Autoupdate feature is not working on ASA-SSM-20 module.
We have configured:
We get these errors on the ASA-SSM-20 module:
evError: eventId=1280563964539644086 vendor=Cisco severity=error
time: nov 17, 2010 08:15:45 UTC offset=60 timeZone=GMT+01:00
errorMessage: AutoUpdate exception: Receive HTTP response failed [3,212] name=errSystemError
evError: eventId=1280563964539644079 vendor=Cisco severity=error
time: nov 17, 2010 08:10:02 UTC offset=60 timeZone=GMT+01:00
errorMessage: http error response: 400 name=errSystemError
How is your ASA SSM module connected? The port on the module needs to be connected to your network, and that needs to have Internet connectivity. You would need to check that the ip address/subnet assigned for your module is NATed on the ASA (if the ASA is the default gateway to the Internet), and if you have any access-list that would also need to allow the traffic.
The correct auto update URL is:
(i.e. the second and fourth URL you posted earlier).
Hi! The module is connected and has network connectivity. They have an external NTP server configured and this is working fine. The ASA has a rule to allow http/https/ntp connectivity and the ASA reflects connections; Global Correlation is also working OK (update-manifest.ironport.com) ... but ... if connected directly to the IPS via SSH and trying to ping and/or trace to any external IP network (internet), there is no response.
But if I sniff with Wireshark on internal and external interfaces of the ASA, I see traffic flowing between IPS and 22.214.171.124 server. Here's a snapshot of Wireshark
What is the version of the SSM module, and also what is the current signature pack? I am assuming that your SSM module license has not expired yet.
Product ID: ASA-SSM-20
Version: 7.0(4)E4 (650 days)
License Expiration Date: 29/08/2012
Actual Signature Version on ASA-SSM-20: S530 (updated via manual download to a PC and manual upload to ASA-SSM-20 via IME option)
Actual Signature Version Release: S531
Well, the license has expired (expired: 29/08/2010), that is why auto update does not work anymore. You would need to purchase the subscription license to be able to update the signature pack to the latest.
Was the auto update feature working previously?
Can you also confirm that the CCO account that you use works fine by going to www.cisco.com and try to download the signature pack manually.
Can you also check that the time on the IPS itself is correct (I understand that you sync it to an NTP server), but just want to double check if it does sync correctly and the time is correct on the IPS itself, and it's in the correct timezone, and the auto update schedule time is set to the same timezone.
1. No, autoupdate feature never worked .... we have tried several times, and we are trying to make it work now again.
2. CCO account is working fine, we are using it to manually download signatures from:
3. Yes, time on both IPS (we have two of them) is correct and synchronized with NTP server: 126.96.36.199. Timezone is the same on the Sensor Setup->Time configuration tab and the same is set on the Autoupdate Schedule time (GMT+1)
There is currently an open issue with automatic IPS updates on some platforms. Work is being performed internally to correct the issue.
For the current time you will need to manually apply signature updates.
Ok. If you/they need something, like Wireshark captures, or to run some test or something else, please let me know.
Thank you all!!!!!
Is there a problem with the website or the platform?
Are appliances 42xx affected?
My 4260 is showing the same symptoms, my auto update was working before. While my 4260 isn't working my MARS is flying on the updates.
I'd posted on this:
The issue is affecting specific platforms (the 4200 series appliances are affected).
Efforts are still underway to correct the issue. Until that time you can manually update the IPS signatures, or await word that the issue has been addressed.
There is not a bug ID as the issue is not with the IPS software/hardware itself. The IPS software is functioning as designed.
I cannot speak directly to the exact cause of the issue as it is being addressed by the business unit; but they have confirmed it is not a functional defect in the IPS software.
This issue has been resolved. Please set your sensors' Auto Update URL to the default and allow the update to run again. Let us know if you continue to experience issues.
Cisco TAC Escalation Team
I am experiencing a similar issue currently with a new SSC-5 module. I am working with TAC, however response has been slow. I can see traffic with Wireshark for 188.8.131.52 but I never see the traffic for 184.108.40.206 that I was told to allow on the firewall. I also found it confusing that I need to create exceptions on the firewall for outbound traffic to these two IP addresses when I do not have to make any exceptions for any other outbound traffic.
Here is what I see:
IPS_Sensor# show stat host
Auto Update Statistics
lastDirectoryReadAttempt = 09:03:09 GMT-06:00 Wed Jan 19 2011
= Read directory: https://220.127.116.11//cgi-bin/front.x/ida/locator/locator.pl
= Error: AutoUpdate exception: HTTP connection failed [1,110]
lastDownloadAttempt = N/A
lastInstallAttempt = N/A
nextAttempt = 11:00:00 GMT-06:00 Wed Jan 19 2011
Auxilliary Processors Installed
IPS_Sensor# show clock
.09:24:05 GMT-06:00 Wed Jan 19 2011
I know this thread is a few months old, but am hoping to spark an interest here.
I had a similar issue on a 4240, could never see the traffic for 18.104.22.168, had firewall open etc.
What fixed it for me was at my firewall, going from a static NAT rule for the appliance to a dynamic rule for inside network to outside interface.
I had the same issue on ASA-SSM-10, IPS version 7.0(6)E4.
Auto Update is working now with default URL https://22.214.171.124//cgi-bin/front.x/ida/locator/locator.pl
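Added example, not part of the thread or of any Cisco tooling: a small Python check that parses the "Auto Update Statistics" block of "show stat host", as posted above, and reports the conditions discussed here (failed directory read, no recent install, a scheduled attempt already in the past). The sample text is constructed, 192.0.2.10 is a documentation address, and the 7-day max_age and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the thread's "show stat host" excerpt (192.0.2.10 is a documentation IP).
SAMPLE = """\
Auto Update Statistics
   lastDirectoryReadAttempt = 09:03:09 GMT-06:00 Wed Jan 19 2011
    =   Read directory: https://192.0.2.10//cgi-bin/front.x/ida/locator/locator.pl
    =   Error: AutoUpdate exception: HTTP connection failed [1,110]
   lastDownloadAttempt = N/A
   lastInstallAttempt = N/A
   nextAttempt = 11:00:00 GMT-06:00 Wed Jan 19 2011
"""
TS = re.compile(r"(\d\d:\d\d:\d\d) GMT([+-])(\d\d):(\d\d) \w{3} (\w{3} \d{1,2} \d{4})")

def parse_ts(text):
    """Turn '09:03:09 GMT-06:00 Wed Jan 19 2011' into an aware datetime; None for N/A."""
    m = TS.search(text)
    if not m:
        return None
    clock, sign, hh, mm, date = m.groups()
    offset = timedelta(hours=int(hh), minutes=int(mm))
    tz = timezone(offset if sign == "+" else -offset)
    return datetime.strptime(f"{date} {clock}", "%b %d %Y %H:%M:%S").replace(tzinfo=tz)

def parse_auto_update(output):
    """Collect 'key = value' fields; lines starting with '=' extend the previous key."""
    stats, last_key = {}, None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("=") and last_key:
            label, _, value = line.lstrip("= ").partition(":")
            stats[f"{last_key}.{label.strip()}"] = value.strip()
        elif " = " in line:
            last_key, _, value = line.partition(" = ")
            stats[last_key] = value.strip()
    return stats

def assess(output, now, max_age=timedelta(days=7)):
    """Return findings a monitoring job could alert on (max_age is an assumed policy)."""
    s, findings = parse_auto_update(output), []
    if "lastDirectoryReadAttempt.Error" in s:
        findings.append(f"directory read failed: {s['lastDirectoryReadAttempt.Error']}")
    installed = parse_ts(s.get("lastInstallAttempt", ""))
    if installed is None or now - installed > max_age:
        findings.append("no signature install within max_age")
    nxt = parse_ts(s.get("nextAttempt", ""))
    if nxt and nxt < now:
        findings.append("nextAttempt is in the past")
    return findings
```

Pass `now` as a timezone-aware datetime from a trusted clock rather than the sensor's own, so a wrong sensor time or timezone shows up as a finding.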