Cisco ips 4200 - errsystemerror-ct-sensorapp.443 not responding

Similar Messages

• Cisco IPS Error -- errsystemerror-ct-sensorapp.333 not responding

  Hi Team,
  I am getting the below error while accessing IDM. I rebooted the device, after some times i get the same type of messages..
  error connecting to sensor + failed to load sensor. errsystemerror-ct-sensorapp.333 not responding. please check system processes- the connect to the specified lo::clientpipe failed.
  Will be appreciated for the quick reply on priority...
  regards
  Rajesh

  Hi,
  Pls find the below show version..
  Looks like all the processes are running..
  Application Partition:
  Cisco Intrusion Prevention System, Version 5.1(5)E1
  Host:
  Realm Keys key1.0
  Signature Definition:
  Signature Update S323.0 2008-03-24
  Virus Update V1.2 2005-11-24
  OS Version: 2.4.26-IDS-smp-bigphys
  Platform: IPS-4240-K9
  Serial Number: xxxxxxxxxxxx
  Licensed, expires: 01-Dec-2009 UTC
  Sensor up-time is 14:55.
  Using 512040960 out of 1454153728 bytes of available memory (35% usage)
  system is using 17.4M out of 29.0M bytes of available disk space (60% usage)
  application-data is using 44.1M out of 166.8M bytes of available disk space (28%
  usage)
  boot is using 35.3M out of 68.6M bytes of available disk space (54% usage)
  MainApp 2007_FEB_02_15_58 (Release) 2007-02-02T16:04:00-0600 Runn
  ing
  AnalysisEngine 2007_FEB_02_15_58 (Release) 2007-02-02T16:04:00-0600 Runn
  ing
  CLI 2007_FEB_02_15_58 (Release) 2007-02-02T16:04:00-0600
  Upgrade History:
  * IPS-K9-sp-5.1-5-E1 10:28:00 UTC Fri Feb 02 2007
  IPS-sig-S323-req-E1.pkg 07:26:42 UTC Tue Mar 25 2008
  Recovery Partition Version 1.1 - 5.1(5)E1

• ErrSystemError-ct-sensorApp.463 not responding on ASA-SSM-10

  Hello,
  I got following error message when login into IPS over IDM, after error is displayed IDM is closing.
  errSystemError-ct-sensorApp.463 not responding, please check system processes
  - The connect to the specified Io::ClientPipe failed.
  SSH login works, when using CLI following health statistics are available:
  sensor# show health
  Overall Health Status                                               Red
  Health Status for Failed Applications                         Red
  Health Status for Signature Updates                         Yellow
  Health Status for License Key Expiration                   Green
  Health Status for Running in Bypass Mode                Red
  Health Status for Interfaces Being Down                   Green
  Health Status for the Inspection Load                      Green
  Health Status for the Time Since Last Event Retrieval   Green
  Health Status for the Number of Missed Packets          Green
  Health Status for the Memory Usage                      Not Enabled
  Health Status for Global Correlation                    Green
  Health Status for Network Participation                 Not Enabled
  Security Status for Virtual Sensor sensor-int    Green
  Security Status for Virtual Sensor vs0           Green
  Do you have any idea why IPS crashed ?
  ASA-SSM-10 is installed into ASA 5510.

  Hello,
  I have the sem problem since sveral days, I found the following workaround on our environement. Working since 5hours.
  Hope it helps.
  Regards.
  IDSM-2 Sensor Module - errSystemError -ct-sensorApp.XXX not responding, please check system processes - The connect to the specified Io::ClientPipe failed.
  Symptom:
  When attempting to access an IDSM-2 sensor via its GUI (IDM) or via IME (IPS Manager Express), an error such as the following is encountered:
  "errSystemError -ct-sensorApp.XXX not responding, please check system processes - The connect to the specified Io::ClientPipe failed."
  Additionally, review of the 'show version' command output indicates the AnalysisEngine (sensorApp process) to be "Not Running".
  Conditions:
  IDSM-2 sensor module running 7.0(x) software release. Global Correlation Inspection feature enabled (On). A 'show tech' command output includes a sensorApp process core containing lines similar to the following:
  cat /usr/cids/idsRoot/core/sensorApp/core.txt
  /usr/cids/idsRoot/bin/sensorApp(_ZN3Cid3Rep9RepIpData13ApplyIpUpdateEPKcPNS0_8RepScoreE+)
  Solution:
  This problem is tracked as defect CSCti79423. It can be encountered on the IDSM-2 platform when a Global Correlation Update occurs. A fix for this is currently planned for inclusion in the next 7.0 release (7.0(6)).
  In the interim, the only workaround to ensure that the sensor does not re-encounter this defect is to disable Global Correlation Inspection (Updates) as such:
  sensor# conf t
  sensor(config)# service global-correlation
  sensor(config-glo)# global-correlation-inspection off
  sensor(config-glo)# exit
  Apply Changes?[yes]: yes
  After making the above configuration change, a reboot of the affected IDSM-2 sensor module should restore it to service:
  sensor# reset

• Cisco IPS 4200 Series Feature

  Does the Cisco IPS 4200 can support RADIUS for user authentication?
  Does the Cisco IPS 4200 can support SYSLOG for sending logging to outside?

  Are you kidding me? Then how do you explain
  the fact that security devices such as
  checkpoint and ASA firewalls are allowed
  authentication via tacacs/radius and you can
  send syslog back to a syslog server. Normally
  the information is got sent back via the
  Command and Control (C&C) interface which
  should be on a secure network in the first
  place.
  This is a limitation of the of the IDS itself.
  I have not tried version 5.x or 6.x yet but
  if they are similar to version 4.1, then
  they are nothing but a Linux box. You can
  "shell" into the box and install PAM on it
  so that you can use external authentication
  such as radius/tacacs or even LDAP.

• Error: getAnalysisEngineStatistics:ct-sensorApp.26277 not responding

  One of my customers has  IPS-4240-K9   and facing issue with follwing error
  Output from show statistics analysis-engine
  Error: getAnalysisEngineStatistics : ct-sensorApp.26277 not responding, please check system processes - The connect to the specified Io::ClientPipe failed.
  Output from show statistics anomaly-detection
  Error: getAnomalyDetectionStatistics : ct-sensorApp.26277 not responding, please check system processes - The connect to the specified Io::ClientPipe failed.
  Analysis Engine is working fine as you can see under show version
  MainApp            B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500   Running 
  AnalysisEngine     BE-BEAU_E4_2010_MAR_25_02_09_7_0_2   (Ipsbuild)   2010-03-25T02:11:05-0500   Running 
  CollaborationApp   B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500   Running 
  CLI                B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500         
  Can please someone help me to analysis the error.
  Look forward for response.
  Reagrds 

  Please find attached core.txt and version is
  Output from show version
  Application Partition:
  Cisco Intrusion Prevention System, Version 7.0(2)E4
  Host:                                                       
  OS Version:             2.4.30-IDS-smp-bigphys               
  Platform:               IPS-4240-K9                         
  Sensor up-time is 355 days.
  Using 1482727424 out of 1984548864 bytes of available memory (74% usage)
  Upgrade History:
    IPS-sig-S492-req-E4.pkg   00:01:02 UTC Sun Jun 06 2010 
  Recovery Partition Version 1.1 - 7.0(2)E3
  Look forward for your quick response.

• CIsco IPS 4200 Log Fields

  Hi,
  Could anyone please tell me where can I find the information regarding the Fields of the log for IPS 4200? In what sequence do they appear in log files and what does each field signify?
  Basically, I need the layout of the log file for the IPS logs. e.g. a sample layout would be something like this:
  [timestamp] , [signatureID] , [vendor] [signature desc], [attacker IP] , [victim IP] , [attack type] , [action ID] , [action desc]
  Thanks.
  Regards,
  Pratik

  Here's an example of an SDEE message. I believe this is from a version 5.x sensor (it could be version 4, I don't see Risk Rating). Each time a new major version of software is release, new features are added and (if reportable) they show up as new fields in the SDEE messages.
  testsensor4250XL
  sensorApp
  440
  Sdee
  10.1.1.119
  1180958240541285000
  10.1.1.119
  0
  1
  R0VUIC9vc3Mvc3VydmV5LmFzcD7pdW1kYXlzPTUrMyBIVFRQ0=
  11.1.1.2
  60556
  61.1.1.76
  80

• Cisco IPS Concurrent session support in ips 4260 and 4270 sensor

  I am wondring that no document from Cisco IPS data sheets mention the concurrent session support in Cisco IPS 4200 series sensor. I am looking forward to any one who can advise about the subject.
  Thanks
  Nouman

  Hi.
  with IPS devices it's difficult to measure performance by # of connections per second since several factors count to the performance limit, including:
  1- packet size.
  2- object sizes per transaction
  3- transactions per second
  4- signatures enabled
  5- features enabled
  that why public documents try to make it more realistic by mentioning the transactional performance.
  here is a link mentioning concurrent connections for 4270:
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/prod_white_paper0900aecd806e7283.html
  although the link mentiones 100k and 200k, but we've seen situations where we had a lot more connections with a smaller amount of signatures enabled.
  for the 4260 the public document only mentions the transactional performance.
  Regards,
  Fadi.
  If this answers your question please mark the thread as resolved.

• IPS 4200 Signature & Action IDs

  I need a reference manual for the list of all the signatures and actions supported by Cisco IPS 4200 series appliances with software version 6.x.
  I have tried locating this through the IPS product page but had no luck yet.
  Please let me know where can I find this reference manual.
  Thanks.

  Have you looked at the security center?
  http://tools.cisco.com/security/center/search.x?search=Signature
  Regards
  Farrukh

• Error: Cannot connect to NTP server or NTP server is not running - Cisco IPS

  This is different scenario here:
  I have two Cisco IPS 4260-k9 and both are in production now.
  One of the IPSs is configured with NTP and works fines, but another one is not.
  When tried to configure when the device is ON and live in production and got the following error,
  Error from CLI:
  " Error: Cannot connect to NTP server or NTP server is not running "
  Error from IME:
  " Delivery failed.
  err Unaccepable Value - cannot connect to the NTP server or NTP server is not running"
  I am able to reach the NTP server, also the same NTP is working fine with other devices....
  Am I doing anything wrong?
  Please advise

  Hi,
  Now the error has changed:
  Session.connect: java.net.SocketTimeoutException: Read timed out
  I have increased the pooling interval to 1 Hr from 1 Min. Waiting for the next pooling interval result.
  Guide me if I am heading right.... or anything else needs to be done.
  Regards,
  Krishna Chauhan

• Cisco ips 4206 Analysis Engine not running

  Cisco IPS 4206
  AnalysisEngine     BE-BEAU_E4_2010_MAR_25_02_09_7_0_2   (Ipsbuild)   2010-03-25T02:11:05-0500   NotRunning  
  Sensor health is showing critical .
  Application showing failed .
  Can any body help me on this,.

  We have had this issue in the past with our sensors and the only way that we were able to clear it was with a reboot of the sensor.  If you decide to reboot then you should probably do a "show tech" before the reboot and open a case with support to see what the root cause of the issue was.

• Does Cisco IPS appliance 4200 and 4300 series have whitelist?

  Hi all,
  I am wondering if I can do whitelist on the Cisco IPS appliance itself. I understand for IPS module in ASA it is possible...hope anyone can enlighten me.
  Cyrus

  Cyrus,
  It kinda does, it is called Event action filters, where you can excempt host/subnets for triggering certain signatures.
  http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_event_action_rules.html
  Whatever you put on them, wont trigger the signatures you dont want it to trigger.
  Hope it helps.
  Mike

• Evaluating cisco IPS AIP-SSM-10 allong side Tipping Point S330

  Hello all,
  What are your thoughts on this matter?  I am also going to be looking at the Palo Alto solution for IPS as well.
  I'm probably going to use the cisco 4200 sensors if they offer multi segment like the tipping point does. 
  I'm looking at protecting the perimiter but NOT replacing my current firewall.  The current firewall is the Microsoft TMG.
  I like what I see on the Cisco IPS express.  I've also looked at the CSM for management.  It seems that Cisco is a lot more flexible when it comes to editing and managing the signatures.
  ARe there similar experiences out there that you would like to share?
  Thanks!
  Kurt

  Both products are pretty strong. But Tipping point have a much more comprehensive, promptly updated, and a well managed signature base. Both products can monitor multiple segements (terminologies are different).
  A good way to compare is to subsribe to their IPS signature updates and see the difference, I mean both from Cisco and DV labs
  BR
  Farrukh

• Will IDS v4.1 software run on the IPS-4200 appliances?

  I understand that Cisco IPS 5.0 software will run on the IDS-4200 series appliances (e.g. - IDS -4235).
  Is the reverse true? Can I get Cisco IDS 4.1 to run on an IPS-4240 or an IPS-4255?
  Just curious, since I may have to answer the question internally soon...
  Thanks in advance,
  Alex Arndt

  Just an FYI the only Appliances/Modules that support 5.0 that do not support 4.1 are the ASA-SSM-AIP-10 and ASA-SSM-AIP-20.
  These 2 modules are brand new and will only support the 5.0 version.
  To read more about the 2 new modules refer to:
  http://www.cisco.com/en/US/products/ps6120/products_data_sheet0900aecd802930c5.html

• Reg. Cisco IPS Inline VLAN Mode

  Hi
  Currently my Cisco IPS 4240 version 5.1(5) , is in Promiscous mode.Soon i will be configuring it in Inline mode .i will be using only 1 IPS Interface and will be configuring VLANs in the switch and connect the trunk port to the Gig0/0 of the IPS .The issue is that if the IPS goes down , will the packet flow continue to run smoothly i.e will the "Auto bypass mode" will be applicable for this scenario too and let the traffic goes without inspection ?
  Ankur

  Perfectly normal. Your test does not test the Software ByPass feature.
  The confusion is in how Software ByPass and Virtual Sensor assignment are related.
  If ByPass is set ON (Not Auto, but specifcally ON) then the traffic will be software bypassed regardless of whether or not analysis engine is running or whether the inline pair is assigned to any virtual sensors.
  The driver does the bypass, and never even attempts to send it to the analysis engine.
  If Software ByPass is set to Auto OR Off, the driver will always attempt to send the packets to the analysis engine.
  The only difference between Auto and Off is what happens when the analysis engine STOPS pulling new packets from the driver.
  With Software ByPass Auto, the driver will start passing the packets straight through and not send them to analysis engine.
  With Software ByPass Off, the driver will bring the link down on the NICs until analysis engine is able to start receiving packets again.
  So you see that Software ByPass is a function of the NIC driver.
  Whether or not the pair is actually assigned to a virtual sensor is UNKNOWN by the NIC driver itself.
  Whether or not the inline pair is assigned to a virtual sensor is solely a function of the analysis engine. If the analysis engine is functioning is running then the driver is always going to send it the packets. The analysis engine then checks to see if the packets should be monitored. If the inline pair is assigned to a virtual sensor then it is monitored before being passed back to the driver for transmit.
  IF the inline pair is NOT assigned to a virtual sensor, then the packet is STILL passed back to the driver for transmit.
  So an inline pair that is NOT assigned to a virtual sensor will STILL have packets passed through if analysis engine is Running. So long as analysis engine is runninng the NIC driver in Software ByPass Auto or Off does not care whether or not it is actually monitored. The driver only knows that it must pass the packet to the analysis engine and the analysis engine will send the packet back for transmit.
  So adding and removing inline pairs from virtual sensors does NOT test the Software ByPass feature. The packets will always be passed through so long as analysis engine is running.
  If analysis engine stops passing traffic, then software bypass kicks in and all inline pairs (whether monitored or not) will be treated the same depending on whether bypass is Auto or Off.
  The only way to really test Software ByPass is to simulate an actual failure of the analysis engine.
  To do this:
  create a service account
  login with service account
  switch to user roor (su - root)
  The root password is the same as the service account password.
  Execute "ps -ef" to find the pid of the sensorApp process (which is the analysis engine)
  Now execute "kill -9 ###" replacing the ### with the pid of the sensorApp process.
  Now the Software ByPass functionality should kick in.
  You can always run "show int" to see the current running status of the Software ByPass feature in the driver.
  It will be either On, Off, or Auto_On or Auto_Off
  The Auto_On and Auto_Off are the 2 running states for the Auto configuration. Auto_Off is when analysis engine is working, and auto_on is when the analysis engine is not working.

• IPS-4200 IDM-HTTPS & Browser

  Hello,
  although we all know he problem of Cisco IPS's with Java, and knowing that java vulnerabilities are increasing, updating Java version is not allowed else we lose the ability to open IDM for the IPS's.
  Another thing is appearing now, is that I will have, each time i want to open an IDM session of the IPS, to clear my browser history and cookies to be able to log on to the IPS, otherwise i got the error of we could not load the Server, IPS_IPAddress:443.
  Is this related to any java parameters?
  Note: occurring with 4240 IPS’s

  Increasing the Memory Size of the Java Plug-In
  To correctly run IDM, your browser must have Java Plug-in 1.4.2 or 1.5 installed. By default the Java Plug-in allocates 64 MB of memory to IDM and ASDM. IDM and ASDM can run out of memory while in use, which can cause IDM and ASDM to freeze or display blank screens. Running out of memory can also occur when you click Refresh. An OutofMemoryError message appears in the Java console whenever this occurs.
  You must change the memory settings of Java Plug-in before using IDM and ASDM. The mandatory minimum memory size is 256 MB.
  This section contains the following topics:
  •Java Plug-In on Windows
  •Java Plug-In on Linux and Solaris
  Java Plug-In on Windows
  To change the settings of Java Plug-in on Windows for Java Plug-in 1.4.2 and 1.5, follow these steps:
  Step 1 Close all instances of Internet Explorer or Netscape.
  Step 2 Click Start  > Settings > Control Panel.
  Step 3 If you have Java Plug-in 1.4.2 installed:
  a. Click Java Plug-in.
  The Java Plug-in Control Panel appears.
  b. Click the Advanced tab.
  c. Type -Xmx256m in the Java RunTime Parameters field.
  d. Click Apply and exit the Java Control Panel.
  Step 4 If you have Java Plug-in 1.5 installed:
  a. Click Java.
  The Java Control Panel appears.
  b. Click the Java tab.
  c. Click View under Java Applet Runtime Settings.
  The Java Runtime Settings Panel appears.
  d. Type -Xmx256m in the Java Runtime Parameters field and then click OK.
  e. Click OK and exit the Java Control Panel.