IPS interface statistic reset

hi,
How can I reset theinterface statistic on y IPS devices?
Thanks

Most of the interface statistics in "show interface" are MAC level (hardware) statistics and cannot be reset except by rebooting the sensor.
The higher level statistics, such as "show statistics virtual-sensor" can be reset by appending the keyword "clear" to the request. In that case, the current statistics are displayed and then reset internally. The next invocation will show statistics since the "clear". One of the statistics is "Seconds since last reset" and you can use it to verify that your reset is taking place.

Similar Messages

Cisco AP 1310 interface status "reset"

any idea why the ap 1310 send the interface to "reset" state:
Feb 28 18:03:00.820 -0600: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot1
1Radio0, changed state to up
*Feb 28 18:03:19.870 -0600: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state
to down
*Feb 28 18:03:19.917 -0600: %LINK-5-CHANGED: Interface Dot11Radio0, changed stat
e to reset
*Feb 28 18:03:20.873 -0600: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot1
1Radio0, changed state to down
*Feb 28 18:03:23.519 -0600: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio0,
Associated To AP GDL-GDL1-CR001- 001d.a2b0.3910 [None]
*Feb 28 18:03:23.520 -0600: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state
to up

I think it is seems like bug. Upgrade or downgrade the IOS and try.

IPS 4240 : TCP Reset didn't work properly

hello all,
i've created new customer signature to reset for tcp string with testattack.
for testing, i've configured telnet password using testattack on router's line vty.
i've tried to connect to the router with testattack password.
i can see the popup message on the IEV but the telnet session can't disconnect.
i gueess, the telnet sessio shoud be disconnect due to the signature.
how can i configure to accoplish this test?
IPS : Cisco Intrusion Prevention System, Version 5.1(4)S257.0
Decoded Alarm Context on IEV :
Decoded alarm context(signature name='My sig' Evend ID=~~~~
-snip
From attacker : P ANSI testattc
Logg from IPS device Manager :
evIdsAlert: eventId=1177883105267717064 vendor=Cisco severity=high
originator:
hostId: SEIPS
appName: sensorApp
appInstanceId: 347
time: 2007년 4월 29일 (일) 오후 10시 06분 55초 offset=0 timeZone=UTC
signature: description=My Sig id=60000 version=custom
subsigId: 0
sigDetails: My Sig Info
interfaceGroup:
vlan: 0
participants:
attacker:
addr: 192.168.1.100 locality=OUT
port: 2269
target:
addr: 192.168.2.100 locality=OUT
port: 23
actions:
tcpResetSent: true
context:
fromTarget:
000000 FF FB 01 FF FB 03 FF FD 18 FF FD 1F 0D 0A 0D 0A ................
000010 55 73 65 72 20 41 63 63 65 73 73 20 56 65 72 69 User Access Veri
000020 66 69 63 61 74 69 6F 6E 0D 0A 0D 0A 50 61 73 73 fication....Pass
000030 77 6F 72 64 3A 20 FF FA 18 01 FF F0 word: ......
fromAttacker:
000000 FF FD 01 FF FD 03 FF FB 18 FF FB 1F FF FB 1F FF ................
000010 FA 1F 00 50 00 1E FF F0 FF FA 18 00 41 4E 53 49 ...P........ANSI
000020 FF F0 74 65 73 74 61 74 74 61 63 ..testattac
riskRatingValue: 75
interface: ge0_0
protocol: tcp
reagards,
John.

I had this issue when I was preparing for my
CCIE security back in 2006 with IDS version
4.1 so it may or may not apply to your
situation. I was using Cisco IDS 4.1 with
Catalyst 3550s:
RouterA is connected to F0/1 and vlan 4
IDS sensing interface is connected to F0/2
IDS C&C is connected to F0/3 vlan 2
IDS Sensing interface is connected F0/5
RouterX is connected to F0/4 vlan 3
objective: From RouterX, telnet to RouterA.
When prompt for username, type username.
When prompt for password, enter "abcd".
At that time, the IDS will send a tcp reset
to RouterX thus reset the connection.
On the catalyst 3550:
monitor session 1 source vlan 4
monitor session 1 destination interface f0/5 ingress vlan 4
that will do the trick.
what I also found out from my preparation of
the lab is that is that the IDS will send
reset about 80% of the time. It did not work
the other 20% of the time, even though I
clearly saw it sent tcp reset in the IDS
event viewer. I also confirmed this
by running tcpdump on the IDS itself (yes,
with a trick you can do this). I could
not figure out why it behaved this way.
I passed the lab shortly after that so I
never followed up with it. However, if you
see a reset in the IEV but the connection
itself is not reset, probably a bug.

IPS Interface duplex - Half/Full??

i have a IPS 4260, running Version 6.0(5)E2.
I have noticed different duplex on the interface.
My understanding based on the logs below:
The interface below seems to be running in half duplex, but they are configured for full duplex.
-GigabitEthernet2/0
-GigabitEthernet2/3
-GigabitEthernet3/3
Is there any misconfiguration or a problem on my IPS?
extract from "show tech-support" command:
MAC statistics from interface GigabitEthernet2/0
Link Status = Up
Link Speed = 100
Link Duplex = Half
MAC statistics from interface GigabitEthernet2/1
Link Status = Up
Link Speed = 100
Link Duplex = Full
MAC statistics from interface GigabitEthernet2/2
Link Status = Up
Link Speed = 100
Link Duplex = Full
MAC statistics from interface GigabitEthernet2/3
Link Status = Up
Link Speed = 100
Link Duplex = Half
MAC statistics from interface GigabitEthernet3/0
Link Status = Down
Link Speed = N/A
Link Duplex = N/A
MAC statistics from interface GigabitEthernet3/1
Link Status = Down
Link Speed = N/A
Link Duplex = N/A
MAC statistics from interface GigabitEthernet3/2
Link Status = Up
Link Speed = 100
Link Duplex = Full
MAC statistics from interface GigabitEthernet3/3
Link Status = Up
Link Speed = 100
Link Duplex = Half
Oct 29 18:40:04 sensor user.info kernel: e1000: ge2_0 NIC Link is Down
Oct 29 18:40:07 sensor user.info kernel: e1000: ge2_0 NIC Link is Up 100 Mbps Half Duplex
Oct 29 18:40:08 sensor user.info kernel: e1000: ge2_0 NIC Link is Down
Oct 29 18:40:08 sensor user.info kernel: e1000: ge2_1 NIC Link is Down
Oct 29 18:40:15 sensor user.info kernel: e1000: ge2_1 NIC Link is Up 100 Mbps Full Duplex
Oct 29 18:40:37 sensor user.info kernel: e1000: ge2_0 NIC Link is Up 100 Mbps Half Duplex
Oct 29 18:40:37 sensor user.info kernel: e1000: ge2_0 NIC Link is Down
Oct 29 18:40:37 sensor user.info kernel: e1000: ge2_1 NIC Link is Down
Oct 29 18:40:37 sensor user.info kernel: e1000: ge2_1 NIC Link is Up 100 Mbps Full Duplex
Oct 29 18:40:40 sensor user.info kernel: e1000: ge2_0 NIC Link is Up 100 Mbps Half Duplex
Oct 29 18:40:43 sensor user.info kernel: e1000: ge2_0 NIC Link is Down
Oct 29 18:40:43 sensor user.info kernel: e1000: ge2_1 NIC Link is Down
Oct 29 18:40:43 sensor user.info kernel: e1000: ge2_1 NIC Link is Up 100 Mbps Full Duplex
Oct 29 18:40:43 sensor user.debug kernel: Set Affinity to 1
Oct 29 18:42:48 sensor user.info kernel: e1000: ge2_0 NIC Link is Up 100 Mbps Half Duplex
Oct 29 18:42:48 sensor user.info kernel: e1000: ge2_0 NIC Link is Down
Oct 29 18:42:48 sensor user.info kernel: e1000: ge2_1 NIC Link is Down
Oct 29 18:42:48 sensor user.info kernel: e1000: ge2_1 NIC Link is Up 100 Mbps Full Duplex
Oct 29 18:42:49 sensor user.info kernel: e1000: ge2_0 NIC Link is Up 100 Mbps Full Duplex
Oct 29 18:42:49 sensor user.debug kernel: Set Affinity to 1
Oct 29 18:42:49 sensor user.info kernel: e1000: ge2_0 NIC Link is Down
Oct 29 18:43:10 sensor user.info kernel: e1000: ge2_2 NIC Link is Up 100 Mbps Half Duplex
Oct 29 18:43:10 sensor user.info kernel: e1000: ge2_3 NIC Link is Down
Oct 29 18:43:10 sensor user.info kernel: e1000: ge2_2 NIC Link is Down
Oct 29 18:43:10 sensor user.info kernel: e1000: ge2_3 NIC Link is Up 100 Mbps Half Duplex
Physical Config
ID Name Pair Logic Reset Admin Speed Duplex Mode
0 ge0_1 0 0 n/a down Auto Auto Prom
1 ge3_1 2 19 n/a up Auto Auto Pair (HW Bypass)
2 ge3_0 1 19 n/a up Auto Auto Pair (HW Bypass)
3 ge3_3 4 17 n/a up 100 Full Pair
4 ge3_2 3 17 n/a up 100 Full Pair
5 ge2_1 6 18 n/a up 100 Full Pair
6 ge2_0 5 18 n/a up 100 Full Pair
7 ge2_3 8 16 n/a up 100 Full Pair
8 ge2_2 7 16 n/a up 100 Full Pair

Check the interface configuration for Link Duplex configuration as the command "show tech-support" will show the interface parameters as per the configuration done. So the output of this command completely depends on the configuration that has been done and is existing. So when the interface is configured as "full" for link duplex it will show as full and not the other way.

Passive-interface default resets configuration

Hello all,
I would like to run a scenario by you guys and get your input regarding the "passive-interface default" OSPF command. Let's assume I am working on an existing configured OSPF router with the following configuration:
router ospf 1 router-id 10.10.10.1 passive-interface default no passive-interface GigabitEthernet6/1 no passive-interface GigabitEthernet6/2 network 10.10.10.0
If I go and paste the duplicate configuration in as follows what would the expected result be?
router ospf 1 router-id 10.10.10.1 passive-interface default
My thoughts were that there would be no impact to OSPF, routing, or the likes. Unfortunately this is not the case. I have found on my device that when you repaste the "passive-interface default" command in to the config that it actually resets all existing "no passive-interface" commands and enables passive-interface on all interfaces globally.
Router#sh run | sec router ospfrouter ospf 1 router-id 10.10.10.1 passive-interface default no passive-interface GigabitEthernet6/1 no passive-interface GigabitEthernet6/2 network 10.10.10.0Router#config tRouter(config)#router ospf 1Router(config-router)# passive-interface defaultRouter(config-router)#endRouter#sh run | sec router ospfrouter ospf 1 router-id 10.10.10.1 passive-interface default network 10.10.10.0
This is especially bad if you are performing maintenance on the router out of network where your connectivity requires a default route to be learned via OSPF. Has anyone else encountered this or do they feel this behavior to be a bit odd?

Documentation says:
"The default keyword sets all interfaces as passive by default. You can then configure individual interfaces where adjacencies are desired using the nopassive-interface command. The default keyword is useful in Internet service provider (ISP) and large enterprise networks where many of the distribution routers have more than 200 interfaces."
I'm not sure why it doesn't honor the existing no passive-interface commands but maybe it was something in the code that was necessary to put them all passive first.
At least it's good that you tested the behavior so you know what to expect. If you already have passive-interface why would you want to enter it again? If you want to make interfaces passive that were non passive before you could do no no-passive interface x/x.
Daniel Dib
CCIE #37149

Dot11Radio0 Interface in reset/down status

Hi,
I have the next problem.
The interface Dot11radio0 is always in reset / down status.
I can't link both AP.
They both are cisco AIR-AP1252AG-E-K9.
This have been working fine for 18 months, but this week suddenly went down.
I updated yesterday one of the APs to a new version, from the 12.4.10b-JDA3(GD) to the c1250-k9w7-tar.124-25d.JA1.tar but the problem was no fixed.
the other AP has 12.4.21a-JY(ED).
I've changes the role of the APs, the one with was root-bridge changed to non root-bridge and the one with was non root-bridge become root bridge.
Doing this, I changed the status of the interfaces, the AP with had interface dot11radio0 up up, become in reset down, and the AP that previously was in reset down, become in up up.
In the show log I see that the problem is:
Dot11Radio0, cannot associate: Authenticating
Interface Dot11Radio0, cannot associate: No Response
I leave the confs here.
Please, help me.

Hi Surendra,
I'm getting:
The bug ID CSCtc23789ï»¿ does not exist. Please verify the bug ID and try again. If you feel you reached this message in error, please send us
feedback
including the bug ID in question. Thank you.
What's the BugID and I can look it up. I will rate your post!

Cisco 1142AP Autonomous - Radio interface constantly reset and provides crash file

Hello All,
We have 10 Cisco 1142 Access Points currently configured as Autonomous and I'm experiecing very unusual behavior with the 2.4GHz radio interfaces on each of them. The IOS firmware is 15.2.2JB and they're connected to Cisco 2960 PoE switches. I'm not sure what could be causing this problem however it is service impacting and looks bad on me since I don't have a solution for it. One potential fix could be to upgrade the firmware to 15.2.4 but I'm sure if it is a firmware problem. Any advice would help. Here's an excerpt from the AP log:
Aug 18 14:40:16: Writing driver stats to flash:/ap_log_r0_0.log..
Aug 18 14:40:21:
Aug 18 14:40:21: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
Aug 18 14:40:22: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
Aug 18 14:40:23: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
Aug 18 14:40:23: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
Thanks,
Ali Ibrahim

You should be able to go in and view teh R0_0.log file.
there might be something in there that you can do a bug search for.
HTH,
Steve

IPS Interface using SNMP

Hi there,
I am encountering a problem with a number of Cisco IPS 4200 series devices. When we perform a walk using the MIB-II (rfc1213) OID's, the information that is returned is incorrect (interface status, speed, ...)...
After some searching, i found the following on the cisco site for these devices:
The following private MIBs are supported on the sensor:
• CISCO-CIDS-MIB
• CISCO-PROCESS-MIB
• CISCO-ENHANCED-MEMPOOL-MIB
• CISCO-ENTITY-ALARM-MIB
Note MIB II is available on the sensor, but we do not support it. We know that some elements are not correct (for example, the packet counts from the IF MIB on the sensing interfaces). While you can use elements from MIB II, we do not guarantee that they all provide correct information. We fully support the other listed MIBs and their output is correct.
Is there any way that we can correctly read the interface status, speed, etc. I cannot find similar OID's in the supported MIB's.
IPS4240 ver 7.0(4)E4
Thanks

Hi,
Unfortunately, there is currently no way to get the correct interface statistics through SNMP.
An enhancement request has been opened to have parts of MIB-II supported:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsk41177
If this feature is important for you, you can contact your account team so that they can work with the IPS folks to have this feature prioritized for the next software release.
Regards,
Nicolas

IPS interface pairs

hi. i have one switch and configurated 2 vlans. switch connect to ips. ips configurated inline interface pairs mode.
i want to ask. in this application the vlan must be same subnet?
if i have two switch then the vlan must be diffrent sunbet?

I want to know that.
i deploy my ips sensor at interface pair mode.
i have one switch and i configutared 2 vlans (vlan 10 20) at this siwtch.ips connected switch two phisical interface at interface pair mode. do i configurate the vlans different subnet in this application?

IPS Interface Pairs vs. Inline VLAN Pairs

       I've got a Cisco IPS 4240 that needs to be configured inline. Right now I've got an ASA 5525-X with two interfaces (inside and DMZ) plugged into our Catalyst 6500 Switch that need to be monitored by the IPS. I also plugged two interfaces from the IPS into the same Catalyst switch hoping that I could use the inline VLAN pairs to monitor that traffic. I've got several VLANs in our DMZ and LAN that need to be monitored. The problem is that I don't understand how the inline VLAN pairs are supposed to work (Cisco's IPS documentation is almost useless), I've been fighting with it for some time with no success.
     I'm now thinking that it might be a better idea to plug the two interfaces from the ASA directly into the IPS and then create Interface Pairs from the IPS to the switch. My concern with doing this is that I am turning the IPS into a single point of failure, if it goes down everything goes down with it.   Also, will the Interface Pairs work with a 802.1q trunk? Would I then need to create VLAN groups for the trunk? Would using inline VLAN pairs also create a single point of failure?
     Basically, I'd like to know the pros and cons to the Interface Pairs vs. the Inline VLAN pairs. Interface Pairs seems like the easiest and most comprehensive way to go, but if I can avoid the single point of failure with the inline VLAN paris I would like to go that route.

Hello Paul,
I want to go with Inline vlan pair,i don't want to go with interface pairing,as this is request by customer,how i can do it,as i m having a IPS-4240 with 4 gig ports,
I have a doubt that if we create a vlan pair then in each pair 1 be a real vlan and the other should be dummy vlan ???? ( for example vlan 2 and vlan 3 in which vlan 3 is the dummy vlan). Please suggest
If i have a 10 vlan than i will configure the 10 pair of vlan on gig0/0 with real and dummy vlan, but what vlan pair i shld configure on gig0/1 i.e (exit interface to ASA DMZ interface.)
Thanks
Message was edited by: adamgibs7

Laserjet Pro 200 color m251n web interface password reset

In past days I changed ip range in my net and when I needed to set the new ip in my printer I discovered I forgot the web interface password.
My printer have not touch display and for security reason I disable uso of menù from display. now I need to reset it. For my is good reset the printer as factory config. could you help me?best regards

Hey , Welcome to the HP Support Forum. I see that you're locked out of your HP LaserJet Pro 200 color Printer M251n's Embedded Web Server (EWS). I would like to help. There is only one way to remedy this issue. I will private message you the steps to complete a reset that will ideally clear out the password. Note that completing this step will reset your printer's wireless configuration, ePrint address, and other customized printer settings. If you have created a custom @hpeprint.com address it will be permanently erased. For more information on custom ePrint addresses, click here. Let me know if this works out for you. I f I have helped you resolve the issue, feel free to give me a virtual high-five by clicking the 'Thumbs Up' icon below and clicking to accept this solution. Thanks for reaching out. Have a great day!

IOS IPS - Reset Conection

Hi,
IOS IPS was configured to only generate alert. During testing it was observed that the IPS was reset in giving connections.
log below:
*Oct 10 14:30:29: %IPS-6-SEND_TCP_PAK: Sending TCP packet:(X.X.X.X:433)=>(y.y.y.y:63170),tcp flag:0x4, pak:0x2166449C, iso:0x3D5C7160,tcp seq:0x0, tcp ack:0x0, tcp_window:8192, ip_checksum:0x44B8, Serial0/0/0.1,feat_flags:0x10000, fast_path(no)
Some time ago cisco identified a bug in earlier versions. After opening some TAC, suggested upgrading the IOS and subscription packages.
Cisco recommendation below:
IOS Version : c2900-universalk9-mz.SPA.153-3.M.bin
Packet sig: OS-S744-CLI.pkg
Configuration Cisco Router
ip ips config location flash:ips retries 1
ip ips notify SDEE
ip ips name iosips
ip ips signature-category
category all
   retired true
category ios_ips basic
   retired false
   event-action produce-alert
Could anyone tell how to solve this problem?
BestRegards
Rodolfo Navero

But it will make the warnings go away, right?
but still see the reset command sh ip ips statics.
It seems the problem is in the subsystem of the feature.
I used up the hidden command on the router, but not solved the problem.
csdb tcp reassembly max-queue-length
Interfaces configured for ips 1
Session creations since subsystem startup or last reset 240
Current session counts (estab/half-open/terminating) [7:17:0]
Maxever session counts (estab/half-open/terminating) [10:59:1]
Last session created 00:00:01
Last statistic reset 00:04:15
TCP reassembly statistics
Out-of-order packets dropped 0
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
I performed some tests.
When I make disable all signatures, presents no reset.
However when I enable a single signature, the reset continues.
I believe Cisco has a bug in the compilation of feature
sh ip ips statistics
Interfaces configured for ips 1
Session creations since subsystem startup or last reset 0
Current session counts (estab/half-open/terminating) [4:3:0]
Maxever session counts (estab/half-open/terminating) [4:3:0]
Last session created 00:23:36
Last statistic reset 00:15:40
TCP reassembly statistics
Out-of-order packets dropped 0
Regards
Rodolfo Navero

3G interface resets but signal looks good

Hi All,
can anyone explain what this means.I have enabled the following debugs. everytime I look at it there is no issue with the signal. But my guess is the router interface is resetting due to the signal. Can anyone explain if its due to 3G signalling
Router 881G
CELLULAR:
DATA debugging is on
DM debugging is on
ASYNC debugging is on
RDM debugging is on
CALLBACK debugging is on
PPP:
PPP authentication debugging is on
PPP protocol errors debugging is on
PPP protocol negotiation debugging is on
BAP:
BAP negotiation debugging is on
BAP error debugging is on
3688676: Mar 29 08:48:33.641 BRU: Ce0 PPP: Outbound ip packet dropped, line protocol not up
3688677: Mar 29 08:48:33.641 BRU: Ce0 PPP: Outbound ip packet dropped, line protocol not up
3688678: Mar 29 08:48:33.641 BRU: Ce0 PPP: Outbound ip packet dropped, line protocol not up
3688679: Mar 29 08:48:33.641 BRU: Ce0 PPP: Outbound ip packet dropped,
3688700: Mar 29 08:48:36.749 BRU: new DSR value received, 1
3688701: Mar 29 08:48:36.749 BRU: old value: handshakes->DSR= 1
3688702: Mar 29 08:48:38.741 BRU: %LINK-3-UPDOWN: Interface Cellular0, changed state to down
3688703: Mar 29 08:48:38.741 BRU: Ce0 PPP: Sending cstate DOWN notification
3688704: Mar 29 08:48:38.745 BRU: Ce0 PPP: Processing CstateDown message
3688705: Mar 29 08:48:49.326 BRU: new DSR value received, 1
3688706: Mar 29 08:48:49.326 BRU: old value: handshakes->DSR= 1
3688707: Mar 29 08:48:49.758 BRU: new DSR value received, 1
3688708: Mar 29 08:48:49.758 BRU: old value: handshakes->DSR= 1
3688709: Mar 29 08:48:56.582 BRU: %LINK-3-UPDOWN: Interface Cellular0, changed state to up
3688710: Mar 29 08:48:56.590 BRU: %DIALER-6-BIND: Interface Ce0 bound to profile Di1
3688711: Mar 29 08:48:56.590 BRU: Ce0 PPP: Sending cstate UP notification
3688712: Mar 29 08:48:56.594 BRU: Ce0 PPP: Processing CstateUp message
Cellular0 is up, line protocol is up
Hardware is 3G Modem-HSPA/UMTS/EDGE/GPRS-850/900/1800/1900/2100MHz / Global
Description: [cewan-phy]
MTU 1500 bytes, BW 5760 Kbit/sec, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, LCP Open
Open: IPCP, loopback not set
Keepalive not supported
Interface is bound to Di1 (Encapsulation PPP)
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters 2d03h
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: Class-based queueing
Output queue: 0/1000/0 (size/max total/drops)
30 second input rate 0 bits/sec, 0 packets/sec
30 second output rate 0 bits/sec, 0 packets/sec
     53671 packets input, 15696493 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     62119 packets output, 13733542 bytes, 0 underruns
     0 output errors, 0 collisions, 5 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
     DCD=up DSR=up DTR=up RTS=up CTS=up
Hardware Information
====================
Modem Firmware Version = K2_0_7_19AP C:/WS/F
Modem Firmware built = 10/26/09
Hardware Version = 1.0
International Mobile Subscriber Identity (IMSI) = 206012210378433
International Mobile Equipment Identity (IMEI) = 359109030082750
Integrated Circuit Card ID (ICCID) = 8932002100084586363
Mobile Subscriber International Subscriber
IDentity Number (MSISDN) =
Factory Serial Number (FSN) = D57138003301002
Modem Status = Online
Current Modem Temperature = 46 deg C, State = Normal
PRI SKU ID = 9993165, SKU Rev. = 1.0
Profile Information
====================
Profile password Encryption level: 7
Profile 1 = ACTIVE*
PDP Type = IPv4
PDP address = <ip address masked>
Access Point Name (APN) = internet.proximus.be
Authentication = None
Username: , Password: 02
* - Default profile
Data Connection Information
===========================
Data Transmitted = 10775742 bytes, Received = 12294276 bytes
Profile 1, Packet Session Status = ACTIVE
        IP address = <ip address masked>
Profile 2, Packet Session Status = INACTIVE
        Inactivity Reason = Normal inactivate state
Profile 3, Packet Session Status = INACTIVE
        Inactivity Reason = Normal inactivate state
Profile 4, Packet Session Status = INACTIVE
        Inactivity Reason = Normal inactivate state
Profile 5, Packet Session Status = INACTIVE
        Inactivity Reason = Normal inactivate state
Profile 6, Packet Session Status = INACTIVE
        Inactivity Reason = Normal inactivate state
Profile 7, Packet Session Status = INACTIVE
        Inactivity Reason = Normal inactivate state
Profile 8, Packet Session Status = INACTIVE
        Inactivity Reason = Normal inactivate state
Profile 9, Packet Session Status = INACTIVE
        Inactivity Reason = Normal inactivate state
Profile 10, Packet Session Status = INACTIVE
        Inactivity Reason = Normal inactivate state
Profile 11, Packet Session Status = INACTIVE
        Inactivity Reason = Normal inactivate state
Profile 12, Packet Session Status = INACTIVE
        Inactivity Reason = Normal inactivate state
Profile 13, Packet Session Status = INACTIVE
        Inactivity Reason = Normal inactivate state
Profile 14, Packet Session Status = INACTIVE
        Inactivity Reason = Normal inactivate state
Profile 15, Packet Session Status = INACTIVE
        Inactivity Reason = Normal inactivate state
Profile 16, Packet Session Status = INACTIVE
        Inactivity Reason = Normal inactivate state
Network Information
===================
Current Service Status = Normal, Service Error = None
Current Service = Combined
Packet Service = HSPA (Attached)
Packet Session Status = Active
Current Roaming Status = Home
Network Selection Mode = Automatic
Country = BEL, Network = PROXI
Mobile Country Code (MCC) = 206
Mobile Network Code (MNC) = 1
Location Area Code (LAC) = 2603
Routing Area Code (RAC) = 208
Cell ID = 20324
Primary Scrambling Code = 466
PLMN Selection = Automatic
Registered PLMN = BEL PROXIMUS , Abbreviated = PROXI
Service Provider =
Radio Information
=================
Radio power mode = ON
Current Band = WCDMA 2100, Channel Number = 10588
Current RSSI = -84 dBm
Band Selected = Auto
Number of nearby cells = 1
Cell 1
        Primary Scrambling Code = 0x1D2
        RSCP = -84 dBm, ECIO = -2 dBm
Modem Security Information
==========================
Card Holder Verification (CHV1) = Disabled
SIM Status = OK
SIM User Operation Required = None
Number of Retries remaining = 3

Hi Marco,
    Connection goes down intermittently and it stays up for very long time, more than a day some time or some time certain no of hours. I am not running any ping. I am not sure about the timing it takes between IPCP is completed ("IPCP: State is Open") and the link is closed ("I TERMREQ").
IOS c880data-universalk9-mz.151-1.T1.bin
Model 881G
One of my friend said there is a bug on 881G router IOS not sure about it though, but he hasnt seen my debug output.
This is the bug he was saying but I am not sure if mine is related to that as my CHAT script dont seem to be time out.
Problem Code: Error Messages, Logs, Debugs Software Version: C880DATA-universalk9-mz.151-2. Problem Details: Customer is running traffic over the 3card in a 881G. It fails however I can see from "show cell 0 all" that the modem has 3G coverage and a good signal as the RSSI is good. However the chat script continues to timeout. The configuration has not changed and it has worked and fails intermi
Thanks in Advance for your help
I have attached the debug of the CHAT script when the link goes down and come back.
3706575: Apr 1 08:51:03.995 BRU: Ce0 PPP: Outbound ip packet dropped, line protocol not up
3706576: Apr 1 08:51:03.995 BRU: Ce0 PPP: Outbound ip packet dropped, line protocol not up
3706577: Apr 1 08:51:03.995 BRU: Ce0 PPP: Outbound ip packet dropped, line protocol not up
3706578: Apr 1 08:51:03.995 BRU: Ce0 PPP: Outbound ip packet dropped, line protocol not up
3706579: Apr 1 08:51:03.999 BRU: Ce0 PPP: No remote authentication for call-out
3706580: Apr 1 08:51:03.999 BRU: Ce0 LCP: Event[Timeout-] State[Closing to Closed]
3706581: Apr 1 08:51:03.999 BRU: Ce0 LCP: Event[DOWN] State[Closed to Initial]
3706582: Apr 1 08:51:03.999 BRU: Ce0 PPP: Phase is DOWN
3706583: Apr 1 08:51:04.007 BRU: %LINEPROTO-5-UPDOWN: Line protocol on Interface Cellular0, changed state to down
3706584: Apr 1 08:51:06.007 BRU: %LINK-5-CHANGED: Interface Cellular0, changed state to reset
3706585: Apr 1 08:51:06.011 BRU: Ce0 DDR: has total 0 call(s), dial_out 0, dial_in 0
3706586: Apr 1 08:51:06.011 BRU: %DIALER-6-UNBIND: Interface Ce0 unbound from profile Di1
3706587: Apr 1 08:51:06.011 BRU: Ce0 PPP: Sending cstate DOWN notification
3706588: Apr 1 08:51:06.011 BRU: Ce0 PPP: Processing CstateDown message
3706589: Apr 1 08:51:06.015 BRU: Di1 DDR: No free dialer - starting fast idle timer
3706590: Apr 1 08:51:07.015 BRU: Di1 DDR: No free dialer - starting fast idle timer
3706591: Apr 1 08:51:08.015 BRU: Di1 DDR: No free dialer - starting fast idle timer
3706592: Apr 1 08:51:09.083 BRU: Di1 DDR: No free dialer - starting fast idle timer
3706593: Apr 1 08:51:10.083 BRU: Di1 DDR: No free dialer - starting fast idle timer
3706594: Apr 1 08:51:11.083 BRU: %LINK-3-UPDOWN: Interface Cellular0, changed state to down
3706595: Apr 1 08:51:11.083 BRU: Ce0 PPP: Sending cstate DOWN notification
3706596: Apr 1 08:51:11.083 BRU: Di1 DDR: No free dialer - starting fast idle timer
3706597: Apr 1 08:51:11.087 BRU: Ce0 PPP: Processing CstateDown message
3706598: Apr 1 08:51:12.083 BRU: Di1 DDR: No free dialer - starting fast idle timer
3706599: Apr 1 08:51:13.083 BRU: Di1 DDR: No free dialer - starting fast idle timer
3706600: Apr 1 08:51:14.083 BRU: Di1 DDR: No free dialer - starting fast idle timer
3706601: Apr 1 08:51:15.083 BRU: Di1 DDR: No free dialer - starting fast idle timer
3706602: Apr 1 08:51:16.083 BRU: Di1 DDR: No free dialer - starting fast idle timer
3706603: Apr 1 08:51:17.083 BRU: Di1 DDR: No free dialer - starting fast idle timer
3706604: Apr 1 08:51:18.083 BRU: Di1 DDR: No free dialer - starting fast idle timer
3706605: Apr 1 08:51:19.083 BRU: Di1 DDR: No free dialer - starting fast idle timer
3706606: Apr 1 08:51:20.083 BRU: Di1 DDR: No free dialer - starting fast idle timer
3706607: Apr 1 08:51:21.011 BRU: Ce0 DDR: re-enable timeout
3706608: Apr 1 08:51:21.083 BRU: Ce0 DDR: rotor dialout [best] least recent failure is also most recent failure
3706609: Apr 1 08:51:21.083 BRU: Ce0 DDR: rotor dialout [best] also has most recent failure
3706610: Apr 1 08:51:21.083 BRU: Ce0 DDR: rotor dialout [best]
3706611: Apr 1 08:51:21.083 BRU: Di1 DDR: Nailing up the Dialer profile [attempt 16]
3706612: Apr 1 08:51:21.083 BRU: Di1 DDR: Dialer dialing - persistent dialer profile
3706613: Apr 1 08:51:21.083 BRU: Ce0 DDR: Dialing cause Persistent Dialer Profile
3706614: Apr 1 08:51:21.083 BRU: Ce0 DDR: Attempting to dial cellprofile1
3706615: Apr 1 08:51:21.083 BRU: CHAT3: Attempting async line dialer script
3706616: Apr 1 08:51:21.083 BRU: CHAT3: Dialing using Modem script: cellprofile1 & System script: none
3706617: Apr 1 08:51:21.083 BRU: CHAT3: process started
3706618: Apr 1 08:51:21.083 BRU: CHAT3: Asserting DTR
3706619: Apr 1 08:51:21.087 BRU: CHAT3: Chat script cellprofile1 started
3706620: Apr 1 08:51:21.087 BRU: CHAT3: Sending string: ATDT*99***1#
3706621: Apr 1 08:51:21.087 BRU: CHAT3: Expecting string: CONNECT
3706622: Apr 1 08:51:21.091 BRU: CHAT3: Completed match for expect: CONNECT
3706623: Apr 1 08:51:21.091 BRU: CHAT3: Chat script cellprofile1 finished, status = Success
3706624: Apr 1 08:51:23.171 BRU: %LINK-3-UPDOWN: Interface Cellular0, changed state to up
3706625: Apr 1 08:51:23.171 BRU: Ce0 DDR: Dialer statechange to up
3706626: Apr 1 08:51:23.175 BRU: %DIALER-6-BIND: Interface Ce0 bound to profile Di1
3706627: Apr 1 08:51:23.175 BRU: Ce0 DDR: Dialer call has been placed
3706628: Apr 1 08:51:23.175 BRU: Ce0 PPP: Sending cstate UP notification
3706629: Apr 1 08:51:23.179 BRU: Ce0 PPP: Processing CstateUp message
3706630: Apr 1 08:51:23.183 BRU: PPP: Alloc Context [852C2C68]
3706631: Apr 1 08:51:23.183 BRU: ppp23 PPP: Phase is ESTABLISHING
3706632: Apr 1 08:51:23.183 BRU: Ce0 PPP: Using dialer call direction
3706633: Apr 1 08:51:23.183 BRU: Ce0 PPP: Treating connection as a callout
3706634: Apr 1 08:51:23.183 BRU: Ce0 PPP: Session handle[AE000017] Session id[23]
3706635: Apr 1 08:51:23.183 BRU: Ce0 LCP: Event[OPEN] State[Initial to Starting]
3706636: Apr 1 08:51:23.183 BRU: Ce0 PPP: No remote authentication for call-out
3706637: Apr 1 08:51:23.183 BRU: Ce0 LCP: O CONFREQ [Starting] id 1 len 20
3706638: Apr 1 08:51:23.183 BRU: Ce0 LCP:    ACCM 0x000A0000 (0x0206000A0000)
3706639: Apr 1 08:51:23.183 BRU: Ce0 LCP:    MagicNumber 0xE74DCDE6 (0x0506E74DCDE6)
3706640: Apr 1 08:51:23.183 BRU: Ce0 LCP:    PFC (0x0702)
3706641: Apr 1 08:51:23.183 BRU: Ce0 LCP:    ACFC (0x0802)
3706642: Apr 1 08:51:23.183 BRU: Ce0 LCP: Event[UP] State[Starting to REQsent]
3706643: Apr 1 08:51:23.191 BRU: Ce0 LCP: I CONFREQ [REQsent] id 7 len 25
3706644: Apr 1 08:51:23.191 BRU: Ce0 LCP:    ACCM 0x00000000 (0x020600000000)
3706645: Apr 1 08:51:23.191 BRU: Ce0 LCP:    AuthProto CHAP (0x0305C22305)
3706646: Apr 1 08:51:23.191 BRU: Ce0 LCP:    MagicNumber 0x813CA39C (0x0506813CA39C)
3706647: Apr 1 08:51:23.191 BRU: Ce0 LCP:    PFC (0x0702)
3706648: Apr 1 08:51:23.191 BRU: Ce0 LCP:    ACFC (0x0802)
3706649: Apr 1 08:51:23.191 BRU: Ce0 LCP: O CONFACK [REQsent] id 7 len 25
3706650: Apr 1 08:51:23.191 BRU: Ce0 LCP:    ACCM 0x00000000 (0x020600000000)
3706651: Apr 1 08:51:23.191 BRU: Ce0 LCP:    AuthProto CHAP (0x0305C22305)
3706652: Apr 1 08:51:23.191 BRU: Ce0 LCP:    MagicNumber 0x813CA39C (0x0506813CA39C)
3706653: Apr 1 08:51:23.191 BRU: Ce0 LCP:    PFC (0x0702)
3706654: Apr 1 08:51:23.191 BRU: Ce0 LCP:    ACFC (0x0802)
3706655: Apr 1 08:51:23.191 BRU: Ce0 LCP: Event[Receive ConfReq+] State[REQsent to ACKsent]
3706656: Apr 1 08:51:23.191 BRU: Ce0 LCP: I CONFACK [ACKsent] id 1 len 20
3706657: Apr 1 08:51:23.191 BRU: Ce0 LCP:    ACCM 0x000A0000 (0x0206000A0000)
3706658: Apr 1 08:51:23.191 BRU: Ce0 LCP:    MagicNumber 0xE74DCDE6 (0x0506E74DCDE6)
3706659: Apr 1 08:51:23.191 BRU: Ce0 LCP:    PFC (0x0702)
3706660: Apr 1 08:51:23.191 BRU: Ce0 LCP:    ACFC (0x0802)
3706661: Apr 1 08:51:23.191 BRU: Ce0 LCP: Event[Receive ConfAck] State[ACKsent to Open]
3706662: Apr 1 08:51:23.199 BRU: Ce0 PPP: Queue CHAP code[1] id[1]
3706663: Apr 1 08:51:23.211 BRU: Ce0 PPP: Phase is AUTHENTICATING, by the peer
3706664: Apr 1 08:51:23.211 BRU: Ce0 CHAP: Redirect packet to Ce0
3706665: Apr 1 08:51:23.211 BRU: Ce0 CHAP: I CHALLENGE id 1 len 35 from "UMTS_CHAP_SRVR"
3706666: Apr 1 08:51:23.211 BRU: Ce0 PPP: Sent CHAP SENDAUTH Request
3706667: Apr 1 08:51:23.211 BRU: Ce0 LCP: State is Open
3706668: Apr 1 08:51:23.211 BRU: Ce0 PPP: Received SENDAUTH Response FAIL
3706669: Apr 1 08:51:23.211 BRU: Ce0 CHAP: Using hostname from interface CHAP
3706670: Apr 1 08:51:23.211 BRU: Ce0 CHAP: Using password from interface CHAP
3706671: Apr 1 08:51:23.211 BRU: Ce0 CHAP: O RESPONSE id 1 len 41 from
3706672: Apr 1 08:51:23.219 BRU: Ce0 CHAP: I SUCCESS id 1 len 4
3706673: Apr 1 08:51:23.219 BRU: Ce0 PPP: Phase is FORWARDING, Attempting Forward
3706674: Apr 1 08:51:23.223 BRU: Ce0 PPP: Phase is ESTABLISHING, Finish LCP
3706675: Apr 1 08:51:23.223 BRU: Ce0 PPP: Phase is UP
3706676: Apr 1 08:51:23.223 BRU: Ce0 IPCP: Protocol configured, start CP. state[Initial]
3706677: Apr 1 08:51:23.223 BRU: Ce0 IPCP: Event[OPEN] State[Initial to Starting]
3706678: Apr 1 08:51:23.223 BRU: Ce0 IPCP: O CONFREQ [Starting] id 1 len 22
3706679: Apr 1 08:51:23.223 BRU: Ce0 IPCP:    Address 0.0.0.0 (0x030600000000)
3706680: Apr 1 08:51:23.223 BRU: Ce0 IPCP:    PrimaryDNS 0.0.0.0 (0x810600000000)
3706681: Apr 1 08:51:23.223 BRU: Ce0 IPCP:    SecondaryDNS 0.0.0.0 (0x830600000000)
3706682: Apr 1 08:51:23.223 BRU: Ce0 IPCP: Event[UP] State[Starting to REQsent]
3706683: Apr 1 08:51:23.227 BRU: %LINEPROTO-5-UPDOWN: Line protocol on Interface Cellular0, changed state to up
3706684: Apr 1 08:51:24.223 BRU: Ce0 IPCP: I CONFNAK [REQsent] id 1 len 16
3706685: Apr 1 08:51:24.223 BRU: Ce0 IPCP:    PrimaryDNS (0x81060A0B0C0D)
3706686: Apr 1 08:51:24.223 BRU: Ce0 IPCP:    SecondaryDNS (0x83060A0B0C0E)
3706687: Apr 1 08:51:24.223 BRU: Ce0 IPCP: O CONFREQ [REQsent] id 2 len 22
3706688: Apr 1 08:51:24.223 BRU: Ce0 IPCP:    Address 0.0.0.0 (0x030600000000)
3706689: Apr 1 08:51:24.227 BRU: Ce0 IPCP:    PrimaryDNS (0x81060A0B0C0D)
3706690: Apr 1 08:51:24.227 BRU: Ce0 IPCP:    SecondaryDNS (0x83060A0B0C0E)
3706691: Apr 1 08:51:24.227 BRU: Ce0 IPCP: Event[Receive ConfNak/Rej] State[REQsent to REQsent]
3706692: Apr 1 08:51:25.231 BRU: Ce0 IPCP: I CONFNAK [REQsent] id 2 len 16
3706693: Apr 1 08:51:25.231 BRU: Ce0 IPCP:    PrimaryDNS (0x81060A0B0C0D)
3706694: Apr 1 08:51:25.231 BRU: Ce0 IPCP:    SecondaryDNS (0x83060A0B0C0E)
3706695: Apr 1 08:51:25.231 BRU: Ce0 IPCP: O CONFREQ [REQsent] id 3 len 22
3706696: Apr 1 08:51:25.231 BRU: Ce0 IPCP:    Address 0.0.0.0 (0x030600000000)
3706697: Apr 1 08:51:25.231 BRU: Ce0 IPCP:    PrimaryDNS (0x81060A0B0C0D)
3706698: Apr 1 08:51:25.231 BRU: Ce0 IPCP:    SecondaryDNS (0x83060A0B0C0E)
3706699: Apr 1 08:51:25.231 BRU: Ce0 IPCP: Event[Receive ConfNak/Rej] State[REQsent to REQsent]
3706700: Apr 1 08:51:25.423 BRU: Ce0 IPCP: I CONFREQ [REQsent] id 2 len 4
3706701: Apr 1 08:51:25.423 BRU: Ce0 IPCP AUTHOR: Done. Her address 0.0.0.0, we want 0.0.0.0
3706702: Apr 1 08:51:25.423 BRU: Ce0 IPCP: O CONFACK [REQsent] id 2 len 4
3706703: Apr 1 08:51:25.427 BRU: Ce0 IPCP: Event[Receive ConfReq+] State[REQsent to ACKsent]
3706704: Apr 1 08:51:25.427 BRU: Ce0 IPCP: I CONFNAK [ACKsent] id 3 len 22
3706705: Apr 1 08:51:25.427 BRU: Ce0 IPCP:    Address (0x0306B2904FF3)
3706706: Apr 1 08:51:25.427 BRU: Ce0 IPCP:    PrimaryDNS (0x810651A93C6B)
3706707: Apr 1 08:51:25.427 BRU: Ce0 IPCP:    SecondaryDNS (0x830651A93C6B)
3706708: Apr 1 08:51:25.427 BRU: Ce0 IPCP: O CONFREQ [ACKsent] id 4 len 22
3706709: Apr 1 08:51:25.427 BRU: Ce0 IPCP:    Address (0x0306B2904FF3)
3706710: Apr 1 08:51:25.427 BRU: Ce0 IPCP:    PrimaryDNS (0x810651A93C6B)
3706711: Apr 1 08:51:25.427 BRU: Ce0 IPCP:    SecondaryDNS (0x830651A93C6B)
3706712: Apr 1 08:51:25.427 BRU: Ce0 IPCP: Event[Receive ConfNak/Rej] State[ACKsent to ACKsent]
3706713: Apr 1 08:51:25.443 BRU: Ce0 IPCP: I CONFACK [ACKsent] id 4 len 22
3706714: Apr 1 08:51:25.475 BRU: Ce0 IPCP:    Address (0x0306B2904FF3)
3706715: Apr 1 08:51:25.475 BRU: Ce0 IPCP:    PrimaryDNS (0x810651A93C6B)
3706716: Apr 1 08:51:25.475 BRU: Ce0 IPCP:    SecondaryDNS (0x830651A93C6B)
3706717: Apr 1 08:51:25.475 BRU: Ce0 IPCP: Event[Receive ConfAck] State[ACKsent to Open]
3706718: Apr 1 08:51:25.475 BRU: Ce0 IPCP: State is Open
3706719: Apr 1 08:51:25.475 BRU: Di1 IPCP: Install negotiated IP interface address
3706720: Apr 1 08:51:25.479 BRU: Ce0 DDR: dialer protocol up
3706721: Apr 1 08:51:25.479 BRU: Di1 DDR: Persistent Dialer Profile nailed up successfully
Cheers
Raj

IPS 1304 & IPS-6-OOO_FULL

Hello - I am seeing a whole bunch of the below messages in my logs. Can anyone tell my why this is happening and how I can resolve the issue. I have tried tunning the setting below with no luck.
Dec 16 08:55:47.195 WA: %IPS-4-SIGNATURE: Sig:1304 Subsig:0 Sev:25 TCP Session Packet Queue Overflow [23.59.190.106:80 -> 10.0.1.215:54067] VRF:NONE RiskRating:25
Dec 16 09:05:45.212 WA: %IPS-6-OOO_FULL: Out-of-Order reached its maximum queue size! Drop this packet
Cisco IOS Software, C800 Software (C800-UNIVERSALK9-M), Version 15.3(2)T, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Thu 28-Mar-13 13:45 by prod_rel_team
ROM: System Bootstrap, Version 15.1(4r)M, RELEASE SOFTWARE (fc1)
parameter-map type ooo global
tcp reassembly timeout 60
tcp reassembly queue length 1024
tcp reassembly memory limit 256000
Signature statistics [process switch:fast switch]
signature 6009:0: packets checked [0:8160] alarmed [0:0] dropped [0:0]
signature 1304:0: packets checked [0:4474] alarmed [0:3544] dropped [0:0]
signature 3653:0: packets checked [0:3] alarmed [0:0] dropped [0:0]
Interfaces configured for ips 1
Session creations since subsystem startup or last reset 5752
Current session counts (estab/half-open/terminating) [22:0:0]
Maxever session counts (estab/half-open/terminating) [179:68:7]
Last session created 00:00:18
Last statistic reset 15:09:08
TCP reassembly statistics
Out-of-order packets dropped 4474
Thanks -
gm

Your post is quite old now. I have the same problem with a router I am using in a lab. Did you a find a solution for this problem? I assume you may :-)
Thanks

IPS + CBAC problem

Hi guys,
I've got a strange problem here - I activated IOS IPS on both internal and external interfaces in incoming direction and also had to run CBAC on the incoming direction of the external interface. The result of all these things is that the IPS is counting connections from the internal network and it's overwriting for some reason the statistics generated by CBAC, no matter that CBAC is enabled only on the external interface in incoming direction. I'm using 1812 router with 12.4(2)XA IOS. Searched for bugs in the Bug Toolkit, nothing showed up. Here are the outputs:
interface FastEthernet0
description WAN
bandwidth 6000
ip address xxx
ip access-group 102 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip nat outside
ip inspect Web in
ip ips IPS in
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
duplex auto
speed auto
service-policy output TrafficPolicy-OUT
end
interface Vlan1
description LAN
bandwidth 6000
ip address xxx
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow egress
ip nat inside
ip ips IPS in
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
service-policy output TrafficPolicy-IN
end
ip inspect name Web http alert on audit-trail off
sh ip inspect statistics
Packet inspection statistics [process switch:fast switch]
tcp packets: [1315:117238]
udp packets: [4681:36103]
packets: [12:54]
packets: [4747:119509]
http packets: [0:829]
Interfaces configured for inspection 1
Session creations since subsystem startup or last reset 5024
Current session counts (estab/half-open/terminating) [739:78:0]
Maxever session counts (estab/half-open/terminating) [815:96:8]
Last session created 00:00:00
Last statistic reset 00:10:08
Last session creation rate 487
Last half-open session total 78
sh ip ips statistics
Signature statistics [process switch:fast switch]
signature 3050:0 packets checked: [4:0]
signature 3173:0 packets checked: [18:0]
signature 5477:2 packets checked: [0:3]
signature 6253:0 packets checked: [0:159]
signature 6064:0 packets checked: [1:0]
signature 6056:0 packets checked: [1:0]
signature 5170:1 packets checked: [0:11]
signature 5322:1 packets checked: [0:2013]
signature 4620:0 packets checked: [0:339822]
signature 2157:1 packets checked: [1:37077]
signature 2157:0 packets checked: [0:2]
signature 1102:0 packets checked: [50:0]
Interfaces configured for ips 2
Session creations since subsystem startup or last reset 5153
Current session counts (estab/half-open/terminating) [744:72:0]
Maxever session counts (estab/half-open/terminating) [815:96:8]
Last session created 00:00:00
Last statistic reset 00:10:26
Any idea about that? I'm pretty sure it's a bug but still can't prove it. As you can see I'm monitoring only http traffic entering the internal network with CBAC (they have a single web server which for sure cannot handle that much connections). I'll be glad if you can help but anyway if we can't find the truth behind this I'll simply disable the IPS on the internal interface and I think I'll get statistics pretty closer to the reality (I need them to tune CBAC TCP Intercept values). Besides that it's pretty nasty that you can't see separate statistics for each interface but anyway - I can live with that if I manage to get accurate statistics with limited security in that case. Thanks in advance!
Best Regards,
Stefan

Latest update: I found a bug for IPS 5.0 which I think is related to my problem, but I'm using IPS v4 signatures cause I need something like 12.4(15)T for IPS 5.0 signatures so I'm not sure that's my case.
Headline IPS5.0 : Signature statistics not displayed correctly
Product IOS
Feature OTHERS Components Duplicate of
Severity 3 Severity help Status Resolved Status help
First Found-in Version 12.4(10.8)T01 All affected versions First Fixed-in Version 12.4(12.15)T Version help
Release Notes
Symptoms:
This is a CLI display bug
Conditions:
idConf/IPS 5.0 is configured on the IOS router
Workaround:
None
Further Problem Description:
None
First thing that disturbs me - it's for 5.0, second thing - sounds like IPS statistics are not correct and in my case we are talking about CBAC statistics. Any idea?

IPS interface statistic reset

Similar Messages

Maybe you are looking for