>NeedHelp< Is it a bug at IDSM-2 with IPS-K9-7.0-2-E3.pkg??

arikawahyono
Level 1

Dear All,

I have an IDSM with IPS-K9-7.0-2-E3.pkg installed.
I use inline mode for this IDSM, and the IDSM is placed in front of the server farm.

But I have a problem: one segment in my network can't access the server,
while another segment can access that server.
That server runs an Oracle database application (real time).

This happens only for that server.

When I filter the traffic with the IDSM, the result is that the transaction matches
signature number 7000. Even though that signature doesn't have an action to deny the traffic,
the traffic still cannot bypass. Then I tried to disable it, but there was no impact for that segment,
even though the other segment can access that server normally.
Can anyone explain to me why this happens??

I'll try to downgrade to IPS-K9-7.0-2-E3.pkg with IME but always get an error..
Can anyone help me please..

3 Replies

jobordel
Cisco Employee

Arika,

First off, you cannot downgrade the version without a re-image. You can only downgrade signatures. Second, you mention 7.0(2)E3 as the version you are on and the version you want to downgrade to. Can you verify what version you are running?

On the traffic not passing issue, if you put the sensor in bypass does that resolve the issue. That will eliminate any signature related actions from impacting the traffic. If you are still unable to access the servers then you should look for a routing or network layer issue. If that clears things up, the next step would be to create an Event Action Override to produce alert for all signatures. Then you can review IME for any signatures firing related to these servers. Please remove the Override once you are done testing as this can have a performance impact on the sensor over time and should only be used temporarily to troubleshoot a specific issue.

If you are still having trouble, it may help to get some info about the config of the sensor and the switch. Specifically, how the VLAN or Interface Pairs are setup, etc.

Good Luck,

JoshB
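The bypass test and the temporary produce-alert override that Josh describes, written out as an IPS 7.0 CLI session. This is an added example, not something posted in the thread: the OTIDSM prompt is taken from the original poster's sh ver capture later in the thread, the command names are the IPS 7.0 sensor CLI (service interface / bypass-mode, service event-action-rules rules0 / overrides), and the 15-minute window on show events is an assumption.

```text
! 1. Bypass test: take inspection out of the path without removing the module.
OTIDSM# configure terminal
OTIDSM(config)# service interface
OTIDSM(config-int)# bypass-mode on
OTIDSM(config-int)# exit
Apply Changes:?[yes]: yes
OTIDSM(config)# exit
OTIDSM# show interfaces
! If the affected segment can now reach the server, the sensor is in the path of
! the problem; if it still cannot, look for a routing or VLAN issue instead.

! 2. Put inspection back and add a temporary override so that every signature
!    that fires produces an alert, regardless of its own action set.
OTIDSM# configure terminal
OTIDSM(config)# service interface
OTIDSM(config-int)# bypass-mode off
OTIDSM(config-int)# exit
Apply Changes:?[yes]: yes
OTIDSM(config)# service event-action-rules rules0
OTIDSM(config-rul)# overrides produce-alert
OTIDSM(config-rul-ove)# override-item-status enabled
OTIDSM(config-rul-ove)# risk-rating-range 0-100
OTIDSM(config-rul-ove)# exit
OTIDSM(config-rul)# exit
Apply Changes:?[yes]: yes
OTIDSM(config)# exit

! 3. Reproduce the failing transaction from the affected segment, then review the
!    alerts in IME or on the CLI (assumed 15-minute window).
OTIDSM# show events alert past 00:15:00

! 4. Remove the override as soon as testing is done; alerting on every
!    signature costs sensor performance over time.
OTIDSM# configure terminal
OTIDSM(config)# service event-action-rules rules0
OTIDSM(config-rul)# no overrides produce-alert
OTIDSM(config-rul)# exit
Apply Changes:?[yes]: yes
OTIDSM(config)# exit
```

The override only adds the produce-alert action; it never removes deny actions, so it changes what you see in IME without changing what the sensor drops. That is what makes it safe as a diagnostic step and why step 4 matters once the offending signature has been identified.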

Hi Josh..

This is my answer

First off, you cannot downgrade the version without a re-image. You can only downgrade signatures. Second, you mention 7.0(2)E3 as the version you are on and the version you want to downgrade to. Can you verify what version you are running?

I have not yet downgraded to 7.0(2) because I don't have permission from my boss yet. And now my IDSM still uses 7.0(2)E3.

This is the capture from my IDSM:

OTIDSM# sh ver
Application Partition:

Cisco Intrusion Prevention System, Version 7.0(2)E3

Host:
    Realm Keys          key1.0
Signature Definition:
    Signature Update    S425.0                   2009-08-17
    Virus Update        V1.4                     2007-03-02
OS Version:             2.4.30-IDS-smp-bigphys
Platform:               WS-SVC-IDSM-2
Serial Number:          SAD132802TL
Licensed, expires:      20-Oct-2010 UTC

Sensor up-time is 2 days.
Using 1415421952 out of 1983504384 bytes of available memory (71% usage)
system is using 17.4M out of 38.5M bytes of available disk space (45% usage)
application-data is using 38.6M out of 166.8M bytes of available disk space (24% usage)
boot is using 41.5M out of 68.6M bytes of available disk space (64% usage)

MainApp            B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500   Running
AnalysisEngine     B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500   Running
CollaborationApp   B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500   Running
CLI                B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500

Upgrade History:

  IPS-K9-7.0-2-E3   07:43:07 UTC Thu Oct 15 2009

Maintenance Partition Version 2.1(3)

Recovery Partition Version 1.1 - 7.0(2)E3

Host Certificate Valid from: 27-Apr-2010 to 27-Apr-2012

On the traffic not passing issue, if you put the sensor in bypass does that resolve the issue. That will eliminate any signature related actions from impacting the traffic. If you are still unable to access the servers then you should look for a routing or network layer issue

What do you mean by bypass? Is it to release the IDSM from the network? If so, I have done that, and the server can be accessed from the segment that before couldn't access it. I have checked for a network layer problem but everything is OK.

And I want to clarify: the other segment that can't access the server can't access only some applications (a real time application) on that server, but the server can be pinged and telnetted from that segment (I think this clarifies the network issue question).

If that clears things up, the next step would be to create an Event Action Override to produce alert for all signatures. Then you can review IME for any signatures firing related to these servers. Please remove the Override once you are done testing as this can have a performance impact on the sensor over time and should only be used temporarily to troubleshoot a specific issue.

Well, I will try your suggestion, but I will wait for permission to execute it. I hope this works for my IDSM-2.

If you are still having trouble, it may help to get some info about the config of the sensor and the switch. Specifically, how the VLAN or Interface Pairs are setup, etc.

OK, I will…

Btw, thanks for your help boss

GBU …

This is really strange.
The IDSM now works properly after I erased the configuration, reloaded the module and reconfigured it again with the same configuration as before..
Why does the IDSM work properly with this method???

Even before I wrote my case in this forum, I had tried the same method, but that didn't work..

Is it a bug or something??

Thanks...
