06-10-2009 07:46 AM - edited 03-10-2019 04:39 AM
Hello,
I am having issues with the IPS sensor not doing the global correlation updates. The IPS module has access to the internet and I can ping the server which serves the updates. Anything else to be checked?
06-10-2009 07:52 AM
To add to the previous post, I am seeing the following error:
08Jun2009 collaborationApp[465] rep/E A global correlation update failed: openConnection: Caught IpAddrException badAddrString
Messages, like this one, in the category - Reputation update failure - were logged 24 times in the last 7200 seconds.
06-10-2009 11:54 PM
the issue that you are experiencing is due to a new feature that is turned on by default in the 7.0(1)E3 called Global Correlation. You are receiving the health critical messages because the IPS is not setup to allow the Global Correlation updates. You can turn this
Global Correlation feature off in IME by going to Configuration->Policies->Global
Correlation and turning off the Inspection/Reputation and Network Participation settings.
If you want to use this feature you will need to setup a proxy or DNS on the
IPS
06-11-2009 05:24 AM
Hi Ashish,
I understand that Global Correlation is a new feature. I am trying to get it to work so that it can go fetch updates but it doesnt work. The IPS module has the required DNS servers listed and also Internet connection. But still it doesnt work.
Thanks,
G
06-11-2009 06:10 AM
Have you configured DNS or proxy server as per
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli
_setup.html#wpxref67214
06-11-2009 06:15 AM
Hi Ashish,
I have configured the DNS servers and the IPS module can ping the DNS server. I can also ping the IP address to which IPS is going to go to download the updates from.
Thanks,
G
06-22-2009 05:06 AM
sorry for the late response...
You may be hitting CSCsy29617 Sensor unable to download global correlation update files
06-22-2009 05:56 AM
You need to setup a static NAT for the IPS address. That is kind of left out/hidden in the configuration documents.
06-22-2009 05:59 AM
Hi guys,
Thanks for your responses. I figured out what the issue was. I didnt have Network Participation turned on. As soon as I turned it on and restarted the module, everything seems to work fine. I dont have static NAT entry for it.
Thanks,
G
08-24-2009 08:55 AM
I was having issues updating the Global Correlation feature as well. From a packet capture, I found that the sensor was trying to open an http connection to two IP addresses (97.65.135.170 and 97.65.135.137). After I allowed this in addtion to the update-manifest.ironport.com IP address for https, the updates started working.
I do not have Network Participation enabled.
Mark
09-15-2009 07:49 AM
Try adding some or all the following IP addresses for access to the device:
204.15.82.17
207.15.82.17
97.65.135.170
97.65.135.137
208.90.57.73
209.107.213.40
198.133.219.25
77.67.85.33
77.67.85.9
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: