IDS/IPS 4250, two sensors, connection status Paused

Hi,
I have VMS 2.3 and SecMon 2.2 and two IDSs in there. I have noticed that the connection status for the sensors has changed from "Connected TLS" to "Paused". I have gone through the database truncation process and all file sizes are good, but I am still having issues.
I deleted the sensors from the SecMon and added only one sensor; the connection status changed back to Connected, but it was set to Paused within one hour of adding the one sensor.
I can log in to the sensor, I can ping the VMS server from the IDS command prompt and the IDS from the VMS DOS prompt. I have done everything possible to change this condition but none of it has so far worked.
Any thoughts?
Thx,
Masood

Connection states for RDEP devices are written into a table in the database by the receiver collector object. This means that if the receiver thread hangs or is not currently running, whatever state was last written to the table will be displayed.
"Paused" means that the collector for this device is waiting for the system to clear a large backload of data that is waiting to be inserted into the database. This can occur if the rate of flow of events temporarily overwhelms the receiver and usually indicates that the database has grown too large (more than 2 million IDS or Syslog events) or the system is very busy (servicing event viewer, generating reports, pruning, etc.). It usually takes several minutes (fifteen or more) for the system to recover to the point where it can begin collecting events again.
What sounds like it happened here is that the sensors were offline, or at least were not getting events from the MC for a period. Then when you reconnected them, the events began to be processed by the receiver process, which in turn caused the 'Paused' state. As I mentioned above, once it catches up with event processing you should be ok. Of course you'll want to ensure that you regularly prune your IDSMC/SecMon database to prevent this from happening again.
You may also want to look at and see how much you're logging. You may still need to tune your signatures down as well, and you should not have every signature enabled.
You should also look to upgrade your IDS/IPS software (you didn't mention what version you're on) to the latest service pack (4.1.5 for 4.x and 5.0.5 for 5.0.x).
Thanks,
Jeff
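The receiver/collector behaviour Jeff describes (the connection state written to a database table, "Paused" while an insert backlog drains, a stale table value when the receiver thread hangs, and pruning once the event table grows past 2 million rows) can be modelled in a few lines. This is an added illustration, not VMS/SecMon code: the PAUSE_BACKLOG, RESUME_BACKLOG and STALE_SECONDS thresholds, the class names and the in-memory StateTable are assumptions; PRUNE_EVENTS is the 2 million figure from the reply.

```python
"""Toy model of the RDEP receiver/collector behaviour described above.

Added illustration, not Cisco VMS/SecMon code. PAUSE_BACKLOG, RESUME_BACKLOG,
STALE_SECONDS, the class names and the in-memory StateTable are assumptions;
PRUNE_EVENTS is the 2 million figure from the reply.
"""
from dataclasses import dataclass, field

PAUSE_BACKLOG = 10_000      # assumed: backlog at which the collector stops taking events
RESUME_BACKLOG = 1_000      # assumed: backlog at which it resumes ("catches up")
PRUNE_EVENTS = 2_000_000    # from the reply: database is "too large" above this
STALE_SECONDS = 300         # assumed: age after which the table value is suspect


@dataclass
class StateTable:
    """Stands in for the database table the receiver writes connection states to."""
    rows: dict = field(default_factory=dict)   # sensor -> (state, written_at)

    def write(self, sensor, state, now):
        self.rows[sensor] = (state, now)

    def read(self, sensor):
        return self.rows.get(sensor, ("Indeterminate", None))


@dataclass
class Collector:
    """One collector object per RDEP device (sensor)."""
    sensor: str
    table: StateTable
    backlog: int = 0            # events received but not yet inserted
    db_events: int = 0          # events already in the database
    state: str = "Connected TLS"
    alive: bool = True          # False models a hung or stopped receiver thread

    def receive(self, n, now):
        """Events arrive from the sensor and join the insert backlog."""
        if not self.alive:
            return              # nothing is written: the table keeps its last value
        self.backlog += n
        if self.state != "Paused" and self.backlog > PAUSE_BACKLOG:
            self.state = "Paused"
        self.table.write(self.sensor, self.state, now)

    def insert(self, capacity, now):
        """The database drains up to `capacity` backlog events per tick."""
        if not self.alive:
            return
        done = min(capacity, self.backlog)
        self.backlog -= done
        self.db_events += done
        if self.state == "Paused" and self.backlog <= RESUME_BACKLOG:
            self.state = "Connected TLS"
        self.table.write(self.sensor, self.state, now)


def displayed_state(table, sensor, now):
    """What the console shows: the last table value, flagged when the receiver
    has not written for STALE_SECONDS (thread hung or process stopped)."""
    state, written = table.read(sensor)
    if written is None or now - written > STALE_SECONDS:
        return f"{state} (stale: receiver not writing)"
    return state


def needs_prune(collector):
    """Pruning advice from the reply: keep the event table under PRUNE_EVENTS."""
    return collector.db_events > PRUNE_EVENTS


if __name__ == "__main__":
    table = StateTable()
    ids = Collector("ids-4250-1", table)
    ids.receive(50_000, now=0)                      # sensor reconnects with a backlog
    print(displayed_state(table, ids.sensor, 0))    # Paused
    for t in range(1, 11):
        ids.insert(5_000, now=t)                    # database catches up
    print(displayed_state(table, ids.sensor, 10))   # Connected TLS
```

The staleness check is the practical takeaway: because the console only ever shows the last value the receiver wrote, a "Connected TLS" that has not been refreshed for a while is as suspect as a "Paused", and the age of the row, not the word in it, is what to monitor.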

Similar Messages

  • IDS Connection status is indeterminate

    I have a Cisco 4215 IDS sensor running 5.1-3. I am trying to monitor events using Ciscoworks VPN/Security Monitoring Solution but I get a connection status of Indeterminate under the Monitoring Center, Security Monitor, Monitor, Connections. I have 29 others running 4.x with a status of Connected TLS.
    Looking on how to fix this problem.

    I found this solution under the Ciscoworks VPN/Security Management Solution FAQ and it worked.
    My Sensor shows connection status as "Indeterminate". How do I fix this?
    A. Select Server Configuration > Administration > Process Management > Process Status to check the status of the IDS_Receiver process on the VMS server. Restart the process if it has stopped. Try these suggestions if the process continues to stop automatically:
    Check the install-dir/CSCOpx/log/IDS_Receiver.log file.
    Run an audit log report that shows the IDS_Receiver subsystem messages.

  • 2 * 4260 Sensors connected to Active/standby FWSM in 6500

    4260 Sensors connected to Active/ Active firewalls
    I have the following scenario:
    We have two edge firewalls with Active/standby setup connected directly to two core switches 6500. Two new IPS sensors 4260 are required to be connected inline between the FWSM and core switches. What is the best practice design for such a scenario? Does the below diagram work fine in this case or is another design applicable?
    We use VLAN pairing.

    Are you using Inline Interface Pair or VLAN Pair?
    we will use Vlan Pair
    What is the expected throughput of the Network?
    100 mb/s
    Are these WAN firewalls or Internet?
    wan firewall (FWSM)
    Are there any server farms?
    connected 6500

  • IDS/IPS logging, and SDM replacement?

    I'm reviewing for my CCNA Security exam. I've got several books that I'm using for study materials: the Cisco Press blue softcover, CCNA Security Study Guide by Tim Broyles...
    Now, I've seen arguments about how the IDS "pulls" data. The books are unclear, and I'm trying to get a definitive answer.
    In the IDS chapter in Cisco's book, the discussion at the end of the chapter talks about how the IDS uses SDEE to pull the data. But it shows two examples of config lines, SDEE and Log, and it goes on to say that SDEE and Syslog are the protocols used to grab the alerts. But then, in the next paragraph, it says that it uses HTTP (and further says HTTPS is more secure) to gather the data.
    So, in googling to try and find resolution, I made the water murkier. I saw everything from those dreaded " I just took the exam..." and various other answers.
    I'm thinking that syslog is not a protocol. Syslog is a venue where data is stored and can be retrieved and viewed by various applications like Solar Winds, etc. So, I'm thinking SDEE uses HTTPS (which is a protocol) to grab the data. But, I want to ensure I have my ducks in a row before the exam.
    So, can someone with AUTHORITY please advise what the heck IDS uses to pull the data?
    Now the 2nd part of this concerns dreaded SDM. SDM is at v 2.5, and there have been no updates/tweaks to it. I never see anyone in the RW use it. I'm sure that there's something better out there, yet Cisco is insisting on hammering that home on their CCNA security exam. What is SDM being replaced with? What should I start working with if I want to go on and get my CCNP Security certification?
    Thanks much...testing on Tuesday

    The confusion you are seeing is because IPS (or IDS) exists on two entirely different platforms; the router IOS and the IPS sensor appliance. These two types of IPS devices are managed and report events very differently.
    The Router IOS IPS feature can report events (signature hits) via syslog (and yes, that is a real protocol, just not a very secure one for carrying sensitive information like signature events) and SDEE. The Appliance IPS Sensors can only report events via SDEE (and SNMP Traps, if optioned on a per-signature basis to do so).
    SDEE is a "pull" protocol, meaning the Sensor acts as the host and the client "asks" for signature events. This allows multiple clients to get a feed off one sensor and not have to maintain message synchronization. SDEE is an XML formatted protocol (so it's self documenting) and is carried over HTTPS.
    - Bob
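The pull model Bob describes, where the sensor holds the events and each client asks for its own batch so several consumers can read one feed without coordinating, is easy to see in code. This is an added illustration, not Cisco or SDEE-specification code: the element names (<events>, <alert>, <signature>, <attacker>, <target>) are a simplified stand-in for the real SDEE/CIDEE schema, the FakeSensor class replaces the HTTPS transport, and the sample events are constructed.

```python
"""Pull-model event retrieval in the style described for SDEE.

Added illustration, not Cisco or SDEE-specification code. The element names
are a simplified stand-in for the real SDEE/CIDEE schema, and FakeSensor
replaces the HTTPS transport: in practice the client authenticates to the
sensor over HTTPS and each request returns a batch of XML events.
"""
import itertools
import xml.etree.ElementTree as ET


class FakeSensor:
    """Keeps the event log plus one read cursor per subscription, which is why
    several clients can pull the same feed without synchronising with each other."""

    def __init__(self, events):
        self._events = list(events)
        self._cursors = {}
        self._ids = itertools.count(1)

    def open_subscription(self):
        sub = f"sub-{next(self._ids)}"
        self._cursors[sub] = 0
        return sub

    def get(self, sub, max_events):
        """Answer one client request with up to max_events unread events as XML."""
        start = self._cursors[sub]
        batch = self._events[start:start + max_events]
        self._cursors[sub] = start + len(batch)
        root = ET.Element("events")
        for ev in batch:
            alert = ET.SubElement(root, "alert", eventId=str(ev["id"]), severity=ev["severity"])
            ET.SubElement(alert, "signature", id=str(ev["sig"])).text = ev["name"]
            ET.SubElement(alert, "attacker").text = ev["attacker"]
            ET.SubElement(alert, "target").text = ev["target"]
        return ET.tostring(root, encoding="unicode")


def parse_alerts(xml_text):
    """Turn one XML response into plain dicts; the markup carries its own field names."""
    alerts = []
    for alert in ET.fromstring(xml_text).iter("alert"):
        sig = alert.find("signature")
        alerts.append({
            "id": int(alert.get("eventId")),
            "severity": alert.get("severity"),
            "sig_id": int(sig.get("id")),
            "sig_name": sig.text,
            "attacker": alert.findtext("attacker"),
            "target": alert.findtext("target"),
        })
    return alerts


class PullClient:
    """The client asks for events; the sensor never pushes them."""

    def __init__(self, sensor, batch=2):
        self.sensor = sensor
        self.sub = sensor.open_subscription()
        self.batch = batch

    def drain(self):
        """Keep asking until a request comes back empty."""
        collected = []
        while True:
            got = parse_alerts(self.sensor.get(self.sub, self.batch))
            if not got:
                return collected
            collected.extend(got)


# Constructed sample events: signature IDs, names and addresses are made up for the demo.
SAMPLE_EVENTS = [
    {"id": i, "sig": 50000 + i, "name": f"sample-signature-{i}", "severity": sev,
     "attacker": f"192.0.2.{i}", "target": "198.51.100.5"}
    for i, sev in enumerate(["low", "medium", "high", "high", "informational"], start=1)
]


def demo():
    """Two independent consumers (say a console and a SIEM) each receive the whole feed."""
    sensor = FakeSensor(SAMPLE_EVENTS)
    console, siem = PullClient(sensor), PullClient(sensor, batch=3)
    return console.drain(), siem.drain()


if __name__ == "__main__":
    for name, alerts in zip(("console", "siem"), demo()):
        print(name, [a["id"] for a in alerts])
```

The per-subscription cursor is the whole point of the design: the sensor does not need to know how many consumers exist or how far each has read, and a slow consumer never holds up a fast one.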

  • Network connection status timed out.

    I have been trying for two days to sign into the iTune store so that I can activate and sync my iPhone. I get the following message "itune store connection status failed. Network connection timed out."
    I downloaded and installed the latest version of iTunes and I still get the same error message.
    Is there anyway to resolve this?

    With Applications>Utilities>Disk Utility, run it, click on your boot drive, look near the bottom for a button that says something about Permissions..
    But I feel a better way is to get Applejack...
    http://www.versiontracker.com/dyn/moreinfo/macosx/19596
    After installing, reboot holding down CMD+s, then when the prompt shows, type in...
    applejack AUTO
    Then let it do all 5 of its things.
    At least it'll eliminate some questions if it doesn't fix it.
    The 5 things it does are...
    Correct any Disk problems.
    Repair Permissions.
    Clear out Cache Files.
    Repair/check several plist files.
    Dump the VM files for a fresh start.

  • AFP Connection Status box shows each time I launch Photoshop

    I am on a 2-computer network and whether I am off the network or on, each time I launch PhotoshopCS the AFP Connection Status box pops up with the message: Looking up "[name's] computer" (the other computer on the network). Why is this appearing and how do I get rid of it? It's the only application this happens in. I'm on a PowerBook G4; the other computer is a G5 tower. Both run OSX 10.4.xx. (When this happens I press Cancel in the dialog box and Photoshop continues to launch.)

    BDAqua, Thanks for trying to help; you're the only person who responded. I have read the two threads you sent, but I'm not seeing the similarities between these issues and mine. I don't think I changed a user short name; I went to the Users folder as suggested in one of the posts and there are three users: me, the other person whose computer I connect to sometimes, and a shared folder. The other thread looks like it has to do with someone who's ON a network and can't see the other computers. That's not my problem.
    Any other suggestions? It only happens when I launch Photoshop, and naturally I have saved something from the other computer to mine in that program, but in lots of others too.

  • Cisco CSM - Has anyone deployed it in their environment for IDS/IPS devices

    We are an MSP and are evaluating Cisco CSM to manage about 50 IDS/IPS devices. Each of these devices has their own customer signature policy.
    Does anyone use it in their production environments? Do you find it useful?
    Regarding policy management for devices that already have a signature policy, I know you can discover the policy, what we want to do is take the current discovered policy, modify it if we need to and then re-deploy it to the device. I'm finding that this is all read only once the policy is discovered.
    Is there a way to modify the signature, for example, adding a logging parameter and then re-deploy?
    Just curious if others had similar experiences with CSM.
    Thanks!

    haxworthy,
    I currently use CSM to manage a variety of IPS devices (IOS IPS, 42xx Sensors, 65xx-series blades). The policies vary on some devices. CSM works wonderfully. CSM discovers the various policies on the device on an individual basis. Policies can then be edited on a per-sensor basis or on a group level. It has worked wonderfully in our environment. A nice upgrade from the old IPSMC. Let me know if you have any other questions.
    -Mike
    http://cs-mars.blogspot.com

  • UWL at SP13 and Connection status button

    Is it just me, but if you are on SP13 then the connection status button in the Universal Inbox gives no output, but the items still appear in the inbox.  I have two sp13 systems which have this problem and I know it worked before sp13.  I have another portal which is on SP12 and the connection status button works as expected.

    Hi Chuckie,
    We have not done the SP14 upgrade yet.  We have captured a series of issues in SP13 that is clearly justifying the upgrade but we just need to find the time.
    Issues that affect us include:
    - upload of files to collab rooms (866283)
    - pop-up for non-SSL warnings (872859)
    - pop-up for non-SSL warnings for Life & Work events (666182)
    - "Active Users" reporting (SDN Message)
    - The UWL stuff (676253) for the "Workflow ID" message
    I am sure that there are others but there are the direct reasons...
    We would love to leverage any info you can get from the upgrade to SP14...
    Of course, read the note on SP14 and the fixes/changes.
    I guess that we will be there late in January.
    Take care and have a nice weekend!
    Judson

  • IPod Connection Status Failed

    I have two iPod nanos; one of them is working fine, the other I have a problem with. Using iTunes version 7, I run the iPod Diagnostic test found in the help menu. After running it, it says that the iPod connection status has failed. It gives me a link for the solution.
    (http://docs.info.apple.com/article.html?artnum=93716) None of the solutions worked.
    When I run the test for my other iPod, using the same cable and everything, there are no problems. It seems as though the defect is the iPod itself; I can't restore it because iTunes doesn't recognize it when I plug it in.
    Windows XP

    I had the same problem and discovered that it was caused by iPod Services hanging. Here's what solved it for me:
    Right-click My Computer and click Manage to open Computer Management.
    In left side, double-click Services and Applications, then double-click Services.
    Double-click iPod Service in the right-hand panel.
    Under the General tab, click the Stop button and leave the iPod Service Properties window open.
    Connect the iPod - it should start reading "Do Not Disconnect". If it doesn't, wait until it shows up in My Computer, then click Start in the iPod Service Properties window.
    (By the way, I found this solution at Zolved.com.)

  • Linksys EA6500 Device List Connection Status - update process

    I have the Linksys EA6500 with the latest firmware and have a question regarding the device list connection status.
    Currently, I am seeing devices in the list that have a connection status of live, but they are not even within my home network.
    What is the update/cycle time for the device list actually checking the connection status of a device?
    In my situation, it has been 3 days (72 hours) since the two devices showing as connected have been connected to my home network/router.
    I noticed that this inaccurate connection status for these devices is also contributing to the Device Monitor app not showing correct device connection status info.
    I would like to have real-time device connection status if possible. This device list is a great way to know when devices get connected or disconnected, which helps me know when my kids get home from school or are using the game console when they should be doing homework.
    Thanks for your help.

    When you go to Troubleshooting > Diagnostics > Router configuration and click on Backup, it is actually letting you save a backup of your configuration. It should prompt you where to save the file for you to use it later to reconfigure the router settings by loading it back on the router itself. I suggest that you do a hard reset on the router itself – push and hold the reset button using a pin or paper clip for 10-15 seconds, then wait for the Cisco light to go solid. Once the Cisco light turns solid, access the router page again by typing 192.168.1.1 in the address bar and load the backup that you have saved. Just go back to Troubleshooting > Diagnostics > Router configuration and click on the Restore option. It will ask you to look for the backup config file that you have saved; open it and the settings should be restored on the router. Check then if the same problem (device list) is still experienced.

  • WLC 4400 and IDS/IPS

    One of my clients is keen to know the IDS/IPS capabilities with WLC 4400. Any hints? Also can anyone explain IDS sensor to me? Thank you.

    There are a number of IDS capabilities that are highlighted regarding the WLC. Unfortunately, you will find that the product continues to suffer from ongoing false positives and a severe lack of documentation (and support) for the IDS.
    For example, if you utilize containment against a rogue AP (which is used to prevent users from attaching to the rogue), the system detects its own containment messages as a denial of service attack. The system is not intelligent enough to know that it is the source of these messages and ignore them.
    Initially, Cisco flagged these false positives as "cosmetic" and claimed that to fix them required a "feature request that must be run through the Cisco sales team", which we did in the spring of 07. Cisco has been VERY slow in coming around on getting these fixed (it has been well over a year since these have been documented and they are still not resolved in the current version of 4.2).
    The Wireless IDS system is also famous for other false alarms which Cisco TAC has linked to alarming on normal behavior when a client goes out of range and a string of deauthentication messages is sent to make sure that the conversation has ended. The WLC 4.2 continues to flag these as false-positive denial-of-service attacks even though the IDS parameters could be adjusted (from the factory) to account for the known 64 repeated deauths that are sent.
    The IDS file is capable of "tuning" but the parameters are very lightly documented. In fact, the IDS parameter file itself had the least sparse version of documentation and it is a text file only 200-lines long.
    In terms of determining if a rogue AP is on-wire. This functionality does not work reliably (not just if there is no path on the wired network to the controller which is understandable) but even if the rogue AP is on the same subnet as the controller. It just plain does not work.
    If you are attempting to determine if there are clients on the rogue AP, this mechanism works with limited success since the AP has to catch the client attaching during its brief scan interval. This results in misleading information.
    There are other false alarms that appear to be related to a specific chipset (using the OUI / first octet of the MAC address). However, there has been very little movement on Cisco's part in getting resolution to getting these anomalies addressed. The basic attitude has been "if we didn't see it in our lab in San Jose when we wrote the code, there's nothing we can do". Since the IDS lacks any ability to "phone home" (sending the alarms it is seeing to the development team) they end up having to develop in a relatively limited environment.
    For more information, please reference the following:
    Wireless LAN Controller IDS Signature Parameters
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a008063e5d0.shtml
    I would send you the link to some of the bugs, such as CSCsj06015, CSCsh35010, CSCsk60655, etc. but the Cisco bug tool ( http://tools.cisco.com/Support/BugToolKit/ )is currently not working (no doubt the system is getting overworked). Maybe the site will be up when you read this.
    In the interest of fairness, there have been efforts over the past year by Cisco to address these false alarms and a number of them appear to finally be resolved.
    Bottom line: In my opinion, the wireless IDS is still not ready for prime time. To quote my customer, "I just can't trust it". Unless you set your customer's expectations fairly low, you will both end up disappointed.
    That said, the product itself still has many compelling reasons to implement it including ease of installation and management. If you are willing to wade through the various bugs in the IDS and WCS it still is the best game in town.
    - John
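The two false positives John describes (the controller alarming on its own containment frames, and alarming on the burst of repeated deauthentication frames an AP sends when a client goes out of range) are both handled by counting deauths per source/destination pair with a tolerance for the normal burst and by suppressing frames whose source is a rogue the controller is currently containing. This is an added illustration, not WLC or WCS code: the frame tuples, the WINDOW_SECONDS value, the contained-rogue list and the capture are assumptions and constructed data; NORMAL_DEAUTH_BURST is the 64 figure from the reply.

```python
"""Deauthentication-flood detection that avoids the two false positives
described above: the controller's own containment frames, and the burst of
repeated deauths an AP sends when a client goes out of range.

Added illustration, not WLC/WCS code. The frame tuples, WINDOW_SECONDS and the
contained-rogue list are assumptions; NORMAL_DEAUTH_BURST is the 64 figure
from the reply.
"""
from collections import defaultdict, deque

NORMAL_DEAUTH_BURST = 64    # from the reply: repeated deauths sent on a normal client leave
WINDOW_SECONDS = 10         # assumed sliding window for counting


def detect_deauth_floods(frames, contained_rogues, window=WINDOW_SECONDS,
                         burst=NORMAL_DEAUTH_BURST):
    """frames: (timestamp, src_bssid, dst_client) deauth frames in time order.
    contained_rogues: BSSIDs the controller is currently containing; deauths
    bearing those source addresses are the controller's own, not an attack.
    Returns one alert per (src, dst) pair that exceeds `burst` frames within `window`."""
    seen = defaultdict(deque)   # (src, dst) -> timestamps inside the window
    alerts = []
    alerted = set()
    for ts, src, dst in frames:
        if src in contained_rogues:
            continue            # self-generated containment traffic: ignore it
        key = (src, dst)
        q = seen[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()         # drop frames that fell out of the window
        if len(q) > burst and key not in alerted:
            alerted.add(key)
            alerts.append({"src": src, "dst": dst, "count": len(q), "at": ts})
    return alerts


# Constructed addresses for the demo (not from any real capture).
MANAGED_AP = "00:11:22:33:44:01"
CONTAINED_ROGUE = "00:11:22:33:44:99"
UNKNOWN_SOURCE = "00:11:22:33:44:ff"


def constructed_capture():
    """Constructed frame list, not a real capture:
    - a managed AP sends the usual 64-frame burst to a client that went out of range,
    - the controller spoofs a contained rogue's BSSID at that rogue's clients,
    - an unknown source hammers one client with 200 deauths."""
    frames = []
    frames += [(0.0 + i * 0.05, MANAGED_AP, "00:aa:aa:aa:aa:01") for i in range(64)]
    frames += [(5.0 + i * 0.02, CONTAINED_ROGUE, "00:aa:aa:aa:aa:02") for i in range(150)]
    frames += [(8.0 + i * 0.01, UNKNOWN_SOURCE, "00:aa:aa:aa:aa:03") for i in range(200)]
    return sorted(frames)


if __name__ == "__main__":
    for alert in detect_deauth_floods(constructed_capture(), {CONTAINED_ROGUE}):
        print(f"deauth flood from {alert['src']} to {alert['dst']}: "
              f"{alert['count']} frames by t={alert['at']:.2f}s")
```

Run without the containment list (an empty set) and the rogue's frames are reported too, which is exactly the self-inflicted alarm John describes; the detector has to be told what the controller itself is sending.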

  • When my instructor app shares, my connectivity status changes to poor and her voice becomes sporadic

    I am training to be an at-home rep and learning on-line through AdobeConnect.  Whenever the instructor app shares with the client's application (through secure VPN and Citrix) the connectivity status bar swings between poor to excellent and much of the time I lose her voice.  The IT Support has not been able to figure out why -- my PC and technical requirements all meet their standards.  I doubled my broadband speed, but that also didn't solve the problem.  Any help would be appreciated. I will have to drop out of training if I can't get this fixed soon.  Rosie

    I am having the same problem as the person above.  I have been working with my DSL provider for 2 weeks and have been unable to find anything that is causing the latency problems (although my DSL service has improved overall with the changes that were made).  When I connect via my Verizon aircard, everything works great, but I will rapidly start getting charged for data overages in a week.
    Because the aircard worked great, this led me to believe it was a problem with my DSL connection.  I have done trace routes and there is no consistent issue with slower ping times or packet loss.  Yes, I get the occasional 200-250ms ping times on one hop, but that is not unusual due to the reduced priority on ping traffic (ICMP, I think).  Anyway, then I learned that routes are not always symmetrical and that the return path may be different than the outgoing or request path.  And the return path seems to be where the issue is.
    How can I work with someone to troubleshoot my return path from adobeconnect.com?  Can someone do a traceroute to 68.22.72.67?  That is the hop just before my router.
    FYI, here is what else I have done to try to narrow down the problem:
    - use aircard and it works perfectly, but that uses a different path which leads me to believe the path is the issue
    - turn off all other devices connected to the router
    - trace routes, endless ping tests, pathping, speedtest.net, pingtest.net, all tested good
    - bridge tap was removed lessening my distance to the CO from 9000 ft to 8000 ft
    - replaced corroded connectors
    - reprovisioned line to the red back (ATT's term)
    - changed pair from the CO
    - attempted adobe connect sessions on multiple computers with both Windows 7 and XP
    - instructor reduced connection speed from LAN to DSL and reduced frame rate at my request with no change
    - she records the classes and the recordings are perfect except for the times when the class pauses.
    The latency I am experiencing is when she shares a screen, and then it can go as high as 8s, but mostly it is between 2 and 4s.  That is enough to make the audio completely drop out or it is just unintelligible with the short bursts that come out.
    Please help.  If you can help identify where the problem is in the return path, I will attempt to take it from there.  Scott

  • Which IDS/IPS module for 10 GB WAN/LAN

    I have a question about a present scenario in a network where the WAN connectivity is 4 GB and the LAN network is 10 GB. The firewall for the WAN is a Cisco 5580-20 with 10 GB Ethernet interface and on the LAN a 6500 series switch with 10 GB Ethernet module. The issue is how to implement IPS in this network, because the Cisco 5580 series firewall doesn't support any IPS module, and although the 6500 series switch supports the IDSM-2 module, that is only for a 2 GB Ethernet module. So what can be the solution for such a network?

    On a machine that can do 10Gb firewall rate, it is well advisable to have your IDS/IPS be a separate box.  IDS/IPS "costs" a lot of CPU power.  It gets more expensive when you are talking about pushing beyond 1Gb.  This is why you'll find several forums stating that if you have a firewall with 10Gb speed, a separate IDS/IPS is the way to go.  Otherwise, a firewall with IDS/IPS will not necessarily push 10Gb all together.

  • Does PIX 515 Support IDS/IPS?

    Recently I needed to provide a firewall solution to my customer. I would like to propose Cisco PIX 515E to my customer. I know Cisco has a separate IDS (Intrusion Detection System) appliance; they didn't put too much effort into this category for their PIX firewall.
    Anyhow, does the pix support IPS (Intrusion Prevention System) and IDS?

    The PIX does have some IDS built in. It's a small subset of the IDS/IPS signatures offered by the appliances. The signature IDs are kept the same across hardware (so signature ID 1000 on a PIX is the same signature as on an IDS/IPS appliance).
    You add IDS functionality on the pix via "ip audit xxx" commands.
    PIX OS 6.3:
    http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a9.html
    PIX OS 7.1:
    http://www.cisco.com/en/US/products/ps6120/products_command_reference_chapter09186a00805fb9f7.html
    (The 7.1 docs have a nice table of what signatures are supported natively by PIX OS.)
    Those two links should provide you an overview of the IDS/IPS functionality and signatures available on the PIX itself.

  • ARP Poisoning & Cisco IDS/IPS Solutions

    I am trying to find out if someone familiar with Cisco's IDS/IPS (network and/or host-based) solutions can tell me if the product(s) can identify and/or prevent ARP poison routing attacks. If so, does it require customizing signatures or are there out-of-the-box detection signatures?
    Thanks for any information

    There are some. Go here and do a search for "arp":
    http://tools.cisco.com/security/center/search.x?search=Signature
    Perhaps it goes without saying, but remember that the sensor has to see the relevant layer 2 traffic for these to work.
