Botnet database updates

Mike Brooks
Level 1

In ASDM under monitoring, Botnet Traffic Filter, Updater Client I noticed the following:

Last update attempted at 16:32:15 EDT Oct 13 2011,
   with result:  Failed to read downloaded update file
Next update is in 00:00:00
Database file version is '1317880142' fetched at 02:19:29 EDT Oct 6 2011, size: 2097150

Can anybody tell me how to get this to update to current version of the database?

If I click on Fetch Botnet Database it tells me update already pending.

Enable Botnet Updater Client and Use Botnet data dynamically downloaded from updater server are both enabled.

I'm running on an ASA5510 with v8.2(5) and Botnet traffic filter is licensed.

Thanks,

Mike

Accepted Solutions

Alright, do you have the Firewall on failover? Is there a way you can run in the other one and reload the current one? If not, have you tried to reload the ASA?

I've seen a couple of cases where the low memory available can cause this, and some others where the case was resolved by reloading the unit.

Let me know.

Mike

Mike

19 Replies

Maykol Rojas
Cisco Employee

Mike,

From the command line, you can do dynamic-filter database fetch, and that will try to pull the database directly from Cisco. Make sure that from the firewall you can ping update-manifests.ironport.com; if you can ping it, there should not be any problem trying to download it.

Mike Rojas

Mike

I can ping update-manifests.ironport.com from the firewall.  When I do dynamic-filter database fetch the firewall responds with 'INFO: Dynamic Filter: update already pending' as noted above.

Thanks,

Mike

One quick question, is the botnet blocking sites at this point? Can you try to remove the dynamic filter commands and put them back again?

Mike

Mike

Yes it is still blocking sites.  I already tried removing the dynamic filter commands and putting them back in earlier today.

Mike

Can you run the following command?

debug dynamic-filter updater-client

Mike

Mike

Ok I have entered that command.  So how do I collect/view the output from it?

Mike

You should see the ASA trying to connect to update-manifests.ironport.com. That will indicate to us if the Firewall has any problems trying to reach the updater server.

Do you have any new proxy server setup on the network, anything that may have changed?

Mike

Mike

I don't see anything related to update-manifests.ironport.com in the log.  As a matter of fact we changed internet services on the afternoon of Oct. 13 which is the date noted in my original question.  Now, nothing changed in the ASA during the internet service change with the exception of DNS server addresses.  We kept the same block of public ip addresses.

Mike

Alright,

Can you let the debug on, remove and put the dynamic filter commands to see what we get on the logs once you do it? We may need to create some captures on the outside interface going to the updater website.

Mike.

Mike

Ok took out the commands and added them back via cli.  Debug was left on.  Received a lot of output on the terminal session but I'm not sure it's related.  Captured all I could from the telnet app buffer and saved to a txt file. Uploaded it as an attachment.

Mike

Ok,

How much RAM do you have on the device?

Mike

Mike

256 MB

Mike

Is it running out of RAM memory? (show mem)

Mike

Mike

Free memory:        68516248 bytes (26%)
Used memory:       199919208 bytes (74%)
-------------     ----------------
Total memory:      268435456 bytes (100%)

Mike
