VMS 2.3 IPS MC 2.2

mherald
Level 1

I am having difficulty with a VMS server, running IPS MC 2.2. When I try to push out a signature upgrade (regardless of signature level), I get an error. The error is "Object update failed. Unknown update type." Anyone have any idea how to fix this? I do have the signatures put into the correct folder, the signatures are in the drop down box to be chosen. Interestingly enough (as I copied some other files unintentionally) only files that deal with IPS/IDS come up as choosable. Under IPS 2.1, other files such as IOS for routers were available as well (although I doubt they would work).

I did start out with IPS MC 2.0, installed/upgraded IPS MC 2.1 and then upgraded/installed IPS MC 2.2.

1 Accepted Solution

You should not zip the file yourself.

For each signature update there are both .pkg files and .zip files that can be downloaded.

The .pkg file is what the sensor itself uses for updating.

The .zip file is what the IPS MC (VMS) uses for updates. The .zip file internally contains the same .pkg file needed by the sensor as well as a few additional files needed specifically by the IPS MC (VMS).

If you manually zip up the .pkg file the .zip will be missing the additional file that the IPS MC needs.

So if you are manually applying the update to the sensor then use the .pkg files available through links from this page:

http://www.cisco.com/kobayashi/sw-center/ciscosecure/ids/crypto/

BUT if you are pushing the updates through IPS MC then you need to download the .zip files available through links on this page:

http://www.cisco.com/cgi-bin/tablebuild.pl/mgmt-ctr-ids
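
A pre-import check built on the distinction drawn in the answer above, as an added example that is not part of the original thread or of Cisco's tooling: it flags an archive that holds only a .pkg (the hand-zipped case) and confirms that the embedded .pkg is byte-identical to the standalone sensor download. The member file names and sample bytes are constructed placeholders, since the page does not name the additional files the IPS MC needs.

```python
import hashlib
import io
import zipfile
from typing import Optional


def inspect_update_zip(zip_bytes: bytes, sensor_pkg: Optional[bytes] = None) -> dict:
    """Report what an update archive holds before it is imported into IPS MC."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        bad = zf.testzip()  # CRC check of every member
        if bad is not None:
            raise ValueError(f"corrupt archive member: {bad}")
        names = [n for n in zf.namelist() if not n.endswith("/")]
        pkgs = [n for n in names if n.lower().endswith(".pkg")]
        extras = [n for n in names if n not in pkgs]
        report = {
            "pkg_files": pkgs,
            "extra_files": extras,
            # A .pkg with nothing beside it is what a hand-made zip looks like.
            "hand_zipped": bool(pkgs) and not extras,
            "pkg_matches_sensor_copy": None,
        }
        if sensor_pkg is not None and len(pkgs) == 1:
            inner = hashlib.sha256(zf.read(pkgs[0])).hexdigest()
            outer = hashlib.sha256(sensor_pkg).hexdigest()
            report["pkg_matches_sensor_copy"] = inner == outer
    return report


def _make_zip(members: dict) -> bytes:
    """Build a constructed sample archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample data; names and contents are placeholders, not real Cisco files.
PKG = b"constructed stand-in for a sensor .pkg"
VENDOR_STYLE = _make_zip({"sig-placeholder.pkg": PKG, "mc-extra-placeholder.xml": b"<x/>"})
HAND_MADE = _make_zip({"sig-placeholder.pkg": PKG})

if __name__ == "__main__":
    for label, blob in (("vendor-style", VENDOR_STYLE), ("hand-made", HAND_MADE)):
        print(label, inspect_update_zip(blob, PKG))
```

A `hand_zipped` result of `True` means the archive cannot carry the extra files the management console expects, whatever its extension says.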


6 Replies

joe.oranday
Level 1

I think your problem was caused due to the installation of the CSCsc33696 patch. In the "post patch actions" section of the release notes, it says you have to re-import one of each of your device types.

hope that helps.

joe

Sorry, I left that part out. After the CSCsc33696 patch, I did re-import all the devices.

My problem occurs when I try to push a new signature to a device. After I choose the file, I get the error.

mkirbyii
Level 1

I was getting a similar error after upgrading to 2.2. I had to go back to 2.1 because I could not push out sig updates. Are you using 4.x, 5.x and IOS IPS? I am using only 5.x sensors and something that I noticed in my case is on the main page titled "devices" at the bottom it states "Latest 5.x signatures" = no updates (or something like this). Does yours list the proper sig level? TAC believes this was why I could push sigs. Even if I tried to reapply old sigs to the mc it would fail with the error.

On another note, I had a second issue that caused me to downgrade. When restarting the Ciscoworks services and then launch SECMON all my old events showed up in the event viewer. If I cleared them out or resolved them and restarted CWorks, they all came back! Not sure if you are having this issue too.

Unfortunately I needed to push sig 211 to 25 sensors and could not wait to troubleshoot, so I uninstalled, reinstalled and restored the db.

This is pretty much a new install of everything. The install are all IDSM-2 blades running 5.0(5), various signature levels (all S206+). There aren't any 4.x nor 5.1.

The interesting part, the VMS software that shipped with everything, was IPS MC 2.0, which doesn't work with IPS 5.0, so I upgraded to IPS MC 2.1. Everything worked except viewing the 5.0 signatures and updating signatures.

So I upgraded to IPS MC 2.2, now everything works except updating the signatures.

Another interesting part, under IPS MC 2.1, the blades all reported incorrectly to be appliances by icon. Now under IPS MC 2.2, they all report correctly to be blades.

Being this is pretty much a clean install, I can upgrade/downgrade the VMS server currently at any time. I am pretty much willing to try most anything. I may open a TAC case on this.

Here is what it says at the bottom of the intro page to IPS MC:

Latest signature level of IDS 4.x 4.1(5)S204

Latest signature level of IPS 5.x S211.0

Latest signature level of IOS IPS S204

I have found the issue. Going through all the docs, all the 3.x and 4.x signatures have .zip extensions. Now the signatures download in .pkg files. Once I zipped up the .pkg file, the VMS server was able to put the signature updates out.

What is further interesting, I was also able to push out the 5.0(5) upgrade with the VMS server. After selecting the 5.0(5) upgrade (in zipped form) only the sensors that needed the upgrade appeared in the panel to push the upgrade out to.
