cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2319
Views
15
Helpful
10
Replies

IPS 7.0 - global correlation not updating

George Thomas
Level 10
Level 10

Hello,

I am having issues with the IPS sensor not doing the global correlation updates. The IPS module has access to the internet and I can ping the server which serves the updates. Anything else to be checked?

Please rate useful posts.
10 Replies 10

George Thomas
Level 10
Level 10

To add to the previous post, I am seeing the following error:

08Jun2009 collaborationApp[465] rep/E A global correlation update failed: openConnection: Caught IpAddrException badAddrString

Messages, like this one, in the category - Reputation update failure - were logged 24 times in the last 7200 seconds.

Please rate useful posts.

the issue that you are experiencing is due to a new feature that is turned on by default in the 7.0(1)E3 called Global Correlation. You are receiving the health critical messages because the IPS is not setup to allow the Global Correlation updates. You can turn this

Global Correlation feature off in IME by going to Configuration->Policies->Global

Correlation and turning off the Inspection/Reputation and Network Participation settings.

If you want to use this feature you will need to setup a proxy or DNS on the

IPS

Hi Ashish,

I understand that Global Correlation is a new feature. I am trying to get it to work so that it can go fetch updates but it doesnt work. The IPS module has the required DNS servers listed and also Internet connection. But still it doesnt work.

Thanks,

G

Please rate useful posts.

Have you configured DNS or proxy server as per

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli

_setup.html#wpxref67214

Hi Ashish,

I have configured the DNS servers and the IPS module can ping the DNS server. I can also ping the IP address to which IPS is going to go to download the updates from.

Thanks,

G

Please rate useful posts.

sorry for the late response...

You may be hitting CSCsy29617 Sensor unable to download global correlation update files

You need to setup a static NAT for the IPS address. That is kind of left out/hidden in the configuration documents.

Hi guys,

Thanks for your responses. I figured out what the issue was. I didnt have Network Participation turned on. As soon as I turned it on and restarted the module, everything seems to work fine. I dont have static NAT entry for it.

Thanks,

G

Please rate useful posts.

I was having issues updating the Global Correlation feature as well. From a packet capture, I found that the sensor was trying to open an http connection to two IP addresses (97.65.135.170 and 97.65.135.137). After I allowed this in addtion to the update-manifest.ironport.com IP address for https, the updates started working.

I do not have Network Participation enabled.

Mark

Try adding some or all the following IP addresses for access to the device:

204.15.82.17

207.15.82.17

97.65.135.170

97.65.135.137

208.90.57.73

209.107.213.40

198.133.219.25

77.67.85.33

77.67.85.9

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: