IPS auto-update vs manual download
Is there a delay in what's available via auto-update and updates that are available for manual download through cisco.com? I noticed today that S498 became available yesterday, but my IPS module in my ASA hasn't downloaded it automatically yet. When I do a #sh statistics host, I have a recent download attempt that says "Success: No installable auto update package found on server.
Just wondering if there is a delay between manual and auto updates or if I need to be concerned that my auto-udpates aren't working properly.
Thanks!
The "lastDirectoryReadAttempt" is when the last check occurred (should match your scheduled timing). If the status is that there is no available update, that is as far as the process goes. If an update is available, the sensor should attempt to download.
The "lastDownloadAttempt" will indicate the last time an update download was found and the download was attempted.
The "lastInstallAttempt" will indicate the last time an update was downloaded and install initiated.
It does look like it checked at a point today and did not find an available update. That your outputs are UTC, I cannot correlate when the check today was run in relation to the publishing of the latest update. It may be that there is a cache engine between your sensor and Cisco, and it is indicating that there is nothing available. I would give the process another 24 hours to update.
Scott
Similar Messages
-
Hi,
I have a couple of questions I hope people could answer:
1) What recommendations/options are available for downloading signature files to a HTTP/TFTP server prior to having the IOS IPS device pull them from the server? Is their a way to automate the HTTP/TFTP server downloading the signatures? (Cron job or such)
2) Does the signature file name change each time a new signature file is released? If it does, would I have to go back to the router to update the URL string that is configured in the ip ips auto-update section? I would hate to have to update 200 CPE devices each time a new signature file is released.
Hoping someone could answer these or help point me in the right direction to find the answer out.
regards MI found this link with answers my one question.
Cisco IOS Intrusion Prevention System (IPS)
Tuning, Deploying and Updating Cisco IOS IPS Signature Sets For Multiple-Device Deployments
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/white_paper_c11_549300.html -
WRVS4400NV2 IPS now blocking Cisco IPS Auto Update Server
Yesterday I noted that my ASA5505 AIP-SSC5 card was failing to auto update as it had been doing without issue for months. I looked in the logs and the IPS was showing an HTTP Error when attempting to update. I checked and nothing had changed in the IPS configuration. Then, on a hunch, I checked the IPS log of the WRVS4400N which is the edge router for the small business network.
The WRVS4400N IPS was blocking connections with the cisco auto update server because it detected an RPC Anomaly in the traffic. So apparently, something has changed in the cisco IPS auto update server (https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl) response that the cisco small business router misidentifies as a threat. . .
FYI-I also posted this issue to the small business router community discussion forum.Yesterday I noted that my ASA5505 AIP-SSC5 card was failing to auto update as it had been doing without issue for months. I looked in the logs and the IPS was showing an HTTP Error when attempting to update. I checked and nothing had changed in the IPS configuration. Then, on a hunch, I checked the IPS log of the WRVS4400N which is the edge router for the small business network.
The WRVS4400N IPS was blocking connections with the cisco auto update server because it detected an RPC Anomaly in the traffic. So apparently, something has changed in the cisco IPS auto update server (https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl) response that the cisco small business router misidentifies as a threat. . .
FYI-I also posted this issue to the small business router community discussion forum. -
IOS IPS auto-update without CSM
Hi,
We have 400 x 1811 router on which we need to update the IPS signature definition and custom signature.
What is the best way to do it withou running CSM ?
According to Cisco documentation, we need to add the auto-update command with an .XML extention. But when we load a .pkg in a router, the output is 4 different files. Unfortunalty we can auto-update only one file. Which one to I need to load on our TFTP server ?
All the exemples of Cisco are using one single XML file.
Does a single file with the signature defenition, category, default and type exist ?
Since all our router have the same IPS config, I tought I could use one router at the central office with the configuration we want. And by someway asking the remote routers to auto-update their XML file on that router on which I would have activated a TFTP server.
Anyone ever had to upgrade a lot of router IOS IPS signature?This can now be done in the 15.1T branch using cisco.com to download the update directly, see :
http://www.cisco.com/en/US/docs/ios/15_1/release/notes/151TNEWF.html#wp1040750
http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_ips5_sig_fs_ue.html#wp1137583 -
I am having an issue with the IPS. I have configured it for auto update and I am trying to download a new signature package. It seems to be working. However, once it comes across the package to download, it gives me this error:
evError: eventId=1232049941352795438 severity=error vendor=Cisco
originator:
hostId: xxxxips11
appName: mainApp
appInstanceId: 347
time: 2009/01/29 15:22:03 2009/01/29 10:22:03 GMT-05:00
errorMessage: name=errSystemError autoUpdate successfully selected a package () from the cisco.com locator service, however, package download failed: This package file does not have the required .pkg extension
I know that it is trying to download the correct package because I get this message prior:
evStatus: eventId=1232049941352795436 vendor=Cisco
originator:
hostId: xxxxips11
appName: mainApp
appInstanceId: 342
time: 2009/01/29 15:22:03 2009/01/29 10:22:03 GMT-05:00
autoUpgradeServerCheck:
uri: xxxxxx@//
packageFileName: IPS-sig-S378-req-E3.pkg
result: status=true
Does anyone know what this could possibly be?Upgrade IPS MC and Security Monitor to 2.2.
-
IPS Auto update - http error response
Hi
I am having trouble doing auto signature update on my AIP-SSM. This is what i am getting on #show statistics host
Auto Update Statistics
lastDirectoryReadAttempt = 11:00:08 GMT+08:00 Mon Jul 06 2009
= Read directory: https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
= Error: http error response: 500
lastDownloadAttempt = N/A
lastInstallAttempt = N/A
nextAttempt = 12:00:00 GMT+08:00 Mon Jul 06 2009
Fyi..my CCO credentials are perfectly fine, as i am able to download signature files manually from Cisco Download site.
Please adviseIf you are looking at the Auto Update Statistics in your sh tech, you can see a "http error response: 500" This is an internal web server error. Are you sure there is nothing between the AIP-SSM and the internet besides the ASA? Maybe there is an embedded web server like Barracuda? Do you know if your ISP is providing proxy services for you?
-
Hi,
I have auto update enabled in my AIP SSM 10 , at the time of auto updates i have observed the following messages in Console
"Broadcast Message from IPS
Applying update IPS-sig-S766-req-E4"
It remains in this condition and then i have to do a hw-module reset to get it back again , moreover updates which were downloaded arent applied.
Kindly HelpWhen signature auto-update failures are diagnosed, look at the HTTP error codes.
IPS# show statistics host
Auto Update Statistics
lastDirectoryReadAttempt = 19:31:09 CST Thu Nov 18 2010
= Read directory: https://72.163.4.161//cgi-bin/front.x/ida/locator/locator.pl
= Error: AutoUpdate exception: HTTP connection failed [1,110] <--
lastDownloadAttempt = 19:08:10 CST Thu Nov 18 2010
lastInstallAttempt = 19:08:44 CST Thu Nov 18 2010
nextAttempt = 19:35:00 CST Thu Nov 18 2010
Message Meaning
Error: AutoUpdate exception: HTTP connection failed [1,110]
Authentication failed. Check the username and password.
status=false AutoUpdate exception: Receive HTTP response failed [3,212]
The request to the Auto Update server timed out.
Error: http error response: 400
Make sure the cisco-url setting is defaulted. If the CCO ID is greater than 32 characters in length, try a different CCO ID. This can be a limitation on the Cisco download server.
Error: AutoUpdate exception: HTTP connection failed [1,0]
Network issue prevented download or there is a potential issue with the download servers.
and also keep in mind that CCO username should not contain any special characters, for example, @ . Refer to Cisco bug ID CSCsq30139 (registered customers only) for more information. -
Hello,
I have two IPS ASA5525-IPS "module" of 5525-X Firewall.
I set the proxy connection in DNS/Proxy Settings for update the signatures, but, i receive an error above:
Auto Update Statistics
lastDirectoryReadAttempt = 11:03:09 GMT-03:00 Wed Jan 09 2013
= Read directory: https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
= Error: AutoUpdate exception: HTTP connection failed [1,110]
lastDownloadAttempt = N/A
lastInstallAttempt = N/A
nextAttempt = 11:00:00 GMT-03:00 Thu Jan 10 2013
Auxilliary Processors Installed
Testing the connection i can see the packet direct in my firewall, and not passing over the proxy, i need the IPS use the proxy to update signatures.
The configuration looks okay for me.
Any sugestions?
Tks a lot.Hi,
This enhancement to use proxy server for updates would be available in future release. (CSCsv89560)
Regards,
Sawan Gupta -
Hello, Customers having IPS 4215 version 6.0(5)E3 are having their sensor crashing following auto update from an FTP server.
The web interface is no more accessible and the analysis engine stopped( I've attached the show tech-support)
The problem happened with different signatures S383 and S384, please adviseHaving a 4215 sensor crash on a signature update is a very common event.
The 4215 sensors only have 512 MB or RAM (most sensors have 1 or 2 GB), this has caused many problems during the update process.
You can try rebooting the sensor several times, if that doesnt bring it back to life, you can try resetting the signature policy back to default, if that doesn't help you'll need to open a TAC case to modify some of the signature build time memory parmeters. -
I've configured the signature auto update via the GUI and CLI but receive the same error:
evError: eventId=1210198298109812431 vendor=Cisco severity=error
originator:
hostId: LON-Sensor
appName: mainApp
appInstanceId: 341
time: Jun 06, 2008 03:00:07 UTC offset=60 timeZone=BST
errorMessage: MainApplication::downloadAndStartUpdate Error status returned with status str Found name=errSystemError
Any ideas? I've rebooted both the IPS & ASA in the hope that would resolve the problem to no avail. I have another ASA/IPS in a different site and that works ok.Hi, I got the information :)
show stat host
General Statistics
Last Change To Host Config (UTC) = 14-Jan-2009 14:38:43
Command Control Port Device = GigabitEthernet0/0
Network Statistics
= ge0_0 Link encap:Ethernet HWaddr 00:13:C4:80:C3:C1
= inet addr:192.168.1.11 Bcast:192.168.1.255 Mask:255.255.255.0
= UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
= RX packets:25375769 errors:0 dropped:0 overruns:0 frame:0
= TX packets:2411636 errors:0 dropped:0 overruns:0 carrier:0
= collisions:0 txqueuelen:1000
= RX bytes:2570835196 (2.3 GiB) TX bytes:657595036 (627.1 MiB)
= Base address:0xbc00 Memory:f8200000-f8220000
NTP Statistics
status = Not applicable
Memory Usage
usedBytes = 660455424
freeBytes = 372043776
totalBytes = 1032499200
CPU Statistics
Usage over last 5 seconds = 31
Usage over last minute = 40
Usage over last 5 minutes = 36
Memory Statistics
Memory usage (bytes) = 660455424
Memory free (bytes) = 372043776
Auto Update Statistics
lastDirectoryReadAttempt = 08:40:00 GMT-06:00 Wed Feb 04 2009
= Read directory: https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
= Error: AutoUpdate exception: HTTP connection failed [1,111]
lastDownloadAttempt = N/A
lastInstallAttempt = N/A
nextAttempt = 08:40:00 GMT-06:00 Thu Feb 05 2009
Auxilliary Processors Installed.
! Current configuration last modified Mon Jan 19 17:15:14 2009
! Version 6.2(1)
! Host:
! Realm Keys key1.0
! Signature Definition:
! Signature Update S379.0 2009-01-30
! Virus Update V1.4 2007-03-02
service interface
exit
service authentication
exit
service event-action-rules rules0
overrides deny-attacker-inline
override-item-status Enabled
risk-rating-range 90-100
exit
exit
service host
network-settings
host-ip 192.168.1.11/24,192.168.1.1
host-name sensor
telnet-option disabled
access-list 10.254.254.0/24
access-list 192.168.1.0/24
exit
time-zone-settings
offset -360
standard-time-zone-name GMT-06:00
exit
auto-upgrade
cisco-server enabled
schedule-option calendar-schedule
times-of-day 08:40:00
days-of-week monday
days-of-week tuesday
days-of-week wednesday
days-of-week thursday
exit
user-name ********
password ********
cisco-url https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
exit
exit
exit
service logger
exit
service network-access
exit
service notification
exit
service signature-definition sig0
signatures 9430 1
status
enabled true
exit
exit
signatures 11018 1
status
enabled true
exit
exit
signatures 12000 0
status
enabled true
exit
exit
signatures 12003 0
status
enabled false
exit
exit
signatures 12020 0
status
enabled true
exit
exit
exit
service ssh-known-hosts
exit
service trusted-certificates
exit
service web-server
exit
service anomaly-detection ad0
exit
service external-product-interface
exit
service health-monitor
memory-usage-policy
enable true
exit
exit
service analysis-engine
virtual-sensor vs0
physical-interface GigabitEthernet0/1
exit
exit -
The auto update is not working on the IPS. The current signature version is S502 but my IPS is S479
show statistics host output
Auto Update Statistics
lastDirectoryReadAttempt = 05:35:12 GMT-05:00 Mon Jul 26 2010
= Read directory: https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
= Success: No installable auto update package found on server
lastDownloadAttempt = N/A
lastInstallAttempt = N/A
nextAttempt = 05:35:00 GMT-05:00 Tue Jul 27 2010
Auxilliary Processors Installed
show version output
Application Partition:
Cisco Intrusion Prevention System, Version 6.1(1)E3
Host:
Realm Keys key1.0
Signature Definition:
Signature Update S479.0 2010-03-19
Virus Update V1.4 2007-03-02
OS Version: 2.4.30-IDS-smp-bigphys
Platform: ASA-SSM-10
Serial Number: JAF10241017
Licensed, expires: 03-Sep-2010 UTC
S479.It looks like the issue is that the IPS is running the E3 engine (6.1(1)E3). All new updates require the E4 engine, so you'll have to update the sensor to 6.2(2)E4 or 7.0(4)E4. Upgrade links and instructions can be found here:
https://supportforums.cisco.com/docs/DOC-12212 -
ASA IPS, auto update issue
Hi,
I am having an issue with auto update on the IPS module installed the ASA.
Auto Update Statistics
lastDirectoryReadAttempt = 06:00:34 UTC Wed Feb 23 2009
= Read directory: https://198.133.219.25//cgi-bin/front.x/ida/locator/loca
tor.pl
= Error: AutoUpdate exception: Receive HTTP response failed [3,212]
lastDownloadAttempt = N/A
lastInstallAttempt = N/A
nextAttempt = 06:00:00 UTC Thu Feb 24 2009
I can see from the above that there is a HTTP response error, I have checked and there does not seem to be any other unit stopping the responses. With regards to the ASA config do I need to allow the IPS module though the ACL's or NAT statements?
Many thanks MJHi
Many thanks for the respose.
Sorry I have not made any progress with this as yet: the only thing I have done is us the packet tracer, which passed I am just going to check the route of the packet once it has left the interface as it has got to be that or the URL is wrong.
Regards MJ -
ITunes wont install using update or manual download! HELP!
having major problems with my iTunes. i currently have 16 videos trying to download and i keep getting error messages everytime. contacted iTunes support and they said i needed to update to the latest version of iTunes. When i then told them that it won't let me they suggested downloading onto a different system! hugely useful! the problem i am getting with updating iTunes is that if i use the Apple Update it comes up with an error saying "failed to install try downloading manually" so i do! download the installer files manually and then double click on it as usual. the installer check comes up and i click on run. then nothing happens! the run box dissapears but nothing installs and nothing else comes up in its place! highly annoying as you can imagine! anybody any ideas on how to fix this so i can finally watch my 16 shows!
the fix microsoft suggested didnt work. the windows installer comes up fine:
Windows ® Installer. V 3.01.4001.5512
msiexec /Option <Required Parameter> [Optional Parameter]
Install Options
</package | /i> <Product.msi>
Installs or configures a product
/a <Product.msi>
Administrative install - Installs a product on the network
/j<u|m> <Product.msi> [/t <Transform List>] [/g <Language ID>]
Advertises a product - m to all users, u to current user
</uninstall | /x> <Product.msi | ProductCode>
Uninstalls the product
Display Options
/quiet
Quiet mode, no user interaction
/passive
Unattended mode - progress bar only
/q[n|b|r|f]
Sets user interface level
n - No UI
b - Basic UI
r - Reduced UI
f - Full UI (default)
/help
Help information
Restart Options
/norestart
Do not restart after the installation is complete
/promptrestart
Prompts the user for restart if necessary
/forcerestart
Always restart the computer after installation
Logging Options
/l[i|w|e|a|r|u|c|m|o|p|v|x|+|!|*] <LogFile>
i - Status messages
w - Nonfatal warnings
e - All error messages
a - Start up of actions
r - Action-specific records
u - User requests
c - Initial UI parameters
m - Out-of-memory or fatal exit information
o - Out-of-disk-space messages
p - Terminal properties
v - Verbose output
x - Extra debugging information
+ - Append to existing log file
! - Flush each line to the log
* - Log all information, except for v and x options
/log <LogFile>
Equivalent of /l* <LogFile>
Update Options
/update <Update1.msp>[;Update2.msp]
Applies update(s)
/uninstall <PatchCodeGuid>[;Update2.msp] /package <Product.msi | ProductCode>
Remove update(s) for a product
Repair Options
/f[p|e|c|m|s|o|d|a|u|v] <Product.msi | ProductCode>
Repairs a product
p - only if file is missing
o - if file is missing or an older version is installed (default)
e - if file is missing or an equal or older version is installed
d - if file is missing or a different version is installed
c - if file is missing or checksum does not match the calculated value
a - forces all files to be reinstalled
u - all required user-specific registry entries (default)
m - all required computer-specific registry entries (default)
s - all existing shortcuts (default)
v - runs from source and recaches local package
Setting Public Properties
[PROPERTY=PropertyValue]
Consult the Windows ® Installer SDK for additional documentation on the
command line syntax.
Copyright © Microsoft Corporation. All rights reserved.
Portions of this software are based in part on the work of the Independent JPEG Group. -
iphone 5c is not updating its time properly using set automatically. is this an os bug?
Hi TheLongRider,
Thanks for visiting Apple Support Communities.
I recommend this advice if the incorrect time is being set automatically:
Follow these steps. Test after each step to see if the issue is resolved.
Ensure that the version of iOS on your device is up to date.
If the option to enable date and time automatically is available, turn it on. Tap Settings > General > Date & Time.
Ensure that your time zone is set up correctly. Tap Settings > General > Date & Time > Time Zone.
If the incorrect date, time, or time zone is being set up automatically on the device, please notify your cellular provider. In the meantime, tap General > Date & Time and turn off Set Automatically. Then set the appropriate time and time zone manually.
If you are setting the time manually and it is still incorrect, this advice may apply:
Note: If you find that your device's time is incorrect after you sync with your computer, your computer's time may be incorrect. Verify the computer's time in System Preferences > Date & Time (you may want to select the checkbox to set the computer's date and time automatically).
You can find this information here:
iOS: Troubleshooting issues with date and time
http://support.apple.com/kb/ts3920
Cheers,
Jeremy -
Firefox won't auto update or manually update, Opendns is blocking sites
Open dns blocks sites such as Victoria's secret and an art studio I want to go to for nudity, lol. I don't remember loading it onto my computer and I don't have admin access to Open dns. So I can't uninstall or unblock sites. Also I get a message that Firefox could not update. I have the latest version of Firefox.
I don't have an administrator, so I don't know who to ask. I contacted OpenDNS and they replied: You have a Netgear router on your network with Live Parental Controls enabled.
Please go to https://netgear.opendns.com/sign_in.php to change your Live Parental Controls settings.
Afterward, flush your web browser caches and DNS resolver caches.
Web Browser Cache Flushing Instructions: http://www.opendns.com/support/article/327
Computer/Local DNS Resolver Cache Flush Instructions: http://www.opendns.com/support/article/209
(Restarting your computer is an alternative to flushing your local DNS resolver caches manually)
I'm going to try and see if that helps.
Maybe you are looking for
-
I cannot open a pdf file with aol e-mail. I went to preferences in Adobe Reader but did not know what to enter for Incoming IMAP and outgoing SMTP. I can open pdf files from windows explorer as I have associated .pdf files with adobe reader. My oper
-
.ts files in Premiere CS5.5
I'm importing some transport stream files (.ts) into premiere pro cs 5.5. All files were captured from the same device which captures from a satelliete. Some files import fine, while others may either not import at all or import with only half of t
-
Error in XL reporter after upgrade to PL37
Hi, I have upgraded several databases from version 2007 A PL30 to PL37, on some databases XL Reporter works fine while on others, the SAPB1 freezes after launching XL Reporter and the following error message is shown "Unable to Connect to XL Reporte
-
SAP SCM 5.10 with F&R - Update SAP Netweaver 7.0 to 7.0 EHP2 (702)
Hello Experts, almost all of our SAP-System has now SAP Netweaver 7.0 EHP2 (702) Abap-Stack. The last system that we will update is a "SAP SCM 5.10" with the F&R component. The mean software level is: SAP Basis 700 SP23 SCM SCEMSRV
-
Safari/Explorer Unexpectedly Quit
My sister has been having a problem with her internet browsers unexpectedly quitting repatedly for the past couple fo days. She said it happens when she tried to type into search or login boxes and just started to quit all the time after that. below