11-19-2010 06:20 PM - edited 03-10-2019 05:11 AM
Hello,
I have a very standard Cisco 2921 with ip ips on a 15.1(2)T2 IOS. I have a valid data license but it would not get the signature updates from Cisco.
When i do: "debug ip ips auto-update" and wait for the next update schedule, it says:
Router#
Translating "www.cisco.com"...domain server (xxx.xxx.xxx.xxx) [OK]
Fail to connect to cisco.com
Nov 20 01:52:53.114: IPS Auto Update: ida_connect() failed.
Nov 20 01:52:53.114: IPS Auto-update: Request for download failed!
Nov 20 01:52:53.114: %IPS-4-IPS_AUTO_UPDATE_LOAD_FAILED: IPS Auto Update unable to load IPS signature file from cisco
Nov 20 01:52:53.114: Timezone and summer-time offset in seconds = 3600
Nov 20 01:52:53.114: IPS Auto Update: setting update timer for next update: 1 hrs 0 min
show license feature
Router#show license feature
Feature name     Enforcement  Evaluation  Subscription  Enabled
ipbasek9         no           no          no            yes
securityk9       yes          yes         no            yes
uck9             yes          yes         no            no
datak9           yes          yes         no            yes
gatekeeper       yes          yes         no            no
SSL_VPN          yes          yes         no            no
ios-ips-update   yes          yes         yes           no
SNASw            yes          yes         no            no
hseck9           yes          no          no            no
WAAS_Express     yes          yes         no            no
My config in short:
ip name-server xxx.xxx.xxx.xxx
!
ip inspect name FW-INET ftp
ip inspect name FW-INET icmp router-traffic
ip inspect name FW-INET udp router-traffic
ip inspect name FW-INET tcp router-traffic
!
ip ips config location flash:ips retries 1
ip ips deny-action ips-interface
ip ips notify SDEE
no ip ips notify log
ip ips name IPS-INET list 177
!
ip ips signature-category
 category all
  retired true
 category ios_ips
  retired false
 category ios_ips advanced
  retired false
!
ip ips auto-update
 occur-at weekly 0-6 52 0-23
 cisco
  username xxxxxxxxxx password xxxxxxxxxxxxxxxxxx
!
password encryption aes
!
license udi pid CISCO2921/K9 sn xxxxxxx
!
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
   30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
   00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
   17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
   B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
   5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
   FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
   50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
   006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
   2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
   F3020301 0001
  quit
!
interface GigabitEthernet0/0
 description Connected to the Internet
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
 ip access-group 102 in
 ip inspect FW-INET out
 ip ips IPS-INET in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description Connected to the Inside Switch
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
!
!
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
!
access-list 102 permit .................(some internal servers)
access-list 102 deny ip any any
access-list 177 deny ...................(deny some traffic we do not want to scan)
access-list 177 permit ip any any (permit all other traffic)
access-list 177 deny ip any any
!
ntp server xxx.xxx.xxx.xxx
I searched very long for solutions, but there is very little about the "cisco" (ip ips auto-update) command because it's quite new in 15.1T. I even removed all access lists but nothing works. I can ping www.cisco.com from the router itself... I am out of options here.
Roel
11-19-2010 11:10 PM
Unfortunately with IOS IPS, you can't auto update directly from cisco.com. You can only auto update from your internal TFTP server.
Here is the URL for your reference:
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ips_v5.html#wp1053549
Quoted from the URL:
"With Cisco IOS IPS 5.0, customers can now configure automatic signature updates from local servers."
Example of configuration:
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ips_v5.html#wp1079125
Hope that answers your question on why it's not working.
11-20-2010 05:59 AM
Jennifer,
Since IOS 15.1T, there is a command "cisco" within the "ip ips auto-update" command, if you enter that command, you should also enter the username, password and occur-at parameters. It also says that you can't use the "url" parameter then.
Otherwise... why is this "cisco" command available at all.. ?
Kind regards,
Roel
11-20-2010 04:13 PM
You are absolutely right, Roel.
It does support auto update from cisco.com.
Here is the configuration line that you would need to add for direct auto update from cisco.com:
Hope that helps.
11-21-2010 08:25 AM
Jennifer,
As you can see in my first post, I tried that.
Thanks for the url, I added the command: "ida-client server url https://www.cisco.com/cgi-bin/front.x/ida/locator/locator.pl" to the config.
I also tried a 'manual' update by typing: "ips signature update cisco username xxxxxx password xxxxxx".
It still gives me this output:
Translating "www.cisco.com"...domain server (xxx.xxx.xxx.xxx) [OK]
Fail to connect to cisco.com
Nov 20 01:52:53.114: IPS Auto Update: ida_connect() failed.
Nov 20 01:52:53.114: IPS Auto-update: Request for download failed!
Nov 20 01:52:53.114: %IPS-4-IPS_AUTO_UPDATE_LOAD_FAILED: IPS Auto Update unable to load IPS signature file from cisco
What can I do? Can I debug more than this? Or is the Cisco.com website not ready for this auto-update functionality?
It is not showing "Bad username" or "timeout"... I don't have a clue...
I removed all access-lists from the router. I am able to ping to www.cisco.com from the router.
11-21-2010 02:01 PM
Can you please try with the following:
"ida-client server url https://www.cisco.com//cgi-bin/front.x/ida/locator/locator.pl"
as the other IPS uses the "double slashes" between cisco.com and cgi-bin.
11-22-2010 03:04 AM
Jennifer,
When I use the url: "ida-client server url https://www.cisco.com//cgi-bin/front.x/ida/locator/locator.pl" (with two slashes instead of one slash after cgi-bin), i get exactly the same errors. It still doesn't work.
Roel Broersma
11-22-2010 05:19 AM
There was an error from Cisco's side that caused the updates to fail.
Please check now, this is the notification from Cisco:
"There was an issue where IPS sensors configured to automatically update signatures are unsuccessful.
The issue has been corrected, and automatic signature updates should be functioning as expected."
Please rate if helpful
regards
Farrukh
11-22-2010 05:33 AM
Farrukh,
I still have the same problems/errors. I tried with both ida-client urls.
Roel
11-22-2010 05:48 AM
Does your router have correct DNS settings?
Can you try putting the IP address instead of www.cisco.com
Regards
Farrukh
11-22-2010 05:58 AM
Farrukh,
It has correct DNS settings. I can ping www.cisco.com.
I even put "ip host www.cisco.com 88.221.32.170" in my config (a static host/IP mapping, like a hosts file, assuming that www.cisco.com is the only URL which is used for auto-update?).
Is there any way I can get more debugging? For some reason it wouldn't connect... I am stuck at the errors...
Roel
11-22-2010 04:04 PM
Roel, www.cisco.com is not 88.221.32.170, so "ip host www.cisco.com 88.221.32.170" is incorrect.
Can you also test that your CCO ID work fine by going to cisco.com download site to manually download the signature file. Just wanted to confirm that the CCO ID that you use for the auto update is working correctly.
11-23-2010 12:20 AM
Jennifer,
Yes, my account works, it's by the way the same account as this forum post. I can download the signatures manually using this account.
When I do a ping here (from The Netherlands), it says: e144.cd.akamaiedge.net [88.221.32.170]. Probably www.cisco.com has more IPs. However, I removed the static host mapping, it's translating OK, so that couldn't be the problem.
What else can I try / debug? When exactly does this error message fire? (When it can't make a socket? When it can't connect? I want to know more exactly, but the debugging is limited.)
Kind regards,
Roel
11-27-2010 05:47 AM
Hello
I would use the traffic export feature on the router or the SPAN feature on the switch (if the WAN cable is not directly terminated on the router) to capture the concerned traffic and analyze it.
Regards
Farrukh
07-16-2011 11:29 AM
Hi Roel,
I have the same problem and tried all links and hints following this thread... we still have the same error messages. Our hardware is a 1921/K9.
ABC#show license feature
Feature name     Enforcement  Evaluation  Subscription  Enabled
(...)
ios-ips-update   yes          yes         yes           no
(...)
ABC#show ip ips auto-update
IPS Auto Update Configuration
URL : Direct Download from Cisco.com
Username : NISITNETC
Encrypted password: XxXxXxXxXxXxXxXxXxXxXxXx
Auto Update Intervals
minutes (0-59) : 17
hours (0-23) : 20
days of month (1-31) :
days of week: (0-6) : 0-6
Next scheduled load time : 53 seconds
Jul 16 xxx: IPS Auto Update: ida_connect() failed.
Jul 16 xxx: IPS Auto-update: Request for download failed!
Jul 16 xxx: %IPS-4-IPS_AUTO_UPDATE_LOAD_FAILED: IPS Auto Update unable to load IPS signature file from cisco
Jul 16 xxx: Timezone and summer-time offset in seconds = 7200
Jul 16 xxx: IPS Auto Update: setting check timer to check for next update: 3 hrs 42 min
Did you solve it yet? Happy to get some updates about this issue!
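As an added example (not from anyone in this thread), a small Python parser over the debug lines posted above that works out how far the update got (name resolution, then the connect to cisco.com) and when the next attempt is due; the year is an assumption, since IOS timestamps carry none.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the debug lines pasted in this thread, with wrapped
# lines joined. IOS timestamps carry no year, so the caller supplies one.
SAMPLE_LOG = """\
Translating "www.cisco.com"...domain server (xxx.xxx.xxx.xxx) [OK]
Fail to connect to cisco.com
Nov 20 01:52:53.114: IPS Auto Update: ida_connect() failed.
Nov 20 01:52:53.114: IPS Auto-update: Request for download failed!
Nov 20 01:52:53.114: %IPS-4-IPS_AUTO_UPDATE_LOAD_FAILED: IPS Auto Update unable to load IPS signature file from cisco
Nov 20 01:52:53.114: Timezone and summer-time offset in seconds = 3600
Nov 20 01:52:53.114: IPS Auto Update: setting update timer for next update: 1 hrs 0 min
"""

# "Nov 20 01:52:53.114: <message>"; milliseconds optional, masked stamps ("Jul 16 xxx:") do not match.
TS_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2})(?:\.\d+)?: (?P<msg>.*)$")
RETRY_RE = re.compile(r"next update: (?P<h>\d+) hrs? (?P<m>\d+) min")
LOAD_FAILED = "%IPS-4-IPS_AUTO_UPDATE_LOAD_FAILED"

def analyse_ips_update_log(text, year):
    """Summarise how far an IOS IPS auto-update got.
    stage: 'dns' (name resolution failed), 'connect' (name resolved but the
    router never reached cisco.com, so no credential error is possible) or None."""
    result = {"dns_ok": None, "stage": None, "load_failed": 0,
              "last_failure": None, "next_attempt": None}
    for line in text.splitlines():
        if line.startswith('Translating "www.cisco.com"'):
            result["dns_ok"] = line.rstrip().endswith("[OK]")
            if not result["dns_ok"]:
                result["stage"] = "dns"
        elif line.startswith("Fail to connect") and result["stage"] is None:
            result["stage"] = "connect"
        if LOAD_FAILED in line:          # count even when the timestamp is masked
            result["load_failed"] += 1
        m = TS_RE.match(line)
        if not m:
            continue
        stamp = datetime.strptime(f"{m['mon']} {m['day']} {year} {m['time']}",
                                  "%b %d %Y %H:%M:%S")
        if LOAD_FAILED in m["msg"]:
            result["last_failure"] = stamp
        retry = RETRY_RE.search(m["msg"])
        if retry:                        # when IOS will retry, for staleness alerting
            result["next_attempt"] = stamp + timedelta(hours=int(retry["h"]),
                                                       minutes=int(retry["m"]))
    return result

if __name__ == "__main__":
    print(analyse_ips_update_log(SAMPLE_LOG, year=2010))
```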