
New 4235, upgrading sigs...variation #1

pbobby
Level 1

Brand new 4235 that I've rebuilt using the 4.0(1)S37 build CD.

Following the successful installation, and post configuration, I installed 4.1(1)S47 without a hitch.

BTW I tried the install both with and without the int0 interface running.

Now I try to install 4.1(1)S51 and get the following error:

Broadcast message from root (Thu Sep 4 05:32:00 2003):

Applying update IDS-sig-4.1-1-S51. This may take several minutes.

Please do not reboot the sensor during this update.

Broadcast message from root (Thu Sep 4 05:38:49 2003):

Error sending sensorApp control transaction. Restoring old signatures and rebooting

Broadcast message from root (Thu Sep 4 05:38:49 2003):

Un-install complete. sensorApp restarting, this may take serveral minutes.


shawn.posthumus
Level 1

I was experiencing the same issues. I believe it was due to the amount of traffic being monitored at the time on the sensor. After disabling the sensing interface, the upgrades completed successfully.

The following is taken from the readme to disable the sensing interface:

1. To disable the sensing interface of a sensor, follow these steps:

a. Log in as cisco on the sensor.

b. Enter the sensor configuration mode by typing the following:

configure terminal

c. Enter the sensing interface configuration mode by typing the following:

interface sensing

where is int0 for IDS-4210, IDS-4220, IDS-4235, IDS-4250-TX

int2 for IDS-4250-SX, IDS-4250-XL

int7 for WS-SVC-IDSM2

d. Disable the interface by typing the following:

shutdown

2. Apply the signature update as described above.

3. To reenable the sensing interface of a sensor, follow these steps:

a. Log in as cisco on the sensor.

b. Enter the sensor configuration mode by typing the following:

configure terminal

c. Enter the sensing interface configuration mode by typing the following:

interface sensing

where is int0 for IDS-4210, IDS-4220, IDS-4235, IDS-4250-TX

int2 for IDS-4250-SX, IDS-4250-XL

int7 for WS-SVC-IDSM2

d. Enable the interface by typing the following:

no shutdown

Yes I agree. I indicated I had tried to install the patch both with and without the interface being enabled.

A side note, the attempt to install the patch actually took longer with the interface disabled, but in the end, still the same error.


Oops, sorry about that, I missed that initially.

Although even doing this, a few times I had to upgrade like 3 times for it to finally work.

rwassom
Level 1

How long after the 4.1(1)S47 upgrade did you try to update to S51? It takes the system some time to build cache files in the background. If you attempt to update the software during this time, the update will fail.

I now have an open TAC Case.

I did try to update to S51 quite quickly after upgrading to S47, but that was yesterday. I tried once more to upgrade to S51 and still it failed.

However I'll remember this issue in the future; it's one of those hidden things that only affects users during new builds of sensors and getting them up to level ;)

Associated with this TAC Case is the fact that my 4235 sensor is reporting "Running *really* low on DMA Buffers" every 10 minutes.

My assigned TAC Engineer is researching the issue, and suspects they may be related (although the upgrade to S47 went smoothly).

One other thing you can try: I had more success upgrading one step at a time. Doing S47 -> S48 -> S49 etc. seemed to work more reliably for us.

You should typically only see the "Running *really* low on DMA Buffers" message immediately after a fresh installation. I'm not sure why you would continue to see it after ~5 minutes or so of system uptime. Are you logging a lot of information on this system? Is it seeing traffic at all when you get this message? Where are you seeing the message displayed, on a monitor/terminal or in log files?

So far, without having configured much about the sensor beyond the basic setup, I'm not sure what the sensor is doing.

It certainly is plugged in to a busy part of my network, but I haven't tempered down any of the signatures, nor explicitly enabled any IP Logging.

The TAC engineer working on the case suggested upgrading to S49 first, but unfortunately that's no longer on the website. I'll be hearing from him soon.

S49 and other outdated releases are stored in the Archives section on CCO, under the appropriate sensor type. Only software updates necessary to upgrade to the very latest service pack and sig update are stored in the Latest Software section. Since these updates are cumulative, the interim releases are archived to minimize confusion.

pbobby
Level 1

To close this thread, I have a working sensor.

I rebuilt it from scratch again, using the 4.0(1)S37 Build CD, but I disconnected the cable from the promiscuous interface.

Once the Sensor was rebuilt, and initial setup completed, I did the following:

configure terminal

int sensing int0

If the sensor did not respond with (along the lines of) "Busy updating configuration, try again later" I knew that the sensor was not in the middle of an update. BTW, is there a better way to check?

I then applied 4.1(1)S47, and allowed the update to finish and reboot the sensor. I performed the same check as above.

And again with 4.1(1)S51.

Once all was done, I reconnected the promiscuous interface. Which from now on I will leave unplugged during any initial build and subsequent upgrade.

Cheers.


Don't know if this is the right way or not, but I have been doing a show conf. When it reports the full configuration with all the sigs and filters, you know it has finished.
