
AIP-SSM No longer auto updates from cisco.com

gdemaderios
Level 1

Up until the 490 signatures, my IPS module auto-updated from cisco.com.  It stopped doing that after manually updating the engine and the signature files.  Nothing I do will get it to auto-update.  Has anyone else seen this behavior?


Justin Teixeira
Level 1
gdemaderios,
     Are there any error messages in the event store accompanying the failure?  Can you post the output of a "show version"?

Best,
JT

My IPS version is 7.0(2)E4

I just discovered what I think may be the issue.  My current license on the IPS says it doesn't expire until 7/1/11 for this serial number.  However, if I try to update the license from cisco.com, I get an error that says, "Failed to update license on sensor.  errExpiredLicense-The new license expire date is older than the current license expire date."

Even though I can log in to cisco.com and manually download the most current signature updates, I'm wondering if for some reason, it thinks my license is expired when the module tries to automatically update?

Hmm.  As long as the expiration date for the license in the "show version" is showing a date in the future it should not cause an issue retrieving the signature updates.  The error from cisco.com in retrieving a new license should also not be causing any issue.  It's just indicating that there's a license on the sensor that has as much or more time left on it as the one being offered by cisco.com.

Can you check the URL in the auto update field and copy-paste it here? It's likely that you'll need to open a TAC case to troubleshoot this further as it will be difficult without collecting a "show tech" (which you do *not* want to post to these forums).

Best,

JT

https://www.cisco.com/cgi-bin/front.x/ida/locator/locator.pl is the URL that I'm pointing to for updates.

Try replacing the URL with:


https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl

The double slash is *not* a typo after the IP.  It's necessary for the auto-update to work properly.

Best,
JT

I should have mentioned that in my last reply.  Your URL was what I WAS using until it just stopped.  The www.cisco.com was what I plugged in to try to get it to work.  I will try your URL again and then open a TAC call if that's not successful.

Thanks for your help.

The IPS cannot perform DNS resolution, so the URL Justin provided is the default/expected URL.

Should the update not succeed, please provide the full output of the command sh stat host.

Scott

I swear to god that the URL with the IP address is what it was set to when it stopped working.  At any rate, setting it back to the IP address instead of the DNS name has now corrected the problem.  WTF?

I cannot address what may have been the problem; but when you encounter issues with the auto signature updates, checking the output of sh stat host should provide additional insight.

Scott
