"Global Correlation" = Critical - Cisco AIP-SSM-20

We are getting this error on both IME and IDM. What causes this, and how does one resolve it?
We are also not getting new events in IME - could this be related to the problem?

Correct. The sensor must operate in Inline mode so that the Global Correlation features can increase efficacy by being able to use the inline deny actions.
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/ime/ime_collaboration.html

Similar Messages

  • Cisco ASA SSM-10 Global Correlation critical

    Hello,
    I have a high value for the Global Correlation parameter, which I generated, and my IPS module is alarmed; how can I reset this value?
    Additionally, the automatic updates do not work properly in the module. What could be the problem?
    Thanks for your help.

    Ensure DNS is configured on the sensor. It will need to communicate to receive updates. Also ensure you have a valid license.
    Sent from Cisco Technical Support iPhone App

  • IPS-4420 Global Correlation status critical

    How do I check whether the Global Correlation license is there or not on the IPS 4420?
    In the IDS 4420 IDM event monitor page I am facing the two problems below:
    1. Event Retrieval       =========== Critical
    2. Global Correlation  =========== Critical.
    I configured the IPS box to get to the Internet without a proxy. But I don't know how to check whether the IPS is connected to the Cisco Global Correlation server.
    Why is it showing critical on Event Retrieval and Global Correlation?

    Are you planning to use the Global Correlation feature?
    Here is the information on Global Correlation for your reference:
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_collaboration.html
    If you don't want to use that feature, you can disable it in the sensor health metric section so it's not showing Critical.
    Similarly, for Event Retrieval, you can just disable that in the sensor health metric section. This is only useful if your IPS events are retrieved by an external monitoring system, e.g. IME.
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_sensor_management.html#wp2117358
    Message was edited by: Jennifer Halim

  • SSM-AIP 7.0(1) Global Correlation config nightmare!

    Thanks, Cisco, for creating a Management nightmare with your "Global Correlation" option in version 7.0...
    Let's start with the SSM-AIP-20 Management interface...
    We have an OOB Management network, with a single POI into this through a separate PIX515E appliance. Both the ASA5540 AND the SSM-AIP-20 reside on this network.
    The first issue was in Routing, since the ASA sees the Management network as "directly attached", and we ROUTE the traffic through the PIX for updates on the SSM module, we had to add translation entries in the PIX515E for the SSM module (10.x.x.x Management, 172.x.x.x translated).
    This was not a big issue, but here is where the nightmare begins...
    First a note: We have the Management network locked down TIGHT, only a couple of Network Management stations allowed into that network to access these devices.
    I enabled Global Correlation in test mode, but it "failed" every time it tried to update. Reading other posts, I created ACL and Static NAT in the PIX515E for these IPs:
    204.15.82.17 (IP listed in the IME Global Correlation update server)
    97.65.135.170 and .137 (from another post in these forums)
    207.15.82.17 (IP found in a trace)
    Still no updates. Looking in the PIX logs, I found "no translation" entries for the following addresses:
    198.133.219.25
    209.107.213.40
    208.90.57.73
    I put these in, and it started updating! FIXED? NOT!
    This morning, it was again failing... Looked in the PIX logs again, and found these:
    77.67.85.33
    77.67.85.9
    Entered them, and the SSM is happy again. How long? Who knows?
    So, now I have NINE holes in my "secure" network, and who knows when Cisco will change or add new IP addresses to this list.
    Cisco, if you are listening - ALL access to/from the Global correlation through a single IP? PLEASE?
    (use the one listed in the IME - 204.15.82.17, for the URL "update-manifests.ironport.com")

    A few of the addresses belong to Cisco (originally ironport.com addresses from the IronPort acquisition) and are used as manifest servers to provide the sensor a list of files to download.
    The sensor then downloads those files from Akamai servers. Akamai has a large number of servers across the world. Cisco sends the update to Akamai and they replicate it across their servers. When sensors try to connect to the Akamai server it does a DNS query and by controlling the DNS response it can direct sensors to an Akamai server located nearer to the sensor. This allows for better load balancing, response times, and download speeds.
    However, Akamai has a large number of servers (in the thousands I think) world wide, and you can't predict which server your specific sensor will be directed to.
    Sensor connections to the Cisco servers for the manifest (file list) are on port 443, and usually to update-manifests.ironport.com URLs.
    Sensor connections to the Akamai servers for the actual file downloads are on port 80 and usually to updates.ironport.com URLs.
    The above is all based on my limited understanding of how the updates work. I may have gotten a few details wrong, but should at least give you a general idea.
    I will be working with development to get this better documented in Release Notes and Readme with the next IPS software release.

  • Single AIP-SSM in Cisco ASA Failover Active / Standby Mode

    Hi,
    Can I add a single AIP-SSM to a Cisco ASA in failover active/standby mode?

    No, both units need the same hardware, that includes the installed modules.
    Sent from Cisco Technical Support iPad App

  • CISCO IPS Global Correlation

    Hi,
    While enabling Global Correlation, I understood that we need to configure a proxy or DNS.
    Also, I think we need to open the ports (80/443) on the firewall for the management IP address of the IPS to reach the Cisco sensor database. If I'm correct, what about the destination IP: do we need to allow "any", or is there a specific IP?
    ACL:
    Source (IPS Management IP) -> Port (80/443) -> Destination?

    Hi,
    Global correlation features only contain external IP addresses, so if you position a sensor in an internal lab, you may never receive global correlation information.
    Source (IPS Management IP) -> Port (80/443) -> Destination is https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
    Regards
    Rajeswar

  • Correlating Cisco ASA-SSM-IPS Events/Logs

    I have just configured a Cisco ASA-SSM-IPS10. An exciting feature of this device is the ability to monitor, analyse, and correlate security events. Can anybody help with documentation to simplify daily (or periodic) analysis and correlation of the IPS logs? As I am not yet up to speed with this task, a "How-to" document would be just fine. Thank you.

    Hi Chris,
    Good to have you get on the case. I am yet to set up any IPS manager software. Presently, I use the ASDM 6 interface; with this interface, I am able to view events and alerts, and perform other administrative chores... Does IPS Manager Express come bundled with our device purchase? Does it contain the necessary templates/docs for correlating events/logs?

  • Cisco IPS (global correlation) is downloading lots of updates from the iron-port website

    I have query on Global correlation.
    Following is the observed behavior
    Scenario 1:
    Global Correlation Inspection: ON (Standard)
    Reputation Filter: ON
    Result: Global correlation downloads in bytes or KBs (observed on proxy)
    Scenario 2:
    Global Correlation Inspection: OFF
    Reputation Filter: ON
    Result: Global correlation downloads 4-5 MB every 5 Minutes (observed on proxy)
    This behavior has been observed on both IPS devices one by one. What we wanted clarity on is why global correlation downloads so much data when it is OFF, and downloads only minimal data when ON. The equation does not seem to be right.
    Request you for your prompt response.
    Regards,
    Neal

    Both global correlation and reputation filtering retrieve updates from the SensorBase network, or IronPort. By default, they communicate with the network every five minutes. This value cannot be changed by the IPS administrator.

  • Cisco IPS 4240 VS Cisco ASA AIP SSM-10 Modula

    I'm looking to replace another vendor's IPS system we have at our company. We do have an ASA 5510 in our environment currently.
    Considering I don't need the extra bandwidth of the IPS 4240 series and the AIP SSM-10 requires an ASA 5510 what are the differences?

    Operationally the AIP-SSM1 and the 4240 run the same software, so they work pretty much the same.
    The AIP-SSM inside the ASA is a less expensive alternative, but because it sits inside an ASA there is more to configure and manage (the ASA plus the sensor). The ASA also has some built-in inspections that may filter some traffic/attacks from being seen at the AIP-SSM sensor.
    - Bob

  • Global correlation can't be updated

    The version is IPS 7.0, asa5520-aip-ssm.
    Signature and IME can be successfully updated,
    Global correlation can't be updated,
    the status of global correlation is Critical.
    I saw the website
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/ime/ime_collaboration.html#wp1053280
    and updated following the web page. But it does not work.
    How could I update global correlation
    or go back old sensorbase?

    The output provided clearly indicates that the AIP-SSM is unable to resolve the update server address.  The server name update-manifests.ironport.com is not user configurable.
    Do you have more than one DNS server configured?  If so, disable all but the primary DNS server.
    If you only have one DNS server configured, please verify the AIP-SSM's management IP address has unrestricted access to the Internet.  (At a minimum TCP ports 80 and 443 and UDP port 53).
    Scott

  • Activating IPS AIP-SSM

    Hello Everyone,
    Some time ago we purchased a couple of ASA5510s with the IPS aip-ssm modules in them. I got them installed and got the VPNs running, but never activated the IPS module on them.
    I am getting ready to get the IPS modules going. But, don't I need some type of subscription so that the IPS module can download signature updates?
    Does anyone know what the part number on that subscription is? I am seeing listings for "content security plus" licenses, but I think that is something different. I am also seeing licenses for Botnet traffic filter licenses. But, again, I am not sure if that's the right one.
    Thanks,
    Ben

    You will need a subscription license in order to take advantage of signature and Global Correlation updates. The official name for this license is "Cisco Services for IPS".  Take a look at the following Q&A doc which covers some of the part numbers.
    http://www.cisco.com/en/US/services/ps2827/ps6076/services_qa0900aecd8022e962.pdf

  • Why my IPS - aip-ssm send requests to 80.53.146.82 port 80

    I have a web proxy, tunnel filters, and an AIP-SSM inside the network. I configured host service, network settings and http-proxy to use my proxy when updating global correlation.
    On the proxy I allow https to 204.15.82.17 (ironport service).
    In the proxy log I see that https to 204.15.82.17 is allowed, and after that the IPS tries to send http packets to 80.53.146.82. I see in RIPE that this is an Akamai Technologies IP address.
    What is this?
    Why does my IPS AIP-SSM send requests to 80.53.146.82 port 80?

    This is the new 7.x Global Correlation feature, and it is documented here:
    http://www.cisco.com/en/US/docs/security/ips/7.0/release/notes/18483_01.html#wp1161779
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_collaboration.html
    AFAIK, you can turn off this feature as per your discretion. Cisco has adapted the IronPort SenderBase technology to their IPS as well. It's a pretty interesting feature, I hope it becomes as successful as the one for mail traffic.
    Please rate if helpful.
    Regards
    Farrukh

  • Global correlation events

    I have an ASA 5510 with an SSM-10 module. I have global correlation turned on and updating. When I look at the dashboard's "Global Correlation Report" I see packets that have been denied by global correlation. Can someone tell me how global correlation events are logged? I'd like to be able to see the raw data associated with the global correlation.
    Thanks.

    Hi,
    Take a look at this:
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_collaboration.html#wp1065809
    As can be seen, whenever "global correlation" causes any kind of action to be taken by the IPS it produces an alert, unless the packet is being denied by "reputation filtering", which does not produce any kind of alert. Also, "This feature only applies to global correlation inspection where the traffic is allowed if no specific signature is matched".
    I am not sure of all those fields in the alert but I have seen at least some of them. If you are not seeing any alerts with those fields, then global correlation may not be seeing any instances where it has had to modify the risk ratings and take appropriate actions, that is, you may not be receiving any such packets from malicious hosts at all in the first place.
    Also, if you have "reputation filtering" on, you might want to turn it OFF to ensure it is not causing this behavior.
    Regards,
    Prapanch

  • Global Correlation and Application Failed

    Hi, People.
    I have IPS4270-20-K9 with version 7.0(3)E4 and signature version 572.
    In Sensor Health show me a problem critical, with:
    - Application Failed
    - Global Correlation
    sensor#sh statistics global-correlation
    Error: getGlobalCorrelationStatistics : ct-collaborationApp.459 not responding, please check system processes - The connect to the specified Io::ClientPipe failed.
    How do I resolve these problems?
    Tks.

    That error message indicates that one of the software processes required for the Global Correlation feature (CollaborationApp) is not responding (stopped/crashed, hung, etc.). You will need to reboot ("reset") the sensor to restore the process to a "Running" status.
    There are multiple defects present in the version of software you are running (7.0(3)E4) that are likely culprits/causes that were fixed in subsequent releases (7.0(4)E4 and 7.0(5a)E4). After you have rebooted the sensor and restored it to service, you can upgrade to a fixed release (7.0(5a)E4).

  • Global-correlation does not update.

    Hi all,
    I have a problem updating the global-correlation. I do get updates for the signatures in the IPS, but see the output below regarding the global-correlation:
    ==========================================
    show statistics global-correlation
    Network Participation:
       Counters:
          Total Connection Attempts = 0
          Total Connection Failures = 0
          Connection Failures Since Last Success = 0
       Connection History:
    Updates:
       Status Of Last Update Attempt = Failed
       Time Since Last Successful Update = never
       Counters:
          Update Failures Since Last Success = 8
          Total Update Attempts = 8
          Total Update Failures = 8
       Update Interval In Seconds = 300
       Update Server = update-manifests.ironport.com
       Update Server Address = 204.15.82.17
       Current Versions:
          config = 0
          drop = 0
          ip = 0
          rule = 0
    Warnings:
    ===========================================
    Hardware used:
    asa-ssm-10 (version 7.0(4)E4)
    ASA-5520(version 8.4(1))
    I see all traffic passing the firewall and ISP-routers.
    I hope someone can help me with this issue or some pointers.
    Thanks in advance,
    Erik Verkerk.

    Hi Jennifer,
    Good to hear we do not have to buy an additional license and that global-correlation is included in version 7.0.
    Thanks for your suggestion "access to internet", I did a re-re-recheck of my configuration and found out that I had a "little routing issue in one of my routers". I solved this and now it is working.
    ===========================================
    sh statistics global-correlation
    Network Participation:
       Counters:
          Total Connection Attempts = 0
          Total Connection Failures = 0
          Connection Failures Since Last Success = 0
       Connection History:
    Updates:
       Status Of Last Update Attempt = Ok
       Time Since Last Successful Update = 2 minutes
       Counters:
          Update Failures Since Last Success = 0
          Total Update Attempts = 269
          Total Update Failures = 268
       Update Interval In Seconds = 300
       Update Server = update-manifests.ironport.com
       Update Server Address = 204.15.82.17
       Current Versions:
          config = 1236210407
          drop = 1300274962
          ip = 1300276386
          rule = 1300221126
    Warnings:
    =================================
    Thanks for your time and help.
    Thanks,
    Erik Verkerk.
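Several threads above (Erik's before/after output, Scott's DNS advice) turn on reading `show statistics global-correlation` by eye. The following is an added example, not code from Cisco or any poster: it parses that output and classifies update health, using the same hints the replies give (no resolved server address points at sensor DNS; a resolved address with all feed versions still at 0 points at the TCP 443/80 path from the management IP). The sample output is constructed to match the shape shown in the thread.

```python
# Added example (not Cisco's or the posters' code): parse the output of
# "show statistics global-correlation" and classify update health.
import re

FAILED_SAMPLE = """\
Network Participation:
   Counters:
      Total Connection Attempts = 0
Updates:
   Status Of Last Update Attempt = Failed
   Time Since Last Successful Update = never
   Counters:
      Update Failures Since Last Success = 8
   Update Server = update-manifests.ironport.com
   Update Server Address = 204.15.82.17
   Current Versions:
      config = 0
      drop = 0
      ip = 0
      rule = 0
Warnings:
"""

def parse_gc_stats(text):
    """Collect 'key = value' pairs from the Updates section; feed versions go under 'versions'."""
    stats, section = {}, None
    for line in text.splitlines():
        body = line.strip()
        if body.endswith(":") and not line.startswith(" "):
            section = body[:-1]                      # top-level section header
            continue
        m = re.match(r"([\w ]+?)\s*=\s*(.*)$", body)
        if m and section == "Updates":
            key, val = m.group(1), m.group(2).strip()
            stats[key] = int(val) if val.isdigit() else val
    stats["versions"] = {k: stats.pop(k) for k in ("config", "drop", "ip", "rule") if k in stats}
    return stats

def assess(stats):
    """Return (state, hint); the hints follow the replies in the thread above."""
    status = stats.get("Status Of Last Update Attempt", "unknown")
    failures = stats.get("Update Failures Since Last Success", 0)
    addr = str(stats.get("Update Server Address", ""))
    if status == "Ok" and failures == 0:
        return "ok", "last update succeeded"
    if not re.fullmatch(r"\d+\.\d+\.\d+\.\d+", addr):
        return "failed", "update server name not resolved; check sensor DNS"
    if stats["versions"] and all(v == 0 for v in stats["versions"].values()):
        return "never-updated", ("name resolved but no manifest ever fetched; "
                                 "check TCP 443/80 egress from the management IP")
    return "stale", f"{failures} failures since last successful update"

if __name__ == "__main__":
    print(assess(parse_gc_stats(FAILED_SAMPLE)))
```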
