IPS - Disruption in service

Answered Question
Aug 30th, 2012

Hey all, thanks for reading my post.

Can someone either tell me or point me to a doc that tells me 100% for sure what upgrades in regards to the IPS are disruptive? I.e.: signatures, engine, software.


Thanks guys for all your help.


Rodney


Sent from Cisco Technical Support iPad App

Correct Answer by Karsten Iwen about 4 years 11 months ago

For Signature-Updates: (from the conf-guide, same link that turnera posted):

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_sensor_management.html#wp2016113



Signature Updates and Installation Time

There is a short period of time that traffic is not inspected while you are performing signature updates. However, traffic continues to flow if you have bypass enabled.

When a signature update adds or modifies signatures that contain regular expressions, the regular expression cache tables used by SensorApp have to be recompiled. The amount of recompile time varies by platform, number of signatures modified and/or added, and type of signatures modified and/or added.

If a signature update only adds one or two new signatures on a high-end platform, for example, IPS 4255 or IPS 4260, the recompile can be as fast as a few seconds.

The recompile takes several minutes and even up to a half hour under the following conditions:

  • When a signature update adds a large number of signatures, for example, when you are skipping several signature levels to install a newer one, for example, installing S258 on top of S240.
  • When a signature update modifies a large number of signatures, for example when a large number of older signatures is disabled and/or retired.

During the recompile, SensorApp stops monitoring packets. The interface driver detects this when the packet buffers begin filling up on the way to SensorApp and the driver stops receiving packets from SensorApp. If the sensor is in inline mode, the driver either turns on bypass if the bypass option is set to Auto, or brings down the interface links if bypass is set to Off.

Note: Some packets can be dropped before the bypass setting begins operating. Once SensorApp completes the recompile of the regular expression cache files, SensorApp reconnects to the driver and begins monitoring again, and the driver begins passing packets to SensorApp for analysis, and if necessary, also brings the interface links back up.




And this is for all other updates:

Note: The IDM and CLI connections are lost during the following updates: service pack, minor, major, and engineering patch. If you are applying one of these updates, the installer restarts the IPS applications. A reboot of the sensor is possible. You do not lose the connection when applying signature updates and you do not need to reboot the system.






-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
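
An added example, not part of the original posts or of Cisco's documentation: one way to turn the behaviour quoted above into a post-update check that measures how long each sensor was not inspecting and what happened to traffic in the meantime. The event lines, sensor names and inventory are constructed for illustration and are not a Cisco log format.

```python
from datetime import datetime

# Constructed, normalized events (NOT a Cisco log format): time, sensor, event.
EVENTS = """\
2012-09-01T01:00:05 ips-dc1 update_start type=signature
2012-09-01T01:00:09 ips-dc1 analysis_stopped
2012-09-01T01:12:41 ips-dc1 analysis_resumed
2012-09-01T02:00:00 ips-edge update_start type=signature
2012-09-01T02:00:03 ips-edge analysis_stopped
2012-09-01T02:00:11 ips-edge analysis_resumed
2012-09-01T03:00:00 ips-lab update_start type=service-pack
2012-09-01T03:00:02 ips-lab analysis_stopped
"""

# Hypothetical inventory: sensor -> (interface mode, bypass setting).
SENSORS = {"ips-dc1": ("inline", "auto"),
           "ips-edge": ("inline", "off"),
           "ips-lab": ("promiscuous", None)}

def traffic_effect(mode, bypass):
    """What happens to traffic while SensorApp is not monitoring."""
    if mode == "inline" and bypass == "auto":
        return "forwarded-uninspected"   # driver turns on bypass
    if mode == "inline" and bypass == "off":
        return "links-down"              # driver brings the interface links down
    return "not-inspected"               # otherwise: treated as an inspection gap only

def inspection_gaps(text, sensors):
    """Pair analysis_stopped/analysis_resumed per sensor into gap records."""
    stopped, update, gaps = {}, {}, []

    def record(sensor, start, end):
        gaps.append({"sensor": sensor, "update": update.get(sensor, "unknown"),
                     "effect": traffic_effect(*sensors[sensor]),
                     "seconds": int((end - start).total_seconds()) if end else None})

    for line in text.splitlines():
        ts, sensor, event, *extra = line.split()
        when = datetime.fromisoformat(ts)
        if event == "update_start":
            update[sensor] = extra[0].split("=", 1)[1]
        elif event == "analysis_stopped":
            stopped[sensor] = when
        elif event == "analysis_resumed" and sensor in stopped:
            record(sensor, stopped.pop(sensor), when)
    for sensor, start in stopped.items():   # never resumed: gap is still open
        record(sensor, start, None)
    return gaps

def needs_review(gaps, min_seconds=60):
    """Sensors with an open gap, or with traffic uninspected for min_seconds or more."""
    return [g["sensor"] for g in gaps if g["seconds"] is None
            or (g["effect"] != "links-down" and g["seconds"] >= min_seconds)]
```

Gaps classed as `forwarded-uninspected` are windows in which the absence of alerts says nothing about the traffic, so they are the ones to cover with other telemetry.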

Correct Answer by sawgupta about 4 years 11 months ago

The IPS would enter the Bypass state when a signature update is happening. Bypass will get triggered during an upgrade as well.


http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_tech_note09186a0080bd008f.shtml#caveats


Regards,

Sawan Gupta

Overall Rating: 4 (3 ratings)
Rodney Mothersbaugh Fri, 08/31/2012 - 18:04

Turnera,


Thanks for the info; however, I still don't see anywhere that it states that it will be disruptive or it will not be disruptive during a signature and/or engine update. I did, however, see this, which I already knew.



Major updates, minor updates, and service packs may force a restart of the IPS processes or even force a reboot of the sensor to complete installation.



Still unanswered. But again thanks for the help.

Correct Answer
Karsten Iwen Sat, 09/01/2012 - 01:24