[IOS IPS 15.1T2] Auto-update from Cisco not working

roel
Level 1

Hello,

I have a very standard Cisco 2921 with ip ips on 15.1(2)T2 IOS. I have a valid data license, but it will not get the signature updates from Cisco.

When I do "debug ip ips auto-update" and wait for the next update schedule, it says:

Router#
Translating "www.cisco.com"...domain server (xxx.xxx.xxx.xxx) [OK]

Fail to connect to cisco.com
Nov 20 01:52:53.114: IPS Auto Update: ida_connect() failed.
Nov 20 01:52:53.114: IPS Auto-update: Request for download failed!
Nov 20 01:52:53.114: %IPS-4-IPS_AUTO_UPDATE_LOAD_FAILED: IPS Auto Update unable
to load IPS signature file from cisco
Nov 20 01:52:53.114: Timezone and summer-time offset in seconds = 3600
Nov 20 01:52:53.114: IPS Auto Update: setting update timer for next update: 1 hrs 0 min

show license feature

Router#show license feature
Feature name             Enforcement  Evaluation  Subscription   Enabled
ipbasek9                 no           no          no             yes
securityk9               yes          yes         no             yes
uck9                     yes          yes         no             no
datak9                   yes          yes         no             yes
gatekeeper               yes          yes         no             no
SSL_VPN                  yes          yes         no             no
ios-ips-update           yes          yes         yes            no
SNASw                    yes          yes         no             no
hseck9                   yes          no          no             no
WAAS_Express             yes          yes         no             no

My config in short:

ip name-server xxx.xxx.xxx.xxx
!
ip inspect name FW-INET ftp
ip inspect name FW-INET icmp router-traffic
ip inspect name FW-INET udp router-traffic
ip inspect name FW-INET tcp router-traffic
!
ip ips config location flash:ips retries 1
ip ips deny-action ips-interface
ip ips notify SDEE
no ip ips notify log
ip ips name IPS-INET list 177
!
ip ips signature-category
  category all
   retired true
  category ios_ips
   retired false
  category ios_ips advanced
   retired false
!
ip ips auto-update
 occur-at weekly 0-6 52 0-23
 cisco
  username xxxxxxxxxx password xxxxxxxxxxxxxxxxxx
!
password encryption aes
!
license udi pid CISCO2921/K9 sn xxxxxxx
!
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
   30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
   00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
   17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
   B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
   5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
   FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
   50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
   006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
   2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
   F3020301 0001
  quit
!
interface GigabitEthernet0/0
 description Connected to the Internet
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
 ip access-group 102 in
 ip inspect FW-INET out
 ip ips IPS-INET in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description Connected to the Inside Switch
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
!
access-list 102 permit .................(some internal servers)
access-list 102 deny ip any any
access-list 177 deny ...................(deny some traffic we do not want to scan)
access-list 177 permit ip any any       (permit all other traffic)
access-list 177 deny ip any any
!
ntp server xxx.xxx.xxx.xxx

I searched very, very long for solutions, but there is very little about the 'cisco' (ip ips auto-update) command because it's quite new in 15.1T. I even removed all access lists, but nothing works. I can ping www.cisco.com from the router itself... I am out of options here.

Roel

25 Replies

Jennifer Halim
Cisco Employee

Unfortunately with IOS IPS, you can't auto update directly from cisco.com. You can only auto update from your internal TFTP server.

Here is the URL for your reference:

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ips_v5.html#wp1053549

Quoted from the URL:

"With Cisco IOS IPS 5.0, customers can now configure automatic signature updates from local servers."


Example of configuration:

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ips_v5.html#wp1079125

Hope that answers your question on why it's not working.

Jennifer,

Since IOS 15.1T, there is a command "cisco" within the "ip ips auto-update" command, if you enter that command, you should also enter the username, password and occur-at parameters. It also says that you can't use the "url" parameter then.

Otherwise... why is this "cisco" command available at all?

Kind regards,

Roel

You are absolutely right, Roel.

It does support auto update from cisco.com.

Here is the configuration line that you would need to add for direct auto update from cisco.com:

http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_ips5_sig_fs_ue_ps10591_TSD_Products_Configuration_Guide_Chapter.html#wp1138659

Hope that helps.

Jennifer,

As you can see in my first post, I tried that.

Thanks for the url, I added the command: "ida-client server url https://www.cisco.com/cgi-bin/front.x/ida/locator/locator.pl" to the config.

I also tried a 'manual' update by typing: "ips signature update cisco username xxxxxx password xxxxxx".

It still gives me this output:

Translating "www.cisco.com"...domain server (xxx.xxx.xxx.xxx) [OK]

Fail to connect to cisco.com
Nov 20 01:52:53.114: IPS Auto Update: ida_connect() failed.
Nov 20 01:52:53.114: IPS Auto-update: Request for download failed!
Nov 20 01:52:53.114: %IPS-4-IPS_AUTO_UPDATE_LOAD_FAILED: IPS Auto Update unable
to load IPS signature file from cisco

What can I do? Can I debug more than this? Or is the Cisco.com website not ready for this auto-update functionality?

It is not showing "Bad username" or "timeout"... I don't have a clue...

I removed all access-lists from the router. I am able to ping to www.cisco.com from the router.

Can you please try with the following:

"ida-client server url https://www.cisco.com//cgi-bin/front.x/ida/locator/locator.pl"

as the other IPS uses the "double slashes" between cisco.com and cgi-bin.

Jennifer,

When I use the URL "ida-client server url https://www.cisco.com//cgi-bin/front.x/ida/locator/locator.pl" (with two slashes instead of one slash after cgi-bin), I get exactly the same errors. It still doesn't work.

Roel Broersma

There was an error from Cisco's side that caused the updates to fail.

Please check now, this is the notification from Cisco:

"There was an issue where IPS sensors configured to automatically update signatures are unsuccessful.

The issue has been corrected, and automatic signature updates should be functioning as expected."

Please rate if helpful

regards

Farrukh

Farrukh,

I still have the same problems/errors.  I tried with both  ida-client  urls.

Roel

Does your router have correct DNS settings?

Can you try putting the IP address instead of www.cisco.com

Regards

Farrukh

Farrukh,

It has correct DNS settings. I can ping www.cisco.com.

I even put "ip host www.cisco.com 88.221.32.170" in my config (a static host/IP mapping, like a hosts file, assuming that www.cisco.com is the only URL which is used for auto-update?).

Is there any way I can get more debugging? For some reason it won't connect... I am stuck at the errors.

Roel

Roel, www.cisco.com is not 88.221.32.170, so "ip host www.cisco.com 88.221.32.170" is incorrect.

Can you also test that your CCO ID works fine by going to the cisco.com download site to manually download the signature file? Just wanted to confirm that the CCO ID that you use for the auto update is working correctly.

Jennifer,

Yes, my account works; it is, by the way, the same account as this forum post. I can download the signatures manually using this account.

When I do a ping here (from The Netherlands), it says: e144.cd.akamaiedge.net [88.221.32.170]. Probably www.cisco.com has more IPs. However, I removed the static host mapping; it's translating OK, so that couldn't be the problem.

What else can I try / debug? When exactly does this error message fire? (When it can't make a socket? When it can't connect? I want to know more exactly, but the debugging is limited.)

Kind regards,

Roel

Hello

I would use the traffic export feature on the router or the SPAN feature on the switch (if the WAN cable is not directly terminated on the router) to capture the concerned traffic and analyze it.

Regards

Farrukh

NISITNETC
Level 1

Hi Roel,

I have the same problem and tried all links and hints following this thread ... we have still the same error messages. Our Hardware is a 1921/K9

ABC#show license feature
Feature name             Enforcement  Evaluation  Subscription   Enabled
(...)
ios-ips-update           yes          yes         yes            no
(...)

ABC#show ip ips auto-update
IPS Auto Update Configuration
  URL               : Direct Download from Cisco.com
  Username          : NISITNETC
  Encrypted password: XxXxXxXxXxXxXxXxXxXxXxXx
  Auto Update Intervals
    minutes (0-59)           : 17
    hours (0-23)             : 20
    days of month (1-31)     :
    days of week: (0-6)      : 0-6
    Next scheduled load time : 53 seconds

Jul 16 xxx: IPS Auto Update: ida_connect() failed.
Jul 16 xxx: IPS Auto-update: Request for download failed!
Jul 16 xxx: %IPS-4-IPS_AUTO_UPDATE_LOAD_FAILED: IPS Auto Update unable to load IPS signature file from cisco
Jul 16 xxx: Timezone and summer-time offset in seconds = 7200
Jul 16 xxx: IPS Auto Update: setting check timer to check for next update: 3 hrs 42 min

Did you solve it yet? Happy to get some updates about this issue!
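Editor's added example (not code from the thread, from either poster, or from Cisco): a small triage script for exactly the two pieces of output pasted in this thread, the "show license feature" table and the "debug ip ips auto-update" lines, from both the 2921 in the opening post and the 1921 just above. It parses the license table into booleans, classifies each debug line into the stage it belongs to (DNS resolved, IDA connect failed, load failed, rescheduled), and prints findings the debug output does not spell out. Two points are this example's own, not facts the thread establishes: a successful ping proves only ICMP reachability, while the ida-client URL is https:// so the router needs router-sourced TCP/443; and both pasted license tables show the subscription feature ios-ips-update with Enabled=no, which the script flags on the assumption that the cisco.com download path is gated on that subscription. The sample strings are copied from the thread's pasted output with its masking left in place.

```python
"""Triage helper for Cisco IOS IPS auto-update failures (added example, not from the thread).

Parses two things a poster would paste, the 'show license feature' table and the
'debug ip ips auto-update' lines, and turns them into findings. Nothing here talks
to a router; the samples are copied from the thread's own output, masking included.
"""
import re

# Sample 1: 'show license feature' as pasted in the opening post (2921), masking kept.
SAMPLE_LICENSE = """\
Feature name             Enforcement  Evaluation  Subscription   Enabled
ipbasek9                 no           no          no             yes
securityk9               yes          yes         no             yes
uck9                     yes          yes         no             no
datak9                   yes          yes         no             yes
gatekeeper               yes          yes         no             no
SSL_VPN                  yes          yes         no             no
ios-ips-update           yes          yes         yes            no
SNASw                    yes          yes         no             no
hseck9                   yes          no          no             no
WAAS_Express             yes          yes         no             no
"""

# Sample 2: 'debug ip ips auto-update' as pasted in the opening post, masking kept.
SAMPLE_DEBUG = """\
Translating "www.cisco.com"...domain server (xxx.xxx.xxx.xxx) [OK]

Fail to connect to cisco.com
Nov 20 01:52:53.114: IPS Auto Update: ida_connect() failed.
Nov 20 01:52:53.114: IPS Auto-update: Request for download failed!
Nov 20 01:52:53.114: %IPS-4-IPS_AUTO_UPDATE_LOAD_FAILED: IPS Auto Update unable to load IPS signature file from cisco
Nov 20 01:52:53.114: Timezone and summer-time offset in seconds = 3600
Nov 20 01:52:53.114: IPS Auto Update: setting update timer for next update: 1 hrs 0 min
"""

# One data row of 'show license feature': a name followed by four yes/no columns.
LICENSE_ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<enforcement>yes|no)\s+(?P<evaluation>yes|no)\s+"
    r"(?P<subscription>yes|no)\s+(?P<enabled>yes|no)\s*$",
    re.MULTILINE,
)

# Debug lines in the order an update attempt emits them; first match per line wins.
DEBUG_PATTERNS = [
    ("dns_ok", re.compile(r'Translating "(?P<host>[^"]+)".*\[OK\]')),
    ("connect_failed", re.compile(r"Fail to connect to (?P<host>\S+)")),
    ("ida_connect_failed", re.compile(r"ida_connect\(\) failed")),
    ("download_request_failed", re.compile(r"Request for download failed")),
    ("load_failed", re.compile(r"%IPS-4-IPS_AUTO_UPDATE_LOAD_FAILED")),
    ("rescheduled", re.compile(r"for next update: (?P<hrs>\d+) hrs? (?P<min>\d+) min")),
]

def parse_license_features(text):
    """Map each feature name to its four yes/no columns as booleans."""
    cols = ("enforcement", "evaluation", "subscription", "enabled")
    return {m["name"]: {c: m[c] == "yes" for c in cols} for m in LICENSE_ROW.finditer(text)}

def disabled_subscriptions(features):
    """Subscription-type features the router lists but has not enabled."""
    return sorted(n for n, f in features.items() if f["subscription"] and not f["enabled"])

def classify_debug(text):
    """Return (stage, captured detail or None) for each recognised debug line, in order."""
    stages = []
    for line in text.splitlines():
        for stage, rx in DEBUG_PATTERNS:
            m = rx.search(line)
            if m:
                stages.append((stage, m.groupdict() or None))
                break
    return stages

def triage(debug_text, features):
    """Combine the debug stages with the license state into findings."""
    seen = {stage for stage, _ in classify_debug(debug_text)}
    findings = []
    if "dns_ok" in seen:
        findings.append("DNS: www.cisco.com resolved, so the name-server path is fine.")
    if seen & {"connect_failed", "ida_connect_failed"}:
        # The ida-client URL is https://, so this is a TCP/443 session sourced by the
        # router. A working ping proves ICMP only, not that router-sourced HTTPS gets
        # out past ACLs, inspection or an upstream proxy.
        findings.append("Transport: the IDA client never completed its HTTPS connection; "
                        "verify router-sourced TCP/443 to www.cisco.com, not just ICMP.")
    sub = features.get("ios-ips-update")
    if sub and sub["subscription"] and not sub["enabled"]:
        # Assumption of this example, not established in the thread: the ios-ips-update
        # subscription is what entitles the router to pull signatures from cisco.com.
        findings.append("License: ios-ips-update (subscription feature) shows Enabled=no; "
                        "confirm the signature subscription is active before more debugging.")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_DEBUG, parse_license_features(SAMPLE_LICENSE)):
        print("-", finding)
```

Run it as-is to see the three findings for the opening post's output, or paste in the 1921 output from the post above, which differs only in the timer line ("3 hrs 42 min") and produces the same findings. The stage list from classify_debug is also a quick way to see where an attempt stops: here DNS succeeds and the very next event is the connect failure, which is why the debug never gets as far as a "bad username" or timeout message.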
