Cannot browse to IPS

Unanswered Question
May 24th, 2010

Hi all,

I have some management issues with an IPS-4260 appliance. I used Cisco IPS Event Viewer 5.2, but no activity was shown in it, and I cannot browse to the IPS box through HTTPS. I tried to reload the box, but the issues still occurred.

Please give me an idea to check or fix this case.

Thanks!!

Scott Fringer Tue, 05/25/2010 - 04:29

Can you access the sensor via SSH?  If not, can you get a direct console connection to the sensor?  If so, please ensure you have an appropriate access-list entry configured to allow your host to access the sensor.

Also, IPS Event Viewer (IEV) has been replaced by IPS Manager Express (IME).  IME provides improved event monitoring for current versions of Cisco IPS software (5.1, 6.0, 6.1, 6.2, 7.0) and configuration management for IPS versions 6.1, 6.2 and 7.0.  You may want to consider upgrading.  You can find out more about IME by visiting:

http://www.cisco.com/go/ime

Scott

HELPDESK THAILAND Tue, 05/25/2010 - 04:47

Hi Scott,

Thanks for the reply.

Yes, I can shell to the box. However, I found the following when I issued 'show health':


Overall Health Status                                   Red
Health Status for Failed Applications                   Green
Health Status for Signature Updates                     Yellow
Health Status for License Key Expiration                Green
Health Status for Running in Bypass Mode                Green
Health Status for Interfaces Being Down                 Green
Health Status for the Inspection Load                   Green
Health Status for the Time Since Last Event Retrieval   Red
Health Status for the Number of Missed Packets          Green
Health Status for the Memory Usage                      Not Enabled

Security Status for Virtual Sensor vs0                  Green

Please clarify the status 'Red' for me. Could it be related to my issues?

Scott Fringer Tue, 05/25/2010 - 04:54

The red status reported for "Health Status for the Time Since Last Event Retrieval" indicates an SDEE-based client (IME, CS-MARS, etc.) has not contacted the sensor to retrieve events in the configured time period.  As you are running a version of IPS software that supports health metrics, you will need to use IME for your event monitoring as IEV does not support the more recent versions of IPS software.

Another cause for failed event retrieval is an expired TLS certificate on the sensor.  You can check the valid date range for the current TLS certificate by issuing 'show version' on the CLI of the sensor; the TLS certificate details will be listed on the last line of the output:

Host Certificate Valid from: 14-Apr-2010 to 14-Apr-2012

Scott
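
An added example, not part of the original thread and not Cisco tooling: a small Python script that parses pasted 'show health' and 'show version' output, lists the Red/Yellow metrics and checks the certificate validity window described in the reply above. The function names, the 60-day warning threshold and the reference date are assumptions made for this example.

```python
import re
from datetime import date, datetime

# Sample CLI output: health lines as posted in this thread (spacing normalised),
# certificate line as quoted in the reply above.
SHOW_HEALTH = """\
Overall Health Status                                   Red
Health Status for Failed Applications                   Green
Health Status for Signature Updates                     Yellow
Health Status for the Time Since Last Event Retrieval   Red
Health Status for the Memory Usage                      Not Enabled
Security Status for Virtual Sensor vs0                  Green
"""
SHOW_VERSION_TAIL = "Host Certificate Valid from: 14-Apr-2010 to 14-Apr-2012"

STATUS_RE = re.compile(r"^(.*?\S)\s+(Red|Yellow|Green|Not\s+Enabled)\s*$")
CERT_RE = re.compile(r"Host Certificate Valid from:\s*(\S+)\s+to\s+(\S+)")


def non_green_metrics(show_health: str) -> dict:
    """Return {metric: status} for every metric reported Red or Yellow."""
    flagged = {}
    for line in show_health.splitlines():
        m = STATUS_RE.match(line.strip())
        if m and m.group(2) in ("Red", "Yellow"):
            # Collapse runs of spaces left over from copy/paste.
            flagged[" ".join(m.group(1).split())] = m.group(2)
    return flagged


def cert_status(show_version: str, today: date, warn_days: int = 60) -> tuple:
    """Classify the host certificate: valid, expiring, expired or not-yet-valid."""
    m = CERT_RE.search(show_version)
    if not m:
        raise ValueError("no 'Host Certificate Valid from' line found")
    start, end = (datetime.strptime(d, "%d-%b-%Y").date() for d in m.groups())
    days_left = (end - today).days
    if today < start:
        return ("not-yet-valid", days_left)
    if days_left < 0:
        return ("expired", days_left)
    # warn_days is an assumed threshold, not a value from the sensor.
    return ("expiring" if days_left <= warn_days else "valid", days_left)


if __name__ == "__main__":
    print(non_green_metrics(SHOW_HEALTH))
    print(cert_status(SHOW_VERSION_TAIL, date(2010, 5, 25)))
```
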

HELPDESK THAILAND Tue, 05/25/2010 - 20:18

Hi Scott,

This is the output of 'show version'; the host cert is still within its valid dates:

Cisco Intrusion Prevention System, Version 6.1(1)E3

Host:
    Realm Keys          key1.0
Signature Definition:
    Signature Update    S479.0                   2010-03-19
    Virus Update        V1.4                     2007-03-02
OS Version:             2.4.30-IDS-smp-bigphys
Platform:               IPS-4260-K9
Sensor up-time is 25 min.
Using 1886916608 out of 4100345856 bytes of available memory (46% usage)
system is using 17.7M out of 29.0M bytes of available disk space (61% usage)
application-data is using 45.3M out of 166.8M bytes of available disk space (29% usage)
boot is using 40.5M out of 69.5M bytes of available disk space (61% usage)


MainApp          M-2008_APR_24_19_16    (Release)   2008-04-24T19:49:05-0500   Running
AnalysisEngine   ME-2008_OCT_17_00_32   (Release)   2008-10-17T00:58:23-0500   Running
CLI              M-2008_APR_24_19_16    (Release)   2008-04-24T19:49:05-0500


Upgrade History:

*  IPS-sig-S476-req-E3       07:07:30 UTC Wed Mar 10 2010
   IPS-sig-S479-req-E3.pkg   07:07:17 UTC Sun Apr 11 2010

Recovery Partition Version 1.1 - 6.1(1)E2

Host Certificate Valid from: 13-Jul-2008 to 14-Jul-2010

Do you have any idea what to check or verify so that I can access the box via HTTPS?

Scott Fringer Wed, 05/26/2010 - 03:33

Can you connect to the sensor's IDM interface?

https://

If you are using IPS Event Viewer (IEV) as previously indicated, it cannot monitor IPS version 6.1 and higher.  You need to use IPS Manager Express (IME).

Also, IPS release 6.1(1)E3 is no longer receiving signature updates or software maintenance support:

http://www.cisco.com/en/US/partner/prod/collateral/vpndevc/ps5729/ps5713/ps2113/end_of_life_notice_c51-543022.html

You should consider upgrading your sensor to at least version 6.2(2)E4, if not 7.0(2)E4 (which adds a feature for global correlation and reputation scoring of potentially malicious IP addresses).

Scott

bimalnp4me Sun, 09/22/2013 - 23:55

I had the same issue, and after installing a compatible version of IPS Manager Express the issue was resolved.

Thanks for the help.
