IPS Manager Express not showing proper sig for SSM

Unanswered Question
May 27th, 2008

Even though my sensor is up to date on 334 it's showing 333 in the Home tab in the console. I've tried removing the device and adding it back to no avail.

Thanks.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
stleary Wed, 05/28/2008 - 17:09

I was not able to recreate this error. I started with S329 and upgraded to S335. The IME home tab sig column, license gadget and sensor CLI all showed the new sig version after the upgrade. I don't think this could be an SSM platform-specific bug. Although it might be a sig upgrade bug, this seems unlikely. Are you sure your sensor was upgraded? Does the problem persist when you upgrade to S335?

Farrukh Haroon Thu, 05/29/2008 - 01:37

I faced a similar issue, upgraded IDSM-2 from 6.0.2 to 6.0.4a, IME kept thinking that this was a 6.0.2 device. However unlike the original poster, I was able to get it fixed by deleted and re-adding the sensor(s) into IME. It happened for four differnt IDSM-2 modules. I cannot confirm the signature tab not updating, because that is not supported on 6.0.x

Regards

Farrukh

mcvosi Thu, 05/29/2008 - 07:49

Yes, my sensor has been upgraded twice now 333 -> 334 -> 335. The updates were configured as automatic updates, and IME still shows 333.

rhoud Thu, 05/29/2008 - 10:33

After sensors from unsupported release are installed in IME, IME doesn't have a way to refresh the sensor information. The sensor will continue to show the release from when it was first installed and will not be updated in the Home Page Device List. The only workaround is to uninstall the sensor and re-add it after each upgrade.

If you go to the Configuration tab in IME for that sensor, it will show the correct version but the Device List will not be updated. I have filed a bug CSCsq50814 for this issue.

stleary Thu, 05/29/2008 - 10:58

Agree with this DDTS, except that I think it only applies to major/minor/service pak upgrades, not sig updates, since the sig version is obtained via the getHealthAndSecurityStatus response which is sent every 10 seconds. One way to suppress the response is to configure the sensor to disable health monitoring. Can you check your health service configuration settings? Use these CLI commands:

sensor# conf t

sensor(config)# service health-monitor

sensor(config-hea)# show settings | include monitoring

enable-monitoring: true default: true

sensor(config-hea)#

Also, please confirm what IPS version is installed on the sensor - I have been assuming that it is 6.1.

mcvosi Thu, 05/29/2008 - 11:16

Yes, 6.1.

I had problems with the 6.1 update from 6.0 so the sensor was recovered. I have since tried numerous times to remove the sensor and add it back but it still says it's on sig 333.

sensor(config-hea)# sh set | inc monitoring

enable-monitoring: true

stleary Thu, 05/29/2008 - 11:40

Can you verify that the sig updates have been successful and that the sensor is reporting the version consistently? In IME, navigate to the Home panel, select the SSM row and the Devices tab, then click the Licensing tab on the lower pane. Make sure your license is not expired and check which sig version is reported there.

Next, navigate to Config > (SSM Tab) > Sensor Monitoring > System Information. Look for this information in the response:

Booted Partition: application

Partition: application

Build Version: 6.1(1)E1

Host:

Realm Keys key1.0

Signature Definition:

Signature Update S336.0 2008-05-29

mcvosi Thu, 05/29/2008 - 11:47

Sig updates are successful.

IME reports sig 333

sensor reports:

Cisco Intrusion Prevention System, Version 6.1(1)E1

Host:

Realm Keys key1.0

Signature Definition:

Signature Update S336.0 2008-05-29

Virus Update V1.2 2005-11-24

OS Version: 2.4.30-IDS-smp-bigphys

Platform: ASA-SSM-10

Serial Number: xxx

Licensed, expires: 01-Apr-2009 UTC

stleary Thu, 05/29/2008 - 12:50

The developers think that IME stopped receiving the healthAndSecurityStatus responses before the first sig version upgrade. This is a widely used response, so you should also be seeing inaccurate values for the sensor health gadget, sensor information gadget and license gadget.

You can check for this by restarting IME. IME does not cache the sig version between restarts, so the only sig version value you will see on the home page after restarting is what is reported by healthAndSecurityStatus.

mcvosi Thu, 05/29/2008 - 13:08

Well, I've tried uninstalling IME and re-installing. It still shows 333.

mcvosi Fri, 05/30/2008 - 06:33

Just an update. I've resolved the issue by doing a recovery on the sensor. IME now properly reports the sig.

stleary Fri, 05/30/2008 - 07:03

Thanks for the update. I have filed DDTS CSCsq53214 to track this problem. If you

see these symptoms again, please open a

TAC case and reference this DDTS.

mcvosi Wed, 06/11/2008 - 07:07

Well, the issue has come back. IME is reporting 337 when the sensor is running 338.

stleary Wed, 06/11/2008 - 07:33

Please open a TAC case and reference DDTS CSCsq53214 and myself (stleary) to the TAC engineer. I think we will need a detailed analysis to identify and fix the root cause.

Actions

This Discussion