IDSM-2 Signature Updates from Cisco.com URL?

Answered Question
Jun 3rd, 2010

THE IDSM-2 IPS Sensor in my 6509 switch was not auto updating from version 6.1(1)E3 S297, so I manually updated it to 7.0(2)E4 S480.  Unfortunately it still won't auto update from cisco.com and I think the url it is using is not correct.  My IDSM-2 Configuration has the url of:

https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl

Is there a more current URL I should be using?

Jim

Correct Answer
Scott Fringer Fri, 06/04/2010 - 04:13

Jim;

  The URL you provided is the correct URL.

  You can see what might be occurring by reviewing the output of the command sh stat host from the CLI.  The very end of the output will display the auto-update status.

  With that output you can either post here, and time permitting we can try to work through the issue, or you can open a service request with TAC for directed assistance.

Scott

NPT_2 Fri, 06/04/2010 - 08:55

Ok, the strange thing is that last night the latest signature update installed without issue automatically.  Strange, oh well, all is working now.  Thanks for the info, if it reoccurs I'll either post again or open a TAC case.

Jim

Scott Fringer Fri, 06/04/2010 - 09:00

Jim;

  Glad to hear it was successful.

  There is a known issue when the signature update is scheduled to occur on the hour boundary (e.g. 03:00): it can fail to update frequently, but not always.  Skewing the update check time off the boundary (e.g. 03:06) corrects the issue.

  Again, you can receive a quick view of a potential issue in the 'sh stat host' output.

Scott

NPT_2 Fri, 06/04/2010 - 09:07

That could have very well been the problem.  I just switched it to update offset from the exact hour.  Thanks again.

Hi,

Auto update of signatures is not happening.

Output of sh stat host:

Auto Update Statistics
   lastDirectoryReadAttempt = 08:25:45 UTC Wed Apr 06 2011
    =   Read directory: http://www.cisco.com/cisco/software/download.html#
    =   Error: AutoUpdate exception: HTTP connection failed [1,0]
   lastDownloadAttempt = 10:00:51 UTC Wed Dec 22 2010
   lastInstallAttempt = N/A
   nextAttempt = 09:25:00 UTC Wed Apr 06 2011
Auxilliary Processors Installed

OS Version:             2.4.30-IDS-smp-bigphys
Recovery Partition Version 1.1 - 6.2(3)E4

Scott Fringer Wed, 04/06/2011 - 03:55

Abhishek;

  The automatic IPS signature update process does not perform DNS lookups.  Your system is configured to use the following update URL:

http://www.cisco.com/cisco/software/download.html#

  This is invalid.

  The correct URL is:

https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl

  This is the only valid URL; the double-forward slash (//) after the IPS address is not a typographical error.

Scott

Hello Scott,

I changed the URL to https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl but the IDSM is still not updating the signatures automatically.

Output of sh stat host:

Auto Update Statistics
   lastDirectoryReadAttempt = 14:43:19 GMT+05:30 Thu Apr 07 2011
    =   Read directory: http:[email protected]//swc/esd/04/273556262/guest/
    =   Success
   lastDownloadAttempt = 14:43:19 GMT+05:30 Thu Apr 07 2011
    =   Download: http:[email protected]//swc/esd/04/273556262/guest/IPS-sig-S557-req-E4.pkg
    =   Error: autoUpdate successfully selected a package (http:[email protected]//swc/esd/04/273556262/guest/IPS-sig-S557-req-E4.pkg) from the cisco.com locator service, however, package download failed: HTTP status : 403 -  Webcat Access denied
   lastInstallAttempt = 15:46:59 GMT+05:30 Wed Dec 22 2010
   nextAttempt = 15:41:00 GMT+05:30 Thu Apr 07 2011
Auxilliary Processors Installed

Scott Fringer Thu, 04/07/2011 - 03:32

Abhishek;

  The new output indicates that the IDSM-2 is successfully connecting to the update website.

  The IDSM-2 is encountering an issue when attempting to retrieve the actual update package.  Is there a firewall, proxy server or URL filter (e.g. Websense) between the IDSM-2 management IP address and the Internet?  If so, you will need to create an exception for the IDSM-2's management IP address so it can access the Internet without restriction.

Scott

vpersaud001 Tue, 05/31/2011 - 07:31

Hello,

Any update on this issue? I see the same behavior on two IDSM-2s. I didn't see any traffic being blocked on the firewall but still opened all IP traffic from the sensors to 198.133.219.25 and there was already an exception from Websense for anything to 198.133.219.0 /24.

This behavior only started recently. A while ago they had stopped updating then started up again without any intervention. Now they've stopped again. My last update is 566.

Thanks.

Vincent

Scott Fringer Tue, 05/31/2011 - 07:37

Vincent;

  What does the output of 'sh stat host' show about the last attempts to update signatures?

Scott

vpersaud001 Tue, 05/31/2011 - 07:50

Hi Scott,

Same thing as for Abhishek Kala:

Auto Update Statistics
   lastDirectoryReadAttempt = 10:24:05 UTC Tue May 31 2011
    =   Read directory: http:[email protected]//swc/esd/05/273556262/guest/
    =   Success
   lastDownloadAttempt = 10:24:05 UTC Tue May 31 2011
    =   Download: http:[email protected]//swc/esd/05/273556262/guest/IPS-sig-S570-req-E4.pkg
    =   Error: autoUpdate successfully selected a package (http:[email protected]//swc/esd/05/273556262/guest/IPS-sig-S570-req-E4.pkg) from the cisco.com locator service, however, package download failed: Failed to receive the HTTP response
   lastInstallAttempt = 14:11:02 UTC Sat May 14 2011
   nextAttempt = 10:24:00 UTC Wed Jun 01 2011

Thanks.

Scott Fringer Tue, 05/31/2011 - 07:53

Vincent;

  It looks as if the IDSM-2's management IP address does not have access to 72.163.7.55, or Websense is intercepting that access and causing an issue. The 198.133.219.25 address is used to determine if a new update is available. If an update is available, the IDSM-2 is redirected to another server to retrieve the actual signature update.

Scott
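As an added example (not code from this thread or from Cisco), the Python script below turns Scott's two diagnostic rules into a check that can be run on captured output. The URL test encodes the constraints from his 04/06/2011 reply (the sensor does no DNS lookups, so the host must be an IP literal, and the path must be the locator script with its double slash), and the parser reads the "Auto Update Statistics" block of 'sh stat host' and reports whether the locator leg (198.133.219.25) or the package-download leg failed, as this reply explains. The sample outputs are constructed from the ones posted above; because the page obfuscated the package URLs, 'user:secret@72.163.7.55' is a placeholder for the credentials and server in those URLs, and reading an HTTP 403 "Webcat Access denied" as a URL-filter block is this example's interpretation, not a Cisco rule.

```python
"""Triage Cisco IPS (IDSM-2) automatic signature updates.

Added example, not Cisco's code. Validates the configured auto-update URL and
parses the 'Auto Update Statistics' block of 'show statistics host' to say
whether the locator leg or the package-download leg failed.
"""
import re
from urllib.parse import urlsplit

LOCATOR_IP = "198.133.219.25"
LOCATOR_PATH = "//cgi-bin/front.x/ida/locator/locator.pl"   # the double slash is intentional
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
FIELD_RE = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$")          #    lastDownloadAttempt = <time>
DETAIL_RE = re.compile(r"^\s*=\s+(.*?)\s*$")                 #     =   Error: <message>


def check_update_url(url):
    """Return the problems with an auto-update URL; an empty list means it is usable."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if not IPV4_RE.match(parts.hostname or ""):
        problems.append("host must be an IP literal: the sensor performs no DNS lookups")
    if parts.path != LOCATOR_PATH:
        problems.append("path must be " + LOCATOR_PATH)
    return problems


def parse_auto_update(text):
    """Parse the Auto Update Statistics block into {field: {'time': ..., detail: value}}."""
    stats, current, inside = {}, None, False
    for line in text.splitlines():
        if not inside:
            inside = line.strip().endswith("Auto Update Statistics")
            continue
        detail, field = DETAIL_RE.match(line), FIELD_RE.match(line)
        if detail and current:
            key, _, value = detail.group(1).partition(": ")   # 'Success' carries no value
            stats[current][key] = value
        elif field:
            current = field.group(1)
            stats[current] = {"time": field.group(2)}
        elif line.strip():
            break   # first line of the next section, e.g. 'Auxilliary Processors Installed'
    return stats


def diagnose(stats):
    """Name the failed leg and the fix. Leg 1 reads a directory from the locator at
    LOCATOR_IP; leg 2 fetches the package from the separate server the locator named,
    which is the leg a firewall or URL filter in front of the sensor usually blocks."""
    read = stats.get("lastDirectoryReadAttempt", {})
    download = stats.get("lastDownloadAttempt", {})
    if "Error" in read:
        return {"leg": "locator", "host": urlsplit(read.get("Read directory", "")).hostname,
                "status": None, "action": "fix the update URL and allow TCP/443 to " + LOCATOR_IP}
    if "Error" in download:
        host = urlsplit(download.get("Download", "")).hostname
        m = re.search(r"HTTP status\s*:\s*(\d+)", download["Error"])
        status = int(m.group(1)) if m else None
        action = ("URL filter/proxy denied the package; exempt the sensor for " if status == 403
                  else "no HTTP response from the package server; open the path to ") + str(host)
        return {"leg": "download", "host": host, "status": status, "action": action}
    return {"leg": None, "host": None, "status": None, "action": "last attempt succeeded"}


# Constructed samples modelled on the outputs posted in the thread. The page obfuscated
# the package URLs, so 'user:secret@72.163.7.55' is a placeholder, not real credentials.
SAMPLE_BAD_URL = """\
Auto Update Statistics
   lastDirectoryReadAttempt = 08:25:45 UTC Wed Apr 06 2011
    =   Read directory: http://www.cisco.com/cisco/software/download.html#
    =   Error: AutoUpdate exception: HTTP connection failed [1,0]
   lastDownloadAttempt = 10:00:51 UTC Wed Dec 22 2010
   lastInstallAttempt = N/A
   nextAttempt = 09:25:00 UTC Wed Apr 06 2011
Auxilliary Processors Installed
"""
PKG = "http://user:secret@72.163.7.55//swc/esd/04/273556262/guest/IPS-sig-S557-req-E4.pkg"
SAMPLE_403 = f"""\
Auto Update Statistics
   lastDirectoryReadAttempt = 14:43:19 GMT+05:30 Thu Apr 07 2011
    =   Read directory: {PKG.rsplit('/', 1)[0]}/
    =   Success
   lastDownloadAttempt = 14:43:19 GMT+05:30 Thu Apr 07 2011
    =   Download: {PKG}
    =   Error: autoUpdate successfully selected a package ({PKG}) from the cisco.com locator service, however, package download failed: HTTP status : 403 -  Webcat Access denied
   lastInstallAttempt = 15:46:59 GMT+05:30 Wed Dec 22 2010
   nextAttempt = 15:41:00 GMT+05:30 Thu Apr 07 2011
"""

if __name__ == "__main__":
    print(check_update_url("http://www.cisco.com/cisco/software/download.html#"))
    for sample in (SAMPLE_BAD_URL, SAMPLE_403):
        print(diagnose(parse_auto_update(sample)))
```

Run against the first output in the thread it reports the locator leg (the configured cisco.com page never answers because the sensor cannot resolve the name); against the second it reports the download leg with status 403 and names the package server, which is the host that needs the firewall or Websense exception rather than 198.133.219.25.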

vpersaud001 Tue, 05/31/2011 - 08:12

Scott,

I allowed all IP access from the sensors out to the Internet and exempted all traffic from them in Websense. They both updated. However, I'd like to restrict traffic to specific hosts or subnets. Do you know what server IPs are accessed for the updates? Bearing in mind this worked fine for about three years and only started having problems recently. Did something change on Cisco's side?

Thanks very much for your help.

Vincent

Scott Fringer Tue, 05/31/2011 - 08:15

Vincent;

  I do not have a list of specific IP addresses that are used for signature updates. At this time, the initial IP address for the check is hard-coded as 198.133.219.25. The servers hosting the signature updates were relocated; this apparently resulted in new IP addresses being assigned. I do not know the full range currently in use, but certainly adding an exception for 72.163.7.0/24 should cover this new range.

Scott

Todd Pula Mon, 04/29/2013 - 10:51

The following document discusses the IPS auto-update feature in more detail.  Please note that the auto-update locator server IP recently changed from 198.133.219.25 to 72.163.4.161.  The second document covers the steps required to change the IPS configuration to reflect the new IP address.

http://www.cisco.com/en/US/customer/products/sw/secursw/ps2113/products_tech_note09186a0080bd008f.shtml

https://supportforums.cisco.com/docs/DOC-27693
