IDSM-2 upgrade in progress...

Hi all,

I'm new to this community and also to Cisco security. Here is my question for you:

I have a Cisco 7600 router with an IDSM-2 module, and I updated it to version IPS-K9-5.1-8-E3. Now I would like to upgrade it to version IPS 7.0(3) E4.

Is that possible? I read that IPS 6.0 denies high-risk events by default and that you need to create an event action to solve the problem. How can I solve my problem? I'm afraid of doing something wrong because the router is an important one; if I make a mistake I'm afraid I'll block all the traffic.

Thanks

G.

Accepted Solution

Scott Fringer (Cisco Employee)

G;

  You can certainly upgrade your IDSM-2 from 5.1(8)E3 to 7.0(4)E4 directly.

  In regard to your concern over the IDSM-2 denying high-risk events (risk ratings of 90 to 100) by default, this holds true if the IDSM-2 is configured to inspect traffic using inline operation.  If the IDSM-2 is configured for promiscuous inspection, this will not occur.

  If your IDSM-2 is configured for inline operation, the simplest method to avoid the IDSM-2 denying high-risk events is to disable the default event action override (EAO).  From within IPS Device Manager (IDM):

Configuration>Policies

Highlight the virtual sensor in question (default is vs0) and choose Edit.

Under Event Action Rule uncheck "Use Event Action Overrides"

  This will disable ALL event action overrides for the virtual sensor in question.  You can also disable just the default High Risk EAO using the same process above, but instead of unchecking "Use Event Action Overrides":

Highlight the 'HIGHRISK' EAO and click 'Edit'

Next to the 'Deny Packet Inline (Inline)' entry uncheck the box under the "Enable" column (not the "Assigned" column).

Scott
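Before putting an upgraded IDSM-2 inline, it is worth knowing how many of the alerts it already generates would have been dropped by the default HIGHRISK override. The script below is an added example, not code from this thread or from Cisco: it parses a constructed excerpt of `show events alert` output (the `evIdsAlert` / `riskRatingValue` field names follow the sensor's event format as far as I recall it; the events, signature IDs and timestamps are made up) and reports which alerts would receive `deny-packet-inline` under the three configurations Scott describes: promiscuous, inline with the default override, and inline with the override disabled. The 90-100 risk-rating range comes from the answer above.

```python
"""Estimate the impact of the default HIGHRISK event action override
before putting an upgraded IDSM-2 inline.

Added example, not from the original thread or from Cisco.  It parses a
constructed excerpt of `show events alert` output (field names follow the
sensor's evIdsAlert records; the events themselves are made up) and
reports which alerts the default override would have dropped.
"""
import re

# Constructed sample: three alerts as a sensor might print them.  Only the
# fields the script uses are included; signature IDs are placeholders.
SAMPLE_EVENTS = """\
evIdsAlert: eventId=1000000000001 severity=high vendor=Cisco
  originator:
    hostId: idsm2
  time: 2011/09/21 09:22:53 2011/09/21 09:22:53 UTC
  signature: description=Constructed SQL probe id=5000 version=S1
    subsigId: 0
  riskRatingValue: 95 targetValueRating=medium
  interface: ge0_7
evIdsAlert: eventId=1000000000002 severity=medium vendor=Cisco
  originator:
    hostId: idsm2
  time: 2011/09/21 09:23:10 2011/09/21 09:23:10 UTC
  signature: description=Constructed port sweep id=5001 version=S1
    subsigId: 0
  riskRatingValue: 72 targetValueRating=medium
  interface: ge0_7
evIdsAlert: eventId=1000000000003 severity=high vendor=Cisco
  originator:
    hostId: idsm2
  time: 2011/09/21 09:24:02 2011/09/21 09:24:02 UTC
  signature: description=Constructed worm propagation id=5002 version=S1
    subsigId: 0
  riskRatingValue: 100 targetValueRating=high
  interface: ge0_7
"""

HIGHRISK_RANGE = (90, 100)  # default HIGHRISK override range, per the thread


def parse_alerts(text):
    """Split show-events output into dicts with eventId, sigId, riskRating."""
    alerts = []
    for block in re.split(r"(?m)^evIdsAlert:", text)[1:]:
        event_id = re.search(r"eventId=(\d+)", block).group(1)
        sig_id = re.search(r"signature:.*\bid=(\d+)", block).group(1)
        rr = int(re.search(r"riskRatingValue:\s*(\d+)", block).group(1))
        alerts.append({"eventId": event_id, "sigId": sig_id, "riskRating": rr})
    return alerts


def would_deny(alert, inline, highrisk_override_enabled=True,
               rr_range=HIGHRISK_RANGE):
    """True if the sensor would add deny-packet-inline to this alert.

    Deny actions only take effect when the sensor is inline; in promiscuous
    mode nothing can be dropped regardless of the override.
    """
    if not inline or not highrisk_override_enabled:
        return False
    low, high = rr_range
    return low <= alert["riskRating"] <= high


def impact_report(text, inline, highrisk_override_enabled=True):
    """Return event IDs that would be dropped under the given configuration."""
    return [a["eventId"] for a in parse_alerts(text)
            if would_deny(a, inline, highrisk_override_enabled)]


if __name__ == "__main__":
    for inline, eao in ((False, True), (True, True), (True, False)):
        mode = "inline" if inline else "promiscuous"
        print(f"{mode:12s} HIGHRISK override {'on ' if eao else 'off'}:",
              impact_report(SAMPLE_EVENTS, inline, eao))
```

Run it against a real `show events alert` capture (paste it in place of SAMPLE_EVENTS) from the sensor while it is still promiscuous; the list it prints for the inline-with-override case is exactly the traffic that would start being dropped after the change.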



Hi Scott,

Thank you very much. Now I'm going to upgrade the signatures to the latest version and see what happens in the IDM.

I still have some trouble with the licence; it says that it is not present. I have to ask my company if we have an active one.

Thanks again,

G.

Giovanni;

You are quite welcome.

Without a current license file, you will not be able to update the signatures - that is the purpose of an active license.

If you have not had a trial license previously, you can request a 60-day trial license here:

https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet?FormId=1016

Long-term, you will need to have the serial number of the IDSM-2 added to an active support contract that also carries IPS Signature Updates. Your Cisco account team or partner can assist with that.

Scott

Hi all,

Me too:

I have a Cisco 6509 switch with an IDSM-2 module, and I updated it to version IPS-K9-7.0(4)E4. Now the CPU1 process usage is very high (99%), and sometimes IDM cannot show some information about the IDSM-2, e.g. CPU, memory, interface status, license... you can refer to the attached file.

I would like to upgrade it with version IPS 7.0(3) E4.

How can I solve my problem??

Please help me!

Thanks

GL

GL;

  Since the release of the E3 analysis engine for Cisco IPS sensors, it is not uncommon for one CPU of a multi-CPU sensor (like the IDSM-2) to indicate 100% usage.  This is outlined in bug CSCsu77935.  From the release notes:

The idle time algorithm of the sensor has been modified. Additional CPU has been applied to polling the NICs to decrease the polling interval and reduce latency. The CPU usage is thus reported as higher than in previous releases, including external tools such as top and ps. You will notice the additional CPU load on single-CPU platforms and on the primary CPU of multicore systems.

Because the additional CPU load reported while polling is actually available to process packets, and is reduced as inspection load goes up, it does not negatively affect the overall throughput of the IPS.

Use the show statistics virtual-sensor command to see the sensor load. It is listed under Processing Load Percentage in the output. You can also view the sensor load on the IME Device List pane.

  From your screen-shot, your Inspection Load is roughly 50%, so the sensor should be performing as expected.

  In regard to the time when IDM reports no data, can you verify the IDSM-2 is still reachable from the system running IDM?  Can you connect via SSH and verify sensor status using the following commands:

show version

show statistics virtual-sensor

show statistics analysis-engine

  These commands should provide the current state of the IDSM-2.   These outputs should help verify that all expected processes are running, and the sensor is still operating as expected.  If there is something out of the ordinary in those outputs, it would be best to open a service request with TAC so more direct troubleshooting can be performed.

Scott
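The distinction Scott draws is between the CPU figure reported by top/ps (inflated by NIC polling since the E3 engine, per CSCsu77935) and the sensor's own Processing Load Percentage. The script below is an added example, not from the thread or from Cisco: it parses a constructed excerpt of `show statistics virtual-sensor` output (the "Processing Load Percentage" label is the one the answer refers to; the surrounding layout, virtual-sensor names and numbers are made up) and classifies a pegged CPU reading as the expected idle-poll artefact, genuine inspection load, or normal. The 80% "busy" threshold is an assumed operating value, not a Cisco figure.

```python
"""Separate the idle-poll CPU artefact from real inspection load on a
Cisco IPS sensor.

Added example, not from the original thread or from Cisco.  It parses a
constructed excerpt of `show statistics virtual-sensor` output (only the
"Processing Load Percentage" label comes from the thread; everything else
is made up) and decides whether a pegged CPU reading from top/ps should be
acted on.
"""
import re

SAMPLE_STATS = """\
Virtual Sensor Statistics
   Statistics for Virtual Sensor vs0
      Name of current Signature-Definition instance = sig0
      Name of current Event-Action-Rules instance = rules0
      General Statistics for this Virtual Sensor
         Number of seconds since a reset of the Virtual Sensor = 8421
         Total packets processed since reset = 48213377
         Processing Load Percentage = 50
   Statistics for Virtual Sensor vs1
      Name of current Signature-Definition instance = sig0
      Name of current Event-Action-Rules instance = rules0
      General Statistics for this Virtual Sensor
         Number of seconds since a reset of the Virtual Sensor = 8421
         Total packets processed since reset = 9811
         Processing Load Percentage = 2
"""

# Above this inspection load the sensor really is busy and a high CPU
# reading is not just the poll loop.  Assumed operating threshold, not a
# Cisco figure.
BUSY_LOAD_PCT = 80


def parse_processing_load(text):
    """Map each virtual sensor name to its Processing Load Percentage."""
    loads = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"\s*Statistics for Virtual Sensor (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*Processing Load Percentage = (\d+)", line)
        if m and current:
            loads[current] = int(m.group(1))
    return loads


def classify(cpu_pct, inspection_load_pct, busy=BUSY_LOAD_PCT):
    """Classify a CPU reading from top/ps against the sensor's own load figure.

    Since the E3 engine the idle loop polls the NICs, so top reports near
    100% on the primary CPU even when the engine is mostly idle; only the
    sensor's Processing Load Percentage reflects inspection work.
    """
    if inspection_load_pct >= busy:
        return "busy"          # real inspection load: check throughput / drops
    if cpu_pct >= 95:
        return "idle-poll"     # expected artefact of the E3+ idle algorithm
    return "normal"


def assess(stats_text, cpu_pct):
    """Classify every virtual sensor found in the statistics output."""
    return {vs: classify(cpu_pct, load)
            for vs, load in parse_processing_load(stats_text).items()}


if __name__ == "__main__":
    # CPU1 at 99 percent as in GL's post, inspection load around 50 percent.
    print(assess(SAMPLE_STATS, cpu_pct=99))
```

Feed it the real `show statistics virtual-sensor` output collected over SSH; an "idle-poll" result with a load figure well under the threshold is the situation Scott describes as expected, whereas "busy" is the case worth a TAC service request.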

Hi guys,

here I am again.

After installing IDSM-2 version 7 on module 3 of my router 1, I tried to do the same on the backup router 2, but I couldn't telnet to the IDS module because the system says:

ROUTER2#session slot 3 processor 1
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.31 ...
% Connection timed out; remote host not responding

so I tried to reinstall the system image:


ROUTER2# hw-module module 3 reset cf:1
ROUTER2# session slot 3 processor 1
login: guest 

Password: cisco

guest@hostname.localdomain# upgrade

....


In the end the upgrade didn't complete correctly, and now I've got this power error:

ROUTER2#show module power
Mod Card Type                              Admin Status  Oper Status
--- -------------------------------------- ------------  ------------
3  Intrusion Detection System               on     off (Module  Failed SCP dnld)


I tried to reload the module:

....
Proceed with reload of module?[confirm]
% module 3 is operationally off (Module  Failed SCP dnld)

Now I can't do anything because of this power error. Can someone help me? Here are all the versions installed on the IDS module:


ROUTER2#show module version
Mod  Port Model              Serial #    Versions
---- ---- ------------------ ----------- -------------------------------------
  3    8  WS-SVC-IDSM-2      SAD093606X8 Hw : 5.0
                                         Fw : 7.2(1)
                                         Sw : 8.6(0.434)BAR6

Thank you in advance,
G.

Giovanni;

  You could attempt to reseat the IDSM-2 to see if that corrects the issue; but frequently in scenarios like this it is necessary to have the IDSM-2 replaced by RMA.  This will require opening a service request with TAC.

Scott

Thanks for your reply, Scott.

But the problem now is that I can't access the module because its power is off.

I also tried to power on the module, but after a while I get this message. What can I do?

Sep 21 09:22:53.708: %C6KPWR-SP-4-DISABLED:

power to module in slot 3 set off (Module  Failed SCP dnld)

ROUTER#session slot 3 processor 1
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.31 ...
% Connection timed out; remote host not responding

By comparing the versions on R1 and R2 I noticed this difference:

Router1#show module version
Mod  Port Model              Serial #    Versions
---- ---- ------------------ ----------- -------------------------------------
  3    8  WS-SVC-IDSM-2      SAD093606VE Hw : 5.0
                                         Fw : 7.2(1)
                                         Sw : 7.0(4)E4

Router2#show module version
Mod  Port Model              Serial #    Versions
---- ---- ------------------ ----------- -------------------------------------
  3    8  WS-SVC-IDSM-2      SAD093606X8 Hw : 5.0
                                         Fw : 7.2(1)
                                         Sw : 8.6(0.434)BAR6

Could this be the problem? How can I fix it?

Thank you,

G.

Giovanni;

  The version difference you note is because the IDSM-2 in Router2 is not successfully powering on and loading the software from the application partition or maintenance partition.

  The IDSM-2 in Router2 has most likely encountered a hardware failure.  There is likely nothing more that can be done in the field to correct the issue; it would be best to open a service request with TAC so the IDSM-2 can be replaced by RMA (as long as it is covered under an active support contract).

Scott