Cisco Systems IPS4520K9 Network Router User Manual


 
Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1
OL-24002-01
Appendix E Troubleshooting
Troubleshooting the Appliance
TCP Reset Not Occurring for a Signature
If you do not have the event action set to reset, the TCP reset does not occur for a specific signature.
Note
TCP Resets are not supported over MPLS links or the following tunnels: GRE, IPv4 in IPv4, IPv6 in IPv4, or IPv4 in IPv6.
To troubleshoot a reset not occurring for a specific signature, follow these steps:
Step 1
Log in to the CLI.
Step 2
Make sure the event action is set to TCP reset.
sensor# configure terminal
sensor(config)# service signature-definition sig0
sensor(config-sig)# signatures 1000 0
sensor(config-sig-sig)# engine atomic-ip
sensor(config-sig-sig-ato)# event-action reset-tcp-connection|produce-alert
sensor(config-sig-sig-ato)# show settings
atomic-ip
-----------------------------------------------
   event-action: produce-alert|reset-tcp-connection default: produce-alert
   fragment-status: any <defaulted>
   specify-l4-protocol
   -----------------------------------------------
      no
      -----------------------------------------------
      -----------------------------------------------
   -----------------------------------------------
   specify-ip-payload-length
   -----------------------------------------------
      no
      -----------------------------------------------
      -----------------------------------------------
   -----------------------------------------------
   specify-ip-header-length
   -----------------------------------------------
      no
      -----------------------------------------------
      -----------------------------------------------
   -----------------------------------------------
   specify-ip-tos
   -----------------------------------------------
--MORE--
Step 3
Exit signature definition submode.
sensor(config-sig-sig-ato)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes:?[yes]:
Step 4
Press Enter to apply the changes or type no to discard them.
Step 5
Make sure the correct alarms are being generated.
sensor# show events alert
evAlert: eventId=1047575239898467370 severity=medium
originator:
hostId: sj_4250_40
appName: sensorApp
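
The check in Step 2 can be automated over a saved copy of the show settings output. The following is an added example, not part of the Cisco guide: it parses the "key: value default: x" lines and reports whether reset-tcp-connection is among the configured event actions. The function names and the sample text are constructed for illustration, and the treatment of an event-action line marked <defaulted> assumes it uses the same marker as the fragment-status line shown in Step 2.

```python
import re

# Constructed sample: `show settings` output saved from the atomic-ip
# submode, in the format shown in Step 2.
SAMPLE = """\
atomic-ip
-----------------------------------------------
   event-action: produce-alert|reset-tcp-connection default: produce-alert
   fragment-status: any <defaulted>
   specify-l4-protocol
"""

# key: value [default: x] [<defaulted>]
SETTING = re.compile(
    r"^\s*(?P<key>[\w-]+):\s+(?P<value>\S+)"
    r"(?:\s+default:\s+(?P<default>\S+))?"
    r"(?P<defaulted>\s+<defaulted>)?\s*$"
)

def parse_settings(text):
    """Return {key: {"value", "default", "defaulted"}} for 'key: value' lines."""
    settings = {}
    for line in text.splitlines():
        m = SETTING.match(line)
        if m:  # separator rows and submode headings have no colon and are skipped
            settings[m["key"]] = {
                "value": m["value"],
                "default": m["default"],
                "defaulted": m["defaulted"] is not None,
            }
    return settings

def check_reset_action(text):
    """Return (ok, reason): is reset-tcp-connection a configured event action?"""
    entry = parse_settings(text).get("event-action")
    if entry is None:
        return False, "no event-action line found in the captured output"
    if entry["defaulted"]:  # assumption: an unchanged value carries <defaulted>
        return False, "event-action is still <defaulted>; the change was not applied"
    if "reset-tcp-connection" not in entry["value"].split("|"):
        return False, "event-action lacks reset-tcp-connection: " + entry["value"]
    return True, "reset-tcp-connection is set (" + entry["value"] + ")"

if __name__ == "__main__":
    print(check_reset_action(SAMPLE))
```
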