IDS 4255 reboots daily at same time

Aug 5th, 2010

I have a 4255 IDS/IPS sensor running v7.04. Every day at 2pm it is doing something that causes it to either reboot or stop passing traffic long enough for my firewalls to think that I am no longer passing traffic, which forces them to fail over. I have looked at the auto updates and they are not scheduled to run. I have tried to look to see if there are any events that are happening during that time and I can find nothing. I do not know if there are more comprehensive logs that I should be looking at, but if someone can offer suggestions I would be greatly appreciative.

jtaliafe (Cisco Employee) Mon, 08/09/2010 - 15:01

Torsten,


The things that could potentially cause the IPS to go into bypass, which could in turn potentially cause the ASAs to fail over, are as follows:


Configuration Changes

Auto Updates

Global Correlation Updates (5 minute intervals)

Anomaly Detection


As a test you might want to turn off global correlation and anomaly detection and see if the issue persists. Below are the instructions to turn these options off:


The following is an example of using the CLI to turn GC and AD off:

# -------------- To turn off global correlation inspection

sensor-43# config t
sensor-43(config)# service global-correlation
sensor-43(config-glo)# global-correlation-inspection off
sensor-43(config-glo)# exit
Apply Changes?[yes]: yes

# -------------- To turn off network-participation

sensor-43(config)# service global-correlation
sensor-43(config-glo)# network-participation off
sensor-43(config-glo)# exit
Apply Changes?[yes]: yes

# -------------- To turn off AD

sensor-43(config)# service analysis-engine
sensor-43(config-ana)# virtual-sensor 0
sensor-43(config-ana-vir)# anomaly-detection
sensor-43(config-ana-vir-ano)# operational-mode inactive
sensor-43(config-ana-vir-ano)# exit
sensor-43(config-ana-vir)# exit
sensor-43(config-ana)# exit


If the issue still persists after ensuring that all the above is off, you might want to gather a show tech output. In the show tech output, search for the word "main.log" and start searching via the time stamp for any messages around 2:00pm. Also, what is your bypass mode set to (auto, on, or off)?


I hope the above helps!


Thanks,


Justin T.
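
An added example, not part of the original reply and not Cisco code: a small script that scans saved show tech text for log messages that recur near 2:00pm on more than one day, which is the pattern the log search above is looking for. The timestamp layout in the regex and the sample lines are constructed assumptions; adjust the regex to what your main.log section actually prints.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed line layout (an assumption, adjust to your real output):
#   DDMonYYYY HH:MM:SS.mmm <elapsed> <process and message>
LINE = re.compile(r"^(\d{2}[A-Za-z]{3}\d{4}) (\d{2}:\d{2}:\d{2})\.\d+\s+\S+\s+(.*)$")

# Constructed sample input, not real sensor output.
SAMPLE = """\
show tech section header (constructed)
08Aug2010 13:59:58.201 0.003 mainApp[412] constructed: bypass state changed
08Aug2010 14:00:03.640 0.011 sensorApp[977] constructed: analysis engine busy
08Aug2010 18:22:10.005 0.002 mainApp[412] constructed: bypass state changed
09Aug2010 14:00:01.377 0.004 mainApp[431] constructed: bypass state changed
09Aug2010 14:07:45.120 0.009 sensorApp[990] constructed: signature reload
"""

def recurring_near(text, hhmm="14:00", window_min=10, min_days=2):
    """Return {normalized message: sorted ISO dates} for messages logged within
    +/- window_min minutes of hhmm on at least min_days different days."""
    hour, minute = map(int, hhmm.split(":"))
    target = hour * 60 + minute
    seen = defaultdict(set)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # other show tech sections, banners, blank lines
        try:
            ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%d%b%Y %H:%M:%S")
        except ValueError:
            continue  # looked like a timestamp but was not a valid date
        diff = abs(ts.hour * 60 + ts.minute - target)
        diff = min(diff, 1440 - diff)  # handle windows that straddle midnight
        if diff > window_min:
            continue
        # Collapse numbers (PIDs, counters) so one message groups across days.
        key = re.sub(r"\d+", "N", m.group(3))
        seen[key].add(ts.date().isoformat())
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_days}

if __name__ == "__main__":
    for msg, days in recurring_near(SAMPLE).items():
        print(f"{len(days)} days: {msg} -> {', '.join(days)}")
```

Messages that appear in the window on every affected day, and rarely outside it, are the ones worth comparing against the bypass mode setting and the uptime shown by "show version".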

Christopher Dreier Mon, 08/09/2010 - 15:12

Hello Torsten,


You mention that the IPS inline with the active firewall reboots, or stops passing traffic. Do you mean that you are not sure which? If so, you can check the sensor up-time in the output of a "show version."


Would you mind forwarding a "show tech" for us to review?


Thank you,
Blayne Dreier

Cisco TAC IDS Team


**Please check out our Podcast**
TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast
