IDSM-2 not updating 6500 ACL

Answered Question
Apr 28th, 2008

I have a 6500 IDSM-2 blade which is configured to create a blocking ACL in the 6500 for a few signatures. It's been working for a couple of years but recently stopped. The IDSM detects attacks and thinks it's updating the 6500, but the 6500's ACLs are not updated and the 6500 shows no login from the IDS. I am not seeing any error msgs anywhere. When I manually insert an IP to block via the IDM client, it shows up in the sensor with no error, but the 6500 is not updated. This seems to have started about the time I installed S324 (3/26/08). The sensor is now S329. I have rebooted the IDS with no effect in behavior.


Can someone suggest what I might look at to narrow down the problem? Thanks.

csthomas Mon, 04/28/2008 - 12:22

Found problem using IDM Show Events. Password was wrong. Don't know why sig update apparently changed it (?). Resetting pw to previous value fixed updating.

Correct Answer
marcabal (Cisco Employee) Mon, 04/28/2008 - 12:43

Are you running version 6.0(4)?


There is a known problem during upgrade from an earlier version to 6.0(4). The passwords for blocking on routers, firewalls, and switches, as well as the passwords for auto updates, were not converted properly.


CSCso31217 encrypted passwords not decrypted after upgrade



For users who already loaded 6.0(4), to fix the problem the user needs to re-enter these passwords.


For users still on older versions and wanting to upgrade to 6.0(4), they should instead upgrade to 6.0(4a). The 6.0(4a) will properly convert the passwords.


NOTE: Users already at 6.0(4) cannot upgrade to 6.0(4a), and will need to re-enter the passwords on the sensors.



This problem has only been seen with the 6.0(4) upgrade package when upgrading from older 5.1 and 6.0 versions.

NOTE: The System Images and Recovery Images for 6.0(4) are all fine.


So if you are running a 6.0(4) version, then that is likely where your problem originated rather than a signature update.


If you are not running version 6.0(4), then there is a small possibility you might have discovered a new bug that Cisco is unaware of.


csthomas Mon, 04/28/2008 - 14:04

Yes, I am on 6.0.4. I think I put that on right before the sig update. In any case, this sounds exactly like my problem.
