Global Correlation Update Failures

Feb 16th, 2010

I've recently turned on Global Correlation but we've failed to update every 5 minutes.

PL-ASA-IPS# show stat global
Network Participation:
   Counters:
      Total Connection Attempts = 2
      Total Connection Failures = 0
      Connection Failures Since Last Success = 0
   Connection History:
      Connection Attempt on February 16 2010, at 14:28:38 UTC = Successful
      Connection Attempt on February 16 2010, at 14:19:06 UTC = Successful
Updates:
   Status Of Last Update Attempt = Failed
   Time Since Last Successful Update = never
   Counters:
      Update Failures Since Last Success = 4
      Total Update Attempts = 4
      Total Update Failures = 4
   Update Interval In Seconds = 300
   Update Server = update-manifests.ironport.com
   Update Server Address = 204.15.82.17
   Current Versions:
      config = 0
      drop = 0
      ip = 0
      rule = 0
Warnings:

I have a static NAT translation for the IPS, there are no proxy servers in our environment and it can ping outside as well as update-manifests.ironport.com (204.15.82.17). DNS is set up as well.

In the logs I see this entry:

16Feb2010 14:13:15.679 265.199 collaborationApp[491] rep/E A global correlation update failed: Failed download of ibrs/1.1/config/default/1236210407 : HTTP connection failed

I guess I'm at a loss for what else I can check. We have no problems sending the Network Participation data but we can't get any data. Any suggestions?

Cisco Intrusion Prevention System, Version 7.0(2)E3
Signature Definition:
    Signature Update    S469.0                   2010-02-11
    Virus Update        V1.4                     2007-03-02
OS Version:             2.4.30-IDS-smp-bigphys

barnes001 Tue, 02/16/2010 - 08:46

A few hours of searching led me to find out that the problem was being caused by an ASA/Websense combo. I had to tell the ASA to not apply filtering rules (HTTP and HTTPS) to the IPS' IP address.

Within minutes this fixed the issue.

walkerte Wed, 02/24/2010 - 18:18

Thanks Robert.  I had a similar configuration (ASA/Websense) and was getting the same errors.  The filter url except command fixed it in less than a minute.

JMC N Fri, 02/26/2010 - 12:41

I received "A global correlation update failed : Failed download of ibrs/1.1/drop/default/1267213766 : URI does not contain a valid IP address" messages, like this one, in the category Reputation update failure.

Any ideas?

It has the default IP : 204.15.82.17

wps-asa-ips2# sh stat global
Network Participation:
   Counters:
      Total Connection Attempts = 3167
      Total Connection Failures = 1
      Connection Failures Since Last Success = 0
   Connection History:
      Connection Attempt on February 26 2010, at 20:24:42 UTC = Successful
      Connection Attempt on February 26 2010, at 20:14:39 UTC = Successful
      Connection Attempt on February 26 2010, at 20:04:34 UTC = Successful
      Connection Attempt on February 26 2010, at 19:54:35 UTC = Successful
      Connection Attempt on February 26 2010, at 19:44:40 UTC = Successful
Updates:
   Status Of Last Update Attempt = Failed
   Time Since Last Successful Update = 609 minutes
   Counters:
      Update Failures Since Last Success = 121
      Total Update Attempts = 4388
      Total Update Failures = 123
   Update Interval In Seconds = 300
   Update Server = update-manifests.ironport.com
   Update Server Address = 204.15.82.17
   Current Versions:
      config = 1236210407
      drop = 1267177755
      ip = 1267179307
      rule = 1267124528

walter baziuk Thu, 10/06/2011 - 04:19

I have the same issue; I have no ASA or Websense product between this device and the iNet.

Does anyone have a fix or workaround?

I have an AIM-IPS running 7.0(6)E4 with Signature version S599.0. All updates to date have been manually d/l to a local FTP server.

The auto update "seems" to run but never gets any updates.

This is what I see:

# sh stat global
Network Participation:
   Counters:
      Total Connection Attempts = 127
      Total Connection Failures = 127
      Connection Failures Since Last Success = 127
   Connection History:
      Connection Attempt on October 06 2011, at 10:46:32 UTC = Failed
      Connection Attempt on October 06 2011, at 09:24:32 UTC = Failed
      Connection Attempt on October 06 2011, at 08:03:04 UTC = Failed
      Connection Attempt on October 06 2011, at 07:59:52 UTC = Failed
      Connection Attempt on October 06 2011, at 06:36:57 UTC = Failed
Updates:
   Status Of Last Update Attempt = Failed
   Time Since Last Successful Update = never
   Counters:
      Update Failures Since Last Success = 2702
      Total Update Attempts = 2702
      Total Update Failures = 2702
   Update Interval In Seconds = 300
   Update Server = update-manifests.ironport.com
   Update Server Address = Unknown
   Current Versions:
      config = 0
      drop = 0
      ip = 0
      rule = 0
Warnings:

#sh ver
Application Partition:
Cisco Intrusion Prevention System, Version 7.0(6)E4
Host:
    Realm Keys          key1.0
Signature Definition:
    Signature Update    S599.0                 2011-09-29
OS Version:             2.6.14-Cavium-Octeon
Platform:               AIM-IPS-K9
Serial Number:          xxx
Licensed, expires:      31-Mar-2012 UTC
Sensor up-time is 9 days.
Using 54726656 out of 454148096 bytes of available memory (12% usage)
system is using 22.4M out of 80.0M bytes of available disk space (28% usage)
application-data is using 46.8M out of 213.0M bytes of available disk space (23% usage)
boot is using 54.4M out of 114.8M bytes of available disk space (50% usage)
application-log is using 61.8M out of 513.0M bytes of available disk space (12% usage)
MainApp            B-BEAU_2011_SEP_10_00_30_7_0_5_45   (Ipsbuild)   2011-09-10T00:32:09-0500   Running
AnalysisEngine     B-BEAU_2011_SEP_10_00_30_7_0_5_45   (Ipsbuild)   2011-09-10T00:32:09-0500   Running
CollaborationApp   B-BEAU_2011_SEP_10_00_30_7_0_5_45   (Ipsbuild)   2011-09-10T00:32:09-0500   Running
CLI                B-BEAU_2011_SEP_10_00_30_7_0_5_45   (Ipsbuild)   2011-09-10T00:32:09-0500
Upgrade History:
* IPS-AIM-K9-7.0-6-E4       17:39:07 UTC Sat Sep 10 2011
  IPS-sig-S599-req-E4.pkg   07:59:08 UTC Wed Oct 05 2011
Recovery Partition Version 1.1 - 7.0(6)E4
Host Certificate Valid from: 25-Sep-2011 to 25-Sep-2013
>

As seen above, there is no IP address listed for "update-manifests.ironport.com".

NS lookup is able to resolve it, so why can't the IPS?

Can I hard-code the IP address?

>Non-authoritative answer:

>Name:    update-manifests.ironport.com

>Address:  204.15.82.17
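
Added example, not part of any post in this thread and not Cisco code: a small Python triage of the global correlation statistics output, separating the three failure patterns posted above. The labels and the decision order are assumptions drawn from these posts only, and SAMPLE is constructed (trimmed from the last post's output).

```python
import re

# Constructed sample, trimmed from the kind of output posted in this thread.
SAMPLE = """\
Network Participation:
   Counters:
      Total Connection Attempts = 127
      Total Connection Failures = 127
Updates:
   Status Of Last Update Attempt = Failed
   Time Since Last Successful Update = never
   Counters:
      Total Update Attempts = 2702
      Total Update Failures = 2702
   Update Server = update-manifests.ironport.com
   Update Server Address = Unknown
"""

def parse_stats(text):
    """Return {section: {key: value}} from 'key = value' lines; blank lines are ignored."""
    stats, section = {}, None
    for line in text.splitlines():
        top = re.match(r"^(\S[^=]*):\s*$", line)  # unindented header such as "Updates:"
        if top:
            section = top.group(1)
            stats[section] = {}
        elif "=" in line and section:
            key, _, value = line.partition("=")
            stats[section][key.strip()] = value.strip()
    return stats

def triage(text):
    """Heuristic labels (assumed, based on the cases in this thread)."""
    s = parse_stats(text)
    part, upd = s.get("Network Participation", {}), s.get("Updates", {})
    if not upd:
        return "no-data"
    if upd.get("Status Of Last Update Attempt") != "Failed":
        return "ok"
    if upd.get("Update Server Address") == "Unknown":
        return "sensor-dns"   # the sensor itself never resolved the update server name
    attempts = int(part.get("Total Connection Attempts", 0))
    failures = int(part.get("Total Connection Failures", 0))
    if upd.get("Time Since Last Successful Update") == "never" and failures < attempts:
        return "http-path"    # participation works, downloads never do: check URL filtering
    return "regressed"        # updates worked earlier: correlate failure time with changes

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A "sensor-dns" result points at the sensor's own name resolution rather than at a workstation's nslookup, and "http-path" matches the case in this thread that was resolved by exempting the sensor from ASA URL filtering.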

This Discussion

Posted February 16, 2010 at 6:38 AM