Cisco Bug: CSCul95220 - IPS: Normalizer Engine Misfiring on Valid TCP Traffic, SIG 1330.14 Fires

Last Modified

Feb 12, 2018

Products (17)

  • Cisco IPS 4200 Series Sensors
  • Cisco ASA 5555-X IPS Security Services Processor
  • Cisco IPS 4260 Sensor
  • Cisco IPS 4255 Sensor
  • Cisco IPS 4345 Sensor
  • Cisco IPS 4270-20 Sensor
  • Cisco IPS 4510 Sensor
  • Cisco ASA 5525-X IPS Security Services Processor
  • Cisco ASA 5545-X IPS Security Services Processor
  • Cisco IPS 4240 Sensor

Known Affected Releases

7.1(7)E4 7.1(8)E4

Description (partial)

Symptom:
TCP-based traffic (HTTP most often reported) previously successfully traversing one (1) or more 
Inline pair interfaces or Inline VLAN pair interfaces of an IPS sensor device begins to fail (new 
TCP connections may not establish, existing TCP connections may be dropped or otherwise 
negatively impacted).

Signature 1330.14 (TCP Drop - RST or SYN in Window) begins firing/triggering on traffic for 
affected TCP connections. Signatures 1330.12 (TCP Drop - Segment Out Of Order) and/or 
1330.18 (TCP Drop - Segment out of window) may also be observed to be firing/triggering.

Non-TCP traffic (e.g., ICMP) that was successfully traversing the IPS sensor continues to do so 
(unaffected).

This condition/state may persist until the IPS sensor device is rebooted or bypass-mode is 
engaged/disengaged, at which point, affected traffic returns to normal (working) until this defect is 
encountered again.

Conditions:
An IPS sensor device running an affected version of software, configured in Inline or Inline VLAN Pair 
mode.