RVS 4000 Email responses that need addressing

Unanswered Question
Aug 14th, 2009

I have been bounced around between Cisco and Linksys for months….

I have two simple questions… One I know the answer on… the second, I haven’t a clue…

I have corresponded with 12-15 people at Linksys, and Cisco…


Their last answer is I should contact you….  So… Here goes…. The 16th person I’m requesting this information from….. (I can’t believe that Linksys/Cisco can’t answer these simple questions!)

Seeing that I've been checking for new firmware and IPS downloads from the Cisco site for months now, and not seeing any new downloads......

And Seeing that I'm getting nagging emails that my IPS Signature is too old, Please Update it!!!!

And Seeing that I'm still getting emails that I don't understand from the RVS 4000: -IPSEC EVENT: KLIPS device ipsec0 shut down

and I can't seem to understand How or Why it is happening, and have read manual cover to cover, and all the FAQ's, and can't upgrade it because there is no current software......

I sent the following email to [email protected] :

Hello. Have an RVS4000 Router, being used as a Gateway...

I have emails enabled, so that I'll be informed whenever there is greater than a set level of threats.... However...
If I check the logs, there are no threats... Yet....

I keep getting the following emails:
Your Signature Version is beyond 143 days. Please Update it!

I've also been getting the following emails:
-IPSEC EVENT: KLIPS device ipsec0 shut down

I'm using V1.40 IPS signature, and V1.2.11 firmware....

Yet I keep getting these emails...

I can't update the IPS Signature Version if you don't provide it!!! And you aren't!

Secondly, WHAT THE HECK DOES: "-IPSEC EVENT: KLIPS device ipsec0 shut down" MEAN????

May I suggest that the next version of firmware have options to disable the IPS "Nags" if you are not planning on writing any more code?

And, What the Heck does: "-IPSEC EVENT: KLIPS device ipsec0 shut down" mean?

Sincerely

Jan Janowski

JanJanowski Fri, 08/14/2009 - 09:29

And in case you don't believe that I haven't tried for a long while to get an answer to this.....

Please visit this link:  http://www.dslreports.com/forum/r22733060-RVS-4000-Support-email-to-Cisco

This is only the last half of the communications I've had with Cisco/Linksys on this..

The last information I received was to log in here, and another user would respond to my questions with suggestions....

So, here I am.... With the same two questions I've had for months, after being ignored multiple times by both Linksys and Cisco... Yeah, my attitude stinks right now.... do you fault me for that? 

Steven DiStefano Fri, 08/14/2009 - 14:20

Hello,

I can address the one question.

We do have new signature file for RVS4000, it’s under testing, we should be able to post as soon as it is approved.

The other issue I am not aware of and have not seen, but you can call the Small Business Support Community on 1-866-606-1866 and open a case.

Steve D

SE

Field Channel Sales team

JanJanowski Fri, 08/14/2009 - 20:34

Thank you, Steve.... Obviously, I knew it would take something like this to fix the "Please Update IPS" emails...

Maybe on next firmware you can make this message an option... ??

Other than these two emails, system is working fine.

More information:

RVS4000 Being used as Gateway, not Router. with Wan being 10.x.x.x and Lan being 192.x.x.x Router is BEFSX41

No VPN

Blocking all but skype

Mix of Gigabit and 100Mb connections

No IP, Mac, or time blocks.

Emails set to send email after 3 threats. Both Incoming and Outgoing logs are empty. I've checked logs prior to and after this email, and always found them empty.

At another forum, I posted asking what "-IPSEC EVENT: KLIPS device ipsec0 shut down" means

and someone found reference to this being a 'VPN related command' for Linux kernel 2.4

Again, I don't know Linux, nor am I using VPN in either RVS4000 or BEFSX41 (both  are locked off).

JanJanowski Sat, 08/15/2009 - 07:35

Email just received from RVS4000:

Aug 14 23:02:31 - IPSEC EVENT: KLIPS device ipsec0 shut down.

At that time, no computers were on. We were in bed...

I've received these emails with, and without computers being on.

Steven DiStefano Mon, 08/17/2009 - 06:34

Jan,

While we are waiting for a new IPS sign. file, can you try reinstalling the existing signature file? It will be the same version you already have.   This is a test to see if the message will stop (it may).

Steve

JanJanowski Mon, 08/17/2009 - 15:27

Will reloading V1.40 IPS fix this email?

Aug 17 21:03:16 - IPSEC EVENT: KLIPS device ipsec0 shut down.

or are you thinking it  will reset the timer on the:

Your Signature Version is beyond 186 days. Please Update it!  Email?

Steven DiStefano Tue, 08/18/2009 - 06:02

Hi Jan,

Thanks for the feedback.  I also checked with the Product Engineering and test team and they told me that message you see is a message from the underlying Kernel that the VPN session was restarted.    This could be due to any interruption of service on the WAN. 

Steve

JanJanowski Tue, 08/18/2009 - 11:37

Thanks very much....  So this service starts even when VPN is not used?

JanJanowski Sun, 08/23/2009 - 07:01

I've let a few days go by since the last answer..... To see if anyone would post answers to my original questions.... and now it begs to be asked again...

My first post contained questions still un-answered....

Why is there not a software switch to turn off nag emails about IPS signature date?

Why are cryptic email messages being sent at all, seeing that I've told the system NOT to email me until there are 3 or more simultaneous threats?

Seeing that both incoming and outgoing logs are EMPTY, Why am I getting emails at all?

Why is it that it took MONTHS and MONTHS of Emailing Linksys, Cisco, and now Cisco Small Business the above question, and instead of answering the questions, everybody seems content with just suggesting I contact someone else?

Yes, I could reload existing IPS file, and that may shut up the emails....But:  WHY SHOULD I HAVE TO DO THIS?

I'm  still patiently awaiting an updated IPS file..... WHEN will it be released?

And Finally, When will new Firmware be released for the RVS4000 that will contain software switches to turn off "Nag" emails?

JanJanowski Sun, 09/06/2009 - 07:53

It's been a month since I've been told that a new IPS file for the RVS4000 was "imminent"

Is it "Imminent" YET?????

kpawson Sun, 09/06/2009 - 22:43

Yes, come on Cisco/Linksys, this is starting to be a joke, when will the IPS update file be released?

I have been patiently watching this thread and the website IPS file section for an update for some time and it's now beyond frustrating :(

This product is supposed to be for small business and my client is starting to question why I recommended this product.

If you can't provide a regular signature file then at least offer a service for this or don't bother selling the product with an IPS feature/function.

Can you advise if this file is going to be released on a regular basis so I can inform my client and put his mind to rest?

Thanks.

David Hornstein Mon, 09/07/2009 - 06:14

hi Kpawson,

If your customers are really concerned or serious about security, one service that was introduced to allow you as a VAR to make some more money off the RVS4000 was the resale of the protectlink functionality. This is something that you can manage for your customers. Check out the URL below and the functionality of using protectlink within the RVS4000.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5739/ps5723/ps9952/ps9953/data_sheet_c78-502732.html

Hope you find this interesting.

regards Dave

JanJanowski Mon, 09/07/2009 - 08:00

Actually, it sounds like you are passing the buck to someone else...

Please note, it took MONTHS to get a simple answer from anyone, and the answer I received wasn't an answer at all, but a side-step of the entire issue.

One of the side-steps was a promise of a new IPS file...  Where is it?

Second answer didn't tell me how to get the emails to stop, or indicate how I could mask them... just explained that a service that I don't even USE, (VPN) was causing it!


Come on!   How about some support!

JanJanowski Thu, 09/10/2009 - 06:23

I see that V1.3.0.5 Firmware has been Posted!!!

I'm printing out information on it, and looking at my notes, and printouts from prior (1.2.11) settings.... so that I can do a smooth upgrade, when the time comes...

I've not found any information indicating that V1.40 IPS file should be used with the new V1.3.0.5 firmware..... 

Would someone please confirm this, or suggest to wait for updated IPS file?

Thanks!

kpawson Thu, 09/10/2009 - 19:51

Nice Job Cisco and it works great... now just the IPS file and it's happy times again :)

My client is not interested in the Trend Additional subscription at this stage, he has not been happy with the lack of attention to the basic unit and is still considering using another product. He will need to spend more on another product, however it may equal out if he has to pay for the Trend component.

Thanks

William Childs Thu, 09/10/2009 - 21:21

Gentlemen,

Here is a link to the IPS signature and firmware.

http://tools.cisco.com/support/downloads/go/Model.x?mdfid=282414013&mdfLevel=Model&treeName=Routers&modelName=Cisco%20RVS4000%204-port%20Gigabit%20Security%20Router%20-%20VPN&treeMdfId=268437899

They are independent of each other, meaning just because you update one does not mean you must update the other. There is not currently a way to turn off the notification emails that are sent when your IPS signature is too old. The trend subscription is designed to help you filter (by web address) the locations your users can go, and it can also filter your email. The administration guide for the product (88 pages/7MB in size) explains each of these features and how to activate them.

As you can see when you download the IPS signature, it was released back in February of this year. I understand how difficult it can sometimes be to navigate the Cisco site as there are multiple ways to find the same information. I hope this helps.

Bill

JanJanowski Thu, 09/10/2009 - 21:57

The IPS signature is the same one, not new..... V1.40

I'm all set to upgrade to the new V1.3.0.5. Until I heard on DSLReports that V1.3.0.5 is not compatible with Firefox V3.5

I need Firefox for my beta work...

Can you please confirm or deny that this firmware works with Firefox V3.5, Please?

William Childs Thu, 09/10/2009 - 22:09

When you hear that it is not compatible with Firefox, what that really means is when you open the web interface of the router you should use internet explorer. The web pages display differently in browsers other than IE. I have even heard bug reports about the url filtering only working when the users are using IE. Meaning when the users open Firefox they can get to web sites they were not able to get to in IE.

Generally, we recommend using IE for configuring your router. Firefox will work with our devices but they were built to be compatible with the masses and it has only been the past year or two that Firefox and other browsers have made a run on windows machines. Actually it was only recently that Microsoft even acknowledged that Linux was actually a competitor of theirs.

When performing your upgrade, I recommend exporting the current configuration. Then perform the upgrade to the firmware. Once the firmware has upgraded successfully, reset the unit back to factory defaults (via the button on the unit/ hold for 30 seconds) and then MANUALLY reconfigure the unit. I have experienced issues importing old configs when moving to a new firmware. Sometimes with firmware upgrades they change the location (file tree) of some items which causes problems importing an old config.

Bill

kpawson Thu, 09/10/2009 - 22:14

Thanks for the post and info Bill, however I think Jan and I already know the IPS signature file is downloaded from another link and not with the firmware.

What we are saying is that it's not very acceptable to have an IPS signature with a date of Feb 2009 and it's now Sep 2009 and in addition to this the unit itself is complaining about the lack of updates.

It would be good if Cisco could release these on a regular basis and even better if the unit itself could download and apply the signature like most other firewall/IPS devices on the market.

Jan I actually used FF 3.5 just before to manage the device with no problems.

Thanks

William Childs Thu, 09/10/2009 - 22:28

I can definitely appreciate the idea of automatic updates! I also don't see why this has not been something we have tried to take advantage of (maybe a hardware limitation?). I do know that any time a company designs software it has to go through a legal process and be approved to be released. Often times that is the hold up on our firmware and such (quick vpn client, IPS signatures, etc..). It is good to hear that you were able to successfully use FF 3.5, I will pass this on to the rest of my team.

Bill

JanJanowski Fri, 09/11/2009 - 05:46

If it's just Config that FF isn't working with, I can certainly live with that... Usually I configure the router off-line, replacing it with a BEFSX41 set for same settings... and once configured offline, swap it back into the location where it will be used....

I understand configuring manually, as I ran into issues with the SX41 not remembering exported settings after upgrade... So that has always been my operation here.

In the convoluted bunch of emails that went on for 3-4 months prior to me finding this location....  One of the emails indicated a month or more ago that a New IPS for the RVS4000 was in final test, and would be released "Real Soon Now"....  That same person was un-aware of new firmware being evident....

Is a New IPS signature file forthcoming, and Should we wait for it prior to the V1.3.0.5 upgrade?

David Carr Fri, 09/11/2009 - 08:09

I would go ahead and back up your configs and do the upgrade, then factory reset the router and reload the firmware and signature files.

daviddun Tue, 09/15/2009 - 12:04

Good Afternoon,

The IPS update was released last week to the following link.  They also posted the newest firmware at the same time.  I have had this firmware and signature installed since the day of release with no problems.

I hope this fixes any issues or questions for you

http://tools.cisco.com/support/downloads/go/Model.x?mdfid=282414013&mdfLevel=Model&treeName=Routers&modelName=Cisco%20RVS4000%204-port%20Gigabit%20Security%20Router%20-%20VPN&treeMdfId=268437899

Have a great day

JanJanowski Tue, 09/15/2009 - 13:57

The link you posted still shows V1.40 as the IPS file.... Does someone see something else?

daviddun Tue, 09/15/2009 - 14:20

1.4 is the newest IPS for the RVS4000, it went from 1.3 to 1.4

Are you having problems with ver 1.4? If so, what is your case # at the SBSC so I can escalate the issue if needed?

kpawson Tue, 09/15/2009 - 16:45

David

In your post before you are saying that the IPS update was released last week with the firmware, however the version on the website that I see is Version 1.4 dated 3rd February 2009 as listed below.

ciscoipsfile.JPG

I don't understand, is it that the file was updated but not posted to the site or has the release date text not been updated?

Thanks

Keith

JanJanowski Tue, 09/15/2009 - 18:46

I was going to post the same thing... A month ago, during one of the emails that led me here, I was informed that a new IPS was in "Final Test"..

Is there an impending new IPS?

daviddun Wed, 09/16/2009 - 10:30

I will have to contact the PE for the RVS4000, we currently do not have any pending IPS update that I have been told about.

I will post when I get the feedback from the engineering group

Have a great day :)

JanJanowski Wed, 09/16/2009 - 18:57

Please check on the IPS file...

Tonight I upgraded from V1.2.11 to V1.3.0.5 and re-loaded IPS V1.40...

My findings:

As with V1.2.11, I had an issue trying to move LAN IP from 192.168.1.1  Eventually it allowed a save (Had this same issue in V1.2.11).

Logs are obviously now working, and were not in V1.2.11, as I'm not getting inundated with emails with same settings... Incoming, Outgoing, and log level 0,1,2,3,4.

So I'm going to have to re-check the manual for more info on log level settings...  Maybe I should ask, has there been any update to the manual, from the file that was there 3 months ago???

One thing I DIDN'T LIKE.....  Whereas the new HTTP/Cisco/Vista Look is fancier to look at......   IT'S AN INK CARTRIDGE DRAINER!!!!!  Got no Blue Ink Left!!!

In this aspect (amount of Ink Needed to print out all pages)  I like the 'old' Linksys pages a lot better... The new printouts are not as sharp or easy to read, and don't fit the page at times, also....

I did the firmware update (after reset to defaults)  and loaded the same V1.40 IPS file that was dated as: 7/28/2008 in V1.2.11 IPS INFO Page (IPS file wasn't even released until February of 2009), reports as 12/31/1969 in V1.3.0.5 IPS INFO Page !!    (Doublechecked clock on computer used for configuration... wasn't that!)

So.... It's up (I'm typing through it now)... and we'll just have to see how it works!!

Thanks for the new code.... It will be interesting to see if I start getting either of the old emails.... (But I obviously need to read up on the Log Levels.....)

Jan

JanJanowski Wed, 09/16/2009 - 19:47

Here's another suggestion.... Now that logs are working.....

When you get an email of logs.... It's not clear Which Level threat you're reading....

In other words.... here's some lines from an email I just received:

Sep 16 20:58:28  - [Access Log]O TCP Packet - 192.168.12.119:49319 --> 209.123.109.175:80
Sep 16 20:58:48  - [Access Log]O TCP Packet - 192.168.12.119:49320 --> 209.123.109.175:80
Sep 16 20:58:55  - [Access Log]O TCP Packet - 192.168.12.119:49321 --> 63.111.74.129:80

If I want to eliminate this type of entry, so that it doesn't email to me..... Wouldn't it be nice if in this line it would indicate WHICH LOG LEVEL it tripped?

For example....using the above example.... Let's assume these were Log Level 4.... Therefore.....

Sep 16 20:58:28  - LOG4 [Access Log]O TCP Packet - 192.168.12.119:49319 --> 209.123.109.175:80
Sep 16 20:58:48  - LOG4 [Access Log]O TCP Packet - 192.168.12.119:49320 --> 209.123.109.175:80
Sep 16 20:58:55  - LOG4 [Access Log]O TCP Packet - 192.168.12.119:49321 --> 63.111.74.129:80

This way, I could tell which log entry belongs to which Log Level.....

Does this make sense??
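The emailed lines quoted in this post carry no level field, so sorting them has to be done on the receiving side. The following is an added example, not Cisco or Linksys code and not from any poster: a small parser for the line format shown in this thread that also accepts the `LOGn` tag proposed above if a future firmware were to emit it (the tag is hypothetical; the meaning of the `O` flag is not stated on the page, so it is kept as a raw field).

```python
import re
from collections import Counter

# "Mon DD HH:MM:SS  - [optional LOGn] body", as in the emails quoted in this thread.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+-\s*"
    r"(?:LOG(?P<level>\d)\s+)?(?P<body>.+)$"
)
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "[Access Log]O TCP Packet - src:port --> dst:port"
ACCESS_RE = re.compile(
    r"^\[Access Log\](?P<flag>[A-Z]) (?P<proto>[A-Z]+) Packet - "
    rf"(?P<src>{IPV4}):(?P<sport>\d+) --> (?P<dst>{IPV4}):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for one emailed log line, or None if it is not a log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "level": int(m["level"]) if m["level"] else None}
    body = m["body"].strip()
    a = ACCESS_RE.match(body)
    if a:
        rec.update(kind="access", flag=a["flag"], proto=a["proto"],
                   src=a["src"], sport=int(a["sport"]),
                   dst=a["dst"], dport=int(a["dport"]))
    else:
        # Anything else (for example the KLIPS message) is a system event.
        rec.update(kind="event", message=body)
    return rec


def triage(lines):
    """Split an email body into per-destination access counts, events, and junk."""
    dests, events, unparsed = Counter(), [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
        elif rec["kind"] == "access":
            dests[(rec["dst"], rec["dport"])] += 1
        else:
            events.append(rec["message"])
    return dests, events, unparsed


# Lines copied from this thread; the LOG4 tag and the last entry are constructed.
SAMPLE = [
    "Sep 16 20:58:28  - [Access Log]O TCP Packet - 192.168.12.119:49319 --> 209.123.109.175:80",
    "Sep 16 20:58:48  - [Access Log]O TCP Packet - 192.168.12.119:49320 --> 209.123.109.175:80",
    "Sep 16 20:58:55  - LOG4 [Access Log]O TCP Packet - 192.168.12.119:49321 --> 63.111.74.129:80",
    "Aug 14 23:02:31 - IPSEC EVENT: KLIPS device ipsec0 shut down.",
    "not a log line",
]

if __name__ == "__main__":
    dests, events, unparsed = triage(SAMPLE)
    for (dst, port), n in dests.most_common():
        print(f"{n:3d}  {dst}:{port}")
    print("events:", events)
    print("unparsed:", unparsed)
```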

JanJanowski Thu, 09/17/2009 - 11:49

So I took my printouts from V1.3.0.5 and RVS4000 Manual to work today, to read and learn more during lunch..... and discovered another issue with new firmware...

The printouts on about half of the pages are cutoff... The data should have been on 2nd page printout, but second page is basically just a header line and blank page....

You folks should look at the way V1.2.11 printouts were done... Each page fits nicely on one piece of paper, and had a nice Logo too...  and doesn't eat Ink Un-necessarily!

I see some changes in the program compared to the manual..... Is there a plan for an updated RVS4000 manual so as to more correctly match the new firmware settings?

Is there any FAQ (I haven't found one yet) that gives more In-Depth information on setting up Logs, what works, what doesn't, and information on Log Levels control, as alluded to in the above post???

Thanks

David Hornstein Mon, 09/21/2009 - 17:10

Hi Jan.

I must admit I like the new software and haven't looked at the manual, usually things within this product are pretty self explanatory. :)

I will pass on your very constructive posting  and feedback to the RVS4000 product manager.

Thank you again for your post.

regards Dave

JanJanowski Sat, 09/26/2009 - 18:24

Dave and Steve..... Please ask the RVS4000 person to check code on IPS update nags....

Now remember that I upgraded firmware and re-loaded IPS Signature a week or two ago......

A couple days ago I received the following email....

Your Signature Version is beyond 14511 days. Please Update it!

David Hornstein Sun, 09/27/2009 - 17:47

Hi Jan,

I will forward a low priority TAC case to my level 3 technicians in Irvine in California. It's obviously not affecting operation, just saying it's been 39 years since you last performed a signature file update.

Would you be so kind as to spare some time and paste a copy of that screen shot in reply.

Thank you for this excellent feedback.

regards Dave
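The two symptoms reported in this thread, an IPS info page showing 12/31/1969 and a nag email counting 14511 days, are both what an upload time of zero seconds since the Unix epoch looks like. The following is an added example, not Cisco code and not from any poster; it assumes the stored value is a Unix timestamp (the thread does not confirm this), and the UTC offset, plausibility floor and 90-day threshold are illustrative choices.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Assumption: no genuine upload can predate this; earlier values mean "never set".
EARLIEST_PLAUSIBLE = datetime(2005, 1, 1, tzinfo=timezone.utc)
# Assumption: staleness threshold chosen for illustration; the thread gives none.
MAX_AGE_DAYS = 90


def parse_last_upload(text):
    """Parse the info-page format quoted in the thread, e.g. '2009/09/09 04:30:44'.
    The value is treated as UTC here (assumption)."""
    return datetime.strptime(text, "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)


def from_epoch(seconds):
    """Convert a stored seconds-since-epoch value to an aware datetime."""
    return EPOCH + timedelta(seconds=seconds)


def displayed_date(uploaded, utc_offset_hours):
    """Date a UI would show for `uploaded` in a zone with this UTC offset."""
    return (uploaded + timedelta(hours=utc_offset_hours)).strftime("%m/%d/%Y")


def naive_age_days(uploaded, now):
    """What a nag email computes when it trusts the stored time blindly."""
    return (now - uploaded).days


def check_signature(uploaded, now, max_age_days=MAX_AGE_DAYS):
    """Return (status, detail), separating a broken timestamp from a stale file."""
    if uploaded < EARLIEST_PLAUSIBLE:
        return ("unknown", "upload time unset or invalid; verify NTP, then re-upload")
    if uploaded > now:
        return ("unknown", "upload time is in the future; verify device clock")
    age = (now - uploaded).days
    status = "stale" if age > max_age_days else "current"
    return (status, f"signature is {age} days old")


if __name__ == "__main__":
    now = datetime(2009, 9, 24, 12, 0, tzinfo=timezone.utc)
    unset = from_epoch(0)
    print(displayed_date(unset, -6))     # a US time zone shows the day before the epoch
    print(naive_age_days(unset, now))    # the day count a blind check would email
    print(check_signature(unset, now))
    print(check_signature(parse_last_upload("2009/09/09 04:30:44"), now))
```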

JanJanowski Sun, 09/27/2009 - 18:24

Here is how it reports....   PS.. I did check the date and time of computer that was used to config router.... It was Sept 2009 on that one....

daviddun Mon, 09/28/2009 - 07:03

Good Morning,

I updated a RVS4000 from my lab bench to the newest firmware, did the factory reset and set it up with basic configuration.  I then updated the IPS Signature file to ver 1.40 and was unable to duplicate the error.

Information

Signature Version:1.40
Last Time Upload:2009/09/09 04:30:44
Protect Scope:Worm
DoS / DDoS
Buffer Overflow
Web Attack
Scan
Trojan Horse
IM / P2P

I had ver 1.2.11 firmware on the router before the upgrade.  I would look at the NTP server you have the router pointing to.

I use 132.163.4.107 for my time server

JanJanowski Mon, 09/28/2009 - 07:17

If you look up a few posts, please note that when I upgraded to V1.2.11 (from 1.0.7 I believe).... It was done with a different computer than the one I used for this last upgrade, and it, too, also mis-logged the date and time.... To sometime in 2008. Note that V1.40 IPS didn't become available till Feb of 2009.

So I guess the RVS can prove the Theory of Relativity!!

Prior to any upgrade, I would reset to factory defaults, then, using a computer set for DHCP, connect to it, and upgrade firmware, and configure.

The last thing I would do is change the IP from Factory default to the planned usage IP.   Then walk the unit back to where it would be used, install it, then power cycle the Router, modem, and other switches..

I'm using this as a Gateway, and though 4 DHCP are allowed, all devices are Static IP.

I'll post the NTP Server I use later tonight....  But I've never had an issue with it...

Good luck.

kpawson Mon, 09/28/2009 - 22:46

Hi David

Is there any news on an updated IPS file?

Perhaps I'm not understanding  what the purpose of the IPS signature file is, or how Cisco/Linksys have designed it to be with this product, perhaps it's only to be updated annually?

My assumption is that the IPS signature file is similar to an Antivirus or Antimalware file that should be updated to detect known threats or abnormal traffic patterns that would indicate a worm, malware or a known traffic pattern that is malicious.

In the past I've worked on IPS systems from other manufacturers and they have been designed with an IPS or IDS signature detection file to be updated to keep up with detecting and preventing the latest known threats.

As the product is emailing us about the file being out of date, I'm therefore assuming that the RVS 4000 built in IPS is designed like these others I've worked with?

Thanks

Keith

JanJanowski Tue, 10/06/2009 - 16:06

V1.41 IPS file has been released!!!

Version: 1.41     Total Rules: 1098

In this signature, we addressed the exploits/vulnerabilities and applications
as below:

-EXPLOIT MS Video ActiveX Control Stack Buffer Overflow
  A buffer overflow vulnerability exists in Microsoft DirectShow.
  The flaw is due to the way Microsoft Video ActiveX Control parses image files.
  An attacker can persuade the target user to open a malicious web page to exploit
  this vulnerability.  

-EXPLOIT Oracle Database Workspace Manager SQL Injection 
  Multiple SQL injection vulnerabilities exist in Oracle Database Server product.
  The vulnerabilities are due to insufficient sanitization of input parameters
  in the Oracle Workspace Manager component. A remote attacker with valid user
  credentials may leverage these vulnerabilities to inject and execute SQL code
  with escalated privileges of SYS or WMSYS account.

  Support P2P application named uTorrent up to version 1.7.2.


Signature content for 1.41
========================================================================
New Added signature(s):
1053635 EXPLOIT MS Video ActiveX Control Stack Buffer Overflow -1
1053636 EXPLOIT MS Video ActiveX Control Stack Buffer Overflow -2
1053632 EXPLOIT Oracle Database Workspace Manager SQL Injection -1
1053633 EXPLOIT Oracle Database Workspace Manager SQL Injection -2
1053634 EXPLOIT Oracle Database Workspace Manager SQL Injection -3


Modified signature(s):
1051783 P2P Gnutella Connect
1051212 P2P Gnutella Get file
1051785 P2P Gnutella UDP PING 2
1051997 P2P Gnutella Bearshare file transfer with UDP
1052039 P2P Gnutella OK
1052637 P2P Foxy Get file

Deleted signature(s):
1050521 Worm.Klez.E1 - 1
1050522 Worm.Klez.E1 - 2
1050523 Worm.Klez.E1 - 3
1050524 Worm.Klez.E2 - 1
1050525 Worm.Klez.E2 - 2
1050526 Worm.Klez.E2 - 3
1050536 Worm.Blaster.B - 1
1050537 Worm.Blaster.B - 2
1050538 Worm.Blaster.B - 3
1050539 Worm.Blaster.C - 1
1050540 Worm.Blaster.C - 2
1050541 Worm.Blaster.C - 3


Number of rules in each category:
========================================================================
DoS/DDoS: 51
Buffer Overflow: 241
Access Control: 92
Scan: 41
Trojan Horse: 62
Misc: 3
P2P: 40
Instant Messenger: 121
Virus/Worm: 410
Web Attacks: 37

No Problem updating it, and the date reports Correctly!!!

THANK YOU!!!

kpawson Tue, 10/06/2009 - 16:54

Thank you Cisco/Linksys!!!

Am I pushing it if I ask how often this is going to be updated from now on?


