Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Errors installing MP 1.3.2 upgrade

I am attempting to install the 1.3.2 maintenance partition image on a 6500 IDSM-2 blade so I can upgrade to 4.1. I have tried two different servers (which work for sig updates.) I get past the URL and pw, and receive the "continuing will update the maintenance partition to 1.3.2- OK? I reply "yes" and nothing happens for about five minutes, then:

Using the Windows 2k pro FTP server, I get the message "error; exp. timeout" on the sensor

Using a Linux HTTP server, I get the message "error: connection failed" on the sensor

The MD5 checksum on the server images matches that on CCO. I signed on with the service account and looked in .../var/updates and its subdirectories and don't see the MP file. df says I have 15 GB free, so space isn't the problem.

What am I doing wrong?

/Chris Thomas, UCLA ATS

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Errors installing MP 1.3.2 upgrade

On the Linux FTP Server you might try running tcpdump to monitor the ftp connection between the sensor and the Linux FTP Server.

You will be able to see if the FTP Server is returning any errors to the sensor like invalid login errors, or file not found errors.

Worst case scenario you can try:

1) Create a service account

2) Login as the service account

3) Manually ftp the file from the ftp server to the service account's hoem directory on the sensor.

4) Login as the standard cisco account

5) configure terminal

6) Accept the sensors's own ssh key as a ssh server key: "ssh host-key 10.1.1.1"

NOTE: Replace 10.1.1.1 with your sensor's ip address.

7) Now you access the file through the sensor's own scp server for the upgrade or copy command: scp://johndoe@10.1.1.1/filename

Replace johndoe with your service account username

Replace 10.1.1.1 with your sensor ip address

Replace filename with the MP filename

4 REPLIES
Cisco Employee

Re: Errors installing MP 1.3.2 upgrade

On the Linux FTP Server you might try running tcpdump to monitor the ftp connection between the sensor and the Linux FTP Server.

You will be able to see if the FTP Server is returning any errors to the sensor like invalid login errors, or file not found errors.

Worst case scenario you can try:

1) Create a service account

2) Login as the service account

3) Manually ftp the file from the ftp server to the service account's hoem directory on the sensor.

4) Login as the standard cisco account

5) configure terminal

6) Accept the sensors's own ssh key as a ssh server key: "ssh host-key 10.1.1.1"

NOTE: Replace 10.1.1.1 with your sensor's ip address.

7) Now you access the file through the sensor's own scp server for the upgrade or copy command: scp://johndoe@10.1.1.1/filename

Replace johndoe with your service account username

Replace 10.1.1.1 with your sensor ip address

Replace filename with the MP filename

New Member

Re: Errors installing MP 1.3.2 upgrade

Thanks, Marcoa. BTW, I enjoyed your session last week at NW 2003.

I tried FTPing from the service account, and that completes immediately (0.8 sec) with no problem. I'll try sniffing another UPDATE from the user account and see what I find.

Is this possibly a problem with the IDSM being busy. I have a small amount of traffic SPANned to it, but a ps aux on the sensorApp processes shows a peak of maybe 5% CPU.

/Chris

Cisco Employee

Re: Errors installing MP 1.3.2 upgrade

Glad you enjoyed the session.

I don't think the problem is with the IDSM being busy. I would have to venture that maybe mainApp is seeing prompts from the FTP Server that it can't recognize or maybe your username, password, or filename in your upgrade command are misspelled.

I would be interested in seeing what the sniffing of the FTP connection shows.

New Member

Re: Errors installing MP 1.3.2 upgrade

I found part of the problem. My linux server is multihomed, and I used an IP not in the sensor's trusted list. When I set up the sniffer, I used the correct IP and it worked like a charm. It would be nice if the update command gave a "success" message rather than just returning. I booted off the 1.3.2 partition, and it looks fine.

The following might be of use to other customers with Linux servers: I'm using a Linux freeware HTTP server called Tiny HTTP. It's trivial to install and has nice security options (like only listening on my private network interface). And it communicates with the IDSM properly.

I'm running Redhat Linux 9.0. The stock FTP server is VSFTP (very secure FTP). The IDSM-2 does not seem to communicate properly with this server. From a sniffer, the comm proceeds OK until vsftp says "230 Login successful. Have fun." at which point the IDSM2 hangs and never sends another packet. That's why I'm using Tiny HTTP.

I have also been unsuccessful in trying to get SCP to work to a Linux server. I notice that the only servers Cisco supports seem to be Windows and Solaris. Since a growing number of customers will have Linux machines (and a decreasing number, Solaris), it would be nice to have some supported Linux options.

I still don't know why my (supported) Windows FTP server is failing, and I will have to sniff that.

Thanks for the help!

/Chris

99
Views
0
Helpful
4
Replies
CreatePlease to create content