Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Global Correlation Update Failures

I've recently turned on Global Correlation but we've failed to update every 5 minutes.

PL-ASA-IPS# show stat global

Network Participation:

   Counters:

      Total Connection Attempts = 2

      Total Connection Failures = 0

      Connection Failures Since Last Success = 0

   Connection History:

      Connection Attempt on February 16 2010, at 14:28:38 UTC = Successful

      Connection Attempt on February 16 2010, at 14:19:06 UTC = Successful

Updates:

   Status Of Last Update Attempt = Failed

   Time Since Last Successful Update = never

   Counters:

      Update Failures Since Last Success = 4

      Total Update Attempts = 4

      Total Update Failures = 4

   Update Interval In Seconds = 300

   Update Server = update-manifests.ironport.com

   Update Server Address = 204.15.82.17

   Current Versions:

      config = 0

      drop = 0

      ip = 0

      rule = 0

Warnings:

I have a static NAT translation for the IPS, there are no proxy servers in our enviorment and it can ping outside as well as update-manifests.ironport.com (204.15.82.17). DNS is setup as well.

In the logs I see this entry:

16Feb2010 14:13:15.679 265.199 collaborationApp[491] rep/E A global correlation update failed: Failed download of ibrs/1.1/config/default/1236210407 : HTTP connection failed

I guess I'm at a loss for what else I can check. We have no problems sending the Network Participation data but we can't get any data. Any suggestions?

Cisco Intrusion Prevention System, Version 7.0(2)E3

Signature Definition:

    Signature Update    S469.0                   2010-02-11

    Virus Update        V1.4                     2007-03-02

OS Version:             2.4.30-IDS-smp-bigphys

  • Intrusion Prevention Systems/IDS
4 REPLIES
New Member

Re: Global Correlation Update Failures

A few hours of searching led me to find out that the problem was being caused by an ASA/Websense combo. I has to tell the ASA to not apply filtering rules (HTTP and HTTPS) to the IPS' IP address.

Within minutes this fixed the issue.

New Member

Re: Global Correlation Update Failures

Thanks Robert.  I had a similar configuration (ASA/Websense) and was getting the same errors.  The filter url except command fixed it in less than a minute.

New Member

Re: Global Correlation Update Failures

I received "A global correlation update failed : Failed download of ibrs/1.1/drop/default/1267213766 : URI does not contain a valid IP address messages, like this one, in the category Reputation update failure

any ideas?

It has the default IP : 204.15.82.17

wps-asa-ips2# sh stat global
Network Participation:
   Counters:
      Total Connection Attempts = 3167
      Total Connection Failures = 1
      Connection Failures Since Last Success = 0
   Connection History:
      Connection Attempt on February 26 2010, at 20:24:42 UTC = Successful
      Connection Attempt on February 26 2010, at 20:14:39 UTC = Successful
      Connection Attempt on February 26 2010, at 20:04:34 UTC = Successful
      Connection Attempt on February 26 2010, at 19:54:35 UTC = Successful
      Connection Attempt on February 26 2010, at 19:44:40 UTC = Successful
Updates:
   Status Of Last Update Attempt = Failed
   Time Since Last Successful Update = 609 minutes
   Counters:
      Update Failures Since Last Success = 121
      Total Update Attempts = 4388
      Total Update Failures = 123
   Update Interval In Seconds = 300
   Update Server = update-manifests.ironport.com
   Update Server Address = 204.15.82.17
   Current Versions:
      config = 1236210407
      drop = 1267177755
      ip = 1267179307
      rule = 1267124528

New Member

Re: Global Correlation Update Failures

I have the same issue, i have no ASA or websense product between this device and the iNet.

Does anyone have a fix or workaround?

I have an AIM-IPS running 7.0(6)E4 with Signature versuon S599.0. All updates to date have been manualy d/l to a local ftp server

the auto update "seems" to run but never gets any updates

This is what i see

# sh stat global

Network Participation:

   Counters:

      Total Connection Attempts = 127

      Total Connection Failures = 127

      Connection Failures Since Last Success = 127

   Connection History:

      Connection Attempt on October 06 2011, at 10:46:32 UTC = Failed

      Connection Attempt on October 06 2011, at 09:24:32 UTC = Failed

      Connection Attempt on October 06 2011, at 08:03:04 UTC = Failed

      Connection Attempt on October 06 2011, at 07:59:52 UTC = Failed

      Connection Attempt on October 06 2011, at 06:36:57 UTC = Failed

Updates:

   Status Of Last Update Attempt = Failed

   Time Since Last Successful Update = never

   Counters:

      Update Failures Since Last Success = 2702

      Total Update Attempts = 2702

      Total Update Failures = 2702

   Update Interval In Seconds = 300

   Update Server = update-manifests.ironport.com

   Update Server Address = Unknown

   Current Versions:

      config = 0

      drop = 0

      ip = 0

      rule = 0

Warnings:

#sh ver

Application Partition:

Cisco Intrusion Prevention System, Version 7.0(6)E4

Host:

    Realm Keys          key1.0

Signature Definition:

    Signature Update    S599.0                 2011-09-29

OS Version:             2.6.14-Cavium-Octeon

Platform:               AIM-IPS-K9

Serial Number:          xxx

Licensed, expires:      31-Mar-2012 UTC

Sensor up-time is 9 days.

Using 54726656 out of 454148096 bytes of available memory (12% usage)

system is using 22.4M out of 80.0M bytes of available disk space (28% usage)

application-data is using 46.8M out of 213.0M bytes of available disk space (23% usage)

boot is using 54.4M out of 114.8M bytes of available disk space (50% usage)

application-log is using 61.8M out of 513.0M bytes of available disk space (12% usage)

MainApp            B-BEAU_2011_SEP_10_00_30_7_0_5_45   (Ipsbuild)   2011-09-10T00:32:09-0500   Running

AnalysisEngine     B-BEAU_2011_SEP_10_00_30_7_0_5_45   (Ipsbuild)   2011-09-10T00:32:09-0500   Running

CollaborationApp   B-BEAU_2011_SEP_10_00_30_7_0_5_45   (Ipsbuild)   2011-09-10T00:32:09-0500   Running

CLI                B-BEAU_2011_SEP_10_00_30_7_0_5_45   (Ipsbuild)   2011-09-10T00:32:09-0500

Upgrade History:

* IPS-AIM-K9-7.0-6-E4       17:39:07 UTC Sat Sep 10 2011

  IPS-sig-S599-req-E4.pkg   07:59:08 UTC Wed Oct 05 2011

Recovery Partition Version 1.1 - 7.0(6)E4

Host Certificate Valid from: 25-Sep-2011 to 25-Sep-2013

>

as seen above there is no ip address listed for "update-manifests.ironport.com"

NS lookup is able to resolve,

why can't the IPS?

I can i hard code the ip address?

>Non-authoritative answer:

>Name:    update-manifests.ironport.com

>Address:  204.15.82.17

6331
Views
0
Helpful
4
Replies