IPS Auto Update failing

craig-allen
Level 1

I've configured the signature auto update via the GUI and CLI but receive the same error:

evError: eventId=1210198298109812431 vendor=Cisco severity=error
  originator:
    hostId: LON-Sensor
    appName: mainApp
    appInstanceId: 341
  time: Jun 06, 2008 03:00:07 UTC offset=60 timeZone=BST
  errorMessage: MainApplication::downloadAndStartUpdate Error status returned with status str Found name=errSystemError

Any ideas? I've rebooted both the IPS & ASA in the hope that would resolve the problem to no avail. I have another ASA/IPS in a different site and that works ok.

jamesand
Cisco Employee

Send the output from a CLI "show conf" and "show stat host" command.

Hopefully the following sanitised config is what you are looking for:

auto-upgrade
  cisco-server enabled
    schedule-option calendar-schedule
      times-of-day 03:00:00
      days-of-week sunday
      days-of-week monday
      days-of-week tuesday
      days-of-week wednesday
      days-of-week thursday
      days-of-week friday
      days-of-week saturday
    exit
    user-name xxxx
    password xxxx
    cisco-url https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
  exit
exit
exit

Auto Update Statistics
  lastDirectoryReadAttempt = 03:00:05 UTC Fri Jun 06 2008
    = Read directory: http://xxxx@198.133.219.243//cisco/ciscosecure/ips/6.x/sigup/
    = Success
  lastDownloadAttempt = 03:00:07 UTC Fri Jun 06 2008
    = Download: http://xxxx@198.133.219.243//cisco/ciscosecure/ips/6.x/sigup/IPS-sig-S337-req-E1.pkg
    = Error: Error status returned with status str Found
  lastInstallAttempt = N/A
  nextAttempt = 02:00:00 UTC Sat Jun 07 2008

Does your CCO have a 'Cisco Service for IPS contract' associated with it?

Also if you manually do:

http://user@198.133.219.243//cisco/ciscosecure/ips/6.x/sigup/IPS-sig-S337-req-E1.pkg

does it work?

Regards

Farrukh

We are having the same issue, and here is our config.

It is the Cisco.com auto-update functionality. I actually have two customers with this issue.

Version 6.1.1(E2). I know about the bug if your Cisco username has an @ in it but neither of the customers have an @ in their username. The error I am getting is the same as described in this bug, but it is appending @www.cisco.com to the end of the username for some reason!:-

evStatus: eventId=1041464419413853599 vendor=Cisco
  originator:
    hostId: HD-IPS-1
    appName: mainApp
    appInstanceId: 336
  time: Dec 08, 2008 10:11:04 UTC offset=0 timeZone=GMT00:00
  autoUpgradeServerCheck:
    uri: https://philsmithcisco@www.cisco.com//cgi-bin/front.x/ida/locator/
    packageFileName: IPS-engine-E3-req-6.1-1.pkg
    result: status=true

evStatus: eventId=1041464419413853600 vendor=Cisco
  originator:
    hostId: HD-IPS-1
    appName: mainApp
    appInstanceId: 336
  time: Dec 08, 2008 10:11:04 UTC offset=0 timeZone=GMT00:00
  downloadUpgradeFile:
    uri: https://philsmithcisco@www.cisco.com//cgi-bin/front.x/ida/locator/IPS-engine-E3-req-6.1-1.pkg
    result: URI does not contain a valid ip address status=false

evError: eventId=1041464419413853601 vendor=Cisco severity=error
  originator:
    hostId: HD-IPS-1
    appName: mainApp
    appInstanceId: 341
  time: Dec 08, 2008 10:11:04 UTC offset=0 timeZone=GMT00:00
  errorMessage: MainApplication::downloadAndStartUpdate URI does not contain a valid ip address name=errSystemError

Here is the config from the IPS (I have masked the password):-

service host
  network-settings
    host-ip 10.1.3.250/24,10.1.3.254
    host-name HD-IPS-1
    telnet-option disabled
    access-list 10.0.0.0/8
    access-list 89.21.19.0/26
  exit
  time-zone-settings
    standard-time-zone-name GMT00:00
  exit
  summertime-option recurring
    summertime-zone-name BST
    start-summertime
      week-of-month fourth
    exit
    end-summertime
      month october
      week-of-month fourth
    exit
  exit
  auto-upgrade
    cisco-server enabled
      schedule-option calendar-schedule
        times-of-day 10:11:00
        days-of-week monday
        days-of-week tuesday
        days-of-week wednesday
        days-of-week thursday
        days-of-week friday
      exit
      user-name philsmithcisco
      password ************
      cisco-url https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
    exit
  exit
exit

This was all working fine, and then stopped which would indicate Cisco have changed something at their end.

Your sensor's autoUpdate is erroring trying to download an engine pkg. The engine pkg requires crypto access (diff from sigupdate pkg). The error msg can be misleading in this case. Try manually downloading the IPS-engine-E3-req-6.1-1.pkg package from the Latest Upgrade link in page:

http://www.cisco.com/kobayashi/sw-center/ciscosecure/ids/crypto/index.shtml

You will be prompted to accept the crypto agreement. After this, try the autoUpgrade again.

Make sure there are no network devices blocking port 80 / 198.133.219.243

How can I test that?

We tried the following:

telnet 198.133.219.243 443; this was done from the IPS. Did we send it the right way?

By the way I posted the show config and show stat host if you need anything else, please let me know.

Hi:

We are having the same problem.

There is a problem with the link "https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl." I am attaching a screen image.

The customer's service contract is in order. The signatures can be downloaded from cisco.com/support/security/IPS.......

The signatures should be downloaded from "https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl." but when accessing it, the URL directs me elsewhere...

Mod Card Type                                    Model
--- -------------------------------------------- -------------
0   ASA 5510 Adaptive Security Appliance         ASA5510
1   ASA 5500 Series Security Services Module-10  ASA-SSM-10

Can you help us with this issue??

The URL can be directly accessed by users. There is also additional information that the sensor appends to the URL when doing the request.

Can you get the output of "show stat host"?

The output might contain the error message being seen from the sensor.

Also, is the sensor having to go through any special devices to access the internet? Any web filtering or web accelerating device between the sensor and the internet may be messing up the connection.

I meant to say that the URL can be accessed by users, but a list of files will not be returned. There is additional information that the sensor appends to the URL in order for cisco.com to return the list of files.

OK.

Let me get the information for you.

Thanks

Hi:

I was reading that the username can't contain an "@". Is that true? Because my customer's username has an "@".

This is the 6.1(1) defect: CSCsq30139

It is fixed in 6.1(2) and 6.2(1).

Hi, I got the information :)

show stat host

General Statistics
  Last Change To Host Config (UTC) = 14-Jan-2009 14:38:43
  Command Control Port Device = GigabitEthernet0/0
Network Statistics
  = ge0_0 Link encap:Ethernet HWaddr 00:13:C4:80:C3:C1
  = inet addr:192.168.1.11 Bcast:192.168.1.255 Mask:255.255.255.0
  = UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
  = RX packets:25375769 errors:0 dropped:0 overruns:0 frame:0
  = TX packets:2411636 errors:0 dropped:0 overruns:0 carrier:0
  = collisions:0 txqueuelen:1000
  = RX bytes:2570835196 (2.3 GiB) TX bytes:657595036 (627.1 MiB)
  = Base address:0xbc00 Memory:f8200000-f8220000
NTP Statistics
  status = Not applicable
Memory Usage
  usedBytes = 660455424
  freeBytes = 372043776
  totalBytes = 1032499200
CPU Statistics
  Usage over last 5 seconds = 31
  Usage over last minute = 40
  Usage over last 5 minutes = 36
Memory Statistics
  Memory usage (bytes) = 660455424
  Memory free (bytes) = 372043776
Auto Update Statistics
  lastDirectoryReadAttempt = 08:40:00 GMT-06:00 Wed Feb 04 2009
    = Read directory: https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
    = Error: AutoUpdate exception: HTTP connection failed [1,111]
  lastDownloadAttempt = N/A
  lastInstallAttempt = N/A
  nextAttempt = 08:40:00 GMT-06:00 Thu Feb 05 2009
Auxilliary Processors Installed.

! ------------------------------
! Current configuration last modified Mon Jan 19 17:15:14 2009
! ------------------------------
! Version 6.2(1)
! Host:
! Realm Keys key1.0
! Signature Definition:
! Signature Update S379.0 2009-01-30
! Virus Update V1.4 2007-03-02
! ------------------------------
service interface
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
  overrides deny-attacker-inline
    override-item-status Enabled
    risk-rating-range 90-100
  exit
exit
! ------------------------------
service host
  network-settings
    host-ip 192.168.1.11/24,192.168.1.1
    host-name sensor
    telnet-option disabled
    access-list 10.254.254.0/24
    access-list 192.168.1.0/24
  exit
  time-zone-settings
    offset -360
    standard-time-zone-name GMT-06:00
  exit
  auto-upgrade
    cisco-server enabled
      schedule-option calendar-schedule
        times-of-day 08:40:00
        days-of-week monday
        days-of-week tuesday
        days-of-week wednesday
        days-of-week thursday
      exit
      user-name ********
      password ********
      cisco-url https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
    exit
  exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
exit
! ------------------------------
service signature-definition sig0
  signatures 9430 1
    status
      enabled true
    exit
  exit
  signatures 11018 1
    status
      enabled true
    exit
  exit
  signatures 12000 0
    status
      enabled true
    exit
  exit
  signatures 12003 0
    status
      enabled false
    exit
  exit
  signatures 12020 0
    status
      enabled true
    exit
  exit
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
exit
! ------------------------------
service anomaly-detection ad0
exit
! ------------------------------
service health-monitor
  memory-usage-policy
    enable true
  exit
exit
! ------------------------------
service analysis-engine
  virtual-sensor vs0
    physical-interface GigabitEthernet0/1
  exit
exit
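
The "Auto Update Statistics" blocks posted in this thread can be triaged mechanically. The following is an added example, not code from any poster or from Cisco: it parses such a block, masks the account name embedded in the URLs before the output is shared, and maps each error string seen above to the check a replier suggested for it. The sample input, the function names and the hint wording are constructed for illustration.

```python
import re

# Constructed sample in the layout of the "Auto Update Statistics" output in the thread.
SAMPLE = """\
Auto Update Statistics
lastDirectoryReadAttempt = 03:00:05 UTC Fri Jun 06 2008
= Read directory: http://someuser@198.133.219.243//cisco/ciscosecure/ips/6.x/sigup/
= Success
lastDownloadAttempt = 03:00:07 UTC Fri Jun 06 2008
= Download: http://someuser@198.133.219.243//cisco/ciscosecure/ips/6.x/sigup/IPS-sig-S337-req-E1.pkg
= Error: Error status returned with status str Found
lastInstallAttempt = N/A
nextAttempt = 02:00:00 UTC Sat Jun 07 2008
"""

# Error substring -> check suggested by a replier in the thread (not a confirmed cause).
HINTS = [
    ("status str Found", "confirm the account has an IPS service contract; try the download manually"),
    ("URI does not contain a valid ip address",
     "engine package needs crypto access; an '@' in the user name hits CSCsq30139 on 6.1(1)"),
    ("HTTP connection failed", "look for a device blocking or filtering the sensor's web traffic"),
]

def redact(line):
    """Mask the userinfo part of any URL so the output can be posted safely."""
    return re.sub(r"(https?://)[^/@\s]+@", r"\1***@", line)

def parse_auto_update(text):
    """Return {stage: {"time", "detail", "result"}}; blank lines are ignored."""
    stages, current = {}, None
    for raw in text.splitlines():
        line = redact(raw.strip())
        m = re.match(r"(last\w+Attempt|nextAttempt)\s*=\s*(.*)", line)
        if m:
            current = stages.setdefault(m.group(1), {"time": m.group(2), "detail": None, "result": None})
        elif line.startswith("=") and current is not None:
            body = line[1:].strip()
            key = "detail" if body.startswith(("Read directory:", "Download:")) else "result"
            current[key] = body
    return stages

def triage(text):
    """List (stage, hint) for every stage whose result line reports an error."""
    findings = []
    for stage, info in parse_auto_update(text).items():
        result = info["result"] or ""
        if result.startswith("Error"):
            hint = next((h for key, h in HINTS if key in result), "no suggestion in this thread")
            findings.append((stage, hint))
    return findings
```
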
