Cisco ASA SSM-10 Global Correlation critical

Hello,
I have a high value for the Global Correlation parameter, which I generated; my IPS module is alarmed. How can I reset this value?
Additionally, the automatic updates do not work properly in the module. What could be the problem?
Thanks for your help.

Ensure DNS is configured on the sensor. It will need to communicate to receive updates. Also ensure you have a valid license.

Similar Messages

  • Correlating Cisco ASA-SSM-IPS Events/Logs

    I have just configured a Cisco ASA-SSM-IPS10. An exciting feature of this device is the ability to monitor, analyse, and correlate security events. Can anybody help with documentation to simplify daily (or periodic) analysis and correlation of the IPS logs? As I am not yet up to speed with this task, a "How-to" document would be just fine. Thank you.

    Hi Chris,
    Good to have you get on the case. I am yet to setup and ips manager software. Presently, I use an ASDM 6 interface, with this interface, I am able to view events and alerts, and perform other adminsitrative cores... The IPS manager express does it comes bundle with our device purchase? Does it contain necesary templates/docs for correlating events/Logs?

  • CISCO ASA SSM-10

    I have an ASA 5520 and a Cisco ASA SSM-10, but I'm not sure how to work with it. My problems are:
    1. What software do I need to get this to work?
    2. From the RJ45 connection on this module, where does it connect to?
    3. Give me a guide to configure it and test to see if it works.

    Hi,
    You need to do a couple of things to get this to work:
    1. Configuration on the ASA to forward the traffic to the module
    2. Choose whether you are going to run the IPS in inline or promiscuous mode
    3. Configure the IPS module
    Configuring the ASA to forward the traffic to the module:
    ! Choose one of: ips inline fail-open | ips inline fail-close |
    !                ips promiscuous fail-open | ips promiscuous fail-close
    access-list IPS extended permit ip any any
    class-map IPS
     match access-list IPS
    policy-map global_policy
     class IPS
      ips inline fail-open
    ! global_policy is the ASA's default policy-map; this service-policy line is normally already present
    service-policy global_policy global
    When you do this the ASA is configured to send the traffic to the module.
    Now you need to get into the IPS.
    You can get into it through the CLI on the ASA:
    session 1
    It will ask you for a username and password;
    both are cisco by default.
    Run the command setup
    and it will walk you through the initial configuration of the sensor.
    Once the sensor is configured,
    log in to the IDM
    and go to Configuration >> Policies and assign vs0 to the backplane interface of the module so that the signatures act on the traffic.
    You can connect the module in front of the IPS to the switch VLAN where the other interface exists, from where you want to see this traffic and want the IPS to come into action.
    Suppose you want to apply the IPS on the inside network:
    ASA inside interface IP: 192.168.1.1
    Module IP: 192.168.1.3, gateway 192.168.1.1
    Here the gateway for the module is the ASA inside interface.
    Now all the traffic going outbound or coming in from the inside interface will be monitored by the IPS.
    Now connect the Ethernet interface of the module to the same VLAN on the switch where your inside interface is connected.
    Now you can even manage the IDM of the IPS just like you manage the ASDM for the ASA; you just need to have your host/network allowed to gain access to it.
    Thanks

  • Swap Cisco ASA SSM-10 from dead firewall

    Good afternoon,
    I currently have 2 Cisco 5510 firewalls; one of the firewalls is completely dead but contains a Cisco ASA SSM-10. Can I remove this card and just place it into a working unit? Will I have any problems doing so?
    Regards
    Paul

    No, that shouldn't be a problem at all as the serial number of the SSM-10 module does not get linked to the actual ASA appliance.

  • "Global Correlation" = Critical - Cisco AIP-SSM-20

    We are getting this error on both IME and IDM. What causes this, and how does one resolve it?
    We are also not getting new events in IME - could this be related to the problem?

    Correct. The sensor must operate in inline mode so that the Global Correlation features can increase efficacy by being able to use the inline deny actions.
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/ime/ime_collaboration.html

  • IPS-4420 Global Correlation status critical

    How do I check on the IPS 4420 whether the Global Correlation license is there or not?
    On the IDS 4420 IDM event monitor page I am facing the two problems below:
    1. Event Retrieval       =========== Critical
    2. Global Correlation  =========== Critical.
    I configured the IPS box to get to the Internet without a proxy. But I don't know how to check whether the IPS is connected to the Cisco Global Correlation server.
    Why is it showing Critical on Event Retrieval and Global Correlation?

    Are you planning to use the Global Correlation feature?
    Here is the information on Global Correlation for your reference:
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_collaboration.html
    If you don't want to use that feature, you can disable it in the sensor health metric section so it's not showing Critical.
    Similarly, for Event Retrieval, you can just disable that in the sensor health metric section. This is only useful if your IPS events are retrieved by an external monitoring system, e.g. IME.
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_sensor_management.html#wp2117358

  • SSM-AIP 7.0(1) Global Correlation config nightmare!

    Thanks, Cisco, for creating a management nightmare with your "Global Correlation" option in version 7.0...
    Let's start with the SSM-AIP-20 management interface...
    We have an OOB management network, with a single POI into this through a separate PIX515E appliance. Both the ASA5540 AND the SSM-AIP-20 reside on this network.
    The first issue was in routing: since the ASA sees the management network as "directly attached", and we ROUTE the traffic through the PIX for updates on the SSM module, we had to add translation entries in the PIX515E for the SSM module (10.x.x.x management, 172.x.x.x translated).
    This was not a big issue, but here is where the nightmare begins...
    First a note: We have the management network locked down TIGHT; only a couple of network management stations are allowed into that network to access these devices.
    I enabled Global Correlation in test mode, but it "failed" every time it tried to update. Reading other posts, I created an ACL and static NAT in the PIX515E for these IPs:
    204.15.82.17 (IP listed in the IME Global Correlation update server)
    97.65.135.170 and .137 (from another post in these forums)
    207.15.82.17 (IP found in a trace)
    Still no updates. Looking in the PIX logs, I found "no translation" entries for the following addresses:
    198.133.219.25
    209.107.213.40
    208.90.57.73
    I put these in, and it started updating! FIXED? NOT!
    This morning, it was again failing... I looked in the PIX logs again and found these:
    77.67.85.33
    77.67.85.9
    Entered them, and the SSM is happy again. For how long? Who knows?
    So now I have NINE holes in my "secure" network, and who knows when Cisco will change or add new IP addresses to this list.
    Cisco, if you are listening - ALL access to/from Global Correlation through a single IP? PLEASE?
    (Use the one listed in the IME - 204.15.82.17, for the URL "update-manifests.ironport.com")

    A few of the addresses belong to Cisco (originally ironport.com addresses from the IronPort acquisition) and are used as manifest servers to provide the sensor a list of files to download.
    The sensor then downloads those files from Akamai servers. Akamai has a large number of servers across the world. Cisco sends the update to Akamai and they replicate it across their servers. When a sensor tries to connect to the Akamai server it does a DNS query, and by controlling the DNS response Akamai can direct the sensor to a server located nearer to it. This allows for better load balancing, response times, and download speeds.
    However, Akamai has a large number of servers (in the thousands, I think) worldwide, and you can't predict which server your specific sensor will be directed to.
    Sensor connections to the Cisco servers for the manifest (file list) are on port 443, and usually to update-manifests.ironport.com URLs.
    Sensor connections to the Akamai servers for the actual file downloads are on port 80, and usually to updates.ironport.com URLs.
    The above is all based on my limited understanding of how the updates work. I may have gotten a few details wrong, but it should at least give you a general idea.
    I will be working with development to get this better documented in the Release Notes and Readme with the next IPS software release.
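    The poster above was finding the blocked destinations by reading PIX logs by hand, one address at a time. The script below is an added example, not part of the thread and not Cisco code: it parses the two syslog message types involved (305005 "No translation group found" and 106023 "Deny ... by access-group", whose field layout is assumed to follow the ASA/PIX syslog message guide), keeps only flows sourced from the sensor's management address, and summarises the destinations by port so the manifest fetches (TCP/443) and the CDN file downloads (TCP/80) show up as two separate populations. The log lines are constructed for the example; 198.133.219.25 is the Cisco address quoted in the thread and the 192.0.2.x addresses are TEST-NET placeholders standing in for rotating CDN nodes.

```python
"""Triage ASA/PIX syslog for a sensor's blocked update traffic (added example)."""
import re
from collections import defaultdict

# 305005 (no translation group) and 106023 (denied by ACL) share the
# "proto src ifc:ip/port dst ifc:ip/port" shape. Format per the ASA syslog
# message guide; treat as an assumption and adjust if your platform differs.
_FLOW = re.compile(
    r"%(?:PIX|ASA)-\d-(?P<msgid>305005|106023).*?"
    r"(?P<proto>tcp|udp|icmp) src (?P<sifc>\w+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))?"
    r" dst (?P<difc>\w+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
)


def parse_blocked_flows(lines, sensor_ip):
    """Yield (msgid, proto, dst_ip, dst_port) for blocked flows sourced from sensor_ip."""
    for line in lines:
        m = _FLOW.search(line)
        if not m or m.group("src") != sensor_ip:
            continue
        port = int(m.group("dport")) if m.group("dport") else None
        yield m.group("msgid"), m.group("proto"), m.group("dst"), port


def summarize(lines, sensor_ip):
    """Group blocked destinations by (proto, port) -> sorted list of destination IPs."""
    groups = defaultdict(set)
    for _msgid, proto, dst, port in parse_blocked_flows(lines, sensor_ip):
        groups[(proto, port)].add(dst)
    return {key: sorted(ips) for key, ips in groups.items()}


def new_destinations(lines, sensor_ip, allowed):
    """Blocked destinations not yet in the allow list.

    A result that keeps growing on successive runs is the symptom the thread
    describes: the CDN pool is not a fixed set, so per-IP holes never converge.
    """
    seen = {dst for _m, _p, dst, _port in parse_blocked_flows(lines, sensor_ip)}
    return sorted(seen - set(allowed))


# Constructed sample log; not captured from a real device.
SAMPLE_LOG = """\
%PIX-3-305005: No translation group found for tcp src mgmt:10.10.10.20/41422 dst outside:198.133.219.25/443
%PIX-3-305005: No translation group found for tcp src mgmt:10.10.10.20/41423 dst outside:192.0.2.40/80
%PIX-3-305005: No translation group found for tcp src mgmt:10.10.10.20/41424 dst outside:192.0.2.73/80
%ASA-4-106023: Deny udp src mgmt:10.10.10.20/53211 dst outside:192.0.2.53/53 by access-group "mgmt_out" [0x0, 0x0]
%PIX-3-305005: No translation group found for tcp src mgmt:10.10.10.99/5000 dst outside:192.0.2.9/443
%PIX-6-302013: Built outbound TCP connection 12 for outside:192.0.2.1/443 (192.0.2.1/443) to mgmt:10.10.10.20/41425 (172.16.0.5/41425)
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for (proto, port), ips in sorted(summarize(lines, "10.10.10.20").items(), key=str):
        print(f"{proto}/{port}: {', '.join(ips)}")
    print("not yet allowed:", new_destinations(lines, "10.10.10.20", ["198.133.219.25"]))
```

    Run it against a real export of the firewall log with the sensor's management address; if the TCP/80 population keeps changing between runs while TCP/443 stays fixed, you are looking at the CDN behaviour described in the reply, and a per-IP allow list is the wrong tool for that half of the traffic.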

  • ASA botnet filter vs ips global correlation

    Does Global Correlation include the data from the Botnet Filter? On Cisco's site it says this about Global Correlation:
    Customers deploying Cisco IPS can benefit from Global Correlation in multiple ways. First, bad traffic from known sources is stopped immediately. This includes zero-day attacks, for which no traditional threat prevention currently exists, advanced persistent threats (APTs), and botnet command and control traffic

    Hello Matt,
    Check the following info:
    Cisco ASA Botnet Traffic Filter
    This paper focuses on how Cisco Security Intelligence Operations relates to botnet threat identification, and its interaction with the Cisco ASA Botnet Traffic Filter. It is important to realize that a comprehensive security deployment should include Cisco Intrusion Prevention Systems (IPS) with its reputation based Global Correlation service and IPS signatures in conjunction with the security services provided by the ASA security appliance such as Botnet Traffic Filter.
    So I would say they both provide you security based on databases from the SIO, but they will not be equal in their functionalities; that is why Cisco recommends using both when possible.
    Regards

  • Single AIP-SSM in Cisco ASA Failover Active / Standby Mode

    Hi,
    Can I add a single AIP-SSM on a Cisco ASA in failover active/standby mode?

    No, both units need the same hardware, that includes the installed modules.

  • CISCO IPS Global Correlation

    Hi,
    While enabling Global Correlation, I understood that we need to configure a proxy or DNS.
    Also, I believe we need to open ports 80/443 on the firewall for the management IP address of the IPS to reach the Cisco sensor database. If I'm correct, what about the destination IP: do we need to allow "any", or is there a specific IP?
    ACL:
    Source (IPS Management IP) -> Port (80/443) -> Destination?

    Hi,
    Global Correlation features only contain external IP addresses, so if you position a sensor in an
    internal lab, you may never receive Global Correlation information.
    Source (IPS Management IP) -> Port (80/443) -> Destination is https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
    Regards
    Rajeswar

  • Cisco ASA IPS SSM-10

    Hello,
    I just upgraded one of my Cisco ASA IPS SSM-10s from version 7.0(6)E4 to version 7.0(7)E4 and the RADIUS authentication stopped working. I use Microsoft 2008 RADIUS and I still have 10 more of these working with version 7.0(6)E4.
    I used to have the same RADIUS authentication issue with version 6 until we upgraded to 7.0(6)E4, and this latest version screwed it up again.
    Does anyone know if there is a RADIUS authentication bug in this latest version 7.0(7)E4?
    Thank you
    Si

    There is a known issue, CSCty46104. However, a show-tech log can give more details as to why there was a failure in your case.
    Regards
    Sawan Gupta

  • Cisco IPS SSM 10 Sensor can't update signature file from ASA 5510

    Cisco ASA 5510 IPS firewall with ASA-SSM-10 module. I am trying to do a manual update of the signature file and get the following error:
    Error: execUpgradeSoftware : couldn't connect to host
    I have confirmed that I can ping the FTP server successfully from the ASA, and the command I am trying to use from the configure terminal of the module is:
    upgrade ftp://[email protected]//IPS-sig-S813-req-E4.pkg
    I have also tried via HTTP and it does not work either. Any thoughts?

    To connect to FTP there should be a username, usually anonymous, and a password, which can be anything. Check on the FTP server.
    aip_ssm_card# copy ftp://192.168.15.12/JAF1308ARNJ_20131009032200919.lic license-key
    User: anonymous
    Password: *********
    the username and/or the password are incorrect
    aip_ssm_card# copy ftp://192.168.15.12/JAF1308ARNJ_20131009032200919.lic license-key
    User: 123
    Password: ***
    File opening error
    I made a special user 123 on the FTP server with password 123.
    aip_ssm_card# copy ftp://192.168.15.12/JAF1308ARNJ_20131009032200919.lic license-key
    User: 123
    Password: ***
    aip_ssm_card#
    And don't forget to rate the post.

  • Cisco IPS (global correlation) is downloading lots of updates from the iron-port website

    I have a query on Global Correlation.
    The following is the observed behavior.
    Scenario 1:
    Global Correlation Inspection: ON (Standard)
    Reputation Filter: ON
    Result: Global Correlation downloads in bytes or KBs (observed on the proxy)
    Scenario 2:
    Global Correlation Inspection: OFF
    Reputation Filter: ON
    Result: Global Correlation downloads 4-5 MB every 5 minutes (observed on the proxy)
    This behavior has been observed on both IPS devices, one by one. What we want clarity on is why Global Correlation downloads so much data when it is OFF and only minimal data when it is ON. The equation does not seem right.
    Request your prompt response.
    Regards,
    Neal

    Both global correlation and reputation filtering retrieve updates from the SensorBase network, or IronPort. By default, they communicate with the network every five minutes. This value cannot be changed by the IPS administrator.

  • Cisco IPS ASA SSM-10

    I am using an ASA SSM-10 IPS. Currently it keeps logging these alert events.
    Where does the IPS keep all those event logs? In the disk space?
    Where can I see how much space I have left?
    Will it go down if the space is full?

    This is from the post I linked earlier, and you don't have to worry: the sensor will definitely not go 'down'; the event-log data structure is circular and is overwritten every time it is full.
    "The eventStore size starting at version 5.0(1) is a fixed 30 MB. It's a *circular* eventStore that is intended to wrap (new events overwriting the oldest events). The usual sensor deployment includes some sort of remote event monitor application (like IEV, IME etc.) that pulls events from the sensor. The eventStore acts as a buffer to allow the remote monitoring app to keep up with busy sensors. If your eventStore wraps every few hours then the monitoring app should be able to keep up with all the events being generated. The concern would be if the eventStore continuously wrapped in less than 10 or 15 minutes. At that point you may be losing events and would need to tune the sensor signature config to only alarm on meaningful events."
    I'm assuming that since the event store is only 30 MB, it's a 'part' of one of the following partitions:
    application-data OR application-log
    Most probably the first one.
    Regards
    Farrukh
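    The quoted description (a fixed-size ring that overwrites the oldest events, drained by a remote monitor that polls it) is easy to reason about with a small model. The code below is an added example, not the sensor's implementation: a byte-bounded ring store, a poller that pulls everything newer than the last event id it saw and counts the ids that were overwritten before it read them, and a simulation that ties wrap time to the poll interval. The 30 MB capacity comes from the reply above; the event sizes, rates and intervals are inputs chosen for the example, not measurements from a sensor.

```python
"""Model of a circular event store and a polling monitor (added example)."""
from collections import deque


class EventStore:
    """Byte-bounded ring: appending evicts the oldest events until the new one fits."""

    def __init__(self, capacity_bytes):
        self.capacity = capacity_bytes
        self.events = deque()   # (event_id, size_bytes), oldest first
        self.used = 0
        self.next_id = 1
        self.evicted = 0

    def append(self, size_bytes):
        if size_bytes > self.capacity:
            raise ValueError("event larger than the store")
        while self.used + size_bytes > self.capacity:
            _, old_size = self.events.popleft()
            self.used -= old_size
            self.evicted += 1
        eid = self.next_id
        self.next_id += 1
        self.events.append((eid, size_bytes))
        self.used += size_bytes
        return eid

    def oldest_id(self):
        return self.events[0][0] if self.events else None


class Monitor:
    """Pulls everything newer than the last id it saw; a gap before the oldest
    retained id means those events were overwritten before they were read."""

    def __init__(self, store):
        self.store = store
        self.last_id = 0
        self.received = 0
        self.lost = 0

    def poll(self):
        oldest = self.store.oldest_id()
        if oldest is not None and oldest > self.last_id + 1:
            self.lost += oldest - (self.last_id + 1)
        new = [eid for eid, _ in self.store.events if eid > self.last_id]
        if new:
            self.received += len(new)
            self.last_id = new[-1]
        return len(new)


def wrap_seconds(capacity_bytes, events_per_second, avg_event_bytes):
    """Time for a full store to turn over once at a steady event rate."""
    return capacity_bytes / (events_per_second * avg_event_bytes)


def simulate(capacity_bytes, events_per_second, avg_event_bytes, poll_interval_s, duration_s):
    """Feed a steady event stream, poll at a fixed interval, report received/lost."""
    store = EventStore(capacity_bytes)
    monitor = Monitor(store)
    for t in range(duration_s):
        for _ in range(events_per_second):
            store.append(avg_event_bytes)
        if (t + 1) % poll_interval_s == 0:
            monitor.poll()
    monitor.poll()  # final drain
    return {
        "received": monitor.received,
        "lost": monitor.lost,
        "wrap_s": wrap_seconds(capacity_bytes, events_per_second, avg_event_bytes),
    }


if __name__ == "__main__":
    thirty_mb = 30 * 1024 * 1024
    # 100 events/s at ~1 KB each: the store wraps every ~5 minutes.
    print("poll every 60 s :", simulate(thirty_mb, 100, 1024, 60, 600))
    print("poll every 900 s:", simulate(thirty_mb, 100, 1024, 900, 600))
```

    The useful number is the last key: if wrap_s is comfortably above the monitor's poll interval (first run), nothing is lost even when the ring turns over several times; if it is below (second run), the gap count is exactly the events the reply warns about losing, and the fix is on the signature tuning side, not the disk side.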

  • Global Correlation can't be updated

    The version is IPS 7.0, ASA5520 AIP-SSM.
    Signatures and IME can be successfully updated,
    but Global Correlation can't be updated;
    the status of Global Correlation is Critical.
    I saw the website
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/ime/ime_collaboration.html#wp1053280
    and updated following the web page, but it doesn't work.
    How can I update Global Correlation,
    or go back to the old SensorBase?

    The output provided clearly indicates that the AIP-SSM is unable to resolve the update server address. The server name update-manifests.ironport.com is not user-configurable.
    Do you have more than one DNS server configured? If so, disable all but the primary DNS server.
    If you only have one DNS server configured, please verify that the AIP-SSM's management IP address has unrestricted access to the Internet (at a minimum TCP ports 80 and 443 and UDP port 53).
    Scott
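    The advice in this reply and in the "config nightmare" thread above reduces to a short checklist: the fixed hostnames must resolve, the manifest host must accept TCP/443, the download host must accept TCP/80, and the DNS server list should be minimal. The script below is an added example, not sensor code and not from the thread, that encodes those checks and classifies a failure as a DNS problem (name does not resolve) or a firewall/NAT problem (name resolves, port blocked). The resolver and connector are injectable so the decision logic runs offline against the canned answers at the bottom; the defaults use the real socket library, and running them from a host on the sensor's management segment approximates what the sensor sees (assumption: that host shares the sensor's routes, ACLs and DNS settings). 198.133.219.25 is the Cisco address quoted in the thread; the 192.0.2.x addresses are TEST-NET placeholders.

```python
"""Pre-check of a sensor's Global Correlation update path (added example)."""
import socket

MANIFEST_HOST = "update-manifests.ironport.com"  # named in the thread
DOWNLOAD_HOST = "updates.ironport.com"           # named in the thread
REQUIRED = ((MANIFEST_HOST, 443, "manifest"), (DOWNLOAD_HOST, 80, "file download"))


def live_resolve(host):
    """IPv4 addresses for host, or [] when the name does not resolve."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def live_tcp_connect(ip, port, timeout=5.0):
    """True when a TCP handshake to ip:port completes within timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_update_path(dns_servers, resolve=live_resolve, tcp_connect=live_tcp_connect):
    """Return {'ok': bool, 'findings': [(severity, area, message), ...]}.

    severity 'fail' means updates cannot work; 'warn' is advice only. A name
    that will not resolve points at the sensor's DNS setup (and UDP/53 egress);
    a name that resolves but will not connect points at the ACL/NAT in front
    of the management interface. A CDN name that resolves to several addresses
    passes when any one of them accepts the connection.
    """
    findings = []
    if not dns_servers:
        findings.append(("fail", "dns", "no DNS server configured; the update hostnames are fixed, so resolution is mandatory"))
    elif len(dns_servers) > 1:
        findings.append(("warn", "dns", "more than one DNS server configured; if updates are flaky, leave only the primary"))
    for host, port, role in REQUIRED:
        ips = resolve(host) if dns_servers else []
        if not ips:
            findings.append(("fail", "resolve", f"{host} ({role}) does not resolve; check DNS settings and UDP/53 egress"))
            continue
        if not any(tcp_connect(ip, port) for ip in ips):
            findings.append(("fail", "connect", f"{host} ({role}) resolves to {ips} but TCP/{port} is blocked; allow TCP/{port} from the management IP"))
    return {"ok": not any(sev == "fail" for sev, _, _ in findings), "findings": findings}


# Canned answers so the decision logic can be exercised offline (constructed data).
CANNED_DNS = {MANIFEST_HOST: ["198.133.219.25"], DOWNLOAD_HOST: ["192.0.2.40", "192.0.2.73"]}
CANNED_OPEN = {("198.133.219.25", 443), ("192.0.2.73", 80)}  # what the firewall lets through


def canned_resolve(host):
    return CANNED_DNS.get(host, [])


def canned_connect(ip, port, timeout=5.0):
    return (ip, port) in CANNED_OPEN


if __name__ == "__main__":
    report = check_update_path(["10.10.10.5"], resolve=canned_resolve, tcp_connect=canned_connect)
    print("OK" if report["ok"] else "PROBLEMS")
    for sev, area, msg in report["findings"]:
        print(f"[{sev}] {area}: {msg}")
```

    For a real check, call check_update_path with the sensor's configured DNS server list and the default resolver/connector from a host on the same management segment. Note that only one of the two canned CDN addresses accepts TCP/80 and the check still passes: that is deliberate, since the reply above explains that the download host maps to a changing pool and the sensor only needs one reachable member.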
