IPS Signature Update - CSM v3.3 SP1

Unanswered Question
Jul 22nd, 2010
User Badges:


I am getting the following error message when deploying IPS signature updates to some of my sensors via the CSM deployment tool:

"Failed to generate edit config delta  for host component. Detail: Error while processing the host component with DNS,access-list or http-proxy"

The signature update actually deploys, but I am wondering what is causing this message.  I get this with some 4240, 4255 and IDSM-II blades, but not with others and I can't see any config variances.

Does anyone have any ideas what is causing this message?  The access ACLs are the same for each sensor.

Many thanks

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Scott Fringer Thu, 07/22/2010 - 04:50
User Badges:
  • Cisco Employee,


  Are you making use of shared policy on these devices?

  If these sensors are running IPS release 7.0, have you ensured that at least one DNS server is configured?


liamwalk1971 Thu, 07/22/2010 - 05:27
User Badges:

Thanks for the reply Scott....

Yes, I am using shared policies and also v7 (since when the problem has occured).  I've added a DNS shared policy and will check with the next signature application (already did 502 earlier today).



liamwalk1971 Thu, 07/29/2010 - 01:55
User Badges:

Many thanks for your assistance Scott.  The application of S503 worked without error.



Stijn Vanveerdeghem Thu, 07/22/2010 - 06:59
User Badges:

Hi Liam,

As you mentioned you are using a shared policy, and the access ACLs for all sensors are the same, I assume that you may be using an "Allowed Hosts" shared policy.

In that case, how did you create that policy ?

Did you create the policy from the policy view page, or did you right click on the "Allowed Hosts" setting of a device in device view and select "share policy" ?

If you did the first, you may be running into a known issue. You can read more about this on the bug toolkit:


This is the workaround that should work for you in case you are indeed running into this issue:

1. Rediscover or newly add any one IPS device running 7.x version

2. Create entries for "Allowed Hosts" according to requirements.

3. Right click on "Allowed Hosts", select "Share Policy..." and specify a name for shared policy.

4. Assign this "Allowed Hosts" shared policy to one or more devices.

5. Deployment should now be successful for "Allowed Hosts".


This Discussion