Health Status for Failed Applications ---> Red

Diego Armando Cambronero Arias · ‎08-30-2010

Hello experts,

Im actually facing some issues with a 4260.

Health Status for Failed Applications Red

Health Status for Signature Updates Green

Health Status for License Key Expiration Green

Health Status for Running in Bypass Mode Red

Health Status for Interfaces Being Down Green

Health Status for the Inspection Load Green

Health Status for the Time Since Last Event Retrieval Green

Health Status for the Number of Missed Packets Green

Health Status for the Memory Usage Green

Health Status for Global Correlation Green

Health Status for Network Participation Not Enabled

It is in bypass mode as you can see.

I cannot get statistics neither.

IPS1# sh statistics virtual-sensor

Error: getVirtualSensorStatistics : Control transaction cannot be completed at this time

IPS# sh statistics analysis-engine

Error: getAnalysisEngineStatistics : Control transaction cannot be completed at this time

I have beeing looking in the internet for a solution or a reason why this is happening. It seems that this is something not documented.

Can someone please help me. I can restart the IPS right now. Would it be helpful if I restart the MainApp with a service account?

Thanks

Jia Liu · ‎08-30-2010

It looks like the IPS may have crashed. Can you try rebooting the sensor?

Diego Armando Cambronero Arias · ‎08-30-2010

I'm going to try to reboot the sensor tomorrow. I will let you know if it worked.

Christopher Dreier · ‎08-30-2010

Hello,

Can you please attempt to gather a "show tech" from the device? If you have already rebooted the device, the output of a "show tech" will still be useful. You are welcome to email it directly to me.

Thank you,
Blayne Dreier

blayne@cisco.com
Cisco TAC IDS Team

**Please check out our Podcast**
TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast

Diego Armando Cambronero Arias · ‎08-31-2010

Hello,

Blayne I always follow the podcast with White and Magnus.

Thank you for all the information and help.

Christopher Dreier · ‎08-31-2010

Awesome! Thanks for following us. We have also begun work on an IPS specific podcast, the "TAC IPS Media Series."

https://supportforums.cisco.com/docs/DOC-12759

Your 4260 has an incredibly high number of Tuned/Enabled signatures, which is causing sensorApp to run at 99% CPU. Many sequentially numbered signatures are tuned. Did this issue correlate to the enabling of a large amount of signatures?

I suggest reviewing your current configuration and noting those signature tunings that you truly require. Then default your signature configuration and only apply those signature tunings that are needed.

Your sensor also encountered CSCta96144, which is fixed in IPS 7.0(4). You can review the bug w/ the CCO Bug Toolkit: http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs

Thank you,
Blayne Dreier
Cisco TAC IDS Team

**Please check out our Podcast**
TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast

Diego Armando Cambronero Arias · ‎08-31-2010

Hello,

Thank you very much for the help. Im actually working with a company that bought 2 4260 and a 4270 They need to tunned the signatures based on their needs that's why there are so many tunned signatures.. In many signatures I only modified the action which change the sig to a tunned signature. I will try to do the upgrade next week to avoid hitting the bug.

Thank you again for the help Blayne.