Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Cisco Employee

Emergency IPS Service Pack to be Posted Later Today

There was an emergency notification last night that I want to be sure everyone has seen:

1. Emergency IPS Version 5.0(5) Service Pack to be Released on 10/28 to Address

CSCsa85330

An emergency service pack will be released later today (October 28, 2005) to address a high severity bug relating to Daylight Savings (bug details below). All version 5.X sensors are impacted. To resolve this bug, this service pack must be installed prior to Daylight Savings which will occur on Sunday, October 30th 2005.

Bug Details:

Bug ID: CSCsa85330

Bug Title: MainApp - core during day when switchover to daylight savings happens.

Description: Within 24 hours after a transition to or from summertime (i.e. Daylight Savings Time), the sensor may become unresponsive and not allow CLI logins if Daylight Savings Time is enabled. The MainApp process will no longer run and a core file will be generated in /usr/cids/idsRoot/log/mainApp/.

The files for the 5.0(5) service pack will be posted later today (target time is 2:00 p.m. U.S. Central). Once available they can be downloaded from the following URLs:

Sensor: http://www.cisco.com/cgi-bin/tablebuild.pl/ips5

IPS MC: http://www.cisco.com/cgi-bin/tablebuild.pl/ipsmc5sp

This Service Pack will also resolve the following known issues:

CSCsb87741 TCP streams with certain ordering may not be properly inspected

CSCsb92206 Sensor boots up in crit level 2

CSCsb87674 4215 IPS 5.0 inline mode stops transmitting packets

CSCsb84996 sensorApp fails to shutdown when sent a SIGINT from mainApp

CSCsc02898 ips sensor 5.0(4) sensorapp aborting.

CSCsc04126 sensorApp aborts for BiDirData ListObj

CSCsc15875 IPS 5.0 is unable to shun E1 channelised inft. ( Serial x/y:z)

Another bulletin will be sent out within 2 hours of the posting of this Service Pack announcing its availability.

7 REPLIES
Cisco Employee

Re: Emergency IPS Service Pack to be Posted Later Today

A little more information:

If your sensor is not configured for summer-time, then your sensors will not hit CSCsa85330.

If your sensor is running version 4.x, then your sensor will not hit CSCsa85330.

But if you sensor is version 5.x, and configured for summer-time with the default settings which are used in most locations in the United States and possibly other countries. Then your sensor is likely to hit CSCsa85330.

If you are unable to install the 5.0(5) Service Pack you may want to consider disabling summer-time on your sensors before this coming Sunday when the switch over happens.

What happens if your sensor does not get upgraded before Sunday and you are using the summer-time option for handling DayLight Savings Time:

The mainApp process will core sometime during the 24 hours after the switchover happens.

With the mainApp core you will no longer be able to ssh or telnet to the sensor as the cisco userid, or any other userid with administrator, operator, or viewer privelage levels. Any monitoring tool pulling events from the sensor will loose connection to the sensor because the connection is through the web server that is part of mainApp.

How to recover:

If you have a service account, then login using the service account. Switch to user root using the command "su -" and provide the same password for root as for your service account.

As user root you will then need to execute "reboot" to reboot the sensor.

NOTE: The service account unlike the other accounts can still login even after the mainApp crash.

If you do not have a service account then the sensor will need to be rebooted by another means. If the snesor is an appliance you will need to physically power the sensor on and off. If the sensor is an IDSM-2, NM-CIDS, ASA-SSM-10, or ASA-SSM-20, then you will need to login to the switch, router, or asa and reboot or reset the module.

I will keep you posted of any other developments, and let you know when the 5.0(5) Service Pack is available.

Gold

Re: Emergency IPS Service Pack to be Posted Later Today

For anybody who hasen't gotten the notification that it's available (like me).

http://ftp-sj.cisco.com/cisco/crypto/3DES/ciscosecure/ips/5.x/IPS-K9-sp-5.0-5.pkg

Cisco Employee

Re: Emergency IPS Service Pack to be Posted Later Today

Thanks for posting this. I was just about to post the notice as well:

Cisco Employee

Re: Emergency IPS Service Pack to be Posted Later Today

Here is the wording from the official announcement:

Announcing the Availability of IPS Version 5.0(5) Emergency Service Pack to Address

CSCsa85330

The IPS Version 5.0(5) emergency service pack is now available for Cisco IPS Version 5.0 sensors. This Service Pack addresses a high severity bug (CSCsa85330) relating to Daylight Savings (bug details below). All version 5.X sensors configured with summer-time are impacted.

Important Note: To resolve this bug, this service pack must be installed by Saturday night, October 29, prior to Daylight Savings which will occur on Sunday, October 30th 2005.

Bug Details:

Bug ID: CSCsa85330

Bug Title: MainApp - core during day when switchover to daylight savings happens.

Description: Within 24 hours after a transition to or from summertime (i.e. Daylight Savings Time), the sensor may become unresponsive and not allow CLI logins if Daylight Savings Time is enabled. The MainApp process will no longer run and a core file will be generated in /usr/cids/idsRoot/log/mainApp/.

The files for the 5.0(5) service pack can be downloaded from the following URLs:

Sensor: http://www.cisco.com/cgi-bin/tablebuild.pl/ips5

IPS MC: http://www.cisco.com/cgi-bin/tablebuild.pl/ipsmc5sp

This Service Pack will also resolve the following known issues:

CSCsb87741 TCP streams with certain ordering may not be properly inspected

CSCsb92206 Sensor boots up in crit level 2

CSCsb87674 4215 IPS 5.0 inline mode stops transmitting packets

CSCsb84996 sensorApp fails to shutdown when sent a SIGINT from mainApp

CSCsc02898 ips sensor 5.0(4) sensorapp aborting.

CSCsc04126 sensorApp aborts for BiDirData ListObj

CSCsc15875 IPS 5.0 is unable to shun E1 channelised inft. ( Serial x/y:z)

Community Member

Re: Emergency IPS Service Pack to be Posted Later Today

Are older versions affected as well?

How will this affect versions that are upgraded from 4.x to 5.x AFTER daylight savings?

Cisco Employee

Re: Emergency IPS Service Pack to be Posted Later Today

We don't believe version 4.1 boxes are affected, and are running tests to be sure.

The issue will only be seen in the 1st 24 hours after the time change. So if your sensor stays up till Monday your OK. You won't have to be concerned until next April when the spring time change happens.

Cisco Employee

Re: Emergency IPS Service Pack to be Posted Later Today

We have done some testing and were unable to cause the problem on a 4.1 sensor.

164
Views
0
Helpful
7
Replies
CreatePlease to create content