02-16-2010 06:38 AM - edited 03-10-2019 04:53 AM
I've recently turned on Global Correlation but we've failed to update every 5 minutes.
PL-ASA-IPS# show stat global
Network Participation:
Counters:
Total Connection Attempts = 2
Total Connection Failures = 0
Connection Failures Since Last Success = 0
Connection History:
Connection Attempt on February 16 2010, at 14:28:38 UTC = Successful
Connection Attempt on February 16 2010, at 14:19:06 UTC = Successful
Updates:
Status Of Last Update Attempt = Failed
Time Since Last Successful Update = never
Counters:
Update Failures Since Last Success = 4
Total Update Attempts = 4
Total Update Failures = 4
Update Interval In Seconds = 300
Update Server = update-manifests.ironport.com
Update Server Address = 204.15.82.17
Current Versions:
config = 0
drop = 0
ip = 0
rule = 0
Warnings:
I have a static NAT translation for the IPS, there are no proxy servers in our environment and it can ping outside as well as update-manifests.ironport.com (204.15.82.17). DNS is set up as well.
In the logs I see this entry:
16Feb2010 14:13:15.679 265.199 collaborationApp[491] rep/E A global correlation update failed: Failed download of ibrs/1.1/config/default/1236210407 : HTTP connection failed
I guess I'm at a loss for what else I can check. We have no problems sending the Network Participation data but we can't get any data. Any suggestions?
Cisco Intrusion Prevention System, Version 7.0(2)E3
Signature Definition:
Signature Update S469.0 2010-02-11
Virus Update V1.4 2007-03-02
OS Version: 2.4.30-IDS-smp-bigphys
02-16-2010 08:46 AM
A few hours of searching led me to find out that the problem was being caused by an ASA/Websense combo. I had to tell the ASA to not apply filtering rules (HTTP and HTTPS) to the IPS' IP address.
Within minutes this fixed the issue.
02-24-2010 06:18 PM
Thanks Robert. I had a similar configuration (ASA/Websense) and was getting the same errors. The filter url except command fixed it in less than a minute.
02-26-2010 12:41 PM
I received "A global correlation update failed : Failed download of ibrs/1.1/drop/default/1267213766 : URI does not contain a valid IP address" messages, like this one, in the category Reputation update failure.
Any ideas?
It has the default IP : 204.15.82.17
wps-asa-ips2# sh stat global
Network Participation:
Counters:
Total Connection Attempts = 3167
Total Connection Failures = 1
Connection Failures Since Last Success = 0
Connection History:
Connection Attempt on February 26 2010, at 20:24:42 UTC = Successful
Connection Attempt on February 26 2010, at 20:14:39 UTC = Successful
Connection Attempt on February 26 2010, at 20:04:34 UTC = Successful
Connection Attempt on February 26 2010, at 19:54:35 UTC = Successful
Connection Attempt on February 26 2010, at 19:44:40 UTC = Successful
Updates:
Status Of Last Update Attempt = Failed
Time Since Last Successful Update = 609 minutes
Counters:
Update Failures Since Last Success = 121
Total Update Attempts = 4388
Total Update Failures = 123
Update Interval In Seconds = 300
Update Server = update-manifests.ironport.com
Update Server Address = 204.15.82.17
Current Versions:
config = 1236210407
drop = 1267177755
ip = 1267179307
rule = 1267124528
10-06-2011 04:19 AM
I have the same issue; I have no ASA or Websense product between this device and the iNet.
Does anyone have a fix or workaround?
I have an AIM-IPS running 7.0(6)E4 with Signature version S599.0. All updates to date have been manually d/l to a local FTP server.
The auto update "seems" to run but never gets any updates.
This is what I see:
# sh stat global
Network Participation:
Counters:
Total Connection Attempts = 127
Total Connection Failures = 127
Connection Failures Since Last Success = 127
Connection History:
Connection Attempt on October 06 2011, at 10:46:32 UTC = Failed
Connection Attempt on October 06 2011, at 09:24:32 UTC = Failed
Connection Attempt on October 06 2011, at 08:03:04 UTC = Failed
Connection Attempt on October 06 2011, at 07:59:52 UTC = Failed
Connection Attempt on October 06 2011, at 06:36:57 UTC = Failed
Updates:
Status Of Last Update Attempt = Failed
Time Since Last Successful Update = never
Counters:
Update Failures Since Last Success = 2702
Total Update Attempts = 2702
Total Update Failures = 2702
Update Interval In Seconds = 300
Update Server = update-manifests.ironport.com
Update Server Address = Unknown
Current Versions:
config = 0
drop = 0
ip = 0
rule = 0
Warnings:
#sh ver
Application Partition:
Cisco Intrusion Prevention System, Version 7.0(6)E4
Host:
Realm Keys key1.0
Signature Definition:
Signature Update S599.0 2011-09-29
OS Version: 2.6.14-Cavium-Octeon
Platform: AIM-IPS-K9
Serial Number: xxx
Licensed, expires: 31-Mar-2012 UTC
Sensor up-time is 9 days.
Using 54726656 out of 454148096 bytes of available memory (12% usage)
system is using 22.4M out of 80.0M bytes of available disk space (28% usage)
application-data is using 46.8M out of 213.0M bytes of available disk space (23% usage)
boot is using 54.4M out of 114.8M bytes of available disk space (50% usage)
application-log is using 61.8M out of 513.0M bytes of available disk space (12% usage)
MainApp B-BEAU_2011_SEP_10_00_30_7_0_5_45 (Ipsbuild) 2011-09-10T00:32:09-0500 Running
AnalysisEngine B-BEAU_2011_SEP_10_00_30_7_0_5_45 (Ipsbuild) 2011-09-10T00:32:09-0500 Running
CollaborationApp B-BEAU_2011_SEP_10_00_30_7_0_5_45 (Ipsbuild) 2011-09-10T00:32:09-0500 Running
CLI B-BEAU_2011_SEP_10_00_30_7_0_5_45 (Ipsbuild) 2011-09-10T00:32:09-0500
Upgrade History:
* IPS-AIM-K9-7.0-6-E4 17:39:07 UTC Sat Sep 10 2011
IPS-sig-S599-req-E4.pkg 07:59:08 UTC Wed Oct 05 2011
Recovery Partition Version 1.1 - 7.0(6)E4
Host Certificate Valid from: 25-Sep-2011 to 25-Sep-2013
>
As seen above, there is no IP address listed for "update-manifests.ironport.com".
NS lookup is able to resolve,
why can't the IPS?
Can I hard code the IP address?
>Non-authoritative answer:
>Name: update-manifests.ironport.com
>Address: 204.15.82.17
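The three "show stat global" outputs in this thread fail in different ways, and the counters alone tell them apart. The following triage helper is an added example, not part of any poster's message or of Cisco's tooling; the function names, hint codes and abridged sample are constructed for illustration.

```python
import re

# Added example: constructed sample, abridged from the output shown in the thread.
SAMPLE = """\
Network Participation:
Total Connection Attempts = 2
Total Connection Failures = 0
Updates:
Status Of Last Update Attempt = Failed
Total Update Attempts = 4
Total Update Failures = 4
Update Server Address = 204.15.82.17
"""

# Hypothetical hint codes; they restate what the thread reports, not a verdict.
HINTS = {
    "dns": "no address shown for the update server; check the sensor's DNS",
    "http-path": "participation works, no download ever succeeded; check URL filtering",
    "stalled": "updates succeeded earlier and then began failing",
}

def parse_stats(text):
    """Return {section: {key: value}} for the two top-level sections."""
    stats, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if re.fullmatch(r"(Network Participation|Updates):", line):
            section = stats.setdefault(line[:-1], {})
        elif section is not None and " = " in line:
            key, value = line.split(" = ", 1)
            section[key.strip()] = value.strip()
    return stats

def triage(text):
    """Return the hint codes whose counter pattern matches the output."""
    stats = parse_stats(text)
    part = stats.get("Network Participation", {})
    upd = stats.get("Updates", {})
    tried = int(upd.get("Total Update Attempts", 0))
    failed = int(upd.get("Total Update Failures", 0))
    p_tried = int(part.get("Total Connection Attempts", 0))
    p_failed = int(part.get("Total Connection Failures", 0))
    codes = []
    if upd.get("Update Server Address", "").lower() == "unknown":
        codes.append("dns")
    if tried and failed == tried and p_tried and p_failed == 0:
        codes.append("http-path")
    elif upd.get("Status Of Last Update Attempt") == "Failed" and failed < tried:
        codes.append("stalled")
    return codes
```

Pass the pasted CLI output to triage() and look up each returned code in HINTS; the "http-path" pattern is the one the ASA/Websense exemption resolved earlier in the thread.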