
Network Security Gadget on Dashboard not displaying events

Daniela Herrera
Level 1

Hello,

We are noticing a strange behavior with several IPS AIM modules and IPS Appliances. Events are generated and can be seen from the event viewer but nothing is displayed on the Network Security Gadget on the Dashboard.

We've verified and compared configurations with other working Appliances and can't find why the count event on the dashboard is 0 while the event viewer is showing several events. We've tested from different computers with different Java versions to rule out a problem with the viewer, but the result is the same.

IPS is working and denying traffic if configured; the event action overrides are configured to produce alert for all severities (to test).

We've seen this on Appliances and ASA IPS modules running 7.0(1)3, 6.0(5)E3 and other 6.x versions. The only common denominator we can see is the E3.

It's a difficult event to troubleshoot and I haven't found any reports of similar behavior. Has anyone noticed something similar?

Any ideas on where to look will be greatly appreciated.

Regards,

19 Replies

suschoud
Cisco Employee

Hi,

Question: is the virtual sensor configured in all the cases you mentioned the default vs0, or did you create a new one?

There is a known issue with non-vs0 sensor events not reported in net sec. gad.

HTH

Sushil

No, all of them have the default vs0.

But it's good to know that, thank you. Do you have any related documentation?

Any other ideas will be greatly appreciated.

Thanks!

How often are your alerts being generated?

If I remember right the counts are based on the alerts within the past 10 seconds.

If your sensor hasn't seen any signature triggers in the last 10 seconds, then the counts will be 0.

If your sensor is monitoring a fairly clean network (few attacks), or you've highly tuned your sensor to only monitor for a subset of signatures; then it is possible your sensor may only be triggering signatures every few seconds, or even every few minutes. In which case seeing counts of 0 for the past 10 seconds would be normal.

In addition if I remember right there was a bug introduced in some of the versions back when E3 was released.

And instead of counting based on the last 10 seconds, I think it incorrectly counted only based on the last 1/10th of a second.

This was fixed in the 6.1(2)E3 Service Pack, and I think was fixed for 7.0(1)E3 before it was released so I don't think you are running into this with your 7.0(1)E3 sensors.

Thanks for the reply, any other ideas?

Regards,

We are testing with a continuous ping and have the signature 2004 (ICMP request) enabled. This and other events are constantly showing on the event viewer, but nothing on the Dashboard.

Same configuration with version 6.1(1)E3 shows events on the Dashboard, but nothing if running version 7.0(1)E3.

Thanks!

Daniela Herrera
Level 1

I tested 6.0(5) and I'm having no problem with that one. 6.1(1)E3 is running fine. 7.0(1)E3 is not showing events on the Network security gadget on the dashboard.

I'm running tests with other versions to try to catch the issue.

Thanks

I am having a similar issue.

I was running IDM 6.0 and Network Security Gadget was seeing all of the Events and displaying the Risk vs Threat Graph and # of Events Graph perfectly. Then I upgraded to 7.0 and IPS Version 7.0(2)E3, and everything works except the Network Security Gadget. It scrolls Zero across both Graphs. I have attached a snapshot:

Hi!

We could never find an answer or reported issues on that.

We ended up installing the IPS Manager Express for our customer and it seems to be working fine for them since then, maybe you can try that.


Regards,

Thank you for the quick response Daherrer.

I tried loading the Express software, which is great by the way, but it also has the exact same problem. Am I right in thinking that all events that show up under the event monitoring tool should show up on the Network Security Graph?

We have found that using the older version of IME (6.1.1) will show all events from sensors running the 7.0 release; unfortunately you cannot make configuration changes. Anyone who has upgraded to the new 7.0.2 client cannot see the events from the sensor in real-time, but can make configuration changes.

FYI - I downgraded from the 7.0.2 client to the 7.0.1 client today and the event reporting began working again.

Thanks for the response.

Did you downgrade the IPS sensor software or the IME software? I downgraded the IME to 7.0.1 and still have the IPS running 7.0(2)E3 and it still does not work.

Gino

I downgraded the IME software to 7.0.1 and left the sensor at 7.0.2 E3. Since you are still having difficulties... maybe more detail of what I did will help? I uninstalled the IME 7.0.2, rebooted, then installed 7.0.1. IME didn't pick up the events right away, so I restarted the MySQL-IME service. I opened IME and chose realtime events, clicked apply and the events began appearing... Hope that helps.
