- Need to upgrade 30 sensors from IDS4.1.5.S204 to V5x.
- Upon applying IPS-K9-maj-5.0-1-S149.rpm.pkg the upgrade failed with the following error:
component "signatureDefinition" and the instance "sig0"
/signatures/[sig-id=2001,subsig-id=1]/engine/ -- the union does not have a member selected
- Downgraded sensor to 4.1.5 S201 and upgrade again failed.
- Ran "recover application-partition" and brought sensor to S47 and again no luck with upgrade.
Cisco said there is a bug in 4.1.5(S204) and our only choice is to reimage all sensors with the ISO Version 5 while waiting for the fix in the next version. Have you encountered this problem? What did you do to fix it.
That error is generally seen when the upgrade script was unable to convert the 4.x configuration to 5.x style configuration.
As part of the Signature Update installation on a verison 4.x sensor, there are 5.x signature files stored on the sensor. When the 5.x upgrade happens the upgrade script looks for these 5.x signature files for use in converting the 4.x config to 5.x.
Sometimes these 5.x signature files don't get properly installed on the sensor during the signature upgrade process.
There is also another situation where if a 5.0 upgrade files, then as part of the failure recovery the 5.0 upgrade is removing those 5.x signature files from the 4.x sensor. This causes a follow on 5.0 upgrade to fail. This is a bug in the 5.0 upgrade script. When the 5.0 installation fails for some reason it was supposed to leave those 5.x signature files on the sensor so they could be used on the next attempt.
So it is possible that those 5.x signature files have been removed from your sensor accidentally.
Luckily there is an easy recovery method. Simple load the latest S206 signature update.
Also be aware that we have seen several failures in upgrading to 5.x because of space issues on the sensor. The S206 signature update has made changes to the NSDB to reduce the used space on the sensor. So loading S206 before upgrading to 5.x will help with any space problems being encountered during the 5.x upgrade.
The other possibility is that there may be something in your configuration for signature 2001 that does not translate properly to 5.0 configuration. So I would recommend deleting any tuning of your 2001 signature before attempting the 5.0 upgrade again.
In a worst case scenario you could also just re-image the entire sensor to 5.0 using either a System Image file (on the IDS-4215, IPS-4240, IPS-4255, IDSM-2, or NM-CIDS), or using the 5.x CD (for IDS-4210, IDS-4235, or IDS-4250). The System Images can be downloaded from the cisco web site. The 5.x CD would need to be ordered through the Product Upgrade Tool on the Cisco website (it is $0 cost for sensors under maintenance contracts).
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :