New Member

[IOS IPS 15.1T2] Auto-update from Cisco not working

Hello,

I have a very standard Cisco 2921 with ip ips on a 15.1(2)T2 IOS. I have a valid data license but it would not get the signature updates from Cisco.

When I do "debug ip ips auto-update" and wait for the next update schedule, it says:

Router#
Translating "www.cisco.com"...domain server (xxx.xxx.xxx.xxx) [OK]

Fail to connect to cisco.com
Nov 20 01:52:53.114: IPS Auto Update: ida_connect() failed.
Nov 20 01:52:53.114: IPS Auto-update: Request for download failed!
Nov 20 01:52:53.114: %IPS-4-IPS_AUTO_UPDATE_LOAD_FAILED: IPS Auto Update unable to load IPS signature file from cisco
Nov 20 01:52:53.114: Timezone and summer-time offset in seconds = 3600
Nov 20 01:52:53.114: IPS Auto Update: setting update timer for next update: 1 hrs 0 min

Router#show license feature
Feature name             Enforcement  Evaluation  Subscription   Enabled
ipbasek9                 no           no          no             yes
securityk9               yes          yes         no             yes
uck9                     yes          yes         no             no
datak9                   yes          yes         no             yes
gatekeeper               yes          yes         no             no
SSL_VPN                  yes          yes         no             no
ios-ips-update           yes          yes         yes            no
SNASw                    yes          yes         no             no
hseck9                   yes          no          no             no
WAAS_Express             yes          yes         no             no

My config in short:

ip name-server xxx.xxx.xxx.xxx
!
ip inspect name FW-INET ftp
ip inspect name FW-INET icmp router-traffic
ip inspect name FW-INET udp router-traffic
ip inspect name FW-INET tcp router-traffic
!
ip ips config location flash:ips retries 1
ip ips deny-action ips-interface
ip ips notify SDEE
no ip ips notify log
ip ips name IPS-INET list 177
!
ip ips signature-category
  category all
   retired true
  category ios_ips
   retired false
  category ios_ips advanced
   retired false
!
ip ips auto-update
 occur-at weekly 0-6 52 0-23
 cisco
  username xxxxxxxxxx password xxxxxxxxxxxxxxxxxx
!
password encryption aes
!
license udi pid CISCO2921/K9 sn xxxxxxx
!
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
   30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
   00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
   17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
   B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
   5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
   FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
   50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
   006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
   2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
   F3020301 0001
  quit
!
interface GigabitEthernet0/0
 description Connected to the Internet
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
 ip access-group 102 in
 ip inspect FW-INET out
 ip ips IPS-INET in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description Connected to the Inside Switch
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
!
access-list 102 permit .................(some internal servers)
access-list 102 deny ip any any
access-list 177 deny ...................(deny some traffic we do not want to scan)
access-list 177 permit ip any any       (permit all other traffic)
access-list 177 deny ip any any
!
ntp server xxx.xxx.xxx.xxx

I searched very, very long for solutions, but there is very little about the 'cisco' (ip ips auto-update) command because it's quite new in 15.1T. I even removed all access lists but nothing works. I can ping www.cisco.com from the router itself... I am out of options here..

Roel

25 REPLIES
Cisco Employee

Re: [IOS IPS 15.1T2] Auto-update from Cisco not working

Unfortunately with IOS IPS, you can't auto update directly from cisco.com. You can only auto update from your internal TFTP server.

Here is the URL for your reference:

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ips_v5.html#wp1053549

Quoted from the URL:

"With Cisco IOS IPS 5.0, customers can now configure automatic signature updates from local servers."


Example of configuration:

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ips_v5.html#wp1079125

Hope that answers your question on why it's not working.

New Member

Re: [IOS IPS 15.1T2] Auto-update from Cisco not working

Jennifer,

Since IOS 15.1T, there is a command "cisco" within the "ip ips auto-update" command, if you enter that command, you should also enter the username, password and occur-at parameters. It also says that you can't use the "url" parameter then.

Otherwise... why is this "cisco" command available at all.. ?

Kind regards,

Roel

Cisco Employee

Re: [IOS IPS 15.1T2] Auto-update from Cisco not working

You are absolutely right, Roel.

It does support auto update from cisco.com.

Here is the configuration line that you would need to add for direct auto update from cisco.com:

http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_ips5_sig_fs_ue_ps10591_TSD_Products_Configuration_Guide_Chapter.html#wp1138659

Hope that helps.

New Member

Re: [IOS IPS 15.1T2] Auto-update from Cisco not working

Jennifer,

As you can see in my first post, I tried that.

Thanks for the url, I added the command: "ida-client server url https://www.cisco.com/cgi-bin/front.x/ida/locator/locator.pl" to the config.

I also tried a 'manual' update by typing: "ips signature update cisco username xxxxxx password xxxxxx".

It still gives me this output:

Translating "www.cisco.com"...domain server (xxx.xxx.xxx.xxx) [OK]

Fail to connect to cisco.com
Nov 20 01:52:53.114: IPS Auto Update: ida_connect() failed.
Nov 20 01:52:53.114: IPS Auto-update: Request for download failed!
Nov 20 01:52:53.114: %IPS-4-IPS_AUTO_UPDATE_LOAD_FAILED: IPS Auto Update unable
to load IPS signature file from cisco

What can I do? Can I debug more than this? Or is the Cisco.com website not ready for this auto-update functionality..?

It is not showing "Bad username" or "timeout".. I don't have a clue...

I removed all access-lists from the router. I am able to ping to www.cisco.com from the router.

Cisco Employee

Re: [IOS IPS 15.1T2] Auto-update from Cisco not working

Can you please try with the following:

"ida-client server url https://www.cisco.com//cgi-bin/front.x/ida/locator/locator.pl"

as the other IPS uses the "double slashes" between cisco.com and cgi-bin.

New Member

Re: [IOS IPS 15.1T2] Auto-update from Cisco not working

Jennifer,

When I use the url "ida-client server url https://www.cisco.com//cgi-bin/front.x/ida/locator/locator.pl" (with two slashes instead of one slash after cgi-bin), I get exactly the same errors. It still doesn't work.

Roel Broersma

Re: [IOS IPS 15.1T2] Auto-update from Cisco not working

There was an error from Cisco's side that caused the updates to fail.

Please check now, this is the notification from Cisco:

"There was an issue where IPS sensors configured to automatically update signatures are unsuccessful.

The issue has been corrected, and automatic signature updates should be functioning as expected."

Please rate if helpful

regards

Farrukh

New Member

Re: [IOS IPS 15.1T2] Auto-update from Cisco not working

Farrukh,

I still have the same problems/errors.  I tried with both  ida-client  urls.

Roel

Re: [IOS IPS 15.1T2] Auto-update from Cisco not working

Does your router have correct DNS settings?

Can you try putting the IP address instead of www.cisco.com

Regards

Farrukh

New Member

Re: [IOS IPS 15.1T2] Auto-update from Cisco not working

Farrukh,

It has correct DNS settings. I can ping www.cisco.com.

I even put "ip host www.cisco.com 88.221.32.170" in my config (a static host/ip mapping, like a hosts file, assuming that www.cisco.com is the only URL which is used for auto-update?).

Is there any way I can get more debugging? For some reason it wouldn't connect.. I am stuck at the errors..

Roel

Cisco Employee

Re: [IOS IPS 15.1T2] Auto-update from Cisco not working

Roel, www.cisco.com is not 88.221.32.170, so "ip host www.cisco.com 88.221.32.170" is incorrect.

Can you also test that your CCO ID work fine by going to cisco.com download site to manually download the signature file. Just wanted to confirm that the CCO ID that you use for the auto update is working correctly.

New Member

Re: [IOS IPS 15.1T2] Auto-update from Cisco not working

Jennifer,

Yes, my account works, it's by the way the same account as this forum post. I can download the signatures manually using this account.

When I do a ping here (from The Netherlands), it says: e144.cd.akamaiedge.net [88.221.32.170]. Probably www.cisco.com has more IPs. However, I removed the static host mapping, it's translating OK, so that couldn't be the problem.

What else can I try / debug? When exactly does this error message fire? (when it can't make a socket.. when it can't connect..? I want to know more exactly but the debugging is limited).

Kind regards,

Roel

Re: [IOS IPS 15.1T2] Auto-update from Cisco not working

Hello

I would use the traffic export feature on the router or the SPAN feature on the switch (if the WAN cable is not directly terminated on the router) to capture the concerned traffic and analyze it.

Regards

Farrukh

New Member

Re: [IOS IPS 15.1T2] Auto-update from Cisco not working

Hi Roel,

I have the same problem and tried all links and hints following this thread ... we have still the same error messages. Our Hardware is a 1921/K9

ABC#show license feature
Feature name             Enforcement  Evaluation  Subscription   Enabled
(...)
ios-ips-update           yes          yes         yes            no
(...)

ABC#show ip ips auto-update
IPS Auto Update Configuration
  URL               : Direct Download from Cisco.com
  Username          : NISITNETC
  Encrypted password: XxXxXxXxXxXxXxXxXxXxXxXx
  Auto Update Intervals
    minutes (0-59)           : 17
    hours (0-23)             : 20
    days of month (1-31)     :
    days of week: (0-6)      : 0-6
    Next scheduled load time : 53 seconds

Jul 16 xxx: IPS Auto Update: ida_connect() failed.
Jul 16 xxx: IPS Auto-update: Request for download failed!
Jul 16 xxx: %IPS-4-IPS_AUTO_UPDATE_LOAD_FAILED: IPS Auto Update unable to load IPS signature file from cisco
Jul 16 xxx: Timezone and summer-time offset in seconds = 7200
Jul 16 xxx: IPS Auto Update: setting check timer to check for next update: 3 hrs 42 min

Did you solve it yet? Happy to get some updates about this issue!!

Cisco Employee

Re: [IOS IPS 15.1T2] Auto-update from Cisco not working

Did some searching and found cases where this was caused by the lack of a certificate chain for cisco.com in a trustpoint on the router (since the Auto/Cisco.com Update URL is HTTPS not HTTP). Here is a copy of the steps used by another user successfully:

1.) Open MS Internet Explorer and navigate to https://www.cisco.com/cgi-bin/front.x/ida/locator/locator.pl .

2.) After authenticating there will be a "lock" icon on the right-side of the address bar (mouse over will say "Security Report"). Click on the lock and choose 'View Certificates'.

3.) Click the 'Certification Path' tab. The path should be something like: VeriSign > VeriSign Class 3 Secure Server CA - G2 > www.cisco.com.

4.) Click on VeriSign (root) and click the 'View Certificate' button.

5.) Click on the 'Details' tab and click the 'Copy to File…' button.

6.) Follow the wizard; for the Export File Format choose 'Base-64 encoded X.509 (.CER)'.

7.) Save the file, name it "root.cer".

8.) Repeat steps 4 - 7 for the sub-CA (VeriSign Class 3 Secure Server CA - G2), and name this file "subca.cer".

9.) Open the file root.cer in a plain-text text editor (Notepad).

10.) On the router create a trustpoint (root):

crypto pki trustpoint root
 enrollment terminal
 revocation-check none

11.) The file (root.cer)'s content will look like:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Copy the lines that are between the BEGIN and END lines only.

12.) Router(config)# crypto ca authen root

Follow the prompt and paste the certificate data here -> hit Enter and type 'quit'.

13.) Open the file subca.cer in a plain-text text editor (Notepad).

14.) Create another trustpoint (rootVeriSub):

crypto pki trustpoint rootVeriSub
 enrollment terminal
 revocation-check none

15.) Copy its content (just like in step 11).

16.) Router(config)# crypto ca authen rootVeriSub

Follow the prompt and paste the certificate data (just like in step 12).

You should now have the certificate chain to validate www.cisco.com. Confirm that the router's clock is correct/accurate then test/check the Auto/Cisco.com Update feature again. If it still fails, does it fail with the same error?
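As an added example (not from this thread and not Cisco's code), a small preflight check in Python for the chain-import steps above and for the clock check in the same post: it extracts the lines between BEGIN and END that get pasted at the "crypto ca authenticate" prompt (step 11), confirms that subca.cer was actually issued by root.cer, and confirms that both certificates are valid at the router's current time. The sample certificates are constructed inside the script with placeholder keys and signatures (signature validation is the router's job, as the "Certificate validated - Signed by existing trustpoint CA certificate" line shows); only the Python standard library is used.

```python
import base64
from datetime import datetime, timezone

# --- minimal DER reader: just enough to reach the X.509 fields the check needs ---
def _tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV that starts at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n, pos = ln & 0x7F, pos + (ln & 0x7F)
        ln = int.from_bytes(buf[pos - n:pos], "big")
    return tag, buf[pos:pos + ln], pos + ln

def _children(content):
    pos = 0
    while pos < len(content):
        tag, body, pos = _tlv(content, pos)
        yield tag, body

def _time(tag, body):                               # 0x17 UTCTime, 0x18 GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(body.decode(), fmt).replace(tzinfo=timezone.utc)

def pem_body(pem_text):
    """The lines between BEGIN/END: exactly what is pasted at the
    'crypto ca authenticate' prompt. Raises if the paste is not clean base64."""
    lines = [l.strip() for l in pem_text.splitlines() if l.strip()]
    inner = [l for l in lines if not l.startswith("-----")]
    base64.b64decode("".join(inner), validate=True)
    return "\n".join(inner)

def tbs_fields(der):
    """Serial, issuer, subject (raw DER Names) and validity window of a certificate."""
    _, cert, _ = _tlv(der)                          # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert)                          # tbsCertificate is its first element
    items = list(_children(tbs))
    if items[0][0] == 0xA0:                         # optional explicit [0] version
        items = items[1:]
    serial, _sigalg, issuer, validity, subject = items[:5]
    not_before, not_after = [_time(t, b) for t, b in _children(validity[1])]
    return {"serial": int.from_bytes(serial[1], "big"), "issuer": issuer[1],
            "subject": subject[1], "not_before": not_before, "not_after": not_after}

def cert_from_pem(pem_text):
    return tbs_fields(base64.b64decode(pem_body(pem_text)))

def preflight(root_pem, subca_pem, now):
    """Findings that would make the router reject the chain; an empty list means OK."""
    root, sub = cert_from_pem(root_pem), cert_from_pem(subca_pem)
    findings = []
    if sub["issuer"] != root["subject"]:
        findings.append("subca.cer was not issued by root.cer (issuer != subject)")
    for name, c in (("root.cer", root), ("subca.cer", sub)):
        if not c["not_before"] <= now <= c["not_after"]:
            findings.append(f"{name} not valid at {now:%Y-%m-%d %H:%M} UTC: check the router clock")
    return findings

# --- constructed sample certificates (placeholder key and signature bytes; this
#     script parses structure only and does no signature validation) ---
def _der(tag, content):
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _name(cn):          # Name ::= SEQUENCE OF SET OF { id-at-commonName, UTF8String }
    atv = _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))

def make_cert_pem(subject, issuer, not_before, not_after, serial):
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    alg = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B")) + _der(0x05, b""))
    spki = _der(0x30, alg + _der(0x03, b"\x00" * 17))            # placeholder key
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes([serial])) + alg
               + _name(issuer) + _der(0x30, utc(not_before) + utc(not_after))
               + _name(subject) + spki)
    der = _der(0x30, tbs + alg + _der(0x03, b"\x00" * 33))       # placeholder signature
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

NB, NA = datetime(2011, 1, 1, tzinfo=timezone.utc), datetime(2021, 1, 1, tzinfo=timezone.utc)
ROOT = make_cert_pem("Constructed Root CA", "Constructed Root CA", NB, NA, 1)
SUBCA = make_cert_pem("Constructed Sub CA", "Constructed Root CA", NB, NA, 2)
OTHER_ROOT = make_cert_pem("Some Other Root CA", "Some Other Root CA", NB, NA, 3)
WHEN_OK = datetime(2011, 7, 19, 14, 54, tzinfo=timezone.utc)   # router clock as in the thread
WHEN_LATE = datetime(2025, 1, 1, tzinfo=timezone.utc)           # a clock outside the validity window

if __name__ == "__main__":
    print(preflight(ROOT, SUBCA, WHEN_OK) or "chain OK; lines to paste at the prompt:")
    print(pem_body(ROOT))
```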

New Member

Re: [IOS IPS 15.1T2] Auto-update from Cisco not working

Hello Dustin,

thx for your step-by-step script. I went through it - please see my documentation:

conf t
crypto pki trustpoint root
 enrollment terminal
 revocation-check none
crypto ca authen root
!
! Enter the base 64 encoded CA certificate.
! End with a blank line or the word "quit" on a line by itself
!


quit
!
! Certificate has the following attributes:
!       Fingerprint MD5: CA3DD368 F1035CD0 32FAB82B 59E85ADB
!      Fingerprint SHA1: 97817950 D81C9670 CC34D809 CF794431 367EF474
!
! % Do you accept this certificate? [yes/no]: yes
! Trustpoint CA certificate accepted.
! % Certificate successfully imported
!
crypto pki trustpoint rootVeriSub
 enrollment terminal
 revocation-check none
crypto ca authen rootVeriSub
!
! Enter the base 64 encoded CA certificate.
! End with a blank line or the word "quit" on a line by itself
!


quit
!
! Certificate has the following attributes:
!       Fingerprint MD5: 5617F2E7 4C2045F3 E78F6D42 4DBFB890
!      Fingerprint SHA1: B393EAAD 4B4DF83E 081BEB9C 5C932D38 0161C209
! Certificate validated - Signed by existing trustpoint CA certificate.
!
! Trustpoint CA certificate accepted.
! % Certificate successfully imported

router#sh run
! (...)
!
crypto pki trustpoint root
 enrollment terminal
 revocation-check none
!
crypto pki trustpoint rootVeriSub
 enrollment terminal
 revocation-check none
!
!
crypto pki certificate chain root
 certificate ca 01A5


        quit
crypto pki certificate chain rootVeriSub
 certificate ca 07271446


        quit
! (...)

But at the end, the debugging shows this again:

Jul 18 17:46:xxx: IPS Auto Update: ida_connect() failed.
Jul 18 17:46:xxx: IPS Auto-update: Request for download failed!
Jul 18 17:46:xxx: %IPS-4-IPS_AUTO_UPDATE_LOAD_FAILED: IPS Auto Update unable to load IPS signature file from cisco
Jul 18 17:46:xxx: Timezone and summer-time offset in seconds = 7200
Jul 18 17:46:xxx: IPS Auto Update: setting check timer to check for next update: 4 hrs 14 min

Any idea to debug ?!

Cisco Employee

Re: [IOS IPS 15.1T2] Auto-update from Cisco not working

Couple items to check:

  1. Is the router's clock set correctly/accurately?
  2. Can the configured CCO UserID successfully manually download files containing cryptography from cisco.com? I.e. if you navigate in a web browser to cisco.com and attempt to download a signature definition update package file manually, does this succeed? (Periodically, it may be necessary to attempt this to ensure that the CCO UserID has accepted the latest version of the cryptography/export agreement).
  3. Is outbound Internet access (for the router) open/allowed for DNS, HTTP, and HTTPS?
  4. Does the router have a valid/working DNS server(s) configured (so it can resolve www.cisco.com)?
  5. Have you configured the IOS IPS crypto key on this router? Details for this can be found in the "Step 3" section of the Getting Started guide, here.

If none of the above explain the behavior, reviewing a packet capture taken when an update attempt is made would be a good next step.

New Member

Re: [IOS IPS 15.1T2] Auto-update from Cisco not working

> Is the router's clock set correctly/accurately?

I think so:

router#show ntp status
Clock is synchronized, stratum 8, reference is 127.127.1.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**24
reference time is D1CFFD0E.DD105433 (14:54:38.863 UTC Tue Jul 19 2011)
(...)
system poll interval is 16, last update was 12 sec ago.

> Can the configured CCO UserID successfully manually download files containing cryptography from cisco.com?

Yes !

> Is outbound Internet access (for the router) open/allowed for DNS, HTTP, and HTTPS?

Zone-Based-Firewall has "self" to "internet" open with tcp and udp.

> Does the router have a valid/working DNS server(s) configured (so it can resolve www.cisco.com)?

Yes:

router#ping www.cisco.com
Translating "www.cisco.com"...domain server (62.xxx.xxx.x)
(...)
Sending 5, 100-byte ICMP Echos to 84.53.164.170, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

> Have you configured the IOS IPS crypto key on this router?

Yes. Manual download and compiling is working and flash gets updates via internet ...

What can I do now?

Cisco Employee

Re: [IOS IPS 15.1T2] Auto-update from Cisco not working

> What can I do now?

Take and review a packet capture(s) to attempt to determine/confirm that the router is in-fact able to reach out to cisco.com (and receive a response), etc.

Is there a proxy (or caching system, content filter, traffic optimizer/shaper, etc.) that could be affecting the router's HTTP/HTTPS access?

New Member

Re: [IOS IPS 15.1T2] Auto-update from Cisco not working

> Take and review a packet capture(s) to attempt to determine/confirm that the router is in-fact able to reach out to cisco.com (and receive a response), etc.

I will check it with an audit with the zone-pair "self-WAN" ...

> Is there a proxy (or caching system, content filter, traffic optimizer/shaper, etc.) that could be affecting the router's HTTP/HTTPS access?

No.

New Member

[IOS IPS 15.1T2] Auto-update from Cisco not working

I tried the update with

     Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.2(2)T

but still the same error message. Did someone get it working - IOS IPS with automatic signature updates?

Cisco Employee

Re: [IOS IPS 15.1T2] Auto-update from Cisco not working

FYI, I filed a defect for this behavior/problem (after some extensive testing/recreate work in my lab) about a month ago:

CSCtw75750 (IOS IPS: Auto-update Unable to Load IPS Signature File from cisco.com)

Aside from that defect, there are a multiple reasons why the feature can fail in this manner. Examples / known potential causes:

  1. The device does not have a valid DNS server(s) ('ip name-server') configured and is not able to resolve 'www.cisco.com' to a valid/correct IP address.
  2. The device does not have the necessary (unobstructed/unmodified) connectivity/access to reach cisco.com (DNS, HTTP, and HTTPS).
  3. The device does not have an appropriate/valid certificate chain/trustpoints for cisco.com configured.
  4. The device clock is not correct/accurate.
  5. The configured CCO Account credentials (Username/Password) are incorrect/invalid.
  6. The configured CCO Account has not accepted the latest version of the cryptography/export agreement on cisco.com.
  7. The configured CCO Account is not entitled (via an Active SMARTnet / IPS Services contract) to download IPS Signature Definition Update Packages.

Last year when you were troubleshooting this issue you did check many/all of those items, but since so much time has passed since then, it would be worthwhile to check them all again to be sure they are not causes.

After that, review the Release Note for the defect above... if your encounter of this behavior is caused by that defect, the workaround listed should work successfully. If that is the case, then this specific defect is the cause for you. If the workaround does not succeed, then one or more of the above items is a/the cause.

Cisco Employee

[IOS IPS 15.1T2] Auto-update from Cisco not working

Hello guys,

I noticed the issue, I noticed the discussion, but I haven't noticed a working response for IOS IPS 15.

I followed Dustin Ralich's guide and I had to do the following:

  1. use the link "ida-client server url https://www.cisco.com/cgi-bin/front.x/ida/locator/locator.pl"
  2. created the trustpoint root
  3. imported the certificate for www.cisco.com
  4. created the trustpoint for L3 from VeriSign
  5. imported the certificate from VeriSign;
  6. entered the autoupdate menu #ip ips auto-update
  7. set the "cisco" auto-update path;
  8. set the occurrence
  9. set the username and password
  10. verified the update with "debug ip ips auto-update" and "debug ida-client"
  11. update successful

New Member

Re: [IOS IPS 15.1T2] Auto-update from Cisco not working

Hello,

It appears that attempts to get IPS auto-update working (whether by ensuring that password is not 8 characters long, or using the workaround of manual update) may be moot. It looks like Cisco has not released a new IPS Signature package since March 28th (S636).

Signature updates in the format suitable for use with Cisco Configuration professional (Cisco IOS Intrusion Prevention System Signatures for Cisco Configuration Professional) are still being released (latest is S647), but not files in the format that IOS auto-update seems to require (Cisco IOS Intrusion Prevention System Feature Software).

From my debug output:

073605: .May 24 12:21:43.923 BST: IPS Auto-update: Request for download is skipped

073606: .May 24 12:21:43.923 BST: %IPS-6-IPS_AUTO_UPDATE_DOWNLOAD_UNNEEDED: Signature package on this device is already the latest version

And "show ip ips signatures" reports "Cisco SDF release version S636.0".

Regards,

Bob McChesney

Message was edited by: Bob McChesney
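An added example (not from this thread): a small Python monitor over the %IPS auto-update syslog messages quoted throughout the thread, so that a router whose signature updates quietly keep failing gets noticed. It separates IPS_AUTO_UPDATE_LOAD_FAILED (no contact with cisco.com) from IPS_AUTO_UPDATE_DOWNLOAD_UNNEEDED (contact succeeded, nothing newer to fetch) and compares the installed SDF release from "show ip ips signatures" with the latest release the operator knows of; the log and show lines are constructed samples in the formats shown above, including the sequence-number and timezone prefix from Bob's output.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the 'debug ip ips auto-update' / syslog format quoted in this
# thread (not a real capture). Lines with a leading sequence number and a timezone
# token ("000123: .Jul 19 20:17:02.455 CEST:") are accepted as well.
SAMPLE_LOG = """\
Jul 16 20:17:03.114: IPS Auto Update: ida_connect() failed.
Jul 16 20:17:03.114: IPS Auto-update: Request for download failed!
Jul 16 20:17:03.114: %IPS-4-IPS_AUTO_UPDATE_LOAD_FAILED: IPS Auto Update unable to load IPS signature file from cisco
Jul 16 20:17:03.114: Timezone and summer-time offset in seconds = 7200
Jul 17 20:17:05.201: %IPS-4-IPS_AUTO_UPDATE_LOAD_FAILED: IPS Auto Update unable to load IPS signature file from cisco
Jul 18 20:17:04.990: %IPS-4-IPS_AUTO_UPDATE_LOAD_FAILED: IPS Auto Update unable to load IPS signature file from cisco
000123: .Jul 19 20:17:02.455 CEST: IPS Auto-update: Request for download is skipped
000124: .Jul 19 20:17:02.455 CEST: %IPS-6-IPS_AUTO_UPDATE_DOWNLOAD_UNNEEDED: Signature package on this device is already the latest version
"""
SAMPLE_SHOW = "Cisco SDF release version S636.0\n"   # constructed 'show ip ips signatures' line
NOW = datetime(2011, 7, 19, 21, 0)                     # constructed 'current time' for the demo

LINE = re.compile(r"^(?:\d+: )?\.?(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d)"
                  r"(?:\.\d+)?(?: [A-Z]{3,4})?: %IPS-\d-(?P<mnemonic>[A-Z_]+):")
OUTCOME = {"IPS_AUTO_UPDATE_LOAD_FAILED": "failed",          # never reached cisco.com
           "IPS_AUTO_UPDATE_DOWNLOAD_UNNEEDED": "contacted"}  # reached it, nothing newer

def parse_attempts(text, year):
    """(timestamp, outcome) per %IPS auto-update line; IOS omits the year, so it is supplied."""
    attempts = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m and m["mnemonic"] in OUTCOME:
            ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['hms']}", "%Y %b %d %H:%M:%S")
            attempts.append((ts, OUTCOME[m["mnemonic"]]))
    return attempts

def sdf_release(show_output):
    """Installed signature release number from 'show ip ips signatures' (e.g. 636)."""
    m = re.search(r"Cisco SDF release version S(\d+)", show_output)
    return int(m.group(1)) if m else None

def assess(attempts, now, installed, latest_known, max_failures=3, max_silence=timedelta(days=7)):
    """Alert on a run of failed attempts, on no contact with cisco.com for max_silence,
    or on an installed package older than the latest release you know of."""
    alerts, streak = [], 0
    for _, outcome in attempts:
        streak = streak + 1 if outcome == "failed" else 0
    if streak >= max_failures:
        alerts.append(f"{streak} consecutive IPS auto-update failures")
    last_contact = max((ts for ts, o in attempts if o == "contacted"), default=None)
    if last_contact is None or now - last_contact > max_silence:
        alerts.append(f"no successful contact with cisco.com within the last {max_silence.days} days")
    if installed is not None and latest_known is not None and installed < latest_known:
        alerts.append(f"installed signature package S{installed} is behind S{latest_known}")
    return alerts

if __name__ == "__main__":
    attempts = parse_attempts(SAMPLE_LOG, 2011)
    for alert in assess(attempts, NOW, sdf_release(SAMPLE_SHOW), 647):
        print("ALERT:", alert)
```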
