New Member

IDSM-2 Signature Updates from Cisco.com URL?

The IDSM-2 IPS Sensor in my 6509 switch was not auto updating from version 6.1(1)E3 S297, so I manually updated it to 7.0(2)E4 S480.  Unfortunately it still won't auto update from cisco.com and I think the URL it is using is not correct.  My IDSM-2 configuration has the URL of:

https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl

Is there a more current URL I should be using?

Jim

1 ACCEPTED SOLUTION

Cisco Employee

Re: IDSM-2 Signature Updates from Cisco.com URL?

Jim;

  The URL you provided is the correct URL.

  You can see what might be occurring by reviewing the output of the command sh stat host from the CLI.  The very end of the output will display the auto-update status.

  With that output you can either post here, and time permitting we can try to work through the issue, or you can open a service request with TAC for directed assistance.

Scott

17 REPLIES
New Member

Re: IDSM-2 Signature Updates from Cisco.com URL?

Ok, the strange thing is that last night the latest signature update installed without issue automatically.  Strange, oh well, all is working now.  Thanks for the info, if it reoccurs I'll either post again or open a TAC case.

Jim

Cisco Employee

Re: IDSM-2 Signature Updates from Cisco.com URL?

Jim;

  Glad to hear it was successful.

  There is a known issue when the signature update is scheduled to occur on the hour boundary (i.e. 03:00) that it can fail to update frequently but not always.  Skewing the update check time off the boundary (i.e. 03:06) corrects the issue.

  Again, you can receive a quick view of a potential issue in the 'sh stat host' output.

Scott

New Member

Re: IDSM-2 Signature Updates from Cisco.com URL?

That could have very well been the problem.  I just switched it to update offset from the exact hour.  Thanks Again.

New Member

Re: IDSM-2 Signature Updates from Cisco.com URL?

Hi,

Auto update of signatures is not happening.

Output of sh stat host:

Auto Update Statistics
   lastDirectoryReadAttempt = 08:25:45 UTC Wed Apr 06 2011
    =   Read directory: http://www.cisco.com/cisco/software/download.html#
    =   Error: AutoUpdate exception: HTTP connection failed [1,0]
   lastDownloadAttempt = 10:00:51 UTC Wed Dec 22 2010
   lastInstallAttempt = N/A
   nextAttempt = 09:25:00 UTC Wed Apr 06 2011
Auxilliary Processors Installed

OS Version:             2.4.30-IDS-smp-bigphys
Recovery Partition Version 1.1 - 6.2(3)E4

Cisco Employee

Re: IDSM-2 Signature Updates from Cisco.com URL?

Abhishek;

  The automatic IPS signature update process does not perform DNS lookups.  Your system is configured to use the following update URL:

http://www.cisco.com/cisco/software/download.html#

  This is invalid.

  The correct URL is:

https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl

  This is the only valid URL; the double-forward slash (//) after the IPS address is not a typographical error.

Scott

New Member

Re: IDSM-2 Signature Updates from Cisco.com URL?

Hello Scott,

I changed the URL to https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl, but the IDSM is still not updating the signature automatically.

Output of sh stat host:

Auto Update Statistics
   lastDirectoryReadAttempt = 14:43:19 GMT+05:30 Thu Apr 07 2011
    =   Read directory: http://Rn@72.163.7.55//swc/esd/04/273556262/guest/
    =   Success
   lastDownloadAttempt = 14:43:19 GMT+05:30 Thu Apr 07 2011
    =   Download: http://Rn@72.163.7.55//swc/esd/04/273556262/guest/IPS-sig-S557-req-E4.pkg
    =   Error: autoUpdate successfully selected a package (http://Rn@72.163.7.55//swc/esd/04/273556262/guest/IPS-sig-S557-req-E4.pkg) from the cisco.com locator service, however, package download failed: HTTP status : 403 -  Webcat Access denied
   lastInstallAttempt = 15:46:59 GMT+05:30 Wed Dec 22 2010
   nextAttempt = 15:41:00 GMT+05:30 Thu Apr 07 2011
Auxilliary Processors Installed

Cisco Employee

Re: IDSM-2 Signature Updates from Cisco.com URL?

Abhishek;

  The new output indicates that the IDSM-2 is successfully connecting to the update website.

  The IDSM-2 is encountering an issue when attempting to retrieve the actual update package.  Is there a firewall, proxy server or URL filter (i.e. WebSense) between the IDSM-2 management IP address and the Internet?  If so, you will need to create an exception for the IDSM-2's management IP address so it can access the Internet without restriction.

Scott

New Member

Re: IDSM-2 Signature Updates from Cisco.com URL?

Hello,

Any update on this issue? I see the same behavior on two IDSM-2s. I didn't see any traffic being blocked on the firewall but still opened all IP traffic from the sensors to 198.133.219.25 and there was already an exception from Websense for anything to 198.133.219.0 /24.

This behavior only started recently. A while ago they had stopped updating then started up again without any intervention. Now they've stopped again. My last update is 566.

Thanks.

Vincent

Cisco Employee

Re: IDSM-2 Signature Updates from Cisco.com URL?

Vincent;

  What does the output of 'sh stat host' show about the last attempts to update signatures?

Scott

New Member

Re: IDSM-2 Signature Updates from Cisco.com URL?

Hi Scott,

Same thing as for Abhishek Kala:

Auto Update Statistics
   lastDirectoryReadAttempt = 10:24:05 UTC Tue May 31 2011
    =   Read directory: http://vpersaud001@72.163.7.55//swc/esd/05/273556262/guest/
    =   Success
   lastDownloadAttempt = 10:24:05 UTC Tue May 31 2011
    =   Download: http://vpersaud001@72.163.7.55//swc/esd/05/273556262/guest/IPS-sig-S570-req-E4.pkg
    =   Error: autoUpdate successfully selected a package (http://vpersaud001@72.163.7.55//swc/esd/05/273556262/guest/IPS-sig-S570-req-E4.pkg) from the cisco.com locator service, however, package download failed: Failed to receive the HTTP response
   lastInstallAttempt = 14:11:02 UTC Sat May 14 2011
   nextAttempt = 10:24:00 UTC Wed Jun 01 2011

Thanks.

Cisco Employee

Re: IDSM-2 Signature Updates from Cisco.com URL?

Vincent;

  It looks as if the IDSM-2's management IP address does not have access to 72.163.7.55, or the Websense is intercepting that access and causing an issue. The 198.133.219.25 address is used to determine if a new update is available. If an update is available, the IDSM-2 is redirected to another server to retrieve the actual signature update.

Scott

New Member

Re: IDSM-2 Signature Updates from Cisco.com URL?

Scott,

I allowed all IP access from the sensors out to the Internet and excepted all traffic from them to websense. They both updated. However, I'd like to restrict traffic to specific hosts or subnets. Do you know what server IPs are accessed for the updates? Bearing in mind this worked fine for about three years and only started having problems recently. Did something change on Cisco's side?

Thanks very much for your help.

Vincent

Cisco Employee

Re: IDSM-2 Signature Updates from Cisco.com URL?

Vincent;

  I do not have a list of specific IP addresses that are used for signature updates. At this time, the initial IP address for the check is hard-coded as 198.133.219.25. The servers hosting the signature updates were relocated; this apparently resulted in new IP addresses being assigned. I do not know the full range currently in use, but certainly adding an exception for the 72.163.7.0/24 should cover this new range.

Scott

New Member

Re: IDSM-2 Signature Updates from Cisco.com URL?

Thanks for your help. I'll work with those two ranges.

New Member

IDSM-2 Signature Updates from Cisco.com URL?

IPS will check if an update is available through 198.133.219.25/443 and will download it through 72.163.7.55/80, so if you have any firewall in between, try to configure both, and on the IPS level configure:

https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl

best regards,

bashar
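
The two-stage flow described in the replies above (locator check, then package download from a second server) can be read straight out of the `sh stat host` statistics. The following is an added example, not code from Cisco or from any poster in this thread: it parses the Auto Update Statistics block and reports which stage failed and which host and port the sensor needs to reach. The function names and the abridged sample output are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the 'sh stat host' output quoted in the thread;
# the username in the URL is a placeholder and the error line is abridged.
SAMPLE = """\
Auto Update Statistics
   lastDirectoryReadAttempt = 10:24:05 UTC Tue May 31 2011
    =   Read directory: http://user@72.163.7.55//swc/esd/05/273556262/guest/
    =   Success
   lastDownloadAttempt = 10:24:05 UTC Tue May 31 2011
    =   Download: http://user@72.163.7.55//swc/esd/05/273556262/guest/IPS-sig-S570-req-E4.pkg
    =   Error: package download failed: Failed to receive the HTTP response
"""

FIELD = re.compile(r"^\s*(\w+)\s*=")            # "   lastDownloadAttempt = <time>"
DETAIL = re.compile(r"^\s*=\s+(.*)$")           # "    =   Download: <url>"
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")     # dotted-quad literal (IPv4 only)

def parse_auto_update(text):
    """Map each statistics field to the '=' detail lines listed under it."""
    fields, current = {}, None
    for line in text.splitlines():
        if m := DETAIL.match(line):
            fields.setdefault(current, []).append(m.group(1).strip())
        elif m := FIELD.match(line):
            current = m.group(1)
    return fields

def endpoint(details):
    """Return (host, port) from a 'Read directory:' or 'Download:' detail line."""
    for d in details:
        if m := re.match(r"(?:Read directory|Download):\s*(\S+)", d):
            url = urlsplit(m.group(1))
            return url.hostname, url.port or {"https": 443, "http": 80}.get(url.scheme)
    return None, None

def diagnose(text):
    """List (stage, host, port, finding) for each failed or misconfigured stage."""
    stats, out = parse_auto_update(text), []
    for stage, key in (("directory", "lastDirectoryReadAttempt"),
                       ("download", "lastDownloadAttempt")):
        details = stats.get(key, [])
        host, port = endpoint(details)
        if host and not IPV4.fullmatch(host):   # thread: the updater does no DNS lookups
            out.append((stage, host, port, "URL uses a hostname; updater does no DNS lookups"))
        out += [(stage, host, port, d[7:]) for d in details if d.startswith("Error: ")]
    return out
```

Each finding names the host and port that the firewall, proxy or URL filter between the sensor's management address and the Internet has to permit for that stage.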

IDSM-2 Signature Updates from Cisco.com URL?

The following document discusses the IPS auto-update feature in more detail.  Please note that the auto-update locator server IP recently changed from 198.133.219.25 to 72.163.4.161.  The second document covers the steps required to change the IPS configuration to reflect the new IP address.

http://www.cisco.com/en/US/customer/products/sw/secursw/ps2113/products_tech_note09186a0080bd008f.shtml

https://supportforums.cisco.com/docs/DOC-27693
