Tcp Reset Not Occurring For A Signature - Cisco IPS-4255-K9 - Intrusion Protection Sys 4255 Installation Manual

Troubleshooting the Appliance
Note Make sure that your /etc/syslog.conf has that facility enabled at the proper priority.
The syslog is much slower than logApp (about 50 messages per second as opposed to 1000 or so). We
Caution
recommend that you enable debug severity on one zone at a time.

TCP Reset Not Occurring for a Signature

TCP Resets are not supported over MPLS links or the following tunnels: GRE, IPv4 in IPv4, IPv6 in
Note
IPv4, or IPv4 in IPv6.
If you do not have the event action set to reset, the TCP reset does not occur for a specific signature. To
troubleshoot a reset not occurring for a specific signature, follow these steps:
Log in to the CLI.
Step 1
Make sure the event action is set to TCP reset.
Step 2
sensor# configure terminal
sensor(config)# service signature-definition sig0
sensor(config-sig)# signatures 1000 0
sensor(config-sig-sig)# engine atomic-ip
sensor(config-sig-sig-ato)# event-action reset-tcp-connection|produc-alert
sensor(config-sig-sig-ato)# show settings
atomic-ip
-----------------------------------------------
Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0
A-52
severity=warning
drain=main
[zone/IdsEventStore]
severity=debug
drain=main
[drain/main]
type=syslog
The syslog output is sent to the syslog facility local6 with the following correspondence to syslog
message priorities:
LOG_DEBUG, //
LOG_INFO,
LOG_WARNING, // warning
LOG_ERR, //
LOG_CRIT //
event-action: produce-alert|reset-tcp-connection default: produce-alert
fragment-status: any <defaulted>
specify-l4-protocol
-----------------------------------------------
no
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
debug
// timing
error
fatal
Chapter A Troubleshooting
OL-18504-01