Cisco VMS 2.3 can't query IDSM-2

Unanswered Question
Jan 23rd, 2007

Hi all,

I use a Catalyst 6513 (Router IOS) + IDSM-2 and use Cisco VMS 2.3 to manage the IDSM-2. I upgraded the IDSM-2 from version 4 to version 5. However, after the upgrade completed, when I use Cisco VMS 2.3 to query the IDSM-2, I see an error:

"status: Error importing configuration files from the sensor - Unable to get sensor version from the sensor. Possible reason: X.509 certificate is invalid or sensor version was downgraded. "


Overall Rating: 5 (1 ratings)
edwakim Tue, 01/23/2007 - 18:02
Cisco Employee

Hi,


Normally doing the following fixes the problem.


You need to regenerate the IDSMC Certificate and add the VMS as the trusted host to the sensor.


To generate the certificate do the following.


c:\progra~1\cscopx\mdc\apache\gencert.bat


where c: is the drive on which you installed your VMS.


After this is done, please restart the CiscoWorks Daemon Manager.


You will also need to generate a TLS key as well as manually re-install the TLS certificate on your sensor.


tls trusted-host from the IPS CLI and specify your VMS's IP address.



tls generate-key

no tls trusted-host ip-address (vms server ip)

tls trusted-host ip-address (vms server ip)



Thanks.



Edward

mylove142 Tue, 01/23/2007 - 18:17

Thank you for your answer, however, I can't do that because when I type:


E:\>CSCOpx\MDC\Apache\gencert.bat

E:\>\openssl.exe req -config \conf\ssl\openssl.conf -new -nodes -out \conf\ssl\server.csr -keyout \conf\ssl\server.key
'\openssl.exe' is not recognized as an internal or external command,
operable program or batch file.

E:\>\openssl.exe x509 -in \conf\ssl\server.csr -out \conf\ssl\server.cert -req -signkey \conf\ssl\server.key -days 365
'\openssl.exe' is not recognized as an internal or external command,
operable program or batch file.


If you know the cause, please answer me early.


Thanks

edwakim Tue, 01/23/2007 - 18:25
Cisco Employee

Hi,


Could you search your drives to see where the 'openssl.exe' file is?


Thank you.



Edward

mylove142 Tue, 01/23/2007 - 18:29

I see openssl in

1) E:\CSCOpx\MDC\apache

2) E:\CSCOpx\lib\web

openssl.exe-CSCec43722-1 in E:\CSCOpx\MDC\apache


Now, what must I do?


Thanks,

Duy Khang


edwakim Tue, 01/23/2007 - 18:35
Cisco Employee

Could you look at the gencert.bat file?


If the batch file does not have the correct paths, please correct them.


Thank you.



Edward

edwakim Tue, 01/23/2007 - 18:43
Cisco Employee

Could you post the batch file content?


Thank you.



Edward

mylove142 Tue, 01/23/2007 - 18:52

The content of batch file:

%1\openssl.exe req -config %1\conf\ssl\openssl.conf -new -nodes -out %1\conf\ssl\server.csr -keyout %1\conf\ssl\server.key


%1\openssl.exe x509 -in %1\conf\ssl\server.csr -out %1\conf\ssl\server.cert -req -signkey %1\conf\ssl\server.key -days 365

edwakim Tue, 01/23/2007 - 18:56
Cisco Employee

Hi,


Try to build another batch file with this content and try the batch file. Please note that there are 3 lines. (1 short one and 2 long ones)


set PATH=E:\CSCOpx\bin;%PATH%


E:\CSCOpx\MDC\Apache\openssl req -config E:\CSCOpx\MDC\Apache\conf\ssl\openssl.conf -new -nodes -out E:\CSCOpx\MDC\Apache\conf\ssl\server.csr -keyout E:\CSCOpx\MDC\Apache\conf\ssl\server.key


E:\CSCOpx\MDC\Apache\openssl x509 -in E:\CSCOpx\MDC\Apache\conf\ssl\server.csr -out E:\CSCOpx\MDC\Apache\conf\ssl\server.cert -req -signkey E:\CSCOpx\MDC\Apache\conf\ssl\server.key -days 365
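
Added example, not part of the original thread and not Cisco's gencert.bat: the posted batch file builds every path from its first argument (%1), so running it with no argument expands %1\openssl.exe to \openssl.exe, which is the error shown earlier. The wrapper below runs the same two openssl commands but checks that argument first; the file name gencert-checked.bat and the optional second argument (a directory to prepend to PATH, as the answer above does with E:\CSCOpx\bin) are assumptions made for this illustration.

```bat
@echo off
rem Added example (hypothetical gencert-checked.bat), not Cisco's script.
rem Usage, with the paths from this thread:
rem   gencert-checked.bat E:\CSCOpx\MDC\Apache E:\CSCOpx\bin
setlocal

rem %~1 is the first argument without surrounding quotes. When it is empty,
rem "%1\openssl.exe" collapses to "\openssl.exe", so stop here instead.
set "APACHE=%~1"
if "%APACHE%"=="" (
    echo Usage: %~nx0 ^<Apache directory^> [directory to add to PATH]
    exit /b 1
)
if not exist "%APACHE%\openssl.exe" (
    echo openssl.exe not found in "%APACHE%"
    exit /b 1
)
set "SSLDIR=%APACHE%\conf\ssl"
if not exist "%SSLDIR%\openssl.conf" (
    echo openssl.conf not found in "%SSLDIR%"
    exit /b 1
)

rem Optional second argument: prepend a directory to PATH for this run only.
if not "%~2"=="" set "PATH=%~2;%PATH%"

rem Each openssl command must stay on ONE line. If an editor wraps it, cmd.exe
rem runs the wrapped tail (for example a .csr path) as a command of its own.
"%APACHE%\openssl.exe" req -config "%SSLDIR%\openssl.conf" -new -nodes -out "%SSLDIR%\server.csr" -keyout "%SSLDIR%\server.key"
if errorlevel 1 exit /b 1

"%APACHE%\openssl.exe" x509 -in "%SSLDIR%\server.csr" -out "%SSLDIR%\server.cert" -req -signkey "%SSLDIR%\server.key" -days 365
if errorlevel 1 exit /b 1

rem Print subject, validity dates and fingerprint of the new self-signed
rem certificate so it can be checked before it is trusted anywhere.
"%APACHE%\openssl.exe" x509 -in "%SSLDIR%\server.cert" -noout -subject -dates -fingerprint
endlocal
```

The `-nodes` option in the first command writes server.key unencrypted, so the conf\ssl directory should be readable only by the account that runs the VMS web server.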

mylove142 Tue, 01/23/2007 - 19:36

When I run the batch file, it asks me 2 questions:

1) Click the program you want to use to open "server.csr"

2) Click the program you want to use to open "server.csrt"


I don't know which programs to choose to open the 2 files above.

edwakim Tue, 01/23/2007 - 19:40
Cisco Employee

Hi,


You may see 5 lines from the output but there are only 3 lines.


Please make them into 3 lines and try it again.


Thank you.



Edward

mylove142 Tue, 01/23/2007 - 20:15

Dear Sir,

I have done what you said. However, I can't import the IDSM-2 from Cisco VMS. I see the same error as in the first post.

I have completed the update of the first IDSM-2, but I can't update the second IDSM-2. I use Cisco VMS to manage both IDSM-2s.

The first time, when I installed IPS v5 on the first IDSM-2, I saw the graphical interface of Cisco VMS v2.2 change from v4 to v5.

The second time, when I installed IPS v5 on the second IDSM-2, I didn't see the graphical interface of Cisco VMS v2.2 change; the graphical interface is still version 4.

Maybe VMS v2.2 has error to connect to IDSM-2?




edwakim Tue, 01/23/2007 - 20:25
Cisco Employee

Hi,


Could you delete the sensor from the IPSMC and try to re-add the sensor?


Thank you.



Edward

mylove142 Tue, 01/23/2007 - 20:32

Thank you very much.

I have finished updating. I deleted the sensor and then imported the sensor.
