New Member

IPS issues

All,

I recently installed IPS licences on two SA520Ws. On the first one I tried the evaluation licence, then installed a 1 year licence. On the second one I installed the 1 year licence directly. I use the SA520 simply as a security device directly on an ADSL line, to prevent users of the Wifi network from spreading trojans or starting P2P networks. Besides lots of problems with a dropped WAN link, a few observations:

  • There seems to be only one signature file (SBIPS000001); it is also the only one that I can find on the cisco site. For an evaluation this looks OK but after the upgrade of the eval version strange things happen. After some days, suddenly the file was upgraded to SBIPS000003, although I cannot find it on the site. The new end date does not show on the status, so no way to see what is actually in place.
  • On the blank SA520 installing the permanent licence shows SBIPS000001. But the end date shows OK.
  • Validate the PAK number for a second time : message failure.
  • No list of (valid) PAK numbers or licences in the device. Just the last one in the renew screen (even if it fails).
  • URL References in the logfile to signatures on the Cisco site show broken links. Example: http://tools.cisco.com/security/center/viewIpsLiteSignature.x?signatureId=2009-000259. Try to find the number in the security center site: no result.
  • Lots of log entries that look serious but no clue what to do with it.
  • The signature update shows your cisco user credentials (including PW) in plain text in the log. Not very nice. (command is /pfrm2.0/bin/ida_test_query  Paluijn01 **mypassword**  0). I replaced the password of course......
  • CPU performance. I have the feeling that the SA520W is very busy with starting up all kinds of things. Before everything is in place (time, firewall, Wireless, updates) 10-15 minutes is a safe time to start checking results of your reboot. IPS looks like one of the CPU intensive tasks. Today it took the second device more than 3 hours to drop below 10% load. Even that is high, compared to the other one <2% and no users on the network...
  • Sometimes it all stops..... After reconfiguration the Internet connection stops. At first I accused the modem and provider, but the diagnose screen shows a very nice working ping to the Cisco, or any site or IP address. The firewall: default policy outside allow all. Kill the IPS: no direct result, reboot, no success. Suddenly: It works! Reinstate the IPS: everything works, but for how long??

I think the SA520 is a perfect standoff device for small user groups, but these issues should be solved. I also bought the protect link licence. I do not dare to install it.

Please address these issues soon.

Paul
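The plain-text credential line reported in the post above is worth masking in any exported log before that log is shared; the following is an added example, not part of the original post and not Cisco code. Only the command path comes from the post: the argument order (username, password, trailing value) is assumed from the one quoted line, and the sample log lines, the function name `scrub` and the placeholders are constructed.

```python
import re

# Command path as quoted in the post. The argument order (user, password,
# trailing value) is an assumption based on that single quoted line.
CMD = re.compile(r"(/pfrm2\.0/bin/ida_test_query[ \t]+)(\S+)([ \t]+)(\S+)")
MIN_SECRET_LEN = 4  # do not propagate very short tokens such as "0"

# Constructed sample; timestamps, tags and the third line are invented.
SAMPLE_LOG = """\
Apr 10 09:14:02 [IPS] signature update started
Apr 10 09:14:03 [IPS] command is /pfrm2.0/bin/ida_test_query  exampleuser Examp1ePw!  0
Apr 10 09:14:09 [IPS] update retry with Examp1ePw! failed
Apr 10 09:15:00 [FW] default outbound policy: allow
"""


def scrub(text):
    """Mask credentials passed to ida_test_query.

    Returns (clean_text, line_numbers), where line_numbers lists every
    1-based line of the input that contained a credential.
    """
    secrets = {m.group(4) for m in CMD.finditer(text)
               if len(m.group(4)) >= MIN_SECRET_LEN}
    # Pass 1: mask both arguments on the command line itself.
    clean = CMD.sub(lambda m: f"{m.group(1)}<user>{m.group(3)}<password>", text)
    # Pass 2: mask the same password wherever else the log echoed it.
    for secret in sorted(secrets, key=len, reverse=True):
        clean = clean.replace(secret, "<password>")
    hits = [n for n, line in enumerate(text.splitlines(), 1)
            if CMD.search(line) or any(s in line for s in secrets)]
    return clean, hits


if __name__ == "__main__":
    cleaned, hits = scrub(SAMPLE_LOG)
    print(cleaned)
    print("lines that held credentials:", hits)
```

A password that has appeared in a log should also be changed, since masking a copy does not remove it from the device or from earlier exports.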

5 REPLIES
New Member

Re: IPS issues

Hi Paul,

Please see my comments inline and also my requests for more information.

  • There seems to be only one signature file (SBIPS000001); it is also the only one that I can find on the cisco site. For an evaluation this looks OK but after the upgrade of the eval version strange things happen. After some days, suddenly the file was upgraded to SBIPS000003, although I cannot find it on the site. The new end date does not show on the status, so no way to see what is actually in place.

>>>>SBIP000001 signature file is the latest one. SBIPS000003 file was a test signature file, which was briefly put on the site.

  • On the blank SA520 installing the permanent licence shows SBIPS000001. But the end date shows OK.

  • Validate the PAK number for a second time : message failure.

>>>>This is an expected behavior as the license server registers the PAK ID for the first time and will complain if it's done again.

  • No list of (valid) PAK numbers or licences in the device. Just the last one in the renew screen (even if it fails).

>>>> This is not a supported feature. List of PAK numbers can be seen on the license server site (http://wwwin-tools.cisco.com/SWIFT/SLT/viewSltHome.do)

  • URL References in the logfile to signatures on the Cisco site show broken links. Example: http://tools.cisco.com/security/center/viewIpsLiteSignature.x?signatureId=2009-000259. Try to find the number in the security center site: no result.
  • Lots of log entries that look serious but no clue what to do with it.
  • The signature update shows your cisco user credentials (including PW) in plain text in the log. Not very nice. (command is /pfrm2.0/bin/ida_test_query  Paluijn01 **mypassword**  0). I replaced the password of course......

>>>> If you have saved the log file, can you pass it over. Will get it fixed.

  • CPU performance. I have the feeling that the SA520W is very busy with starting up all kinds of things. Before everything is in place (time, firewall, Wireless, updates) 10-15 minutes is a safe time to start checking results of your reboot. IPS looks like one of the CPU intensive tasks. Today it took the second device more than 3 hours to drop below 10% load. Even that is high, compared to the other one <2% and no users on the network...
  • Sometimes it all stops..... After reconfiguration the Internet connection stops. At first I accused the modem and provider, but the diagnose screen shows a very nice working ping to the Cisco, or any site or IP address. The firewall: default policy outside allow all. Kill the IPS: no direct result, reboot, no success. Suddenly: It works! Reinstate the IPS: everything works, but for how long??

>>>> Will look into this.

Thanks,

Biraja

New Member

Re: IPS issues

Biraja,

Thanks for the response.

See my response in green. Look forward to the further response.

Regards,

Paul

New Member

Re: IPS issues

Hi Paul,

I did not see your responses in your post.

Can you post them again?

I could reproduce some of the issues (password shown in the logs) and will get them fixed in forthcoming release.

Thanks,

Biraja

New Member

Re: IPS issues

Biraja,

In the Rebound ! I removed the original questions.

Regards,

Paul

Version of Signature file

SBIP000001 signature file is the latest one. SBIPS000003 file was a test signature file, which was briefly put on the site.

R: OK. The end date the device reports still is 18th April 2010 while the 1 year licence is in place. We will see what happens after the 18th. Hope it will show the new end date!

Revalidate PAK number: failure

This is an expected behavior as the license server registers the PAK ID for the first time and will complain if it's done again.

R: OK

Overview of PAK licences on device

This is not a supported feature. List of PAK numbers can be seen on the license server site (http://wwwin-tools.cisco.com/SWIFT/SLT/viewSltHome.do)

R: OK, however the link does not work, perhaps wrong URL, or are they only visible by the cisco partner?

References to Signatures in log do not match web

If you have saved the log file, can you pass it over. Will get it fixed.

R: OK, great. Enclosed a recent log file.

Password in log file

R: OK

CPU performance

Will look into this.

R: OK. My latest impression is that the CPU performance is averaged over a longer time, so the longer you wait, the lower it gets. If that is the case, it is not a very usable thing to diagnose startup problems.

Unexpected block of system

R: OK. I suspect the automated update process of the IPS signature from this unexpected behavior. In the same period that the first device received the test version, the other one was having troubles. My suggestion is that you check IPS function, after the download of signature files fails for any reason. Perhaps a better controlled update process (fixed time) can help with this. Idem for firmware check / update.

New Member

Re: IPS issues

Hi Paul,

Officially SBIPS000003 is now available on Cisco.com.

With 1.1.21 firmware, the expiry time for currently used license is shown, but with forthcoming release, the expiry times for all the IPS licenses applied will be added up.

Can you check the site from where you have purchased the license PAK for the list of all the purchased PAK's?

I'll check the possibility of keeping the PAK history on the device.

I'll pass on the suggestions on the IPS upgrade process.

Will try to address most of your concerns with forthcoming release.

Thanks,

Biraja
