Diverting traffic to IDSM for inline IPS mode

I have a Catalyst 6500 switch containing FWSM and IDSM-2 module. Vlan 1000 is the outside interface for the fwsm to which all business servers are mapped (vlan 900, inside interface of fwsm).
I want to inline IPS all the traffic going to these business servers.
I have no issue with IPS configuration.
Could you please guide me with a configuration for 6500 switch for diverting this traffic.
I can provide 6500 configs if required.
An example would be appreciated.

I'm not sure if this is relevant to your situation, but here is how I have a gateway 6K switch set up with an external 4255 IPS device. You should be able to substitute the IDSM2 though.
Internet -> port 1/2 Vlan 5 -> port 3/1 Vlan 5 -> 4255 vlan pair to -> port 3/2 Vlan 2 -> MSFC Route Module -> rest of vlans internal...
What I am doing is bringing my uplink in on a physical port that is in Vlan 5. I put one side of my IPS sensor into Vlan 5. These two ports are the only ports in Vlan 5. The IPS sensor port is vlan paired through the sensor to a port in Vlan 2. From this point, my MSFC route module has virtual interfaces for Vlan 2 and all of the rest of my internal Vlans. There is no route entry for Vlan 5, it is a pure switching vlan.
What I like about this setup is that the IPS is transparent. If I have a problem with my IPS device or if I am doing an image upgrade, I can move the vlan for port 1/2 into Vlan 2 and logically bypass the IPS device...taking it out of inline without having to change anything else in the switch config and only having to wait for the spanning tree to converge.
For the IDSM2, since the ports are trunk ports, you'd want to set the native vlan to the target vlan of each port and set the allowed vlans to just the target vlan of each port (ports 7 & 8).
Hope this is useful,
Scott

Similar Messages

  • IPS mode with IDSM-2 module on Cat6K

    Hi,
    I have installed the IDSM-2 module on the Catalyst 6509 switch, now I was referring to the configuration guide for IPS 6.0 there are multiple modes I can configure like inline, inline vlan pair, Promiscuous & vlan group mode.. so I'm thinking which one would be the best solution...
    The catalyst 6509 is acting as the CORE/Distribution with multiple Vlan's (around 20 vlans) configured, and customer wants the IPS to be deployed in such a way that it covers the traffic from all the vlans..
    Also note that there is a redundant Cat6509 switch which also has got the IDSM-2 module installed, so can these both IDSM-2 modules be installed in active/standby or active/active combination...
    can someone throw some light on the same please...
    Regards
    Vijay.

    A sensor can enter bypass mode for several reasons, including, but not limited to:
    1) Analysis Engine reconfiguration
    2) Global Correlation updates
    3) Daily Signature DB self purge
    4) sensorApp failure
    Most of these reasons are benign. I have written Supportability Enhancement CSCtg69012 so that each bypass log will show the reason for entering bypass mode.
    The bug is available via the CCO Bug Toolkit: http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs.
    You may review the bug and click on the "Save Bug" button at the bottom of the page to receive email updates as changes are made to the bug's state.
    To fully diagnose your issue, I suggest opening a TAC case where we will request a "show tech," including debug level logs. This will allow us to see what is triggering the sensor to enter bypass mode.
    Thank you,
    Blayne Dreier
    Cisco TAC IDS Team
    **Please check out our Podcast**
    TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast

  • Idsm 2- Inline Mode Deployment

    I would like to configure an IDSM-2 in inline mode, I am having trouble about the deployment, I have a couple of questions;
    1. If you configure 2 VLANs (existing) as VLAN pairs does this mean the exist connection between the 2 VLANs is broken?
    ie they can only communicate to each other via IPS.
    2. Where is the best place to deploy this type of IPS?

    In an inline VLAN-pair scenario, the IDSM2 will bridge the VLANs together using VLAN tag swapping.  Below is a quick topo sketch of an inline design where this might be used.
    6500 MSFC--VL10--(inside) FWSM (outside)--VLAN 11--IDSM--VLAN 111--RTR--INTERNET
    In the example above, the FWSM outside and RTR inside interfaces sit on the same Layer 3 subnet but different Layer 2 VLANs. The IDSM is positioned inline using an inline VLAN-pair. Traffic leaving the FWSM towards the Internet will go into the trunk to the IDSM on VLAN 11. The IDSM will then swap the VLAN tag to 111 before forwarding the packet down the trunk. This process allows the traffic to be influenced into the IDSM for inspection.
    http://www.cisco.com/en/US/customer/docs/security/ips/7.0/configuration/guide/cli/cli_interfaces.html#wp1047718

  • IDSM-2 inline VLAN pair mode

    My customer has voice, video and data VLAN's. Customer wants to inspect only inter VLAN traffic ONLY for data to be inspected by IDSM-2 inline while bypassing other VLAN traffic to FWSM and then to WAN.
    Is that possible with Inline VLAN pair mode?
    I read the cisco document which states as below
    "You can configure IDSM-2 to simultaneously bridge up to 255 VLAN pairs on each data port. IDSM-2 replaces the VLAN ID field in the 802.1q header of each packet with the ID of the VLAN on which the packet is forwarded. It drops any packets received on VLANs that are not assigned to an inline VLAN pair."
    The last statement says it will drop all other vlan traffic which are not assigned to any inline vlan pair?
    Regards
    Vinod

    You can bypass analysis engine when inline bypass is activated, allowing traffic to flow through the inline interfaces and inline VLAN pairs without inspection. Inline bypass ensures that packets continue to flow through the sensor when the sensor processes are temporarily stopped for upgrades or when the sensor monitoring processes fail. But not always.

  • IDSM-2, inline and Passive mode in same Module?

    Hi, I have a question that may be strange. In our network we have implemented an IDSM-2 module in our 6513 switch in inline mode. Without any discussion about network design, suppose that our network is going beyond IDSM-2 throughput and then we want to use IDSM-2 for some traffic in passive mode instead of inline to reduce drop probability in inline mode. I mean, before this state we were using IDSM-2 data port 1 (in VLAN pair mode); now can we use data port 2 for this purpose (capturing some traffic on data port 2 for passive operation)? In other words, can IDSM-2 operate in this way?

    I found my answer in the IDSM-2 document: "You can mix sensing modes on IDSM-2. For example, you can configure one data port for promiscuous mode and the other data port for inline VLAN pair mode. But because IDSM-2 only has two data ports and inline mode requires the use of both data ports as a pair, you cannot mix inline mode with either of the other two modes." But something else: for doing such a thing, suppose that I have sig 2004 configured for inline traffic to deny attacker inline; then this action doesn't make any sense for some data in passive mode, and suppose that for the kind of traffic for which IDSM-2 is operating in passive mode I want to just send an alert. So can I use a different VS for doing this? Thanks.

  • NeedHelp Is it bug at IDSM-2 with IPS-K9-7.0-2-E3.pkg??

    Dear All,
    I have an IDSM with IPS-K9-7.0-2-E3.pkg installed.
    I use inline mode for this IDSM, and the IDSM is placed in front of the server farm,
    but I have a problem: one segment in my network can't access the server
    but another segment can access that server.
    That server is an Oracle database application (real time),
    and this happens only for that server.
    When I filter the traffic with the IDSM, the result is that the transaction matches
    signature number 7000; even though that signature doesn't have an action to deny the traffic,
    the traffic still cannot bypass. Then I tried to disable it, but there was no impact on that segment,
    even though other segments can access that server normally.
    Can anyone explain to me why this happens?
    I tried to downgrade to IPS-K9-7.0-2-E3.pkg with IME but always get an error.
    Can anyone help me please?

    Hi Josh..
    This is my answer
    First off, you cannot downgrade the version without a re-image. You can only downgrade signatures. Second, you mention 7.0(2)E3 as the version you are on and the version you want to downgrade to. Can you verify what version you are running?
    I have not yet downgraded to 7.0(2) because I don't yet have permission from my boss. And now my IDSM still uses 7.0(2)E3
    This is a capture from my IDSM
    OTIDSM# sh ver
    Application Partition:
    Cisco Intrusion Prevention System, Version 7.0(2)E3
    Host:                                                        
        Realm Keys          key1.0                               
    Signature Definition:                                        
        Signature Update    S425.0                   2009-08-17  
        Virus Update        V1.4                     2007-03-02  
    OS Version:             2.4.30-IDS-smp-bigphys               
    Platform:               WS-SVC-IDSM-2                        
    Serial Number:          SAD132802TL                          
    Licensed, expires:      20-Oct-2010 UTC                      
    Sensor up-time is 2 days.
    Using 1415421952 out of 1983504384 bytes of available memory (71% usage)
    system is using 17.4M out of 38.5M bytes of available disk space (45% usage)
    application-data is using 38.6M out of 166.8M bytes of available disk space (24% usage)
    boot is using 41.5M out of 68.6M bytes of available disk space (64% usage)
    MainApp            B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500   Running  
    AnalysisEngine     B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500   Running  
    CollaborationApp   B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500   Running  
    CLI                B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500            
    Upgrade History:
      IPS-K9-7.0-2-E3   07:43:07 UTC Thu Oct 15 2009  
    Maintenance Partition Version 2.1(3)
    Recovery Partition Version 1.1 - 7.0(2)E3
    Host Certificate Valid from: 27-Apr-2010 to 27-Apr-2012
    On the traffic not passing issue, if you put the sensor in bypass does that resolve the issue? That will eliminate any signature related actions from impacting the traffic. If you are still unable to access the servers then you should look for a routing or network layer issue
    What do you mean by bypass? Is it to release the IDSM from the network? If so, I have done that and the server can be accessed from the segment that couldn't access it before. I have checked for a network layer problem but everything is OK,
    And I want to clarify that the other segment can't access the server only for some application (real time application) on that server, but the server can be pinged and telnetted to from that segment (I think this clarifies the network issue problem)
    If that clears things up, the next step would be to create an Event Action Override to produce alert for all signatures. Then you can review IME for any signatures firing related to these servers. Please remove the Override once you are done testing as this can have a performance impact on the sensor over time and should only be used temporarily to troubleshoot a specific issue.
    Well, I will try your suggestion, but I will wait for permission to execute it. I hope this works for my IDSM-2
    If you are still having trouble, it may help to get some info about the config of the sensor and the switch. Specifically, how the VLAN or Interface Pairs are setup, etc.
    OK, I will…
    Btw, thanks for your help boss
    GBU …

  • IDSM-2 Inline Vlan Pair - Duplicate Packets

    Dear All
    We have a setup where two IDSM-2 modules are ether-channeled together in a single 6513 Chassis.
    There is an FWSM module also, which acts as the default gateway for all internal VLANs.
    Problem: IDSM show stat virtual-sensor command is showing tons of 'Duplicate Packets'
    show statistics virtual-sensor | inc Duplic
    Duplicate Packets = 2950967
    Inline TCP Tracking Mode: Interface and VLAN
    Topology:
    Assume Client VLAN = 10 and Server VLAN = 60
    IPS Inline VLAN Pairs:
    10 >> 110 (Client VLAN)
    60 >> 160 (Server VLAN)
    Client >> Server Flow: (Layer 2):
    [ClientPC] >>>> Access Switch (VLAN 10) >>>> Core SW >>>> IDSM-2 (VLAN 10--110 Pair) >>>> Core Sw >>>> FWSM VLAN 110 >>>>
    FWSM VLAN 160 >>>> Core Sw >>>> IDSM-2 (VLAN 160--60 Pair) >>>> Server Switch (VLAN 60) >>>> [Server]
    Core Switch IPS Etherchannel Setup:
    Group 5: IDSM(A) and IDSM(B) Port x/7
    Group 6: IDSM(A) and IDSM(B) Port x/8
    Some VLAN Pair(s) are on interface x/7 and others are on x/8
    Because of the above issue, we see a lot of TCP normalization signatures being fired (as the IPS gets confused with duplicate packets seen for the same flow). Specially signatures 1330:12 :17 and :18.
    It is also causing some applications to break (e.g. Veritas Netbackup 6.5). When I removed the DENY action from these signatures, our IPS started having stability issues (This could also be due to E3 upgrade)
    Should we change the Tracking mode to 'VLAN' only, OR any other possible solution?. Should not the 'interface and vlan' setting be sufficient?.
    Regards
    Farrukh

    This will take some traffic analysis to determine what is going wrong.
    You might need to place a sniffer to watch the traffic on the client where the backup software is running at the same time that you capture the traffic on the sensor.
    Look to see if there are any differences in the traffic.
    Look for any anomalies in the traffic.
    Look to see if maybe the backup software is not using a standard TCP connection (is it jumping the tcp sequence numbers in any abnormal way?)
    You might also try some things on the sensor to determine if the sensor itself might have an issue.
    Determine if the connection passes through 2 connections (inline vlan pairs) monitored by the sensor.
    If you can, you might try removing both of the pairs from the virtual sensor. (don't delete the pairs, just remove them from the virtual sensor so they won't be analyzed)
    And see if the backup works.
    If it does then just add in one pair, and see if it keeps working.
    If it has errors with just the one pair, then the problem is likely not because of the connection being monitored twice.
    Something else must be weird about the connection.
    If the problems are only seen when having both pairs in the same virtual sensor, then try placing the pairs in different virtual sensors and see if the problem goes away.
    If the problem goes away when in different virtual sensors, then there may be an error in the inline tcp session tracking code that should track connections separately for each interface/vlan.

  • Switch config for Inline Interface Pair

    Hello all
    Am having a doubt here, so need your help.
    I want to configure an IPS in inline interface mode. What I have is
    internet rtr---->Switch----->outside intrface of ASA
    Here, I want to monitor/inspect the traffic coming from the internet.
    I am planning to connect the inline interfaces to the same switch.
    What am not sure is what will be the switchport configuration for the inline interface pair?
    Also, How the switch will forward traffic to the IPS and then IPS to the ASA?
    Thanks in advance
    ..Abhi

    What are you using for an IPS, an appliance? an IOS IPS in the Internet router or the ASA?
    If you want to feed the output of your IPS into the same switch as the input, you'll need to create two separate VLANS, one for the switch interfaces that are outside your IPS and the other for the interfaces that are inside your IPS.
    interface Gi0/1
      switchport access vlan 10
      switchport mode access
      switchport nonegotiate
    interface Gi0/5
      switchport access vlan 20
      switchport mode access
      switchport nonegotiate
    interface vlan 10
    interface vlan 20
    - Bob

  • 4250-sx connecting to 6500 for vlan pair mode

    I am not sure if this question should be asked on the ids forum or the switching forum. Please let me know if it is the wrong place to be asking.
    Could someone perhaps help? It is the first time we are configuring this setup so we need some help in configuring the SX interface on a 6500 switch.
    We would like to connect our 4250-SX ips sensor (5.1) for inline vlan pair mode to a 6500 catalyst running ios software. The switch has a fiber SC type connection. We would like to find a document that best describes how the interface on the switch should be configured for successful operation for this solution. Can someone point us to this document? We have been told that the port will need to be configured as an 802.1q trunk. Is this correct?
    We would also like to filter all unneeded vlans from propagating on to that trunk. What is the best way to do this?
    Thanks in advance

    Whether the port is fiber or copper won't really matter much.
    The first step is determine between which 2 vlans you will want to do inline vlan pair monitoring.
    The most direct solution is to pick one existing vlan, and create one brand new vlan.
    Now trunk both of these vlans on the switch port where the sensor is connected:
    Here is a basic example configuration for that switch port:
    interface GigabitEthernet1/1
      switchport
      switchport access vlan 1
      switchport trunk native vlan 1
      switchport trunk allowed vlan 100-101
      switchport mode trunk
      no ip address
      no shutdown
      exit
    Vlan 100 was the existing vlan, and vlan 101 was the newly created vlan.
    The vlan 1 settings were just to ensure the port was set back to the default of vlan 1 for the access vlan; the vlan 1 setting is not used in the vlan pairing and is not in the list of allowed vlans for the trunk port.
    NOTE: You will see that the mode must be forced to trunk. Also be aware that depending on the port you may also have to force the trunk type to 802.1q:
    "switchport trunk encapsulation dot1q"
    Now on the sensor itself you will want to create an inline vlan pair on that SX interface, and pair vlan 100 with vlan 101.
    Now remember that vlan 101 was a new vlan and is empty. So right now the sensor is doing inline monitoring between that empty vlan and the rest of your network. The trick now is to move some of the ports from the original vlan into that new vlan.
    If this is your first time setting this up, then I suggest you try this with a very simple network with 3 pcs that all talk to each other on the same subnet. All 3 pcs would be in the same vlan to begin with. After the steps above are done to create the new vlan and create the inline vlan pair on the sensor, the next step is to move pcs into the other vlan. So for one PC change its switch port configuration to move just that one PC from the original vlan (100) to the new vlan (101).
    Wait a minute for spanning-tree to run.
    Now ensure that the PCs from the original vlan can communicate to the PC in that new vlan.
    NOTE: Both vlans are for the same IP subnet. The sensor does not IP route between the subnets, it just switches or bridges packets between the 2 subnets. So the IPs on the PCs do not change as they get moved to the other vlan.
    If you run some tests you will see that the sensor will see all traffic between the PC in the new vlan talking to either of the PCs in the original vlan. But you will also find that if the 2 PCs in the original vlan talk to each other, the sensor is unlikely to see that traffic (on occasion it will, but the sensor is just receiving a copy during broadcast and multicast situations).
    Typical deployments will have something like a firewall in the original vlan, and the Internal network machines moved to the new vlan. Or if the switch itself is routing, then the switch will have its ip address on the original vlan, and all of the other machines will be moved to the new vlan.
    You also have the option of creating additional inline vlan pairs. To do this just create a new vlan for every original vlan where you want to add inline vlan pair monitoring.
    Then just add those vlans to the trunk allowed vlan command and create the pair in the sensor configuration.
    So let's say you also wanted to pair vlans 104 and 105 together. Then the command would look like:
    switchport trunk allowed vlan 100-101,104-105
    Your question about how do you keep the unneeded vlans from propagating is answered by that same command above. The "allowed vlan" list will restrict the trunk to only carrying those vlans listed.
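
    The consistency the post above asks for between the trunk's allowed-VLAN list and the sensor's inline VLAN pairs can be checked mechanically. The following Python check is an added example, not part of the original post and not Cisco tooling; the function names and finding codes are hypothetical, the sample config is constructed from the post's own stanza, and the unpaired-VLAN rule relies on the Cisco documentation sentence quoted in the "IDSM-2 inline VLAN pair mode" thread on this page.

```python
import re

# Constructed sample input: the switch-port stanza from the post, using the
# allowed list the post gives once the second pair (104/105) is added.
SAMPLE_SWITCH_CONFIG = """\
interface GigabitEthernet1/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 100-101,104-105
 switchport mode trunk
 no ip address
 no shutdown
"""
# Constructed sample input: the inline VLAN pairs configured on the sensor.
SAMPLE_SENSOR_PAIRS = [(100, 101), (104, 105)]


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '100-101,104-105' into a set of ints."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        low, _, high = part.partition("-")
        first, last = int(low), int(high or low)
        if not 1 <= first <= last <= 4094:
            raise ValueError("bad VLAN range: %r" % part)
        vlans.update(range(first, last + 1))
    return vlans


def parse_trunk_port(config_text):
    """Read mode, native VLAN and allowed-VLAN set from one interface stanza."""
    port = {"mode": None, "native": 1, "allowed": None}  # IOS native default is 1
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"switchport mode (\S+)", line)
        if m:
            port["mode"] = m.group(1)
        m = re.fullmatch(r"switchport trunk native vlan (\d+)", line)
        if m:
            port["native"] = int(m.group(1))
        m = re.fullmatch(r"switchport trunk allowed vlan (add )?([\d,\- ]+)", line)
        if m:
            vlans = expand_vlan_list(m.group(2))
            if m.group(1) and port["allowed"] is not None:
                vlans |= port["allowed"]  # 'add' extends the existing list
            port["allowed"] = vlans
    return port


def audit_inline_vlan_pairs(port, pairs):
    """Return (code, detail) findings; an empty list means the two sides agree."""
    findings = []
    if port["mode"] != "trunk":
        findings.append(("NOT_TRUNK", "mode is %s; the post forces trunk" % port["mode"]))
    owner = {}
    for a, b in pairs:
        if a == b:
            findings.append(("BAD_PAIR", "VLAN %d is paired with itself" % a))
        for vlan in (a, b):
            if vlan in owner and owner[vlan] != (a, b):
                findings.append(("VLAN_REUSED", "VLAN %d is in two pairs" % vlan))
            owner.setdefault(vlan, (a, b))
            if vlan == port["native"]:
                findings.append(("NATIVE_IN_PAIR",
                                 "VLAN %d is the native VLAN; the post keeps it unpaired" % vlan))
    paired, allowed = set(owner), port["allowed"]
    if allowed is None:
        findings.append(("NO_ALLOWED_LIST", "trunk carries every VLAN to the sensor"))
        return findings
    for vlan in sorted(paired - allowed):
        findings.append(("PAIR_NOT_ALLOWED",
                         "VLAN %d is paired on the sensor but filtered off the trunk" % vlan))
    for vlan in sorted(allowed - paired):
        findings.append(("UNPAIRED_ON_TRUNK",
                         "VLAN %d reaches the sensor unpaired and is dropped there" % vlan))
    return findings


if __name__ == "__main__":
    port = parse_trunk_port(SAMPLE_SWITCH_CONFIG)
    for code, detail in audit_inline_vlan_pairs(port, SAMPLE_SENSOR_PAIRS) or [("OK", "consistent")]:
        print(code, detail)
```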

  • When inline IPS's are powercycled...

    using the CLI (or gui) reset command, will network traffic continue to pass through if the IPS is configured for inline mode?
    I know i could find out in a matter of minutes, but i'd rather not mess with our live network ;)

    The HW ByPass Switches generally have both Electronic and Mechanical mechanisms for controlling the ByPass functionality.
    The Electronic Mechanisms are what the HW ByPass Switch will use while it is receiving power. It will electronically be monitoring the link between the itself and the 2 sensor ports (the 2 sensor ports being used for inline monitoring).
    If the link goes down, then the HW ByPass Switch can electronically detect the link down, and will ByPass the sensor.
    If, however, the HW ByPass Switch itself loses power, then this is when the Mechanical mechanism kicks in.
    On power loss the HW ByPass Switch will immediately lose any link to the sensor (ByPassing the sensor regardless of whether or not the sensor is up).
    And mechanically the other 2 interfaces of the HW ByPass Switch (the 2 connected to the other devices, aka the switches and/or routers and/or firewalls) will connect to each other and act like a simple wire. The HW ByPass Switch turns into just an expensive wire when it loses power.
    So the HW ByPass Switch is capable of passing traffic when it loses power. It will not send traffic to the sensor when it has lost power, but will allow the other 2 devices to send traffic to each other (hence the ByPass).
    Now I see there has been confusion between a Tap and a HW ByPass Switch.
    These are 2 separate pieces of hardware.
    A TAP is used only for promiscuous monitoring. It only Copies packets to the sensor, and can not be used with an InLine sensor for InLine monitoring.
    A HW ByPass Switch is only used for InLine monitoring. It sends the real packet through the sensor, and so can not be used with a promiscuous sensor because all packets would go to the sensor and never come back to the HW ByPass Switch.
    Some of the confusion is that some vendors like NetOptics produce both Taps and HW ByPass Switches. So when you go to make your purchase you will need to be very clear on whether you want a Tap for promiscuous monitoring or a HW ByPass Switch for InLine monitoring.
    What you will also find out is that the technology for Taps and for HW ByPass Switches are complementary. And it would not surprise me that in a year or 2 you would start seeing hybrid boxes that can be configured to work as a Tap OR a HW ByPass Switch (similar to how Cisco IPS Sensors can be configured for promiscuous IDS or inline IPS)

  • 5515x inline IPS questions...

    I'm attempting to configure an IPS for my first time and have a few questions... I went through Cisco's quick start guide and it appears that the ASA management and IPS management can have separate IPs on the same management interface, is that correct?
    I already have an ASA in use on my network and just want to add the 5512x IPS behind my ASA firewall to check for intrusion attempts. Could someone give advice on the best way of implementing this? I do not have a separate management network so I'm not sure if I should be using the management port at all. For the IPS to act as inline, would I configure 2 interfaces on the ASA, 1 going to my firewall ASA and the other interface going to my internal network? I only want the IPS device to act as an IPS, I don't need the firewall capabilities.
    Thanks for any advice!

    just to bring a different design into the game: Can't you replace your actual ASA with the new one that has IPS enabled? That will give you a much simpler design.
    If you really want to separate the two functions then the IPS-ASA doesn't need a dedicated management interface. Just connect it to your internal network with an IP-config that matches that network.
    The inline-config is as you wrote, one interface to the ASA, one interface to the internal network. As you only want IPS on the new device and no firewalling you could also configure state-bypass on the ASA that does IPS.
    Sent from Cisco Technical Support iPad App

  • Sample configuration of IME 7.0 with NME-IPS-K9 and How to get licence for NME-IPS-K9?

    Dear all,
    I already installed NME-IPS-K9 with Cisco Router 2821 series successfully and I used IME (Cisco IPS Manager Express 7.0.1) to configure NME-IPS-K9 but I have never tried this before. I have some issues I need everyone's help with:
    1. Could you share a sample for configuring IME with NME-IPS-K9 to monitor and manage all network traffic or packets that attack NME-IPS-K9?
    2. Could you show me how to get licence for NME-IPS-K9?
    Thanks everyone for your time to help me and share your great ideas.
    I really appreciate it and am looking forward to hearing a response from you all.
    With my warm regards,
    Sarem Phy
    H/P:092562530

    CPU 100% on the NME-IPS module is normal. It will always show 100%. CPU on IPS is not related to the inspection load.
    To check if the IPS module is overloaded, please check the "Inspection Load" speedometer.

  • [Non IE Regression] Support for full screen mode with multiple monitors

    This seems to be a regression with Flash Player v11.2.202.x (for all other browsers).
    With Internet Explorer it is still working.
    http://kb2.adobe.com/cps/890/cpsid_89050.html
    == Support for full screen mode with multiple monitors ==
    Full screen content will remain in full-screen on secondary monitors, allowing users to watch full-screen content while working on another display.
    Tested on Windows 7 x64 SP1 with:
    - Internet Explorer 9
    - Firefox Release, Beta, Aurora, Nightly
    - Opera 12 build 1116
    In bugbase.adobe.com I cannot choose v11.2.x

    Please vote for it If you have the same problem:
    https://bugbase.adobe.com/index.cfm?event=bug&id=3016912
    Thanks

  • How to set different nr of e.g dia wp for different op.modes when in instan

    I wonder how to set different nr of e.g dia wp for different op.modes when in instance profile the nr of wp is fixed.
    thx in advance

    yes u can create the operation mode by using tcode rz04. the steps are:-
    1) run the tcode :- rz04
    2) select the operation mode then click on create instance (create ur instance for eg :- day mode and night mode)
    3) click on operation mode select the timetable then select normal operation(24 hr)->assign the modes (means select the time by double click and then right click on that select assign and give the mode eg:- day mode ) same way give another modes. In case there is any problem then please let me know.
    4) go to back -> click on instance/operation mode ->select create new instance->give the host name & click on current setting and save it the dialog window will appear give the operation mode name eg day mode then if you want to increase or decrease the work process by clicking on + and - tab u can change it after that save it the WP authorization some kind of this window will appear click on yes then new instance mode will appear give the instance name eg night mode then save it again dialog window will appear do changes in work process according to ur requirement and click on save again the same wp window will appear if u want to add more operation mode then click yes either no then save it . Now u will able to see ur all operation modes.
    operation mode setup
    http://help.sap.com/saphelp_nw70/helpdata/EN/c4/3a5e76505211d189550000e829fbbd/content.htm
    Operation Mode Switches
    http://help.sap.com/saphelp_nw04/helpdata/en/c4/3a5f1f505211d189550000e829fbbd/content.htm
    Note 39412 - How many work processes to configure
    cheers
    dEE

  • Nokia 5800 - No Support for TV out-mode?

    I just recently realised that that is true for my set... That there is no support for TV out-mode... I've tried, audio comes out from my TV speakers but there is no visual. Is there anything at all that I can do to utilise this feature? I have after all been supplied with the wires and all...

    The Whole Story As Below, Anyone Can Help?
    [THREAD ID:1-3T7CFIN]
    SR 1-8296203408
    Dear Mr. Xh,
    Thank you for emailing Nokia Careline.
    In response to your email, your concern has been noted. We know that our supplier is doing everything in their power to remedy the situation. We suggest to check with your dealer if they have a policy regarding exchanges. We do apologize for the inconvenience caused.
    You may like to visit our website at www.nokia.com.my for more information and support for your Nokia device. If you have further enquiries, please write to us again or contact Nokia Careline at 1300 881600. We operate between the hours of 8.00am and 8.00pm, seven days a week.
    Kind regards,
    Ana V.
    Nokia Careline
    Do you know you can now update your phone software at your own convenience? Visit www.nokia.com.my/support to check if your phone model is supported and download the "Nokia Software Updater".
    -----Original Message-----
    From: 
    Sent:  03/10/2009 11:02:40 PM
    To:  [email protected]
    Subject:  Re: Nokia -Nokia 5800 Xpress Music - Tv- Out Inquiry
    Dear Nokia Careline,
    The "No Return Policy" already be used here. Seem that I have no choice to go for other alternatives. Maybe I have to file the case to our local authority i.e. Tribunal Court Claim to exercise my consumer right here.
    Perhaps, further blogs at Nokia discussion column, facebook, twitter might help to let others understand more about so-called Nokia Careline entertain their loyal customer.
    If you insist your stand there, then I am always ready to go for my alternatives.
    I won't let go unless you could satisfy me.
    --- On Thu, 10/1/09, [email protected] <[email protected]> wrote:
    From: [email protected] <[email protected]>
    Subject: Nokia - Nokia 5800 Xpress Music - Tv- Out Inquiry
    To:
    Date: Thursday, October 1, 2009, 3:39 AM
    Reference No.: SR# 1-8296203408
    Dear Mr. X,
    We appreciate your prompt reply.
    We will be noting for concern as a feedback. However, please be informed Mr. Tan that Nokia has noted in the box regarding the said case.
    The outage experienced by our sub-supplier was quite unexpected. Typically, the lead time for components such as this one is fairly long, and one cannot react to sudden changes at short notice. We value our relationship with our suppliers and sub-suppliers, and know that our sub-supplier is doing everything in their power to remedy the situation and return to regular supply.   
    The lack of TV out should not affect any other device functionalities besides that you will not be able to show/transmit pictures or video to external monitor/screen.
    As Nokia does not have a replacement policy, we suggest to check with your dealer if they have a policy regarding exchanges.
    Apologies for any inconvenience.
    You may like to visit our website at www.nokia.com.my for more information and support for your Nokia device. If you have further enquiries, please write to us again or contact Nokia Careline at 1300 881600. We operate between the hours of 8.00am and 8.00pm, seven days a week.
    Kind regards,
    Nicky E.
    Nokia Careline
    Do you know you can now update your phone software at your own convenience? Visit www.nokia.com.my/support to check if your phone model is supported and download the "Nokia Software Updater".
    [THREAD ID:1-3T7CFIN]
    -----Original Message-----
    From: 
    Sent:  30/09/2009 10:32:05 PM
    To:  [email protected]
    Subject:  Re: Nokia - Nokia 5800 Xpress Music - Tv- Out Inquiry
    Dear NOKIA CARELINE,
    Yap, you can tell me leaflet included & a tiny label on the pack box. But who will really check every single area of the pack box & read the whole manual or leaflet when they decided to buy the phone. What normally customer will check is the handphone and the accessories. Now you are telling me that customer have to check everything even they  buy something from a reputable company like Nokia. If I going in a shop that sell a China like Nokia 5800 handphone and I bought it then I won't have a say here at all.
    I have checked with my retailer they allow me to return the unit but I can't get full refund from them. They are going deduct a couple of hundred cause they said the unit is considered used unit now. According to them instead of asking customer to wait they prefer to refund the customer. So who is going to bear for the cost now.
    I certainly frustrated by getting a unit that without TV out function. If you are telling me that once manufactured the feature could not be added in, then I would say if you do have a unit with TV-out feature now you could exchange directly to your customer. Why still ask your loyal customer like me to refer to dealer or retailer. Is that what you mean after sales service or NOKIA CARELINE. You don't even care in the first place.
    Your apologies certainly couldn't be accepted with reason of Nokia did include leaflet to inform and tiny sticker at the bottom of the pack box. Sound irresponsible to me at all.
    What I wanna your care now, that is pls exchange a unit with TV-out feature with mine in which without such feature. Do I really put the CARELINE into difficulty position. Your reply to me is highly appreciated and also to show that you care or don't care.
    Regards,
    XX
    --- On Wed, 9/30/09, [email protected] <[email protected]> wrote:
    From: [email protected] <[email protected]>
    Subject: Nokia - Nokia 5800 Xpress Music - Tv- Out Inquiry
    To:
    Date: Wednesday, September 30, 2009, 5:14 AM
    Reference No.: SR# 1-8296203408
    Dear Mr. X,
    Thank you for emailing Nokia Careline.
    Greetings!
    In response to your inquiry, please be informed Mr. Tan that due to a component shortage, a limited number of Nokia 5800 Xpress Music has been manufactured without the TV-out functionality. It is possible that you have one of these devices. In that case, the sales package should have a sticker on the package and a leaflet inside the package that inform about the lack of TV-out functionality. Also, the TV-out cable has been removed from the affected sales packages.   
    Kindly take note Mr. Tan that it is not possible to add the feature after the device has been manufactured. Therefore we have labeled the affected sales packages with a sticker and included a leaflet that inform about the lack of TV-out functionality. Those individuals who wish to have the TV-out functionality should wait for a sales package that has it again.
    The new batch of phones should have the feature back. As this matter is clearly stated in the sales package, it is not possible to return to Nokia. However, you may check with your dealer if they have a policy regarding the return of the unit in exchange for a version that has the TV-out feature. Those individuals who wish to have the TV-out functionality should wait for a sales package that has it again.
    Apologies for any inconvenience.
    You may like to visit our website at www.nokia.com.my for more information and support for your Nokia device. If you have further enquiries, please write to us again or contact Nokia Careline at 1300 881600. We operate between the hours of 8.00am and 8.00pm, seven days a week.
    Kind regards,
    Nicky E.
    Nokia Careline
    Do you know you can now update your phone software at your own convenience? Visit www.nokia.com.my/support to check if your phone model is supported and download the "Nokia Software Updater".
    [THREAD ID:1-3T7CFIN]
    -----Original Message-----
    From: 
    Sent:  30/09/2009 09:04:38 AM
    To:  [email protected]
    Subject:  WebForm Automated Email
    [Message:I bought a unit of Nokia 5800 last week for my wife. I discovered that the unit I bought is without TV support because when I tried to connect the TV cable that I bought. I tried to check the manual & pack box then only noticed a small label on the pack box stated no TV out supported. The retailer informed me that they only aware about this when I complained to them. I checked the discussion blogs, some stated because of worldwide component shortage so such function being omitted. I can't accept such explanation because I feel like I was being cheated by Nokia. Am I buying a pirated product now. Oh come on, how could Nokia so irresponsible to deliver the product with incomplete function since TV out in general or earlier batch was included. Could you imagine if next time the product is delivered without GPS function, camera support, wifi & etc. by giving excuses of worldwide component shortage. What's the different buying a China Imitation Product now. I certainly wanna to return my unit if such function was omitted. Please reply your loyal customer ASAP.]
