device - IDSM-2 module in 6500 switch , IPS version 7.0(2)E4 signature - 498.0

Unanswered Question
Jul 2nd, 2010

Hi guys ,



I'm facing warning errors for device - IDSM-2 module in 6500 switch, IPS version 7.0(2)E4 signature - 498.0


04Jun2010 01:08:40.101 29.551 interface[599] Cid/W errWarning Inline data bypass has stopped.

04Jun2010 01:14:15.350 335.249 interface[599] Cid/W errWarning Inline data bypass has started.

04Jun2010 01:14:44.639 29.289 interface[599] Cid/W errWarning Inline data bypass has stopped.

04Jun2010 12:45:10.961 41426.322 mainApp[547] Cid/E errSystemError No installable auto update package found on server

05Jun2010 01:02:32.680 44241.719 interface[599] Cid/W errWarning Inline data bypass has started.

05Jun2010 01:03:14.443 41.763 interface[599] Cid/W errWarning Inline data bypass has stopped.

05Jun2010 01:08:56.610 342.167 interface[599] Cid/W errWarning Inline data bypass has started.

05Jun2010 01:09:23.977 27.367 interface[599] Cid/W errWarning Inline data bypass has stopped.

05Jun2010 01:30:08.060 1244.083 interface[599] Cid/W errWarning Inline data bypass has started.

05Jun2010 01:30:49.634 41.574 interface[599] Cid/W errWarning Inline data bypass has stopped.

05Jun2010 01:36:28.773 339.139 interface[599] Cid/W errWarning Inline data bypass has started.

05Jun2010 01:37:08.872 40.099 interface[599] Cid/W errWarning Inline data bypass has stopped.

05Jun2010 01:42:46.390 337.518 interface[599] Cid/W errWarning Inline data bypass has started.

05Jun2010 01:43:14.101 27.711 interface[599] Cid/W errWarning Inline data bypass has stopped.

05Jun2010 09:09:50.710 26796.609 interface[599] Cid/W errWarning Inline data bypass has started.




I'm new to the IPS module. Please help me understand the issue and whether any action is needed on these errors. These errors are continuous in nature in the logs.


Thanks


Marcin Latosiewicz Sat, 07/03/2010 - 02:57
User Badges:
  • Cisco Employee,

Madhu,


I'd open a TAC case; there are quite a few possibilities for which this could happen.


Marcin

madhusudhan s Sat, 07/03/2010 - 06:29

Hi Marcin,


Just want to understand whether this is normal behaviour, as one of the documents says it's normal:


Because the traffic is passing through the sensor in Inline mode, it is a point of failure for the network behind it. To mitigate this risk, a software driver-level Bypass mode option is available. The Bypass mode will unconditionally copy packets from one interface to the other. The Bypass has an Automatic mode that will activate it during sensorApp configuration operations, or if sensorApp is unresponsive. Automatic bypass mode is turned on by default, which is the recommended configuration.


Please suggest.

Marcin Latosiewicz Sat, 07/03/2010 - 10:55
User Badges:
  • Cisco Employee,

Well the quote is just saying - if things go south, you have this neat bypass feature that will not cause a network outage by copying packets.


There is some investigation to be done for your blade.

Christopher Dreier Sun, 07/04/2010 - 14:08
User Badges:
  • Silver, 250 points or more

A sensor can enter bypass mode for several reasons, including, but not limited to:


1) Analysis Engine reconfiguration
2) Global Correlation updates
3) Daily Signature DB self purge
4) sensorApp failure


Most of these reasons are benign. I have written Supportability Enhancement CSCtg69012 so that each bypass log will show the reason for entering bypass mode.


The bug is available via the CCO Bug Toolkit: http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs.


You may review the bug and click on the "Save Bug" button at the bottom of the page to receive email updates as changes are made to the bug's state.


To fully diagnose your issue, I suggest opening a TAC case where we will request a "show tech," including debug level logs. This will allow us to see what is triggering the sensor to enter bypass mode.


Thank you,
Blayne Dreier
Cisco TAC IDS Team


**Please check out our Podcast**
TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast
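
An added example, not part of the original thread and not Cisco tooling: the documentation quoted above says bypass copies packets unconditionally between interfaces, so this Python script pairs the "started"/"stopped" events in the log format posted at the top of the thread and measures how long each bypass window lasted. It assumes the first field is the event timestamp and ignores the second numeric field; the function name `bypass_windows` is hypothetical.

```python
import re
from datetime import datetime

# Subset of the log lines from the original post, in their original order.
SAMPLE_LOG = """\
04Jun2010 01:08:40.101 29.551 interface[599] Cid/W errWarning Inline data bypass has stopped.
04Jun2010 01:14:15.350 335.249 interface[599] Cid/W errWarning Inline data bypass has started.
04Jun2010 01:14:44.639 29.289 interface[599] Cid/W errWarning Inline data bypass has stopped.
04Jun2010 12:45:10.961 41426.322 mainApp[547] Cid/E errSystemError No installable auto update package found on server
05Jun2010 01:02:32.680 44241.719 interface[599] Cid/W errWarning Inline data bypass has started.
05Jun2010 01:03:14.443 41.763 interface[599] Cid/W errWarning Inline data bypass has stopped.
05Jun2010 09:09:50.710 26796.609 interface[599] Cid/W errWarning Inline data bypass has started.
"""

# Timestamp, one skipped field, then the interface bypass message.
EVENT_RE = re.compile(
    r"^(\d{2}[A-Za-z]{3}\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) \S+ interface\[\d+\] "
    r".*Inline data bypass has (started|stopped)\.\s*$"
)

def bypass_windows(log_text):
    """Pair start/stop events.

    Returns (windows, unmatched): windows holds (start, stop, seconds) tuples,
    unmatched holds (event, timestamp) for events with no partner in the log.
    """
    windows, unmatched, open_start = [], [], None
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # other components (e.g. mainApp) are not bypass events
        ts = datetime.strptime(m.group(1), "%d%b%Y %H:%M:%S.%f")
        if m.group(2) == "started":
            if open_start is not None:
                unmatched.append(("started", open_start))  # stop never logged
            open_start = ts
        elif open_start is None:
            unmatched.append(("stopped", ts))  # start predates the excerpt
        else:
            windows.append((open_start, ts, (ts - open_start).total_seconds()))
            open_start = None
    if open_start is not None:
        unmatched.append(("started", open_start))  # bypass still open at end of log
    return windows, unmatched

if __name__ == "__main__":
    windows, unmatched = bypass_windows(SAMPLE_LOG)
    for start, stop, secs in windows:
        print(f"{start}  bypass for {secs:7.3f}s (traffic forwarded uninspected)")
    for event, ts in unmatched:
        print(f"{ts}  unmatched '{event}' event, window length unknown")
```

Unmatched events matter as much as the paired ones: a trailing "started" with no "stopped" means the sensor was still in bypass when the log excerpt ends.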
