I have a 6500 IDSM-2 blade which is configured to create a blocking ACL in the 6500 for a few signatures. It's been working for a couple of years but recently stopped. The IDSM detects attacks and thinks it's updating the 6500, but the 6500's ACLs are not updated and the 6500 shows no login from the IDS. I am not seeing any error messages anywhere. When I manually insert an IP to block via the IDM client, it shows up in the sensor with no error, but the 6500 is not updated. This seems to have started about the time I installed S324 (3/26/08). The sensor is now S329. I have rebooted the IDS with no effect on behavior.
Can someone suggest what I might look at to narrow down the problem? Thanks.
Are you running version 6.0(4)?
There is a known problem during upgrade from an earlier version to 6.0(4). The passwords for blocking on routers, firewalls, and switches, as well as the passwords for auto updates, were not converted properly.
CSCso31217 encrypted passwords not decrypted after upgrade
For users who already loaded 6.0(4), to fix the problem the user needs to re-enter these passwords.
For users still on older versions and wanting to upgrade to 6.0(4), they should instead upgrade to 6.0(4a). The 6.0(4a) will properly convert the passwords.
NOTE: Users already at 6.0(4) cannot upgrade to 6.0(4a), and will need to re-enter the passwords on the sensors.
This problem has only been seen with the 6.0(4) upgrade package when upgrading from older 5.1 and 6.0 versions.
NOTE: The System Images and Recovery Images for 6.0(4) are all fine.
So if you are running a 6.0(4) version, then that is likely where your problem originated rather than a signature update.
If you are not running version 6.0(4), then there is a small possibility you might have discovered a new bug that Cisco is unaware of.