IPS Module no longer processing traffic following signature update?

Unanswered Question
Jun 12th, 2009
User Badges:

Our AIP-SSM-20 module no longer seems to be processing any traffic from our ASA5540.


I have it set-up to log to our CSMARS system. A few days ago, I noticed the CSMARS was showing “inactive CSMARS reporting device” and when I checked the IPS events from the module using IME there were no events at all - not even low or informational.


Similarly, if I use show stat virtual-sensor vs0 on the IPS module the number of packets processed is no longer incrementing.


When I checked when I last received an event successfully, it coincided with when the IPS had auto-updated with signature S406. It has since also auto-updated with S407. Apart from this, nothing has changed config-wise on either the IPS module or the ASA itself so I cannot understand why the traffic no longer seems to be getting processed.


Any suggestions on what the problem could be? Is it possible something has gone wrong with the auto signature update and, if so, is there any way I can remove the last 2 signature updates to see if traffic is processed again?


Any advice would be welcome!


Thanks.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
mitchen Fri, 06/12/2009 - 07:42
User Badges:

I should have guessed - a reboot of the IPS sensor seems to have solved this particular problem.


Traffic is being processed again following the sensor reboot.


Problem resolved.

robertson.michael Thu, 06/18/2009 - 10:36
User Badges:
  • Silver, 250 points or more

Hi Neil,


I know you mentioned this was resolved with a reboot, but what version of code are you running on the module? I had the same problem on one of my two SSMs and upgrading to 7.0(1)E3 seems to have resolved it. I have not had another failure following a signature update since.


-Mike

rhermes Fri, 06/19/2009 - 08:45
User Badges:
  • Gold, 750 points or more

We have experienced signature updates locking up a sensor on just about every hardware platform and most (if not all) software versions. This is one of the reasons why we do not perform automatic signature or software updates. We also watch for sensors going silent with a heartbeat sig.

Actions

This Discussion