09-06-2010 02:30 AM - edited 03-10-2019 05:06 AM
Hi all,
I'm new to this community and also to Cisco security. Here is my question for you:
I have a Cisco 7600 router with an IDSM-2 module, and I updated it to version IPS-K9-5.1-8-E3. Now I would like to upgrade it to version IPS 7.0(3) E4.
Is that possible? I read that IPS 6.0 denies high risk events by default and you need to create an event action to solve the problem. How can I solve my problem?? I'm afraid to do something wrong because the router is an important one, if I do something wrong I'm afraid to block all the traffic :s
Thanks
G.
09-08-2010 06:14 AM
G;
You can certainly upgrade your IDSM-2 from 5.1(8)E3 to 7.0(4)E4 directly.
In regard to your concern over the IDSM-2 denying high risk events (risk ratings of 90 to 100) by default, this holds true if the IDSM-2 is configured to inspect traffic using inline operation. If the IDSM-2 is configured for promiscuous inspection, this will not occur.
If your IDSM-2 is configured for inline operation, the simplest method to avoid the IDSM-2 denying high risk events is to disable the default event action override (EAO). From within IPS Device Manager (IDM):
Configuration>Policies
Highlight the virtual sensor in question (default is vs0) and choose Edit.
Under Event Action Rule uncheck "Use Event Action Overrides"
This will disable ALL event action overrides for the virtual sensor in question. You can also disable just the default High Risk EAO using the same process above, but instead of unchecking "Use Event Action Overrides":
Highlight the 'HIGHRISK' EAO and click 'Edit'
Next to the 'Deny Packet Inline (Inline)' entry uncheck the box under the "Enable" column (not the "Assigned" column).
Scott
09-08-2010 06:54 AM
Hi Scott,
thank you very much...now I'm going to upgrade the signatures to the latest version and see what happens in the IDM.
I still have some trouble with the license, it says that it is not present....I have to ask my company if we have an active one.
Thanks again,
G.
09-08-2010 07:03 AM
Giovanni;
You are quite welcome.
Without a current license file, you will not be able to update the
signatures - that is the purpose of an active license.
If you have not had a trial license previously, you can request a
60-day trial license here:
https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet?FormId=1016
Long-term, you will need to have the serial number of the IDSM-2 added
to an active support contract that also carries IPS Signature Updates.
Your Cisco account team or partner can assist with that.
Scott
09-15-2010 03:55 AM
Hi all,
Me too:
I have a Cisco 6509 switch with an IDSM-2 module, and I updated it to version IPS-K9-7.0(4)E4. So now, the CPU1 process is very high (99%) and sometimes IDM cannot show some information about the IDSM-2, e.g. CPU, memory, interface status, license... you can refer to the attached file.
I would like to upgrade it with version IPS 7.0(3) E4.
How can I solve my problem??
Please help me!
Thanks
GL
09-15-2010 04:12 AM
GL;
Since the release of the E3 analysis engine for Cisco IPS sensors, it is not uncommon for one CPU of a multi-CPU sensor (like the IDSM-2) to indicate 100% usage. This is outlined in bug CSCsu77935. From the release notes:
The idle time algorithm of the sensor has been modified. Additional CPU has been applied to polling the NICs to decrease the polling interval and reduce latency. The CPU usage is thus reported as higher than in previous releases, including external tools such as top and ps. You will notice the additional CPU load on single-CPU platforms and on the primary CPU of multicore systems.
Because the additional CPU load reported while polling is actually available to process packets, and is reduced as inspection load goes up, it does not negatively affect the overall throughput of the IPS.
Use the show statistics virtual-sensor command to see the sensor load. It is listed under Processing Load Percentage in the output. You can also view the sensor load on the IME Device List pane.
From your screen-shot, your Inspection Load is roughly 50%, so the sensor should be performing as expected.
In regard to the time when IDM reports no data, can you verify the IDSM-2 is still reachable from the system running IDM? Can you connect via SSH and verify sensor status using the following commands:
show version
show statistics virtual-sensor
show statistics analysis-engine
These commands should provide the current state of the IDSM-2. These outputs should help verify that all expected processes are running, and the sensor is still operating as expected. If there is something out of the ordinary in those outputs, it would be best to open a service request with TAC so more direct troubleshooting can be performed.
Scott
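As an added example (not part of the thread, and not Cisco code): Scott's point is that on E3/E4 engines the number to trust is the Processing Load Percentage from show statistics virtual-sensor, not the CPU percentage reported by top or IDM. The Python below parses that command's output, pulls out the inspection load and packet counters, and produces a triage verdict. The sample output is constructed and abridged; its field names follow the IPS 7.x CLI format, but the values, the 70/90 per cent thresholds and the function names are my own assumptions.

```python
import re
from typing import Dict, Union

Value = Union[int, str]

# Constructed, abridged sample of `show statistics virtual-sensor` output.
# Field names follow the IPS 7.x CLI layout; the values are made up and
# are NOT captured from the poster's IDSM-2.
SAMPLE_OUTPUT = """\
Virtual Sensor Statistics
   Statistics for Virtual Sensor vs0
      Name of current Signature-Definition instance = sig0
      Name of current Event-Action-Rules instance = rules0
      List of interfaces monitored by this virtual sensor = GigabitEthernet0/7
      General Statistics for this Virtual Sensor
         Number of seconds since a reset of the statistics = 86400
         MemoryAlloPercent = 13
         MemoryUsedPercent = 13
         Processing Load Percentage = 50
         Total packets processed since reset = 4820113
         Total IP packets processed since reset = 4800020
         Total packets that were not IP processed since reset = 20093
         Total TCP packets processed since reset = 3900000
         Total UDP packets processed since reset = 800000
         Total ICMP packets processed since reset = 100020
         Total packets with bad IP checksums processed since reset = 0
         Total packets with bad layer 4 checksums processed since reset = 0
"""

_VS_HEADER = re.compile(r"^\s*Statistics for Virtual Sensor (\S+)\s*$")
_KV_LINE = re.compile(r"^\s*(.+?)\s*=\s*(.*?)\s*$")


def parse_virtual_sensor_stats(text: str) -> Dict[str, Dict[str, Value]]:
    """Return {vs_name: {field: value}} from `show statistics virtual-sensor`.

    Numeric fields are converted to int; everything else stays a string.
    Lines before the first 'Statistics for Virtual Sensor' header are ignored.
    """
    result: Dict[str, Dict[str, Value]] = {}
    current = None
    for line in text.splitlines():
        m = _VS_HEADER.match(line)
        if m:
            current = m.group(1)
            result[current] = {}
            continue
        if current is None:
            continue
        m = _KV_LINE.match(line)
        if not m:
            continue  # section titles such as "General Statistics ..."
        key, raw = m.group(1), m.group(2)
        result[current][key] = int(raw) if raw.isdigit() else raw
    return result


def assess_load(vs_stats: Dict[str, Value], warn: int = 70, crit: int = 90) -> str:
    """Classify the inspection load; thresholds are assumptions, tune per site."""
    load = vs_stats.get("Processing Load Percentage")
    if not isinstance(load, int):
        return "unknown"
    if load >= crit:
        return "critical"
    if load >= warn:
        return "warning"
    return "ok"


def packets_per_second(vs_stats: Dict[str, Value]) -> float:
    """Average packet rate since the last statistics reset."""
    secs = vs_stats.get("Number of seconds since a reset of the statistics")
    pkts = vs_stats.get("Total packets processed since reset")
    if not isinstance(secs, int) or not isinstance(pkts, int) or secs == 0:
        return 0.0
    return pkts / secs


def triage(vs_stats: Dict[str, Value], top_cpu_percent: int) -> str:
    """Explain a high top/ps CPU reading in terms of the real inspection load.

    Under E3+ engines idle CPU is spent polling the NICs (CSCsu77935), so a
    pegged CPU together with a low Processing Load Percentage is expected.
    """
    verdict = assess_load(vs_stats)
    load = vs_stats.get("Processing Load Percentage", "?")
    if verdict == "ok" and top_cpu_percent >= 95:
        return f"expected: CPU {top_cpu_percent}% is idle-time NIC polling (CSCsu77935); inspection load {load}%"
    if verdict in ("warning", "critical"):
        return f"{verdict}: inspection load {load}% - check throughput, consider a TAC case"
    return f"{verdict}: inspection load {load}%"


if __name__ == "__main__":
    stats = parse_virtual_sensor_stats(SAMPLE_OUTPUT)
    vs0 = stats["vs0"]
    print(triage(vs0, top_cpu_percent=99))
    print(f"{packets_per_second(vs0):.1f} packets/s since reset")
```

Paste the real command output in place of SAMPLE_OUTPUT (or read it from a file captured over SSH) and compare the verdict with what top reports; the load figure stays meaningful when the per-CPU number does not.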
09-20-2010 08:58 AM
Hi guys,
here I am again.
After installing IDSM-2 version 7 on module 3 of my router 1, I tried to do the same on the backup router 2, but I couldn't telnet to the IDS module because the system says:
ROUTER2#session slot 3 processor 1
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.31 ...
% Connection timed out; remote host not responding
so I tried to re-install the system image...
ROUTER2# hw-module module 3 reset cf:1
ROUTER2# session slot 3 processor 1
3 Intrusion Detection System on off (Module Failed SCP dnld)
login: guest
Password: cisco
guest@hostname.localdomain# upgrade
....
at the end the upgrade didn't complete correctly and now I've got this power error:
ROUTER2#show module power
Mod Card Type Admin Status Oper Status
--- -------------------------------------- ------------ ------------
I tried to reload the module...
....
Proceed with reload of module?[confirm]
% module 3 is operationally off (Module Failed SCP dnld)
Now I can't do anything because of this power error...Can someone help me?? Here are all the versions installed on the IDS module:
ROUTER2#show module version
Mod Port Model Serial # Versions
---- ---- ------------------ ----------- -------------------------------------
3 8 WS-SVC-IDSM-2 SAD093606X8 Hw : 5.0
Fw : 7.2(1)
Sw : 8.6(0.434)BAR6
Thank you in advance,
G.
09-20-2010 11:30 AM
Giovanni;
You could attempt to reseat the IDSM-2 to see if that corrects the
issue; but frequently in scenarios like this it is necessary to have the
IDSM-2 replaced by RMA. This will require opening a service request
with TAC.
Scott
09-21-2010 12:47 AM
Thanks for your reply, Scott.
But the problem now is that I can't access the module because the power is off.
I also tried to power on the module, but after a while I get this message. What can I do?
Sep 21 09:22:53.708: %C6KPWR-SP-4-DISABLED:
power to module in slot 3 set off (Module Failed SCP dnld)
ROUTER#session slot 3 processor 1
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.31 ...
% Connection timed out; remote host not responding
By comparing the version of R1 and R2 I noticed this difference:
Router1#show module version
Mod Port Model Serial # Versions
3 8 WS-SVC-IDSM-2 SAD093606VE Hw : 5.0
Fw : 7.2(1)
Sw : 7.0(4)E4
Router2#show module version
Mod Port Model Serial # Versions
3 8 WS-SVC-IDSM-2 SAD093606X8 Hw : 5.0
Fw : 7.2(1)
Sw : 8.6(0.434)BAR6
Can this be the problem? How can I fix it?
Thank you,
G.
09-21-2010 03:31 AM
Giovanni;
The version difference you note is because the IDSM-2 in Router2 is
not successfully powering on and loading the software from the
application partition or maintenance partition.
The IDSM-2 in Router2 has most likely encountered a hardware failure.
There is likely nothing more that can be done in the field to correct
the issue; it would be best to open a service request with TAC so the
IDSM-2 can be replaced by RMA (as long as it is covered under an active
support contract).
Scott