Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

CS-MARS Upgrade 4.1.1

Has anyone here upgraded MARS from 3.4.x to 4.1.1? I seem to be experiencing some interesting issues, in terms of a lack of events / sessions are no longer being reported (looking at graphs from the point of upgrade there is a significant drop in reported data.). Its almost like my devices were dropped.

Just curious if anyone else has attempted an early upgrade.

3 REPLIES
New Member

Re: CS-MARS Upgrade 4.1.1

Hi,

I have upgrade the boxes to 4.1.1 and still have to integrate the devices. Can you just elaborate on the problem.

Thnxs

New Member

Re: CS-MARS Upgrade 4.1.1

Hi,

We upgraded to 4.1.1 and we seem to have a problem where IPS v5 events aren't being process correctly. Also appears that the password listed for the IPS device was changed/corrupted during the 4.1.1 upgrade and we had to manually change it back.

Good Luck.

New Member

Re: CS-MARS Upgrade 4.1.1

We have two PN-200's in our infrastructure, with approximately ~80 4235's IDSs pointed at them, ~70 PIX 525/535's, 3 Checkpoints, and 12 VPN 3000 concentrators.

We were running 3.4.4 with only a few minor problems, but updated one of our test boxes to 4.1.1. The update went OK, and added the new features, but introduced 3 problems specific to the 4.1.1 code:

1. Device Set reporting within customixed reports, or any canned reports that use the device set field, no longer report the device. Top reporting devices DO work, however.

2. The case/ticketing system is broken, in that any reports attached to it seem to have their data corrupted once attached to a ticket.

Ongoing problems have been that in the email reporting, the javascripts in the body of the email (to emulate a web page I'm assuming) are corrupted, and hang Notes. Also, the graphics are not embedded into the email, but are sent with href links, so since our CS-MARS appliances are in a DMZ not accessible by Notes, the images (ala graphs) are not displayed.

The 4.1.1 code did, however, introduce a separate, more severe problem in our production box, that results in us not being able to batch any reports (it only lets us run them inline) and reports longer than 7-9 hours don't typically finish. I feel I've narraowed it down to a fault with the PNPARSER service that seems to restart fairly often (at least every hour, usually every few minutes), as well as the superV service.

I've got 4 TAC cases open on this particular issue, and have been waiting a week or so for a resolution to the last problem. The rest are fairly minor that I feel can be addressed with either a hotfix or the 4.1.2 update. My last problem however is more sever.

As to your specific problem, which type of device appear to be dropped? What all do you have pointed at your appliance? Cisco IDS has always been the problem for us, and if that's it, I may have some tips. I've gotten pretty good at troubleshooting these devices.

91
Views
0
Helpful
3
Replies
CreatePlease to create content