IDSM-2 upgrade in progress...

Answered Question
Sep 6th, 2010

Hi all,

I'm new to this Community and also to Cisco security. Here is my question for you:

I have a Cisco 7600 router with an IDSM-2 module and I updated it to version IPS-K9-5.1-8-E3. Now I would like to upgrade it to version IPS 7.0(3) E4.

Is that possible? I read that IPS 6.0 denies high risk events by default and you need to create an event action to solve the problem. How can I solve my problem?? I'm afraid to do something wrong because the router is an important one, if I do something wrong I'm afraid to block all the traffic :s

Thanks

G.

Correct Answer
Scott Fringer Wed, 09/08/2010 - 06:14
  • Cisco Employee

G;

  You can certainly upgrade your IDSM-2 from 5.1(8)E3 to 7.0(4)E4 directly.

  In regard to your concern over the IDSM-2 denying high risk events (risk ratings of 90 to 100) by default, this holds true if the IDSM-2 is configured to inspect traffic using inline operation.  If the IDSM-2 is configured for promiscuous inspection, this will not occur.

  If your IDSM-2 is configured for inline operation, the simplest method to avoid the IDSM-2 denying high risk events is to disable the default event action override (EAO).  From within IPS Device Manager (IDM):

Configuration>Policies

Highlight the virtual sensor in question (default is vs0) and choose edit.

Under Event Action Rule uncheck "Use Event Action Overrides"

  This will disable ALL event action overrides for the virtual sensor in question.  You can also disable just the default High Risk EAO using the same process above, but instead of unchecking "Use Event Action Overrides":

Highlight the 'HIGHRISK' EAO and click 'Edit'

Next to the 'Deny Packet Inline (Inline)' entry uncheck the box under the "Enable" column (not the "Assigned" column).

Scott

giovanni.sasso8... Wed, 09/08/2010 - 06:54

Hi Scott,

thank you very much...now I'm going to upgrade the signature to the latest version and see what happens in the IDM.

I still have some trouble with the Licence, it says that it is not present....I have to ask my company if we have an active one.

Thanks again,

G.

Scott Fringer Wed, 09/08/2010 - 07:03
  • Cisco Employee

Giovanni;

You are quite welcome.

Without a current license file, you will not be able to update the signatures - that is the purpose of an active license.

If you have not had a trial license previously, you can request a 60-day trial license here:

https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet?FormI...

Long-term, you will need to have the serial number of the IDSM-2 added to an active support contract that also carries IPS Signature Updates.  Your Cisco account team or partner can assist with that.

Scott

hieumit_1604 Wed, 09/15/2010 - 03:55

Hi all,

Me too:

I have a Cisco 6509 switch with an IDSM-2 module and I updated it to version IPS-K9-7.0(4)E4. Now the process on CPU1 is very high (99%) and sometimes IDM cannot show some information about the IDSM-2, e.g. CPU, memory, interface status, License... you can refer to the file attached.

I would like to upgrade it with version IPS 7.0(3) E4.

How can I solve my problem??

Pls help me!!!!

Thanks

GL

Scott Fringer Wed, 09/15/2010 - 04:12
  • Cisco Employee

GL;

  Since the release of the E3 analysis engine for Cisco IPS sensors, it is not uncommon for one CPU of a multi-CPU sensor (like the IDSM-2) to indicate 100% usage.  This is outlined in bug CSCsu77935.  From the release notes:

The idle time algorithm of the sensor has been modified. Additional CPU has been applied to polling the NICs to decrease the polling interval and reduce latency. The CPU usage is thus reported as higher than in previous releases, including external tools such as top and ps. You will notice the additional CPU load on single-CPU platforms and on the primary CPU of multicore systems.

Because the additional CPU load reported while polling is actually available to process packets, and is reduced as inspection load goes up, it does not negatively affect the overall throughput of the IPS.

Use the show statistics virtual-sensor command to see the sensor load. It is listed under Processing Load Percentage in the output. You can also view the sensor load on the IME Device List pane.

  From your screenshot, your Inspection Load is roughly 50%, so the sensor should be performing as expected.

  In regard to the time when IDM reports no data, can you verify the IDSM-2 is still reachable from the system running IDM?  Can you connect via SSH and verify sensor status using the following commands:

show version
show statistics virtual-sensor
show statistics analysis-engine

  These commands should provide the current state of the IDSM-2.  These outputs should help verify that all expected processes are running, and the sensor is still operating as expected.  If there is something out of the ordinary in those outputs, it would be best to open a service request with TAC so more direct troubleshooting can be performed.

Scott
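As an added example (not from this thread and not Cisco's code), here is a small Python check that applies the guidance above: it pulls the Processing Load Percentage for each virtual sensor out of `show statistics virtual-sensor` output and compares it with per-CPU utilisation, so that a CPU pinned near 100% is treated as the expected idle-polling behaviour unless the inspection load itself is high. The command output and CPU readings are constructed samples; the "Processing Load Percentage" field name is taken from the thread, but the surrounding output layout and the thresholds are assumptions.

```python
import re
from typing import Dict

# Constructed sample approximating `show statistics virtual-sensor` output.
# The field name "Processing Load Percentage" comes from the thread; the rest
# of the layout is an assumption, not captured from a real IDSM-2.
SAMPLE_VS_OUTPUT = """\
Virtual Sensor Statistics
   Statistics for Virtual Sensor vs0
      Name of current Signature-Definition instance = sig0
      Name of current Event-Action-Rules instance = rules0
      Processing Load Percentage = 50
      Total packets processed since reset = 123456789
   Statistics for Virtual Sensor vs1
      Processing Load Percentage = 91
"""

# Constructed per-CPU utilisation readings in percent (e.g. as read from `top`
# on the sensor or from IDM). cpu0 shows the ~100% idle-polling symptom.
SAMPLE_CPU_PERCENT = {"cpu0": 99.0, "cpu1": 12.0}

_VS_HEADER = re.compile(r"Statistics for Virtual Sensor (\S+)")
_LOAD_LINE = re.compile(r"Processing Load Percentage\s*=\s*(\d+)")


def parse_processing_load(output: str) -> Dict[str, int]:
    """Return {virtual_sensor_name: processing_load_percent} from the command output."""
    loads: Dict[str, int] = {}
    current = None
    for line in output.splitlines():
        header = _VS_HEADER.search(line)
        if header:
            current = header.group(1)
            continue
        load = _LOAD_LINE.search(line)
        if load and current is not None:
            loads[current] = int(load.group(1))
    return loads


def assess_sensor(vs_output: str, cpu_percent: Dict[str, float],
                  load_threshold: int = 80, cpu_threshold: float = 95.0) -> Dict[str, str]:
    """Classify each virtual sensor.

    A near-100% CPU reading with a modest Processing Load Percentage is the
    expected behaviour described in the release notes (idle-time NIC polling);
    only a high Processing Load Percentage means the sensor is really saturated.
    Thresholds are assumed values, not Cisco guidance.
    """
    hot_cpu = any(v >= cpu_threshold for v in cpu_percent.values())
    verdicts: Dict[str, str] = {}
    for vs, load in parse_processing_load(vs_output).items():
        if load >= load_threshold:
            verdicts[vs] = "inspection-saturated"
        elif hot_cpu:
            verdicts[vs] = "expected-idle-polling"
        else:
            verdicts[vs] = "normal"
    return verdicts


if __name__ == "__main__":
    print(parse_processing_load(SAMPLE_VS_OUTPUT))
    print(assess_sensor(SAMPLE_VS_OUTPUT, SAMPLE_CPU_PERCENT))
```

Run against the constructed sample, vs0 (load 50%, one CPU at 99%) is reported as expected idle polling, while vs1 (load 91%) is reported as saturated; only the latter would justify a TAC case or capacity review, which is the distinction the release note draws.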

giovanni.sasso8... Mon, 09/20/2010 - 08:58

Hi guys,

here I am again.

After installing IDSM-2 version 7 on module 3 of my router 1, I tried to do the same on the backup router 2 but I couldn't telnet to the IDS module because the system says:


ROUTER2#session slot 3 processor 1
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.31 ...
% Connection timed out; remote host not responding


so I tried to re-install the system image...


ROUTER2# hw-module module 3 reset cf:1
ROUTER2# session slot 3 processor 1
login: guest 

Password: cisco

[email protected]# upgrade

....


at the end the upgrade didn't complete correctly and now I've got this power error:

ROUTER2#show module power
Mod Card Type                              Admin Status  Oper Status
--- -------------------------------------- ------------  ------------
3  Intrusion Detection System               on     off (Module  Failed SCP dnld)


I tried to reload the module...

....
Proceed with reload of module?[confirm]
% module 3 is operationally off (Module  Failed SCP dnld)

Now I can't do anything because of this power error...Can someone help me?? Here are all the versions installed on the IDS module:


ROUTER2#show module version  
Mod  Port Model              Serial #    Versions
---- ---- ------------------ ----------- -------------------------------------
  3    8  WS-SVC-IDSM-2      SAD093606X8 Hw : 5.0
                                         Fw : 7.2(1)
                                         Sw : 8.6(0.434)BAR6

Thank you in advance,
G.

Scott Fringer Mon, 09/20/2010 - 11:30
  • Cisco Employee

Giovanni;

  You could attempt to reseat the IDSM-2 to see if that corrects the issue; but frequently in scenarios like this it is necessary to have the IDSM-2 replaced by RMA.  This will require opening a service request with TAC.

Scott

giovanni.sasso8... Tue, 09/21/2010 - 00:47

Thanks for your reply Scott.

But the problem now is that I can't access the module because the power is off.

I also tried to power on the module but after a while I get this message. What can I do?


Sep 21 09:22:53.708: %C6KPWR-SP-4-DISABLED: power to module in slot 3 set off (Module  Failed SCP dnld)



ROUTER#session slot 3 processor 1
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.31 ...
% Connection timed out; remote host not responding


By comparing the version of R1 and R2 I noticed this difference:


Router1#show module version
Mod  Port Model              Serial #    Versions
---- ---- ------------------ ----------- -------------------------------------
  3    8  WS-SVC-IDSM-2      SAD093606VE Hw : 5.0
                                         Fw : 7.2(1)
                                         Sw : 7.0(4)E4


Router2#show module version
Mod  Port Model              Serial #    Versions
---- ---- ------------------ ----------- -------------------------------------
  3    8  WS-SVC-IDSM-2      SAD093606X8 Hw : 5.0
                                         Fw : 7.2(1)
                                         Sw : 8.6(0.434)BAR6


Can this be the problem? How can I fix it?


Thank you,

G.

Scott Fringer Tue, 09/21/2010 - 03:31
  • Cisco Employee

Giovanni;

  The version difference you note is because the IDSM-2 in Router2 is not successfully powering on and loading the software from the application partition or maintenance partition.

  The IDSM-2 in Router2 has most likely encountered a hardware failure.  There is likely nothing more that can be done in the field to correct the issue; it would be best to open a service request with TAC so the IDSM-2 can be replaced by RMA (as long as it is covered under an active support contract).

Scott
