IPS Auto update

Answered Question
Sep 8th, 2010

I have configured the internal IDSM cards for auto update, and I see hits against our firewall ACL for this traffic, but the update seems out of date on the IPS. Can anyone tell me how to troubleshoot this?

many thanks

praprama Wed, 09/08/2010 - 06:39

Hi,

On the IDSM, you can enter the command "show statistics host", and it should tell you all the details regarding auto-update, including the reason for failure. Please paste the entire output over here and we can have a look.

Regards,

Prapanch

networker99 Wed, 09/08/2010 - 07:07

Error: autoUpdate successfully selected a package (http:[email protected]//swc/esd/04/273556262/contract/IPS-sig-S511-req-E4.pkg) from the cisco.com locator service, however, package download failed: HTTP connection failed

I only had HTTPS allowed; I have allowed HTTP also now. Should this fix it?

Also, all my IPSs are 10.x.1.10 (with x being the subnet). Can you write an ACL in the format:

access-list inside_in permit ip 10.0.1.10 255.0.255.255 any

Thanks in advance

Correct Answer
praprama Wed, 09/08/2010 - 20:42

Hi,

Yes, once you have HTTP also allowed, you should see auto update working.

The way you have configured the ACL is interesting :-) and I don't see any reason why it should not work. Let's wait for the next auto-update attempt by the IPS and see what happens. Let me know how it goes!

Regards,

prapanch

praprama Fri, 09/17/2010 - 01:07

Hi,

Was wondering if you managed to get the Auto Update working. If so, please do mark this thread as Answered.

Regards,

Prapanch

networker99 Fri, 09/17/2010 - 05:23

Well, yes and no. Enabling HTTP did not solve the issue, but if I permit ip they update, so I am not quite sure what other ports are needed. I will have to create a packet capture to find out.

praprama Fri, 09/17/2010 - 08:19

Hmmm. That's interesting. What did the access-list look like when you configured it to allow HTTP alone? The captures will certainly help.

Regards,

Prapanch
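
The following is an added ASA configuration example, not something posted in this thread or taken from Cisco documentation. It addresses the two open questions above: how to write the ACL for sensors that all sit at 10.x.1.10 without relying on a non-contiguous mask, and how to find out which ports the sensors need beyond HTTP and HTTPS when "permit ip" works but the narrow rule does not. The sensor addresses (10.0.1.10, 10.1.1.10, 10.2.1.10), the object-group and capture names, and the interface name "inside" are assumptions; the ACL name inside_in is the one used in the thread. Note that ASA access-lists take subnet masks, not wildcard masks, which is why the example lists each sensor as a host entry rather than using 255.0.255.255.

```cisco
! ---- 1. Name the sensors explicitly (assumed addresses, one per 10.x subnet)
object-group network IPS_SENSORS
 network-object host 10.0.1.10
 network-object host 10.1.1.10
 network-object host 10.2.1.10
!
! ---- 2. Ports the thread has established so far: the cisco.com locator
!         service over HTTPS and the package download over HTTP
object-group service IPS_UPDATE_TCP tcp
 port-object eq https
 port-object eq www
!
! ---- 3. Narrow permit with "log", so every allowed flow shows up in
!         syslog (%ASA-6-106100) and the ACE hit counter increments
access-list inside_in extended permit tcp object-group IPS_SENSORS any object-group IPS_UPDATE_TCP log
!
! ---- 4. Log what the sensors try that is NOT covered above. This line
!         must sit after the permit and before any broader "permit ip"
!         for these hosts, otherwise the denied ports never become visible
access-list inside_in extended deny ip object-group IPS_SENSORS any log
!
! ---- 5. Verification after the next auto-update attempt
! per-ACE hit counters:
show access-list inside_in
! packets from the sensors that the ACL dropped:
capture IPS_DENIED type asp-drop acl-drop
show capture IPS_DENIED | include 10.0.1.10
! everything the sensors send and receive, for the full picture:
access-list CAP_IPS extended permit ip object-group IPS_SENSORS any
access-list CAP_IPS extended permit ip any object-group IPS_SENSORS
capture IPS_ALL access-list CAP_IPS interface inside
show capture IPS_ALL detail
```

The point of the explicit deny-with-log line is that it turns the question "what other ports are needed?" into a syslog search: every destination port the sensor tries that is not on the allow list produces a %ASA-4-106023 or %ASA-6-106100 deny message with the source sensor and the destination address and port. The asp-drop capture shows the same packets at the firewall's drop point and is useful when syslog is not being collected. Remove the deny line and the captures once the required ports are known, and keep the final ACL limited to those ports rather than falling back to "permit ip" for the sensors.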
