Reg. upgrading Cisco IDS 4.0 Version to 5.0

Answered Question
Jul 8th, 2008

Dear happs / marcabal

I have one of the IDS 4215 4.1(1) version units, having the details as attached. I want to upgrade the same to 5.0 and then to 6.0. Hence I will be installing the 5.0(1e)S149 major update for upgrading it to 5.0 first.

The following is written in the readme file of the service package IPS-K9-maj-5.0-1e-S149.rpm.pkg:

"For IDS-4215, you should also ensure that you have upgraded the BIOS to version 5.1.7 and the ROMMON to version 1.4"

Hence I have downloaded the upgrade utility mentioned above; however I need to know the following:

1) How to check the current BIOS and ROMMON version in IDS

2) To upgrade the BIOS and ROMMON version, can I make my desktop (Windows XP) a TFTP server, as we are remotely managing (leased line) the customer IDS, or do I need to have a local desktop at the customer's place itself (in the Cisco IDS network range only) which can be made a TFTP server?

3) Also please let me know how to see the license details in IDS 4.0, and if there is no license available, can we still upgrade it to version 5.0?

rhermes Tue, 07/08/2008 - 07:24

The BIOS version is shown when you boot the box. You may need to be on the console to see the boot messages.

You can use any host with IP connectivity as your TFTP server. Make sure you specify your Gateway if your host is not on the same subnet.

You can always apply software upgrades (up to the limits of the sensor of course, the 4215 won't take 6.1 for example) without a valid license. Each upgrade, update and patch contains the latest (at time of release) signature file.

ankurs2008 Tue, 07/08/2008 - 12:10

hi rhermes

Thanks for the update. Please let me know:

1) How to see if a license is applied or not in IDS 4.0, as I am not getting any details of it via GUI or via CLI

2) Can I upgrade it to software version 5.0 first AT LEAST (consider I don't have a license renewed as of now)?

3) Please guide as to how to upgrade the ROMMON and BIOS version.

Correct Answer
rhermes Tue, 07/08/2008 - 13:31

There is no license in version 4.x, licensing only started in version 5.0.

You can upgrade your 4215 to version 5.1 or version 6.0 without a license.

Minimum BIOS versions to upgrade and procedures are easily searched on CCO.

ankurs2008 Thu, 07/17/2008 - 03:04

Dear rhermes

Thanks for the responses! However I have a query. I will be upgrading the BIOS and ROMMON of the IDS 4215 version 4.1 sensor first to the one mentioned in the readme file, i.e. via IDS-4215-bios-5.1.7-rom-1.4, which is a BIN file. For this I will be using a Windows XP machine (correct me here if I should not use this and rather use a server?) and I will install a TFTP utility on the same for the upgradation.

Note: here please consider that the sensor and the desktop will be in the same network.

2) Once ROMMON and BIOS are upgraded, I will use the same desktop as an FTP server, installing any of the FTP server utilities available on the internet. Here I want to ask you: in the URL mentioned below there are some recommendations provided for the "Supported HTTP and FTP Server" (I have attached a snapshot too for quick reference); does that mean that I cannot install a utility such as "Winftp server", which is a free utility? If I can install this utility, then what does this snapshot say?

http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/idm/dmImage.html#wp1142501

Ankur

rhermes Thu, 07/17/2008 - 12:06

Yes, you can use the same PC as an FTP and TFTP server to upgrade your BIOS (if needed, you would have to have a pretty OLD sensor to need a BIOS upgrade, check the version you have).

Just about any FTP server should work, I've been using a free FTP server (Serv-U) on a windows box without any problems.

ankurs2008 Wed, 09/24/2008 - 04:03

hi rhermes

Just a slight change .

I am having an IDS 4215 sensor in the network at 192.168.0.92, and my Windows XP machine (on which TFTP and FTP are installed for upgrading the ROMMON/BIOS and software version respectively) has IP 172.16.39.177. I have connected the Windows XP machine with the sensor via console cable and got HyperTerminal access via the XP desktop.

Now my query is: during the activity will I face any issue if my sensor and XP desktop (from where I am taking HyperTerminal) are in different networks? Just for your info, the IDS device is pinging from the desktop.

Ankur

ankurs2008 Thu, 09/25/2008 - 00:29

hi rhermes / marcabal / happs

Please reply to my query, it's urgent.

Thanks

Ankur

marcabal Thu, 09/25/2008 - 05:55

The tftp server, and the sensor are allowed to be on different networks. When you configure the settings in ROMMON you have to give the sensor an IP Address, and because your sensor is in a different network than your tftp server you will also need to give the sensor a default gateway IP. So long as the sensor can get to your tftp server by routing through the default gateway you will be fine.

NOTE: The ROMMON IP address for the sensor has to be separately configured from the IP Address you would normally give the sensor through the CLI setup command. But you CAN use the same address for both the ROMMON configuration and the setup configuration.

ankurs2008 Thu, 09/25/2008 - 22:35

Thanks marcabal. The information helped a lot. However I have a query.

1) The IP address of the desktop is 172.16.39.177, subnet is /24 and gateway is 192.168.0.198

2) From the XP desktop (on which FTP and TFTP are there), the sensor IP address (192.168.0.92) is pinging

3) From the sensor, the desktop gateway is pinging; however not the XP desktop

Hence please let me know whether I should give the gateway to the sensor as 192.168.0.198 or not while doing the BIOS and ROMMON upgradation.

Attached is the snapshot

marcabal Fri, 09/26/2008 - 06:40

Your 172.16.39.177 desktop is misconfigured.

With your desktop having 172.16.39.177 with /24, and your sensor being 192.168.0.92 and assuming /24, there needs to be a router that can route between these 2 networks (or a series of routers).

So we will assume one router with an interface on the 172.16.39.0/24 network and an interface on the 192.168.0.0/24 network.

You've provided the 192.168.0.198 as the router address for the 192.168.0.0/24 network, but you haven't said what the 172.16.39.0/24 address would be for your router.

Use the 192.168.0.198 address as the gateway address in your sensor's ROMMON configuration.

But in your desktop you need to use the router's 172.16.39.0/24 address (whatever it is) as the Default Gateway address (not the 192.168.0.198 address).

ankurs2008 Tue, 09/30/2008 - 11:17

Thanks a ton marcabal !

1) Please find attached the new properties for the desktop. The gateway and IP for the desktop are 192.168.0.177 and 192.168.0.198 respectively. Also from the sensor (192.168.0.92), the IP address of the desktop is pinging. Therefore please let me know what IP address I should use for ROMMON, and do I have to give the gateway as 192.168.0.198 (the gateway of sensor and desktop is the same now) during the ROMMON and BIOS upgradation?

2) As of now the monitoring interface (eth0) of the IDS is connected to a hub (having 4 interfaces). 2 of the hub interfaces are connected to the firewall, one to the monitoring IDS interface and 1 to the router (192.168.0.198).

As the IDS is connected to the hub and, as you know, the IDS will monitor all the hub traffic (i.e. no port mirroring configured), please let me know whether, when the IDS is upgraded to IPS, we need to continue to keep the monitoring interface connected to the hub, or do you recommend replacing the hub with a switch?

3) Also, how many interfaces on the IDS will be required to configure the upgraded IPS into promiscuous mode (initially)?

Regards

Ankur

marcabal Wed, 10/01/2008 - 13:40

If the desktop and the sensor ROMMON IP addresses are in the same subnet then a gateway will not need to be configured in the sensor ROMMON.

When changing from Promiscuous to InLine you can also change to a switch.

There are 2 deployment types for inline monitoring with an appliance.

1) Inline interface pairs. In this scenario 2 interfaces of the sensor are paired together. A basic example would be to plug one interface into the inside interface of your firewall, and a second interface into the vlan where your inside machines are connected. Then create an inline interface pair with the 2 interfaces.

2) Inline vlan pair. In this scenario only a single interface is used. Instead of pairing 2 interfaces, a pair of vlans is created instead. A basic example here would be to plug your inside interface of your firewall into your switch using vlan 10. Plug all of your inside machines into vlan 11. Then plug your sensor port also into the switch and trunk both vlans 10 and 11. Then in the IPS configuration make an inline vlan pair of vlans 10 and 11.
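The subnet and gateway reasoning marcabal gives in his two replies above (the desktop at 172.16.39.177/24 cannot use 192.168.0.198 as its gateway; once desktop and sensor share a subnet, ROMMON needs no gateway at all) can be checked mechanically. The script below is an added example, not code from this thread or from Cisco; it uses only the addresses posted here plus one hypothetical router address (172.16.39.1) for the off-subnet case, and it generalises the rule to any pair of hosts and prefix lengths.

```python
"""Same-subnet / default-gateway sanity check for a sensor and its TFTP server.

Added example, not code from the thread or from Cisco. It encodes the rule
marcabal gives: two hosts talk directly only when each sees the other inside
its own subnet; otherwise each side needs a default gateway that lies on its
own subnet, and the sensor's ROMMON config needs a gateway only in that case.
"""
import ipaddress


def check_tftp_path(sensor_ip, sensor_prefix, server_ip, server_prefix,
                    sensor_gateway=None, server_gateway=None):
    """Describe whether the sensor (in ROMMON) can reach the TFTP server.

    Prefix lengths are CIDR (24 for a /24). Gateways may be None when the
    side has none configured. Returns a dict with the verdicts and a list
    of human-readable problems (empty when the layout is consistent).
    """
    sensor_addr = ipaddress.ip_address(sensor_ip)
    server_addr = ipaddress.ip_address(server_ip)
    sensor_net = ipaddress.ip_network(f"{sensor_ip}/{sensor_prefix}", strict=False)
    server_net = ipaddress.ip_network(f"{server_ip}/{server_prefix}", strict=False)

    # Direct (no router) only if each host sees the other inside its own subnet.
    same_subnet = server_addr in sensor_net and sensor_addr in server_net
    problems = []

    if not same_subnet:
        # A router must sit between the two networks; each side's gateway
        # must be that router's address on the side's *own* subnet.
        for name, gateway, net in (("sensor", sensor_gateway, sensor_net),
                                   ("server", server_gateway, server_net)):
            if gateway is None:
                problems.append(f"{name} has no default gateway")
            elif ipaddress.ip_address(gateway) not in net:
                problems.append(
                    f"{name} gateway {gateway} is not on {name} subnet {net}")

    return {
        "same_subnet": same_subnet,
        "rommon_gateway_required": not same_subnet,
        "problems": problems,
    }


if __name__ == "__main__":
    # Values from the thread: sensor 192.168.0.92/24, desktop 172.16.39.177/24,
    # desktop's gateway set to 192.168.0.198 (the router's 192.168.0.0/24 side).
    print(check_tftp_path("192.168.0.92", 24, "172.16.39.177", 24,
                          sensor_gateway="192.168.0.198",
                          server_gateway="192.168.0.198"))
    # Corrected off-subnet layout: desktop gateway on its own subnet
    # (172.16.39.1 is a hypothetical router address, not from the thread).
    print(check_tftp_path("192.168.0.92", 24, "172.16.39.177", 24,
                          sensor_gateway="192.168.0.198",
                          server_gateway="172.16.39.1"))
    # Later layout: desktop moved onto 192.168.0.0/24, so no ROMMON gateway needed.
    print(check_tftp_path("192.168.0.92", 24, "192.168.0.198", 24))
```

The first call reproduces the misconfiguration marcabal points out (the desktop's gateway is on the wrong subnet), the second shows the fix, and the third shows the final same-subnet layout where ROMMON can be left without a gateway.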

ankurs2008 Fri, 10/03/2008 - 04:49

Dear marcabal

Thanks again, there's one more query. The IDS 4215 is showing the recovery partition version 4.1(1) S47. Hence please let me know, while upgrading the sensor to version 5.0, will the recovery partition also get automatically upgraded to the new version, or will it remain the same? Else please let me know if we have to separately upgrade the recovery partition version.

The point I am trying to make here is whether it is really required to keep the recovery partition version also intact with the latest sensor software version, or, even if we don't upgrade the recovery partition version, it is alright to go ahead with only upgrading to IPS software version 5.0.

Regards

Ankur

marcabal Fri, 10/03/2008 - 06:27

In the upgrade from 4.x to 5.0 the recovery partition will be upgraded automatically as part of the upgrade.

The following upgrades will upgrade both the application partition and the recovery partition:

Major upgrades (first number changes: 4.x to 5.x or 5.x to 6.x)

Minor upgrades (second number changes: 5.0 to 5.1, or 6.0 to 6.1)

Service Packs (third number changes: 5.1(x) to 5.1(8) or 6.0(x) to 6.0(5) )

The following types of updates do Not update the recovery partition and Only upgrade the application partition:

Engine Updates ( only the E level changes: 5.1(7)E1 to 5.1(7)E2 or 6.0(4)E1 to 6.0(4)E2 )

Signature Updates (only the S level changes: 5.1(8)E2 S358 to 5.1(8)E2 S359 )

So during small updates like Engine Updates and Signature Updates the Recovery Partition will not be updated.

We do not release new Recovery Partitions for Signature Updates since they happen so often.

We Do release new Recovery Partitions that correspond to Engine Updates but it is optional to install them.

The Major, Minor, and Service Pack updates are technically all the same type of update. They are all large, and all contain a complete image. They replace/upgrade both the recovery partition and application partition. In fact they actually first install the new recovery partition, then boot to the recovery partition with special options. The special options cause the recovery partition to re-image the application partition, but then to also copy on a new configuration that resulted from a conversion of the old configuration to work with the new version.

So with these types of upgrades the recovery partition gets automatically upgraded as well so there is no additional work for the customer.

We do deliver new recovery partitions when new major, minor, and service pack upgrades are released, but customers do not need to install them.

The recovery partitions in these cases are only needed in case their recovery partition gets corrupted (which is extremely rare), or when a customer wants to load a prior version's recovery partition in order to "downgrade" by recovering back to the older version (the config is not converted, so you would have needed to have saved a copy of the old config).
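The update classification marcabal lays out above (which digit or suffix changes, and which kinds re-image the recovery partition) is easy to get wrong when planning a multi-step upgrade, so here is an added example that encodes it. This is not code from the thread or from Cisco; the version-string layout "major.minor(sp)E<n> S<n>" is taken from the examples in the reply, and treating the E and S fields as optional is my assumption.

```python
"""Classify a Cisco IPS version step and say whether it touches the recovery partition.

Added example, not code from the thread or from Cisco. It encodes marcabal's
rules: major (first number), minor (second number) and service pack (number
in parentheses) updates re-image both partitions; engine (E level) and
signature (S level) updates touch only the application partition. The
version-string layout "major.minor(sp)E<n> S<n>" is taken from the examples
in the thread; treating the E and S fields as optional is an assumption.
"""
import re

# e.g. "5.1(8)E2 S358", "5.1(7)E1", "4.1(1) S47", "5.0(1e)S149"
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\(([0-9a-z]+)\)\s*(?:E(\d+))?\s*(?:S(\d+))?\s*$",
    re.IGNORECASE)

# Which update kinds re-image the recovery partition (per the thread).
RECOVERY_PARTITION_UPDATED = {
    "major": True, "minor": True, "service pack": True,
    "engine": False, "signature": False, "none": False,
}


def parse_version(text):
    """Split a version string into its fields; engine/sig are None when absent."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised IPS version string: {text!r}")
    major, minor, sp, engine, sig = m.groups()
    return {
        "major": int(major),
        "minor": int(minor),
        "sp": sp.lower(),                    # may carry a letter, e.g. "1e"
        "engine": int(engine) if engine else None,
        "sig": int(sig) if sig else None,
    }


def classify_update(old, new):
    """Name the most significant field that changes between two versions."""
    a, b = parse_version(old), parse_version(new)
    for field, kind in (("major", "major"), ("minor", "minor"),
                        ("sp", "service pack"), ("engine", "engine"),
                        ("sig", "signature")):
        if a[field] != b[field]:
            return {"kind": kind,
                    "recovery_partition_updated": RECOVERY_PARTITION_UPDATED[kind]}
    return {"kind": "none", "recovery_partition_updated": False}


if __name__ == "__main__":
    steps = (("4.1(1) S47", "5.0(1e)S149"),        # the poster's planned major upgrade
             ("5.0(1e)S149", "6.0(5)E2"),          # straight to 6.0(5)E2
             ("5.1(7)E1", "5.1(7)E2"),             # engine update
             ("5.1(8)E2 S358", "5.1(8)E2 S359"))   # signature update
    for old, new in steps:
        print(old, "->", new, classify_update(old, new))
```

Running it over the poster's own plan shows that both planned steps (4.1 to 5.0, then 5.0 to 6.0) are major updates, so the recovery partition is re-imaged each time, while engine and signature updates leave it alone.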

ankurs2008 Tue, 10/07/2008 - 13:40

Dear marcabal

Thanks for the update. As of now the current version is IDS 4.1(1) S47 and the recovery partition version is also the same. As I will be first upgrading the sensor ROMMON/BIOS, followed by 5.0-1e, please let me know from where I can download the current recovery partition image, so that if by chance the image gets corrupted, I should be able to recover the sensor to the original image.

Also, please let me know if my sequence and order of upgrade procedure is correct (mentioned below) before I go for the final activity:

1) Upgrade BIOS and ROMMON

2) Once I have upgraded to 5.0-1e by using the file IPS-K9-maj-5.0-1e-S149.rpm.pkg, I will upgrade the sensor to 5.1(5) E1 by using the file IPS-K9-engine-E1-req-5.1-5.pkg.

3) Once it is done, I will apply IPS-K9-5.1-7-E1.pkg for 5.1(7) followed by IPS-K9-6.0-5-E2.pkg for 6.0(5) E2.

Regards

Ankur

marcabal Tue, 10/07/2008 - 13:57

First issue to be aware of is that the "recovery partition" cannot be used to downgrade from 5.x or 6.x back to a 4.x version.

This is because of major differences in how partitions are handled.

The "recovery partition" can be used for downgrading from 5.x or 6.x versions back to an earlier 5.x version, or from a 6.x version to an earlier 6.x version.

As for your upgrade procedure here should be your steps:

1) Upgrade BIOS and ROMMON

2) Install IPS-K9-maj-5.0-1e-S149.rpm.pkg

3) Install IPS-K9-6.0-5-E2.pkg

There is no reason to install any other 5.0 or 5.1 updates. You can go straight from 5.0 to 6.0(5)E2.

If for some reason you feel you really want to install these in between 5.1 versions, then instead of IPS-K9-engine-E1-req-5.1-5.pkg you need to instead install IPS-K9-5.1-5-E1.pkg. The "engine" file is only used if you were already at 5.1(5) and just wanted to add the E1.

ankurs2008 Wed, 10/08/2008 - 00:21

Dear marcabal

Thanks for the inputs provided. I want to ask you if I should take a TFTP image backup of the sensor, as there is no recovery partition image to go back to for version 4.0 (in case the sensor fails to upgrade to 5.0).

Please let me know if it is possible to take a TFTP image backup for the sensor. If yes, how can I achieve that? If the sensor upgrade fails, can I revert back to the old version with the image backup?

Regards

Ankur

marcabal Wed, 10/08/2008 - 05:14

If I remember right you are using an IDS-4215.

If you need to get back to 4.1 you would need to install a System Image through ROMMON.

The System Image for 4.1(4) for the IDS-4215 is available here:

http://www.cisco.com/cgi-bin/tablebuild.pl/ids4-app-recovr

IDS-4215-K9-sys-4.1-4-S91a.img

You will need to save off your 4.1 configuration before upgrading to 5.0.

If you need to get back to 4.1, then you would load the 4.1(4) System Image file, install any other updates you need, and then re-apply your 4.1 configuration.

ankurs2008 Wed, 10/08/2008 - 06:01

Hi marcabal

Thanks a ton! However I could not download the file as it was giving a particular error (attached) while doing so. Please try using your CCO login and let me know if you're facing the same issue.

Ankur

marcabal Wed, 10/08/2008 - 06:10

I see the same error.

You will need to contact the TAC (Cisco help desk) to see if they can get someone to look into the issue.

ankurs2008 Wed, 10/08/2008 - 07:12

Hi marcabal

I do have a CCO login; however I do not have the privileges to log a ticket with TAC. Is there any other alternative to provide them the feedback for the same?

Ankur

ankurs2008 Thu, 10/09/2008 - 23:17

hi marcabal

I just want to know, if the IDS is rebooted, whether the traffic will pass through (keep on going uninterrupted) just like it happens in IPS?

Note: the management interface is connected to a switch which in turn is connected to the user LAN; the monitoring interface is connected to a hub which in turn is connected to the router and firewalls.

Ankur

marcabal Fri, 10/10/2008 - 06:48

When operating in promiscuous mode the sensor is receiving Copies of the packets.

Anything done to the sensor will only affect the Copies of the packets. The original packets should continue to pass just fine through your network.

(In your case you can consider it as the hub copying the packets to the sensor).

Only in inline mode are the original packets passed through the sensor. And in inline mode, yes, the network traffic will be affected. You can design in alternate routes/paths into your network (like a second sensor) in order to ensure packets continue passing through your network when a sensor goes down.

Version 4.x only supported promiscuous mode. So upgrading from 4.x to 5.x to 6.x should not affect your network.
