IPS Signature Update - CSM v3.3 SP1

Unanswered Question
Jul 22nd, 2010

Hi,

I am getting the following error message when deploying IPS signature updates to some of my sensors via the CSM deployment tool:

"Failed to generate edit config delta  for host component. Detail: Error while processing the host component with DNS,access-list or http-proxy"

The signature update actually deploys, but I am wondering what is causing this message.  I get this with some 4240, 4255 and IDSM-II blades, but not with others and I can't see any config variances.

Does anyone have any ideas what is causing this message?  The access ACLs are the same for each sensor.

Many thanks

Scott Fringer Thu, 07/22/2010 - 04:50

Liam;

  Are you making use of shared policy on these devices?

  If these sensors are running IPS release 7.0, have you ensured that at least one DNS server is configured?

Scott

liamwalk1971 Thu, 07/22/2010 - 05:27

Thanks for the reply Scott....

Yes, I am using shared policies and also v7 (since when the problem has occurred). I've added a DNS shared policy and will check with the next signature application (already did 502 earlier today).

Regards

Liam

liamwalk1971 Thu, 07/29/2010 - 01:55

Many thanks for your assistance Scott.  The application of S503 worked without error.

Regards

Liam

Stijn Vanveerdeghem Thu, 07/22/2010 - 06:59

Hi Liam,

As you mentioned you are using a shared policy, and the access ACLs for all sensors are the same, I assume that you may be using an "Allowed Hosts" shared policy.

In that case, how did you create that policy?

Did you create the policy from the policy view page, or did you right-click on the "Allowed Hosts" setting of a device in device view and select "share policy"?

If you did the first, you may be running into a known issue. You can read more about this on the bug toolkit:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtg02063

This is the workaround that should work for you in case you are indeed running into this issue:

1. Rediscover or newly add any one IPS device running 7.x version

2. Create entries for "Allowed Hosts" according to requirements.

3. Right click on "Allowed Hosts", select "Share Policy..." and specify a name for shared policy.

4. Assign this "Allowed Hosts" shared policy to one or more devices.

5. Deployment should now be successful for "Allowed Hosts".

Posted July 22, 2010 at 3:07 AM