IPS Auto update

Answered Question
Sep 8th, 2010

I have configured the internal IDSM cards for auto update, and I see hits against our firewall ACL for this traffic, but the update seems out of date on the IPS. Can anyone tell me how to troubleshoot this?


many thanks

praprama Wed, 09/08/2010 - 06:39
User Badges: Cisco Employee

Hi,


On the IDSM, you can enter the command "show statistics host" and it should tell you all details regarding auto-update and the reason for failure as well. Please paste the entire output over here and we can have a look.


Regards,

Prapanch

networker99 Wed, 09/08/2010 - 07:07

Error: autoUpdate successfully selected a package (http:[email protected]//swc/esd/04/273556262/contract/IPS-sig-S511-req-E4.pkg) from the cisco.com locator service, however, package download failed: HTTP connection failed


I only had HTTPS allowed; I have allowed HTTP also now. Should this fix it?


Also, all my IPSs are 10.x.1.10 (with x being the subnet). Can you write an ACL in the format:


access-list inside_in permit ip 10.0.1.10 255.0.255.255 any


Thanks in advance
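An added illustration (my own code, not from the thread or from Cisco) of what the proposed entry would and would not match: a minimal ACL evaluator run against constructed flows. It treats 255.0.255.255 purely as a bitwise match mask; whether a given firewall accepts a non-contiguous mask written that way is a platform question the thread leaves open, and the flows, the 10.5.x/10.7.x addresses and the "other port" value are placeholders, not data from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def masked_match(addr: str, base: str, mask: str) -> bool:
    """True when addr equals base on every bit that is set in mask.
    With the non-contiguous mask 255.0.255.255 the 1st, 3rd and 4th octets
    must match and the 2nd octet (the 'x' in 10.x.1.10) is left free."""
    m = int(ipaddress.IPv4Address(mask))
    return (int(ipaddress.IPv4Address(addr)) & m) == (int(ipaddress.IPv4Address(base)) & m)


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches any protocol
    src: str               # source address, written as address + match mask
    src_mask: str
    dport: Optional[int]   # None = any destination port


def evaluate(acl, flow) -> str:
    """Action of the first entry matching flow; implicit deny otherwise."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != flow["proto"]:
            continue
        if not masked_match(flow["src"], ace.src, ace.src_mask):
            continue
        if ace.dport is not None and ace.dport != flow["dport"]:
            continue
        return ace.action
    return "deny"


# The entry from the thread, once limited to tcp/80 and tcp/443, once as "permit ip".
WEB_ONLY = [Ace("permit", "tcp", "10.0.1.10", "255.0.255.255", 80),
            Ace("permit", "tcp", "10.0.1.10", "255.0.255.255", 443)]
PERMIT_IP = [Ace("permit", "ip", "10.0.1.10", "255.0.255.255", None)]

# Constructed sample flows: two sensors on different subnets, a non-sensor host on
# a sensor subnet, and a placeholder extra port standing in for whatever a capture shows.
FLOWS = {
    "sensor_https": {"src": "10.5.1.10", "proto": "tcp", "dport": 443},
    "sensor_http":  {"src": "10.7.1.10", "proto": "tcp", "dport": 80},
    "sensor_other": {"src": "10.5.1.10", "proto": "tcp", "dport": 1234},
    "non_sensor":   {"src": "10.5.2.10", "proto": "tcp", "dport": 443},
}


def verdicts(acl) -> dict:
    return {name: evaluate(acl, flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("web-only", WEB_ONLY), ("permit ip", PERMIT_IP)):
        print(label, verdicts(acl))
```

The web-only list denies the placeholder "other port" flow, which is the gap a packet capture would have to identify before the broad "permit ip" entry can be narrowed.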

Correct Answer
praprama Wed, 09/08/2010 - 20:42
User Badges: Cisco Employee

Hi,


Yes, once you have HTTP also allowed, you should see auto update working.


The way you have configured the ACL is interesting :-) and I don't see any reason why it should not work. Let's wait for the next auto-update attempt by the IPS and see what happens. Let me know how it goes!!


regards,

prapanch

praprama Fri, 09/17/2010 - 01:07
User Badges: Cisco Employee

Hi,


Was wondering if you managed to get the Auto Update working. If so, please do mark this thread as Answered.


Regards,

Prapanch

networker99 Fri, 09/17/2010 - 05:23

Well, yes and no. Enabling HTTP did not solve the issue, but if I permit ip they update, so I am not quite sure what other ports are needed. I will have to create a packet capture to find out.

praprama Fri, 09/17/2010 - 08:19
User Badges: Cisco Employee

Hmmm. That's interesting. What did the access-list look like when you configured it to allow HTTP alone? The captures will certainly help.


Regards,

Prapanch
