IPS 4240 software 6.2(3)E4

Hello!
I have a sensor IPS-4240 which holds IPS software 6.2(3)E4. Right now we haven't got a license.
With the device we have almost 100% CPU usage all the time:
show statistics host
General Statistics
   Last Change To Host Config (UTC) = 27-Dec-2010 14:51:19
   Command Control Port Device = Management0/0
Network Statistics
Memory Usage
   usedBytes = 1426128896
   freeBytes = 558419968
   totalBytes = 1984548864
Summertime Statistics
   start = 02:00:00 UTC Sun Mar 27 2011
   end = 03:00:00 UTC Sun Oct 30 2011
CPU Statistics
   Usage over last 5 seconds = 100
   Usage over last minute = 100
   Usage over last 5 minutes = 100
Memory Statistics
   Memory usage (bytes) = 1426128896
   Memory free (bytes) = 558419968
From the service account I see that only one process eats CPU - mainApp.
I even created an additional virtual sensor vs1 where I have disabled all signatures. It gave me no result.
The situation can be changed for a while after the sensor's reboot, but not for a long time.
show interfaces doesn't show a lot of input traffic either.
Event log contains only following warnings:
evError: eventId=1293461883161643337 severity=warning vendor=Cisco
  originator:
    hostId: XXXXXX
    appName: notification
    appInstanceId: 409
  time: 2011/01/19 15:22:56 2011/01/19 21:22:56 GMT+06:00
  errorMessage: name=errWarning - the subscription lost data [IdsEventStore::readSubscription()]
What can be a problem? How can I reduce CPU usage?
With hope to resolve the issue

It would be difficult to pinpoint what the exact issue is with the high CPU just by the information provided in the post. It seems that the mainApp is causing the high CPU, however, it is worth investigating further. I would suggest that you log a Cisco TAC case so further investigation can be performed.
Alternatively, you can try to upgrade the software to the latest version of 7.0.4(E4) which has engine improvements.

Similar Messages

  • Cisco IPS 4240 stops file downloads at 90%

    Hi everybody. I have a Cisco IPS 4240 with version 7.0.4 installed and upgraded to the latest signature. But since it was installed I have had an issue with some file downloads, because the IPS stops the file at 90-99% of the download (in some cases, not all). The IPS is inline in front of the firewall. A partner tells me that I have to change the mode to promiscuous to solve the issue, but I think that if the IPS was designed to work inline, I shouldn't have to change anything, and maybe some expert on the forum has the correct answer. Or maybe this issue has a solution through configuration changes.
    Sorry for my written English.... I tried to find some signature that causes the issue, but if I disable the sensor, the issue occurs. The firewall is not the problem, because if I connect a laptop in front of the firewall and behind the IPS the issue occurs too. I have now spent some months trying to find a solution. On the Cisco pages I could not find anything similar.... :-(
    P.S. An example of files that stop when downloading is Apple iTunes, or a Microsoft patch, or VMware software.
    Thanks, your responses are greatly appreciated.

    Thanks for your help. These are the last packets before the download freezes:
    The size of the download with problems is random; sometimes it occurs with small downloads, sometimes with large downloads. The download in the example is 47 MB. I think that the traffic is dropped and the TCP connection times out. Do you see any anomalies in this portion of traffic?
    14:55:20.536119 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.536122 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.536420 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.536718 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.536820 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.537123 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.537125 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.537517 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.537520 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.537522 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.537821 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.537823 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.538116 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.538118 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.538415 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.538418 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.544207 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.544307 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.638362 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.638365 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.638463 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.638562 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.638862 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.638864 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.638866 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.639164 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.639166 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.639560 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.639562 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.639564 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.639960 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.640260 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.640263 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.640568 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.641958 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.641960 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.642158 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.742304 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.742603 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.742605 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.742607 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.742903 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.743202 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.743302 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.743601 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.745000 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.745100 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.845347 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.845548 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.845550 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.845647 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.845845 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.846245 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.846247 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.846544 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.849040 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48010926 win 65335
    14:55:20.849439 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48012386 win 65335
    14:55:20.948787 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48015306 win 65335
    14:55:20.948789 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48018226 win 65335
    14:55:20.952982 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48021146 win 65335
    14:55:20.953679 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48024066 win 65335
    14:55:21.055723 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48029906 win 65335
    14:55:21.055725 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48032826 win 65335
    14:55:21.055930 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48035746 win 65178
    14:55:21.058919 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48037206 win 65335
    14:55:21.068809 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48040126 win 65335
    14:55:21.068812 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48043046 win 65335
    14:55:21.069006 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48045966 win 65335
    14:55:21.070103 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48048886 win 65335
    14:55:21.158967 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48051806 win 65335
    14:55:21.159265 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48054726 win 65335
    14:55:21.159465 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48057646 win 65335
    14:55:21.159864 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48060566 win 65335
    14:55:21.159867 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48063486 win 64605
    14:55:21.162162 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48066406 win 63875
    14:55:21.162260 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48066406 win 65335
    14:55:21.172245 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48069326 win 65335
    14:55:21.172248 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48072246 win 65335
    14:55:21.172545 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48075166 win 65335
    14:55:21.172645 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48078086 win 64605
    14:55:21.172744 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48078086 win 65335
    14:55:21.172844 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48081006 win 65335
    14:55:21.173144 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48083926 win 64605
    14:55:21.185225 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48083926 win 65335
    14:55:21.572333 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48116046 win 65335
    14:55:21.585313 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
    14:55:21.585315 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
    14:55:21.585414 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
    14:55:21.585417 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
    14:55:21.585512 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
    14:55:21.677172 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
    14:55:21.688654 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
    14:55:21.688657 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48158386 win 65335
    14:55:21.688757 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48158386 win 65335
    14:55:21.780613 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48170066 win 65335
    14:55:21.883755 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48170066 win 65335
    14:55:21.986998 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48170066 win 65335
    14:55:22.090639 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48170066 win 65335
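
One way to triage a one-sided capture like the one above, as an added example that is not part of the original post or of any Cisco tooling: the Python below parses ACK-only tcpdump lines in that format and reports runs of duplicate ACKs (same ACK number and same window, as RFC 5681 defines them), which is what a receiver sends while a segment is missing on the path toward it. The sample lines are excerpted from the capture; the names `parse_acks`, `dup_ack_runs`, `Ack` and `DupRun` are illustrative.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# ACK-only line in the tcpdump format of the capture above, e.g.
# 14:55:20.536119 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
# Segments that carry data print a sequence range before "ack" and are skipped.
LINE_RE = re.compile(
    r"^\s*(\d{2}):(\d{2}):(\d{2})\.(\d{6}) IP (\S+) > (\S+): \S+ ack (\d+) win (\d+)\s*$"
)

@dataclass
class Ack:
    ts_us: int   # time of day in microseconds
    src: str
    dst: str
    ack: int
    win: int

@dataclass
class DupRun:
    src: str
    dst: str
    ack: int                # ACK number the receiver is stuck on
    dups: int               # duplicates after the first ACK with this number
    span_us: int            # time between first and last ACK of the run
    filled: Optional[int]   # bytes the ACK jumped by afterwards, None if it never advanced

def parse_acks(text: str) -> List[Ack]:
    acks = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        h, mi, s, us, src, dst, ack, win = m.groups()
        ts = ((int(h) * 60 + int(mi)) * 60 + int(s)) * 1_000_000 + int(us)
        acks.append(Ack(ts, src, dst, int(ack), int(win)))
    return acks

def dup_ack_runs(acks: List[Ack], min_dups: int = 3) -> List[DupRun]:
    """Report runs of >= min_dups duplicate ACKs per flow (3 triggers fast retransmit)."""
    flows = {}
    for a in acks:
        flows.setdefault((a.src, a.dst), []).append(a)
    runs = []
    for (src, dst), seq in flows.items():
        i = 0
        while i < len(seq):
            j = i
            # A changed window is a window update, not a duplicate ACK.
            while (j + 1 < len(seq) and seq[j + 1].ack == seq[i].ack
                   and seq[j + 1].win == seq[i].win):
                j += 1
            if j - i >= min_dups:
                filled = None
                if j + 1 < len(seq):
                    # 32-bit modular difference so sequence wrap-around is handled.
                    delta = (seq[j + 1].ack - seq[i].ack) % 2**32
                    filled = delta if 0 < delta < 2**31 else None
                runs.append(DupRun(src, dst, seq[i].ack, j - i,
                                   seq[j].ts_us - seq[i].ts_us, filled))
            i = j + 1
    return runs

# Sample input: lines excerpted from the capture in the post above.
SAMPLE = """\
14:55:20.845845 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.846245 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.846247 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.846544 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.849040 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48010926 win 65335
14:55:20.849439 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48012386 win 65335
14:55:21.159867 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48063486 win 64605
14:55:21.162162 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48066406 win 63875
14:55:21.162260 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48066406 win 65335
14:55:21.780613 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48170066 win 65335
14:55:21.883755 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48170066 win 65335
14:55:21.986998 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48170066 win 65335
14:55:22.090639 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48170066 win 65335
"""

if __name__ == "__main__":
    for r in dup_ack_runs(parse_acks(SAMPLE)):
        state = f"advanced by {r.filled} bytes" if r.filled else "never advanced in capture"
        print(f"{r.src} -> {r.dst}: ack {r.ack} repeated {r.dups}x "
              f"over {r.span_us} us, {state}")
```

A run whose `filled` value is large means the hole was eventually repaired by a retransmission; a run that never advances at the end of the capture marks the point where the transfer stalled, which is the timestamp to correlate with the inline sensor's own drop and normalizer counters.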

  • Upgrading IPS-4240-K9

    Hi,
    I have an IPS-4240-K9 with system Version 5.1(8)E2 and I need to upgrade to the latest version, Release 7.1(7)E4. I need to know if there is some way to do this without jumping through all the old versions (6.0 E2, 6.0 E3, 6.0E4, etc.). Do I need to do a re-image? What is the process? Which files do I need to download?
    Thanks,

    Hello Salvador,
    The upgrade path is: 5.1(8) >  6.0(6) > 7.1
    If you want to do it directly you will need to re-image the sensor.
    For upgrade use the .pkg file and for re-image use the .img file.
    Download from:
    http://software.cisco.com/download/type.html?mdfid=278810718&flowid=4425
    For re-image:
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_system_images.html#wp1060091
    Hope it helps,
    Regards,
    Felipe.

  • IPS 4240 Sig Update License

    Is this the correct part no. for the IPS 4240 Sig Update License?  CON-SUSA-IPS4240S
    I can only find this part number in the ordering tool: CON-SUI-IPS4240 which also has SMARTNet Support?
    Which one do we need just for having Sig Updates?
    Thanks

    You can't purchase a standalone IPS subscription for IPS appliance.
    You have to purchase either of the following:
    1) CON-SUI-IPS4240 for example that includes Smartnet for hardware, software as well as the IPS subscription.
    OR/
    2) CON-SUSA-IPS4240 contracts are only sold to customer who have purchased a hardware and software support contract through a reseller/partner.
    CON-SUSA... can't be sold on its own, it must be sold in conjunction with the reseller/partner support contract.
    Hope that helps.

  • Bitcoin generator and Cisco IPS 4240

    I have a problem with Bitcoin generator installed somewhere in local network.
    I have an IPS 4240 connected as an IPS (all traffic to the internet passes through the IPS).
    The software on the IPS is very old, and I cannot upgrade it.
    Version 6.0(6)E4
    Can I configure the IPS to detect and prevent bitcoin?

    Please, can anyone answer these questions... Your help is appreciated... These are blocking me...
    We have purchased a Cisco IPS 4240 sensor, installed the license, and the device is communicating with other computers in the network. The version installed is IPS 6.1(1)E1. Please can you answer the questions below.
    1) Please can you provide the document or link that lists all the possible events that can be generated by the Cisco IPS 4240 sensor.
    2) Where will this IPS 4240 sensor store all the generated events? Please can you provide the file names and the location of those files, and tell me how to access them?
    3) How many types of events will be generated by this IPS 4240 sensor?
    4) How to send all types of events to a syslog server (Windows Kiwi syslog or Linux syslog) present on another system in the network through CLI, IDM and IME?
    5) Can you provide me some examples to generate different events?
    6) What is the difference between CLI, IDM and IME?
    7) How can we know that the configured IPS system is in inline mode?

  • IPS 4240 upgrade

    hi,
    I am running version 6.2 on an IPS 4240. Could someone please let me have the procedure to upgrade the OS to 7.1.8? Is this upgrade the same as Cisco IOS using TFTP?
    What is the procedure to upgrade? Is it first the OS and then the sensor? Could you please post the commands?
    Thanks

    Get the 7.18 upgrade pkg file from here:
    http://software.cisco.com/download/release.html?mdfid=283674966&flowid=24482&softwareid=282549759&release=7.1(8)E4&relind=AVAILABLE&rellifecycle=&reltype=latest
    The readme is available from the same link.
    In order to apply 7.1(8), the minimum required running version is 6.0(6) on 42xx series sensors, which you have, so you can simply apply the upgrade pkg. Apply it via IDM is probably the easiest way - or check the readme for CLI instructions.
    7.1(8) is packaged with signature level s735 - if you have a more recent level, that will be preserved, if not, you will end up @ s735. Then you can update the signature package to the most current level from here:
    http://software.cisco.com/download/type.html?mdfid=283674966&flowid=24482

  • IPS 4240 Inline deployment.

    Hi,
    I am trying to deploy IPS 4240 with Software version 4.1. My query is, will this version support inline prevention? If yes, what are the deployment & sensor interface configuration considerations. I believe the new 5.0 version supports this feature. But the documentation on v4.x is not clear.
    Thanks in advance.
    Ajay Dand

    Inline is implemented in software version 5.0.
    The upgrade image is available at:
    http://www.cisco.com/cgi-bin/tablebuild.pl/ips5
    All IPS software is available at:
    http://www.cisco.com/kobayashi/sw-center/ciscosecure/ids/crypto/

  • Cisco IPS 4240 VS Cisco ASA AIP SSM-10 Module

    I'm looking to replace another vendor's IPS system we have at our company. We do have an ASA 5510 in our environment currently.
    Considering I don't need the extra bandwidth of the IPS 4240 series and the AIP SSM-10 requires an ASA 5510 what are the differences?

    Operationally the AIP-SSM1 and the 4240 run the same software, so they work pretty much the same.
    The AIP-SSM inside the ASA is a less expensive alternative, but because it sits inside an ASA there is more to configure and manage (the ASA plus the sensor). The ASA also has some built-in inspections that may filter some traffic/attacks from being seen at the AIP-SSM sensor.
    - Bob

  • Deployment of Cisco IPS 4240 devices

    I can't seem to find any information regarding mass rollouts of Cisco IPS 4240 devices. I have 6 devices I intend to roll out to several remote offices and tie into a centralized Cisco MARS appliance. Without using any CSM/LMS software, is there an quick and dirty way to pull this off? I'm thinking to configure a single IPS device then pull and distribute its configuration file to the remaining devices. Would like to see how others have accomplished this...

    If all of your sensors are the same type (all 4240s in your situation) and will all run the exact same configuration, then the copy command will help you out.
    There was a new feature added into the copy command in IPS 6.1 that will help you in copying config from one sensor to another.
    You fully configure one sensor (use IME, IDM, or CLI). When you are happy with the configuration then use the copy command to copy it TO an SCP server.
    Now bring up a second sensor and configure the basic networking parameters through setup (IP address, gateway, etc...).
    Now use the copy command on the second to copy the first sensor's configuration FROM the SCP server into the running config of the second sensor.
    It will prompt you whether to overwrite the second sensor's networking parameters.
    Answer NO.
    The rest of the first sensor's configuration will be copied into the second sensor.
    The second sensor will keep its own unique IP but will gain the rest of the configuration from the first sensor's config.
    Continue doing this with any additional sensors.
    The process can then be repeated anytime additional changes are made to the first sensor.
    Keep in mind though that this only works if the sensor's configuration will be exactly duplicated (including what interfaces would be monitored and how).
    If each sensor will have some unique tunings then you will need to either manage each sensor on its own, or purchase CSM that can be used to share only certain portions of the configuration across multiple sensors.

  • TCP RESET - CISCO IPS 4240 in IDS Mode - Block Teamviewer

    I would like to block teamviewer in my network. we are using CISCO IPS 4240 in IDS Mode. I found that there are signatures for teamviewer in latest Signatures.
    We have only configured promiscuous interface, I read that we can issue TCP resets thru promiscuous interface as well (recommended is dedicated tcp reset interface).
    However, in my case I found that the signatures for TeamViewer are not firing even after successful TeamViewer connections.
    I am a beginner in IPS; any input will be valuable for me.

    We're talking about sigs 15002-0, -1, -2 here. They are by default shipped disabled and retired, so you'll want to enable and activate them.
    For these, the signature settings are not hidden and what they look for is pretty clearly documented in the sig description.
    -0 looks for some specific DNS requests on TeamViewer's startup. TCP resets will have no effect on this.
    -1 looks for specific traffic to tcp port 5938 which would indicate Teamviewer's direct-connection method
    -2 looks for traffic indicating use over http when teamviewer is configured to use a proxy
    TCP resets are a best effort response, they aren't going to be a 100% effective stop

  • Need Information about IPS 4240

    Hello,
    Could you please give me information about IPS 4240:
    Number of sessions
    Number of signature
    Number of protocol
    Thank you very much

    Refer to the following URL for more info on using the IPS 4240:
    http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/cli/cliSgDef.html

  • New to IPS 4240 - What else can I use to manage it?

    I have just purchased a Cisco IPS 4240 and have it up and running. Have been using the IEV to view IPS information and that works ok. The VMS 2.2 that came included with the IPS will not work with the current Cisco works (LMS 2.5) installation that we have.
    My question is, is there any other tool besides the IEV and the VMS 2.2 that I can use to manage/monitor my IPS? The IEV seems so limited.
    I have downloaded the newer VMS from the Cisco site and am planning to test that this coming week, but wanted to know ahead of time if I needed to waste my time with this tool or not.
    Thanks!

    The latest CSMARS release is promising and honestly the netforensics solution offered by Cisco probably wouldn't be a good fit for the op, but I think Cisco needs to rethink pushing the MARS in lieu of everything else. As a previous customer of netforensics, and now a user of CSMARS...there are definitely many things that netforensics does better than CSMARS.
    My biggest beef with CSMARS is the seemingly casual way in which it treats time and "raw messages". IMHO, these should be sacred to any SIM. I can elaborate, but for the sake of brevity I'll just give a couple of examples:
    The signature name reported in the "raw message" that MARS makes available is not always correct. Also, custom signature events report as "unknown" in the "raw message". Clearly this is not a "raw message" by any reasonable interpretation...MARS is writing bits that never existed in the original message.
    The event contextual information is very often truncated. If you rely on this a great deal, the MARS probably isn't for you. There's also no interface for decoding it, requiring a cut-and-paste into your favorite decoder.
    Believe me, I could go on. On the bright side, the MARS is showing promise...I was able to cross off my list quite a few issues after the latest upgrade.
    Matt

  • IPS-4240 Password Recovery

    Hi,
    I have a problem with an IPS-4240. None of my workmates knows the password, and I read that the only way is to reinstall the version of IOS. Is there any other way to recover the password than reinstalling?
    thanks.
    GNU GRUB  version 1.0(11)2  (631K lower / 2096128K upper memory)
     0: Cisco IPS
     1: Cisco IPS Recovery
    Model=IPS-4240
    When you troubleshoot password recovery, pay attention to the following:
    • You cannot determine whether password recovery has been disabled in the sensor configuration
    from the ROMMON prompt, GRUB menu, switch CLI, or router CLI. If you attempt password
    recovery, it always appears to succeed. If it has been disabled, the password is not reset to cisco.
    The only option is to reimage the sensor.

    Hi,
    Before recovering you can first check the current state of password recovery using this command: show settings | include password
    If you do password recovery without checking whether the recovery feature is enabled or disabled, then the password cannot be set to cisco (it will show as succeeded) and you need to reimage the sensor. So, before using password recovery you should check whether password recovery is allowed or not.
    Regards,
    Rahul Chhabra
    Network Engineer
    Spooster IT Services

  • How to configure IPS 4240 - K9 to send log file to syslog server

    I am looking for the commands to configure an IPS 4240-K9 to send log files to a SYSLOG server. If anybody has them or came across a similar issue, please advise.
    Thanks in advance.

    Ali -
    I am sorry to tell you, but the Cisco IPS Sensors do not send Syslog messages. Your only options for sending signature event information are:
    SDEE (a TLS-encrypted, XML-formatted message): the sensor is the SDEE host and your event receiver (MARS, IME, Intelitactics, etc.) is the client.
    SNMP Traps - You need to set the "Action" on each signature you want the sensor to send a trap.
    - Bob

  • Unable to load IPS 4240 IOS from Rom Mode

    Hi Experts,
    Kindly assist me in loading the IPS IOS on the IPS 4240 from rommon mode.
    Note: I can only access the IPS via rommon because the existing IOS is corrupted and formatted.
    The rommon output is given below:
    rommon #2> set
    ROMMON Variable Settings:
      ADDRESS=192.168.2.16
      SERVER=192.168.2.58
      GATEWAY=192.168.2.1
      PORT=Management0/0
      VLAN=untagged
      IMAGE=C:\IOS\Tftpd32\IPS-4240-k9-sys-1.1-a-6.1-1-E2.img
      CONFIG=
      LINKTIMEOUT=20
      PKTTIMEOUT=4
      RETRY=20
    rommon #14> ping 192.168.2.16
    Sending 20, 100-byte ICMP Echoes to 192.168.2.16, timeout is 4 seconds:
    Success rate is 0 percent (0/20)
    rommon #15> ping 192.168.2.58
    Sending 20, 100-byte ICMP Echoes to 192.168.2.58, timeout is 4 seconds:
    Success rate is 95 percent (19/20)
    rommon #0> ping 192.168.2.1
    Sending 20, 100-byte ICMP Echoes to 192.168.2.1, timeout is 4 seconds:
    Success rate is 100 percent (20/20)
    rommon #1> ping 192.168.2.16
    Sending 20, 100-byte ICMP Echoes to 192.168.2.16, timeout is 4 seconds:
    Success rate is 0 percent (0/20)
    rommon #2>
    The major problem is that I cannot ping the IPS interface address (192.168.2.16) while I can ping all the others.
    Thanks in anticipation!
    Regards

    Hi,
    From the error message the file was not found on the tftp server.
    I see that you have:
      IMAGE=C:\IOS\Tftpd32\IPS-4240-k9-sys-1.1-a-6.1-1-E2.img
    I am guessing that this should be:
      IMAGE=IPS-4240-k9-sys-1.1-a-6.1-1-E2.img
    as the tftp daemon on your machine probably is using  C:\IOS\Tftpd32\ as the 'root' directory of the files it is serving.
    You can check this in the settings of the tftp daemon.
    Best regards, Peter
