Double check.

j.lolley
Level 1

I currently have a sensor version 3.0(1)S5 operating with a director 2.2.3, signature (4) communicating via IPsec. By my own testing I am receiving alerts, although I'm not sure if I'm receiving everything. Different testing alerts I would run with earlier versions are not registering now, although some are. Does this version setup look accurate; is there something I could be missing?

Thanks in advance.

1 Reply

marcabal
Cisco Employee

You do have the latest versions loaded.

When you say that "Different testing alerts I would run with earlier versions are not registering now, although some are," are you saying that with 2.5 (or 2.2.1.x) sensors you would receive all of the alarms, but now that you have loaded 3.0 you are no longer receiving all of the alarms?

If so, the first thing to check would be the severity level of the alarms that you are watching for, and make sure that they were not accidentally changed during the upgrade process.

The next thing that could be happening is that you might be seeing a side effect of our new feature in 3.0 known as alarm summarization. Some alarms fire quite often under normal conditions and others fire often under attack conditions. To prevent these alarms from flooding the management console, these alarms were placed in summarization mode. So the first time the alarm fires it will generate an alarm, but then it starts counting alarms, and instead of sending every subsequent alarm it sends a single summary alarm with the count of how many alarms it saw during a time interval.

For more information on the new Summarization feature you can refer to the 3.0 documentation:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids6/13346_01.htm#28460
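
A simplified model of the summarization behaviour described in the reply above, added here as an example; it is not Cisco's code or the sensor's actual algorithm. The 30-second interval, the `SIG_A`/`SIG_B` names and the choice to count only the suppressed alarms in the summary are assumptions, and the event list is constructed.

```python
from collections import namedtuple

# One message as the management console would receive it.
Alert = namedtuple("Alert", "time sig kind count")

def summarize(events, interval=30.0):
    """Model of alarm summarization for time-sorted (timestamp, signature) events.

    Assumptions: one fixed interval per signature, started by the first alarm;
    the summary counts only the alarms suppressed after that first one.
    """
    open_windows = {}   # sig -> [window_start, suppressed_count]
    sent = []

    def close(sig):
        start, suppressed = open_windows.pop(sig)
        if suppressed:
            sent.append(Alert(start + interval, sig, "summary", suppressed))

    for t, sig in events:
        # An alarm arriving after the interval ends closes the old window first.
        if sig in open_windows and t >= open_windows[sig][0] + interval:
            close(sig)
        if sig not in open_windows:
            sent.append(Alert(t, sig, "alarm", 1))   # first hit is sent as-is
            open_windows[sig] = [t, 0]
        else:
            open_windows[sig][1] += 1                # later hits are only counted
    for sig in list(open_windows):
        close(sig)
    return sorted(sent, key=lambda a: a.time)

def accounted_for(sent):
    """Total underlying alarms represented by what the console received."""
    return sum(a.count for a in sent)

# Constructed test traffic: SIG_A fires 10 times in 9 s, SIG_B once, SIG_A again later.
SAMPLE = sorted([(float(i), "SIG_A") for i in range(10)]
                + [(5.0, "SIG_B"), (100.0, "SIG_A")])

if __name__ == "__main__":
    for alert in summarize(SAMPLE):
        print(alert)
    print(len(SAMPLE), "alarms fired,", len(summarize(SAMPLE)), "messages at the console")
```

When validating a sensor after an upgrade, comparing the sum of the counts against the number of test events sent, rather than the number of console entries, shows whether alarms are actually missing or only summarized.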