IPS 7.0 - global correlation not updating

Unanswered Question
Jun 10th, 2009

Hello,

I am having issues with the IPS sensor not doing the global correlation updates. The IPS module has access to the internet and I can ping the server which serves the updates. Anything else to be checked?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (3 ratings)
Loading.
George Thomas Wed, 06/10/2009 - 07:52

To add to the previous post, I am seeing the following error:

08Jun2009 collaborationApp[465] rep/E A global correlation update failed: openConnection: Caught IpAddrException badAddrString

Messages, like this one, in the category - Reputation update failure - were logged 24 times in the last 7200 seconds.

abinjola Wed, 06/10/2009 - 23:54

the issue that you are experiencing is due to a new feature that is turned on by default in the 7.0(1)E3 called Global Correlation. You are receiving the health critical messages because the IPS is not setup to allow the Global Correlation updates. You can turn this

Global Correlation feature off in IME by going to Configuration->Policies->Global

Correlation and turning off the Inspection/Reputation and Network Participation settings.

If you want to use this feature you will need to setup a proxy or DNS on the

IPS

George Thomas Thu, 06/11/2009 - 05:24

Hi Ashish,

I understand that Global Correlation is a new feature. I am trying to get it to work so that it can go fetch updates but it doesnt work. The IPS module has the required DNS servers listed and also Internet connection. But still it doesnt work.

Thanks,

G

George Thomas Thu, 06/11/2009 - 06:15

Hi Ashish,

I have configured the DNS servers and the IPS module can ping the DNS server. I can also ping the IP address to which IPS is going to go to download the updates from.

Thanks,

G

abinjola Mon, 06/22/2009 - 05:06

sorry for the late response...

You may be hitting CSCsy29617 Sensor unable to download global correlation update files

Bill CARTER Mon, 06/22/2009 - 05:56

You need to setup a static NAT for the IPS address. That is kind of left out/hidden in the configuration documents.

George Thomas Mon, 06/22/2009 - 05:59

Hi guys,

Thanks for your responses. I figured out what the issue was. I didnt have Network Participation turned on. As soon as I turned it on and restarted the module, everything seems to work fine. I dont have static NAT entry for it.

Thanks,

G

MARK BAKER Mon, 08/24/2009 - 08:55

I was having issues updating the Global Correlation feature as well. From a packet capture, I found that the sensor was trying to open an http connection to two IP addresses (97.65.135.170 and 97.65.135.137). After I allowed this in addtion to the update-manifest.ironport.com IP address for https, the updates started working.

I do not have Network Participation enabled.

Mark

Actions

This Discussion