Intrusion Detection System

My company has recently purchased a Cisco 2801 router with IDS support. We're starting to test IDS and are noticing that when it is enabled, even with only 1 signature turned on, web browsing is significantly slowed down. Can anyone shed some light on this subject or provide any suggestions, besides disabling IDS, to solve the problem? When we turn IDS off completely, web traffic flows at a much higher rate.

I'm happy to explain any details further if necessary. Thank you.

-- Tony

Anthony Fischer

I had the same issue, webex was pretty much useless while others were frustratingly slow. All layer 3-4 testing showed no issues though. I had a TAC case open because of it crashing the router for various reasons as well. I just disabled IPS and told TAC to close the case after 2 months :)

IPS is NOT ready for production yet, IMHO.

Wil my 3¢

Wil

Wil -

Thank you greatly for your response. When I was doing initial testing, with one PC behind the router, all traffic but web browsing worked just like expected. But as soon as I would try to browse the web or download something from a web page, average speed was about 9K/sec if I recall correctly. It was like port 80 was the only traffic that was being affected, and all I did was turn IPS on and didn't even touch the signatures. I was using the 128MB.sdf file at the time. Most other reports I'm seeing on the web seem to end with disabling IPS altogether as well, unfortunately.

I'm curious... How was your experience with TAC on this particular issue? Were they willing to help, or were they resistant because it's so new? Did it seem like they were just fumbling around in the dark? Did the tech happen to express any of his/her views on the state of IPS? I only ask because we'll most likely be opening up a ticket soon.

Thanks again.

-- Tony

Anthony Fischer

I was using the 256.sdf file, 3845 router. The reason that I originally opened a TAC case was because I caught the bugger crashing in my logs, I just so happened to be on the console while it dumped.

Once I opened the case they asked me to send them the 256.sdf file; they couldn't locate it because it was so new. No problem, they found the problem signature and had me disable it, then later delete it. I left the case open planning to update the 256.sdf file, or image, or whatever the recommended fix was, and voilà, started to get crashes again two weeks later. Deleted another recommended signature.

Users were complaining about slowness that I had wrongly attributed to distance (since I couldn't see any problems at L2-4), so one day I figured that I would strip the config to see if things got better for them, and it did! Reapplied features one at a time and found that it was the IPS that was slowing everything down. I asked TAC about it and they told me it was a different issue, open another case, etc. Instead I just closed the current one and turned off IPS; logs are a little lighter but my users aren't complaining. Still running with ACLs and CBAC, no problems.

Wil my 3¢

Wil

Fantastic. Thanks for your replies Wil. Have a great weekend!

-- Tony

Anthony Fischer

Which protocols are you running in your Inspection rule?

I've experienced the exact same slowness issues using IDS/IPS on both the 1700 and 2800 router platforms. In the case of the 2800 router, we were not able to resolve the issue even after repeated calls to the TAC. It seemed pretty clear to us that slowness was directly related to high NAT and IPS utilization. We were never able to get satisfactory answers from the TAC even after providing very specific details. Eventually, we went with a different topology as the customers in this particular building were fed up with performance issues.

That said, I have had luck resolving HTTP slowness on the 1700 platform. In fairness, the location used by the 1700 doesn't contain many hosts so there's not much load on NAT or IPS even though the bandwidth utilization is quite high. In this particular case, I found that removing the HTTP inspection rule and replacing it with the generic TCP rule made an immediate and dramatic improvement on the end-user browsing experience.

Hence my original question about the type of rule you're using.

Cisco
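An added illustration of the change described in the reply above (constructed IOS CBAC/IPS config, not the poster's own; the rule names, IPS name and interface roles are assumed):

```cisco
! Constructed example for IOS 12.4-era CBAC (names/interfaces are assumed).
!
! --- Before: protocol-specific HTTP inspection ---
! The http keyword makes CBAC parse every port-80 payload at the
! application layer, which is the per-packet work this thread ties
! to slow browsing when combined with NAT and IPS on a small router.
ip inspect name FW_IN http
ip inspect name FW_IN tcp
ip inspect name FW_IN udp
!
! --- Change: drop to generic TCP state tracking ---
! Port 80 stays stateful (return traffic allowed only for sessions
! opened from the inside) via the tcp rule; no layer-7 parsing is done.
no ip inspect name FW_IN http
!
interface FastEthernet0/0
 description inside LAN (assumed)
 ip inspect FW_IN in
!
! IPS is separate from CBAC. If it is kept, load the signature file
! that is actually in flash and apply it on the untrusted side.
ip ips sdf location flash:128MB.sdf
ip ips name IPS_OUT
interface FastEthernet0/1
 description outside (assumed)
 ip ips IPS_OUT in
!
! Checks after the change:
!   show ip inspect sessions     -> port-80 sessions now tracked by the tcp rule
!   show ip ips statistics       -> signatures loaded, packets audited/dropped
!   show processes cpu sorted    -> confirm CPU headroom has returned
```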
