Domain IDs
    http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Campus/VSS30dg/campusVSS_DG/VSS-dg_ch2.html
    Hope this helps!
    Thank you for rating useful posts!

  • IPS 4270 placement @ Internet Edge

    Given that I have the same topology as shown in Internet Edge Cisco IPS Design Best Practices and am basically inserting a 4270 appliance in INLINE mode.
    Core and Distribution Switch  = Layer-3 routed links
    Distribution Switch and ASA = Layer-2 access port
    I'm wondering how the IPS sensors should be configured. I think I understand the methods below, but since my Core/Distrib links are layer-3, I'm not sure which method is going to work, since most require two VLANs ...
    1. Interface Pairing
    2. VLAN Pairing
    3. VLAN Group
    Does anyone have the same experience?
    Thanks in advance ...
    Gerard

    I have a 4270-20 positioned at the edge of my network.  It sits between the outside of the firewall and our Internet router.  The only problem with this model is that it makes tracking down threats very difficult, as the only thing you will ever see are the NAT'd public IPs for all your traffic.
    To get around this limitation, we created an additional interface in promiscuous mode and we SPAN the traffic on the link between our core switch and the internal interface of our firewall to it.  This gives us complete outside protection and inside visibility.  This is still not an ideal setup and we are in the process of re-architecting our internal traffic so that we can run two in-line pairs on the IPS.  One internal, and one external.
    The best way to go, is having the IPS in the firewall itself, but throughput on firewalls is often a concern, and unfortunately for Cisco, quite a limitation.

  • IPS 4270-20 error codes under the hood 01 and 51

    I have no console access and no mgmt port access... I am trying to get into a spare box we have... I turn it on, and I have no access??? Is there a special or different DB9 cable I need??? Is it possible the console and mgmt ports have been configured to not allow access, or is this unit DEAD? Again, I have two error codes on the LCD display: one reads 01, then flashes 51, and back and forth. Any help? Thanks all.

    If your unit has a serial port, you can connect to it in multiple ways. For more details specific to your model, see the following link (steps 5 and 6):
    http://www.cisco.com/en/US/docs/security/ips/7.0/installation/guide/hw_installing_4240_4255.html
    Regards
    Farrukh

  • How to check environment on IPS 4270

    Hi guys:
    I'm looking for a command like the one I use on a router, SHOW ENVIRONMENT, which shows me the temperature and voltage of the device. I'm trying to see this information on an IPS, but as far as I know, and I have already checked all the commands, I can't find anything similar.
    I don't know if that's possible or not so please help me guys.
    Regards

    As far as I know, such commands are not implemented.

  • MS-7360 (P35 NEO-F) bios ver 1.10 + INTEL Q8400 CPU

    hello
    I can't find the q8400 in the supported CPU list for this mainboard; however, the q8300 CPU is in the list.
    I just need to make sure that the 7360 (1.xx) supports the q8400 CPU. It is really weird: the MB supports almost all quads, but not the q8400.
    Update:
    Is there any way to get the codes of supported processors directly from the MB BIOS?
    I ordered a processor from the store and until tomorrow I need to either pay or cancel my purchase.

    Quote from: Namistai on 20-January-11, 11:25:04
    ok.
    MS-7360 bios ver 1.1A (1.10) supports q8400. Everything fine, thanks. 
    Thanks for reporting back.
     

  • K8T Neo-F (ver. 2.0) Unknown CPU Problem!

    Hi all,
    I've a really big problem with two mainboard K8T NEO-F (MS-6702 VER 2.0). I'm trying to build two pcs with these boards and two AMD Sempron64 2800+ Sock754.
    The problem is that when I turn the system on, immediately after all post messages like SATA controller diagnose, Realtek network boot, checking NVRAM, I get this message:
    "Warning unknow CPU type"
    "System halted"
    Then I can't even reboot pressing CTRL+ALT+DEL or getting into bios setup pressing DEL. The system is frozen and I can't reboot.
    I've tried to flash the BIOS using the recovery feature (CTRL+HOME and floppy disk with BIOS inserted). It starts flashing and then, when I get those four beeps, I reboot and I get the "system halted" message again.
    I saw that the latest bios for K8T NEO Series is NOT for version 2.0 like these two ones that I've got.
    What can I do? Please someone help me...
    Regards,
    Paolo

    Thanks to everyone who replied...
    The mainboard is not a K8T Neo-V, it's a K8T Neo-F v2.0; in fact, on the PCB it's marked exactly MS-6702 VER 2.0.
    I really can't update the BIOS since I can't even boot up my system. The only way to flash the BIOS seems to be trying to find the correct BIOS for this mainboard and flash it through the BIOS recovery procedure (pressing CTRL+HOME during boot).
    Otherwise I have to find some other old CPU that is supported by this mainboard, but this seems quite incredible to me! Also, from my local distributors, new sock754 CPUs are just Sempron64 ...
    Could someone help me find a BIOS update with Sempron64 support for this mainboard?
    Regards,
    Paolo
