IPS-K9-min-5.1-1c.pkg

Similar Messages

• IPS-K9-min-5.1-1a.pkg install loop???

  I have updated our various IPS sensors to this latest version. Many [or all] of them seem to be caught in a loop where they are reinstalling IPS-K9-min-5.1-1a.pkg. Anybody else having this problem? Is this a known issue?

  I have verified that any attempts to put the IPS-K9-min-5.1-1a.pkg file into the autoupdate directory will result in the sensors repeatedly applying the package.
  so, you can't use autoupdate to install this package....at least not without renaming the package once all the sensors are upgraded. May I suggest:
  IPS-K9-min-5.1-1a.pkg_CISCO_HAS_NO_QA
  sigh...another work day wasted.

• NeedHelp Is it bug at IDSM-2 with IPS-K9-7.0-2-E3.pkg??

  Dear All,
  i have idsm with IPS-K9-7.0-2-E3.pkg installed,
  i use inline mode for this idsm, and idsm place is front on server farm
  but i have some problem that one segment in my network cant access the server
  but another segment can access that server,
  that server is oracle database aplication (real time)
  in this is happend only for that server.
  when i filter the traffic with idsm, the result that transaction match with
  signature number 7000, evenly that signature dont have action to deny the traffic,
  the traffic still cannot bypass, then ill try to disable but nothing impact to that segment
  evenly other segment can access that server normally.
  anyone can explain to me why this happen??
  ill try to downgrade to IPS-K9-7.0-2-E3.pkg with IME but always error..
  anyone can help me please..

  Hi Josh..
  This is my answer
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin-top:0in;
  mso-para-margin-right:0in;
  mso-para-margin-bottom:10.0pt;
  mso-para-margin-left:0in;
  line-height:115%;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  First off, you cannot downgrade the version  without a re-image.  You can only downgrade signatures.  Second, you  mention 7.0(2)E3 as the version you are on and the version you want to  downgrade to.  Can you verify what version you are running?
  Im not yet  downgrade to 7.0(2) because I don’t have yet permission from my bos . And now my isdm still use 7.0(2)E3
  This is capture from my isdm
  OTIDSM# sh ver
  Application Partition:
  Cisco Intrusion Prevention System, Version 7.0(2)E3
  Host:                                                        
      Realm Keys          key1.0                               
  Signature Definition:                                        
      Signature Update    S425.0                   2009-08-17  
      Virus Update        V1.4                     2007-03-02  
  OS Version:             2.4.30-IDS-smp-bigphys               
  Platform:               WS-SVC-IDSM-2                        
  Serial Number:          SAD132802TL                          
  Licensed, expires:      20-Oct-2010 UTC                      
  Sensor up-time is 2 days.
  Using 1415421952 out of 1983504384 bytes of available memory (71% usage)
  system is using 17.4M out of 38.5M bytes of available disk space (45% usage)
  application-data is using 38.6M out of 166.8M bytes of available disk space (24% usage)
  boot is using 41.5M out of 68.6M bytes of available disk space (64% usage)
  MainApp            B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500   Running  
  AnalysisEngine     B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500   Running  
  CollaborationApp   B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500   Running  
  CLI                B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500            
  Upgrade History:
    IPS-K9-7.0-2-E3   07:43:07 UTC Thu Oct 15 2009  
  Maintenance Partition Version 2.1(3)
  Recovery Partition Version 1.1 - 7.0(2)E3
  Host Certificate Valid from: 27-Apr-2010 to 27-Apr-2012
  On  the traffic not passing issue, if you put the sensor in bypass does  that resolve the issue. That will eliminate any signature related  actions from impacting the traffic.  If you are still unable to access  the servers then you should look for a routing or network layer issue
  What you mean about bypass? Is it to released the idsm from network? If that so, I had do that and the server can access from segment that before cant access it. I had done to check the network layer problem but everything is ok,
  And I want to clarify the other segment that cant access the server only for some application (real time application) in that server but the server can ping and telnet from that segment ( I think this is to clarify the network issue problem)
  If that clears things up, the next step would be to create an Event  Action Override to produce alert for all signatures.  Then you can  review IME for any signatures firing related to these servers.  Please  remove the Override once you are done testing as this can have a  performance impact on the sensor over time and should only be used  temporarily to troubleshoot a specific issue.
  Well, I will try your suggestion, But I will wait permission to execute it. I hope this is work for my idsm-2
  If you  are still having trouble, if may help to get some info about the config  of the sensor and the switch.  Specifically, how the VLAN or Interface  Pairs are setup, etc.
  Oke,  I will…
  Btw, thanks for your help boss
  GBU …

• ASA SSM IPS module upgrade won't work

  Hello all,
  I'm trying to upgrade the IPS sig's on an ASA5520 with a SSM IPS module. I'm trying to upgrade the system to 5.1.1 to further upgrade the device with no luck.
  I followed these steps provided by Cisco.com:
  1. Log in to the ASA.
  2. Enter enable mode:
  asa# enable
  3. Configure the recovery settings for ASA-SSM:
  asa (enable)# hw-module module 1 recover configure
  NOTE: If you make an error in the recovery configuration, use the
  hw-module module 1 recover stop command to stop the system reimaging
  and then you can correct the configuration.
  4. Specify the TFTP URL for the system image:
  Image URL [tftp://0.0.0.0/]:
  Example:
  Image URL [tftp://0.0.0.0/]: tftp://10.20.30.40/IPS-SSM-K9-sys-1.1-a-5.1-1.img
  5. Specify the command and control interface of ASA-SSM:
  Port IP Address [0.0.0.0]:
  Example:
  Port IP Address [0.0.0.0]: 11.21.31.41
  6. Leave the VLAN ID at 0.
  VLAN ID [0]:
  7. Specify the default gateway of the ASA-SSM:
  Gateway IP Address [0.0.0.0]:
  Example:
  Gateway IP Address [0.0.0.0]: 11.22.33.44
  8. Execute the recovery:
  asa# hw-module module 1 recover boot
  9. Periodically check the recovery until it is complete.
  NOTE: The status reads "Recovery" during recovery and reads "Up" when
  reimaging is complete.
  AFter #8 it just goes back to the enable prompt. A 'sh module' lists the device as 'recover' and hangs FOREVER.... I tested the TFTP server which the new image resides on, and the TFTP is working fine. I don't see any attempts or downloads from the TFTP server for over an hour.
  I opened a Ciscop TAC on this and not receiving alot of help...
  Please help!!!:)
  Thanks
  Chris Serafin
  [email protected]

  The recovery using this method can takes upwards of 30 minutes, and in some cases even longer.
  How long have you left the SSM in the "recovery" state?
  There may be something wrong in the config you entered. when that happens the SSM can go into a continuous reboot cycle trying to do the recovery.
  Execute "debug module-boot" on the console of the ASA.
  The debug output will show you the ROMMON output of the SSM itself. (The SSM has it's own ROMMON. The recovery boot command sends the settings made during the recover configure command to the SSM's ROMMON).
  If the ROMMON is experiencing a problem in trying to download the tftp image you should now see that ROMMON error message.
  Some typical problems I have seen:
  1) Wrong IP given for the sensor.
  2) Wrong IP given for the gateway (the gateway must exist on the same network as the sensor) this problem usually happens when using a non-standard netmasked network.
  3) Not having the sensor's command and control port plugged into the right network. The external port of the SSM itself is where the IP is being applied. You need to ensure that the extenral port of the SSM is plugged into the right network for that IP.
  4) The tftp server is not reachable from the network where the sensor's command and control port is attached. Some users think that if the ASA itself can reach the tftp server that the SSM will also be able to. This is not always the case. It is best to use a tftp server on the same network as the IP provided to the SSM. Or to test the tftp server from another machine on the same network as the SSM.
  5) The file name is wrong. Check the captialization especially.
  6) The file is not in the default directory on the tftp server. If the file is in a subdirectory you will need to add that subdirectory to the URL:
  tftp://10.20.30.40/subdirectoryname/filename
  7) The tftp is timing out.
  There are 2 things that can cause this:
  a) The tftp server is remote, and it takes too long to download the file. The ROMMON does have limits on the number of retries and per packet timeouts (but they are not user configurable). Try using a tftp server local to the SSM.
  b) The switch that the SSM connects to has spanning-tree running and spanning-tree does not complete before the SSM ROMMON times out for the tftp attempt. The tftp attempt happens immediately upon ROMMON startup and link up. But with a switch the switch port may be in a "Listen" or "Learn" state for 40 seconds before the box can actually talk on the network. In some cases the tftp download attempts started as soon as link up, and may timeout even before the spanning-tree completes. To work around this configure "spanning-tree portfast" on the switchport. Spanning-tree will connect the port into the vlan immediately rather than 40 seconds later.
  If it was a config problem when configuring the recovery settings, then there is a "recover stop" command on the ASA.
  It will stop the reboot cycle from happening.
  Let the module come up with the old image.
  Then correct your "recover configure" settings, and try the "recover boot" again.
  Another alternative:
  Stop the recovery "recover stop"
  Let it boot into the old image.
  If it was a 5.0 version, then you can actually upgrade to 5.1 using the sensor's own CLI "upgrade" command. It is actually the preferred method.
  The "recover" from the ASA will wipe the box clean and load a fresh image.
  The "upgrade" from the sensor will convert your 5.0 config into a 5.1 config while installing 5.1.
  5.1 upgrade file:
  IPS-K9-min-5.1-1g.pkg
  http://www.cisco.com/cgi-bin/tablebuild.pl/ips5
  It can be applied through the sensor's CLI upgrade command, or pushed directly through IDM, or applied by CSM.
  The "recover" should be limited to disaster recovery. When you can't access the SSM at all, or the files on the SSM have been corrupted.
  For normal upgrades you want to use "upgrade" files done through the sensor itelf (CLI, IDM, or CSM).

• Upgrade IDSM2 from 4.1(5)S225 to 5,1 using application partition

  can i upgrade an IDSM2 (WS-SVC-IDSM2-BUN)in a 6513 from 4.1(5)S225 to 5.1 by copying the 5.1 application partition to the sensor
  [from the cisco userguide]
  Chapter 10 Configuring the Sensor Using the CLI
  Reimaging Appliances and Modules
  Reimaging the IDSM-2
  This section contains the following topics:
  • Catalyst Software, page 10-124
  • Cisco IOS Software, page 10-126
  Catalyst Software
  To reimage the application partition, follow these steps:
  Step 1 Obtain the application partition file from Software Center on Cisco.com and copy
  it to an FTP server.
  Step 2 Log in to the switch CLI.
  Step 3 Boot the IDSM-2 to the maintenance partition:
  cat6k> (enable) reset module_number cf:1
  Step 4 Log in to the maintenance partition CLI:
  login: guest
  Password: cisco
  Step 5 Reimage the application partition:
  [email protected]# upgrade ftp://user@ftp server IP/directory
  path/image file
  Step 6 Specify the FTP server password.
  After the application partition file has been downloaded, you are asked if you
  want to proceed:
  Upgrading will wipe out the contents on the hard disk. Do you want to
  proceed installing it [y|n]:
  Step 7 Type y to continue.
  When the application partition file has been installed, you are returned to the
  maintenance partition CLI.
  Step 8 Exit the maintenance partition CLI and return to the switch CLI.
  Step 9 Reboot the IDSM-2 to the application partition:
  cat6k> (enable) reset module_number hdd:1
  Step 10 When the IDSM-2 has rebooted, check the software version.
  Step 11 Log in to the application partition CLI and initialize the IDSM-2.
  See Initializing the Sensor, page 10-2, for the procedure.
  IF NOT, THEN IS THERE A SHORT CUT FROM 4.1 to 5.1 ?

  Just wanted to clarify some things.
  As Scott has already confirmed you can re-image using the method described and following Scott's advice on what additional updates to install.
  BUT understand that any configuration you have your 4.1 sensor will be lost during that method of re-imaging to 5.1.
  Another alternative is to first upgrade from 4.1(5)S225 to 5.0(1), and then to upgrade to 5.1(1).
  The upgrade to 5.0(1) will convert the 4.1 configuration into a compatible 5.0 format.
  I saw another post you made implying that you had to downgrade back to 4.1(5)S189 to do the 5.0(1) upgrade. This is not the case. You can upgrade directly from your current 4.1(5)S225 to 5.0(1).
  You can install the IPS-K9-maj-5.0-1-S149.rpm.pkg file directly on your current 4.1(5)S225 sensor.
  When S225 was installed on your 4.1(5) sensor, it also placed in storage the corresponding S225 update for your 5.0 sensor.
  So when IPS-K9-maj-5.0-1-S149.rpm.pkg is installed on the sensor it will detect that stored off S225 for 5.0 and install it at the same time.
  So once installed you will be immediately at 5.0(1)S225.
  Once at 5.0(1)S225, then you can upgrade directly to 5.1(1) using the IPS-K9-min-5.1-1d.pkg upgrade.
  (NOTE: 5.1-1d file was created to fix some upgrade bugs, but still installs the same 5.1(1) files as the original 5.1(1) upgrade package).
  So you will wind up at 5.1(1)S225.
  Now at this point I would recommend installing at least one later signature update (S226 or higher in your case) BEFORE installing the 5.1(1p1) patch.
  And AFTER the signature update, then install the 5.1(1p1) Engineering Patch (contact the TAC for this patch).
  Because of this specific upgrade path, the best way to avoid some issues is to install at least one signature update before installing the 5.1(1p1) patch. The signature update helps to ensure the sensor is ready for the 5.1(1p1) upgrade. Some of the files needed for the 5.1(1p1) upgrade have been seen to not get carried forward properly in the upgrade from 5.0(1) to 5.1(1), but a signature update corrects those issues.
  NOTE: This precaution of installing the signature update BEFORE the 5.1(1p1) is only needed when upgrading from 5.0(1) to 5.1(1). If imaging directly to 5.1(1) using the maintenance partition, then the 5.1(1p1) can be installed before a signature update without an issue.
  Once 5.1(1p1) is up and running and monitoring packets and generating alarms, then additional signature updates can be installed afterwards.

• Auto upgrades failing

  First of all, we use the autoupdate functionality to upgrade our sensors. I have a test sensor that was upgraded to IPS-K9-min-5.1-1d (from 5.0.6) some time ago. I'm now trying to upgrade the signatures. It is not updating. Instead it seems it has been trying to re-apply the IPS-K9-min-5.1-1d upgrade over and over. I imagine it's been doing this since the upgrade. This is not the first time I've noticed this behavior. Is this a known bug?
  evStatus: eventId=1147301912612292606 vendor=Cisco
  originator:
  hostId: 88-nsmc-c1
  appName: mainApp
  appInstanceId: 32588
  time: June 14, 2006 6:17:00 PM UTC offset=-300 timeZone=GMT-06:00
  autoUpgradeServerCheck:
  uri: scp://[email protected]//data1/edrm/test/sensorUpdates/
  packageFileName: IPS-K9-min-5.1-1d.pkg
  result: status=true
  evStatus: eventId=1147301912612292610 vendor=Cisco
  originator:
  hostId: 88-nsmc-c1
  appName: mainApp
  appInstanceId: 32588
  time: June 14, 2006 6:17:04 PM UTC offset=-300 timeZone=GMT-06:00
  downloadUpgradeFile:
  uri: scp://[email protected]//data1/edrm/test/sensorUpdates/IPS-K9-min-5.1-1d.pkg
  result: status=true
  evStatus: eventId=1147301912612292611 vendor=Cisco
  originator:
  hostId: 88-nsmc-c1
  appName: mainApp
  appInstanceId: 32588
  time: June 14, 2006 6:17:04 PM UTC offset=-300 timeZone=GMT-06:00
  softwareUpgradeInitiated:
  description: Minor update initiated
  upgradeName: IPS-K9-min-5.1-1d
  oldVersion: IPS-K9-min-5
  evStatus: eventId=1147301912612292619 vendor=Cisco
  originator:
  hostId: 88-nsmc-c1
  appName: mainApp
  appInstanceId: 32588
  time: June 14, 2006 6:17:38 PM UTC offset=-300 timeZone=GMT-06:00
  softwareUpgradeCompleted:
  description: Update completed with errors
  upgradeName: n/a
  oldVersion: n/a
  newVersion: n/a
  result: 5.1(1) is already installed on this system. status=false

  Auto-download is not working for me either. It seems to be a server issue.

• Upgrading IDS 4210 from 4.1 to 5.2

  I received the S253 sig update notification yesterday and for the first time it appears the text indicates that I can upgrade my IDS 4210 to the 5.2 version needed to have continued sig support. What is the upgrade path? What do I need to order? Everytime I use the PUT it only shows me the upgrade package for my current 4.1 version. I think I would much rather upgrade my current sensor than spend $$$ on purchasing a whole new one. Thanks.

  Just to add a little more information.
  The IDS-4210 has been End of Saled, but not yet End Of life.
  http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/prod_eol_notice09186a008032d508.html
  The IDS-4210 IS capable of running IPS version 5.1 software and will continue to receive signature updates as long as IPS 5.1 signature updates continue to be created.
  No date has yet been announced for when IPS 5.1 signature updates will stop, but I would expect no less that 18 months from now.
  An IPS Service Contract and associated Signature Update License is required for installing signature updates in IPS 5.1.
  If you already have an IPS Service Contract then you can upgrade to 5.1 and request the associated License for your sensor.
  (NOTE: A Service Contract has always been required for the installation of signature updates, but was previously not enforced by software. It is now being enforced by the IPS 5.1 software through the use of the License received through the Service Contract)
  As for memory requirements. The following is stated in the 5.0(1e) Readme file:
  - 512 MB of RAM memory on the IDS-4210, IDS-4210-K9, and IDS-4210-NFR (NOTE: this upgrade is no longer available as the IDS-4210-MEM-U= part has been end-of-saled).
  If you previously upgraded to 512MB then you are fine.
  If not, you would need to open the IDS-4210 and determine what the memory part number is and attempt to purchase additional memory matching that part number from any vendor that you can find (does not have to have been specifically sold by Cisco, but should match the part number of the memory already in the system). The memory is longer being manufactured so Cisco was no longer able to sell that part.
  You should NOT attempt to install 5.0 or 5.1 on a sensor running only 256MB of memory. The sensor will never run properly.
  Specific upgrade files to use:
  http://www.cisco.com/cgi-bin/tablebuild.pl/ips5
  IPS-K9-maj-5.0-1e-S149.rpm.pkg
  IPS-K9-min-5.1-1g.pkg
  IPS-K9-sp-5.1-3.pkg
  If you do not already have an IPS Service Contract for your sensor, then you need to contact your Cisco Sales Representative. The last day you could have purchased a new service contract for the IDS-4210 was back on December 6, 2004.
  Yoru Cisco Sales Representative may be able to give you a discount on upgrading your IDS-4210 to a newer IDS-4215.

• Troubleshooting "AnalysisEngine is currently busy"

  Greetings all. I have a 4215 appliance running 5.0(5)S203.0. I'm attempting to apply IPS-K9-min-5.1-1a.pkg via the 'upgrade' CLI command but keep receiving the "AnalysisEngine is currently busy and unable to process this update. Please wait several minutes before attempting update again." message. I've tried this several times over two days.
  The 4215 is running in traditional IDS mode and it's monitoring interface is seeing very little tcp/udp traffic.
  - A 'show events alert' shows no events
  - A 'top' from the OS level shows the mainApp process using almost no CPU or memory
  Anyone have ideas on the best way to troubleshoot this?

  Just a quick update for folks...
  I stopped and restarted all processes via /etc/init.d/cids stop|start and the update took.
  Still curious why Analysis Engine was busy for 2+ days..

• Auto Apply IPS Updates

  I want to auto-update the signatures of some IDS 4250 from IPS Manager (automatic). I suppose it must be done in Admin>System Configuration, but it does not work.
  How is it synchronized the sensor with the MC from the IPS Manager?
  Thanks for all,
  Cristina

  The features of the sensor i want to update are:
  IDS 4250XL Version:5.1(3)S253.0V1.2
  I suppose it must be done in Admin>System Configuration, but it does not work.
  Local MC: Upgrade
  A sensor update for version IPSv5 Service Pack update; 5.1(3) has started.
  The update for version IPSv5 Service Pack update; 5.1(3) has completed.
  Synchronization message to Tomcat sent successfully.
  Local MC: Auto Sig Download
  Automatic Signature Download Started
  Fetching new signature update packages...
  No new signature update files available for download
  Auto download: The following files are supported by the MC and available on
  server:
  IPS-K9-min-5.1-1.zip
  IPS-K9-sp-5.1-3.zip
  Readme-IPS-min-5.1-1g.txt
  Readme-IPS-sp-5.1-3.txt
  IDS-K9-min-4.1-1-S47.zip
  IDS-K9-sp-4.1-4-S91.zip
  IDS-K9-sp-4.1-5-S189.zip
  IDS-sig-4.0-2-S47.zip
  Readme-4.1-4-S91.txt
  Readme-IDS-K9-min-4.1-1-S47a.txt
  Readme-IDS-sig-4.0-2-S47.txt
  Readme-IDS-sp-4.1-5-S189.txt
  IDS-sig-4.1-5-S209.zip
  IDS-sig-4.1-5-S210.zip
  IDS-sig-4.1-5-S211.zip
  IDS-sig-4.1-5-S213.zip
  IDS-sig-4.1-5-S214.zip
  Readme-sig-4.1-5-S248.txt
  Readme-sig-4.1-5-S249.txt
  Readme-sig-4.1-5-S250.txt
  Readme-sig-4.1-5-S251.txt
  Readme-sig-4.1-5-S252.txt
  128MB.sdf
  256MB.sdf
  Cisco_SDF_Release_Note_v6.0.pdf
  Cisco_SDF_Release_v6.0_Signature_List.pdf
  IPS-sig-S212-minreq-5.0-1.zip
  IPS-sig-S237-minreq-5.0-6.zip
  IPS-sig-S253-minreq-5.1-2.zip
  IPS-sig-S254-minreq-5.1-2.zip
  IPS-sig-S255-minreq-5.1-2.zip
  IPS-K9-maj-5.0-1-S149.zip
  IPS-K9-sp-5.0-6.zip
  Read-me-IPS-K9-sp-5.0-6.txt
  Readme-IPS-maj-5.0-1e-S149.txt
  Updating MC database with meta-data from signature update packages...
  A sensor update for version IPSv5 Service Pack update; 5.1(3) has started.
  The update for version IPSv5 Service Pack update; 5.1(3) has completed.
  Synchronization message to Tomcat sent successfully.
  A sensor update for version IPSv5 Minor update; 5.1(1) has started.
  The update for version IPSv5 Minor update; 5.1(1) has completed.
  Synchronization message to Tomcat sent successfully.
  The update for version IPSv5 Service Pack update; 5.0(6) has completed.
  Synchronization message to Tomcat sent successfully.
  A sensor update for version IPSv5 Major update; 5.0(1) has started.
  The update for version IPSv5 Major update; 5.0(1) has completed.
  Synchronization message to Tomcat sent successfully.
  A sensor update for version IPSv5 Signature update; S255.0 requires 5.1(2)
  has started.
  The update of sensor sace was stopped because of the following error:An
  error ocurred while trying to determine the sensor version for sensor sace.
  Detail=null.
  Regards,

• IPS automatic update to E4 engine

  Hi,
  Is there a way for the IPS to automatically download the E4 engine through an FTP server like the signature auto update?
  I need the answer the the below scnearios
  1- upgrade from 7.0(2)E3 to 7.0(2)E4
  1- upgrade from 7.0(1)E3 to 7.0(2)E4 -> In this case the whole SP should be downloaded, I doubt this can be done automatically but just in case there is a new way to do it???

  - Upgrade from 7.0(2)E3 to 7.0(2)E4 can be done automatically through the auto-update from cisco.com. When you perform the signature auto update, it will automatically update the engine to E4.
  - Upgrade from 7.0(1)E3 to 7.0(2)E4 needs to be done as per normal upgrade process, ie: download the upgrade package "IPS-K9-7.0-2-E4.pkg", and update the sensor.
  Hope that helps.

• User account to download Cisco IPS signature

  Hi All,
  I wanted to enable the Autoupdate in IPS but it asks for Cisco acc with cryptographic privileges to download Cisco IPS signature and signature engine updates from Cisco.com.
  is their any default acc for this ?
  I have CCO acc whether is this can be used ?
  You must have a Cisco.com user account with cryptographic privileges to download Cisco IPS signature and signature engine updates from Cisco.com.

  Using your cisco.com account go to this link and see if you can download the IPS-K9-6.1-2-E3.pkg file to your own desktop machine.
  http://tools.cisco.com/support/downloads/go/ImageList.x?relVer=6.1%282%29E3&mdfid=280302728&sftType=Intrusion+Prevention+System+%28IPS%29+System+Upgrades&optPlat=&nodecount=2&edesignator=null&modelName=Cisco+IPS+4260+Sensor&treeMdfId=278875311&treeName=Intrusion+Prevention+System+%28IPS%29&modifmdfid=null&imname=&hybrid=Y&imst=N&lr=Y
  If you can download this file with your account, then you can use that account and password when configuring the sensor for the cisco.com automatic upgrades.
  If you can not download the file with your account, then your account does not have the right settings.
  Either your account does not have crypto access or your account is not properly linked to your service contract for your sensors.
  There are a handfull of countries not allowed to have crypto access, users from all other countries would just need to get their account modified for crypto access (I am not sure what that procedure is).

• Can't apply IPS-K9-patch-5.1-1p1

  Upgraded my 5.0-1c IDSM2 blade to 5.1-1f and then to 5.1-3 but had not applied the 5.1-1p1 patch before this last upgrade. Monitoring ports kept becoming error-disabled. Downgraded to 5.1-1f in order to apply the patch but now keep getting:
  Error: execUpgradeSoftware : This update requires that version IPS-K9-min-5.1-1 be installed prior to update.
  even though a "sh ver" tells me I am at 5.1(1)
  Has anybody come across this before?

  You do not have to apply the p1 patch. It is rolled up into 5.1(2) and now 5.1(3). If your ports are becoming err-disabled, its for something not associated with the p1 patch. The usual cause is trying to hard-code the port speed or duplex.

• CSM to update IPS AIP -SSM

  Hi all,
  I need some help. I am configuring my CSM 3.1 to apply update on my IPS AIP-SSM.
  I went to the apply IPS Tab and choose to update from cisco.com. But it is always like processing for a long time.
  I tried to enter my username and password for the sensors or the CCO account but still no improvement. Does anyone knows how to configure this. I tried reading the user guide there is no examples.
  Thanks

  The IPS-engine-E2-req-5.1-7.pkg Engine Update file is just to upgrade an existing 5.1(7)E1 sensor to 5.1(7)E2.
  It only changes the "engine" features of the sensor that are necessary for installing signature updates requiring E2. It does not change other files on the sensor.
  The IPS-K9-5.1-8-E2.pkg Service Pack file is for upgrading the entire image to the next service pack level as well as upgrading the "engine" features. So you get all of the latest bug fixes.
  So which to use?
  If you are running 5.1(7)E1 then you will eventually want to get to 5.1(8)E2. But the upgrade to 5.1(8)E2 WILL require a reboot and so if running in an inline mode it should only be done during a scheduled network downtime. For most networks this could be a week or even a month before the downtime can be scheduled to do this type of upgrade. So the IPS-engine-E2-5.1-7.pkg file is a short term solution to get you to the E2 level required for signature updates, until you can schedule the upgrade to 5.1(8)E2.
  The IPS-engine... file will NOT reboot the sensor. It will temporarilly stop analysis and if Software ByPass is set to auto then traffic will be allowed to pass through the sensor unanalyzed while the engine update takes place. Because the traffic will continue to flow with Software ByPass most companies will allow an Engine update to be installed without having to schedule network downtime.
  Of course, the above discussion was really only applicable when E2 was the latest Engine release. Now that E3 is out, the discussion really becomes how to get to E3.
  There is Not an IPS-engine-E3-req-5.1-7.pkg engine update file.
  So you must get to 5.1(8)E3 if you want to keep getting recent signature updates.
  So then it just depends on your current IPS version.
  If you are running 5.1(7)E2 or earlier version then you must schedule a downtime and install the IPS-K9-5.1-8-E3.pkg file in order to install the latest E3 required signature updates.
  If you are running 5.1(8)E2 already, then you need to install the IPS-engine-E3-req-5.1-8.pkg file because the only thing needing to be upgraded is the Engine level to E3.
  General Rules of Thumb:
  Always ensure you are at the latest Service Pack level for the major/minor version train you are using. (5.1(8) in this case)
  If you are running the latest Service Pack then you will be able to simply install an Engine Update when the next Engine Update comes out without having to schedule downtime.
  If you are not at the latest Service Pack level then you will want to schedule a network downtime to do that upgrade within 60 days of the Service Pack being released.
  If an Engine Update comes out before you get a chance to upgrade to the next Service Pack, then install the Engine Update for the prior Service Pack (that you should at least be at) as a temporary measure to keep getting signature updates. And schedule a Service Pack upgrade as soon as possible.
  Why 60 days?
  If a new Engine Update is released within 60 of a Service Pack release, then the Engine Update will be released for both the latest Service Pack AND the one prior. But if the new Engine Update is longer than 60 days after the latest Service Pack, then an Engine Update will be created only for the latest Service Pack and not for the prior. This is why E3 was only released for 5.1(8). E3 was released more than 60 days after 5.1(8) so there was not an E3 for the prior 5.1(7).
  So you see that an Engine Update for a prior Service Pack should be considered a temporary measure until you can get the next Service Pack installed.
  If you wait too long another Engine Update might come out, and you might be forced into an immediate network downtime to get to the latest Service Pack.
  As for do you HAVE to install IPS-engine-E2-req-5.1-7.pkg before installing IPS-K9-5.1-8-E2.pkg (or more importantly IPS-K9-5.1-8-E3.pkg).
  The answer is NO.
  You can go directly from any 5.0 or 5.1 version directly to IPS-K9-5.1-8-E3.pkg.

• IPS Engine Upgrade

  Hi all
  I have an IPS running 6.1(1) image with E1 engine.I want to upgrade this to E3.Is to possible to upgrade directly to E3?.What are the things to consider for upgrading the Engine(i want to upgrade manually)? Is there any advange on E3 over E2 or E1?
  Thanks In Advance

  Yes, you can go directly from 6.1(1)E1 to 6.1(1)E3.
  Go to this link, select your model sensor, select the IPS System Upgrades link, and select All Releases->E3->6.1->6.1(1)E3.
  http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=278875311
  Download the IPS-engine-E3-req-6.1-1.pkg file, and install it on your sensor.
  The "engine" upgrade changes just the E level of the sensor.
  HOWEVER, I recommend that on your next scheduled network downtime that you upgrade all the way to 6.1(2)E3.
  Instead of selecting 6.1(1)E3 you would instead select 6.1(2)E3 on that download page.
  You can then download IPS-K9-6.1-2-E3.pkg file (name might differ for the AIM and NME platforms).
  Installing this file will upgrade not only the Engine level from E1 to E3, but will also upgrade you to the next Service Pack level (2).
  Why should you upgrade to E3 instead of E2?
  All new signature updates are only released for E3. Signatures stopped being developed for E2 as soon as E3 was released. You always need to stay at the latest E level to get the latest signature updates.
  Why should you upgrade all the way to 6.1(2)E3 instead of just 6.1(1)E3?
  You get additional bug fixes by going to 6.1(2)E3.
  In addition you need to keep in mind that there will at some point be an E4, and there are rules as to which versions E4 will be available for.
  The next Engine Update (in this case E4) will be available for the latest service pack of each Major.Minor version. With 6.1 that latest Service Pack is 6.1(2). It will not be available for the prior Service Pack level unless the most recent service pack has been released less than 60 days ago.
  Explanation:
  6.1(2)E3 was released on Dec 19, 2008.
  If E4 has been released any time between Dec 19, 2008 and Feb 19, 2009; then we would have released both an E4 for 6.1(2) AS WELL AS 6.1(1). After Feb 19, 2009 Cisco will no longer release an Engine Update for 6.1(1). So E4 will be released for 6.1(2), and NOT 6.1(1).
  So to be prepared for E4 you need to be running 6.1(2)E3 right now.
  Any time a new Service Pack is released you should be scheduling to upgrade to that next Service Pack within 60 days if you want to be sure you are always able to install the latest signature and engine updates.

• Post Upgrade from 4.x to 5.0 to 5.1 questions

  All, I have upgraded my first sensor 4.x to 5.0 to 5.1. Here is my process
  1) Upgraded from 4.x to 5.0 using FTP with this file IPS-K9-maj-5.0-1c-S149.rpm.pkg
  2) Installed License Key
  3) Using VMS, I went from 5.0 to 5.1 using file IPS-K9-min-5.1-1.zip
  4) Now, my switchport is down, down monitoring.
  Am I missing a patch?
  Did I upgrade properly?
  Why is it down down monitoring and not up down monitoring on the switchport that my sensing port connects to in the switch.

  You may be hitting a common issue with 5.1.1 where the senorApp process becomes unresponsive. You should not stay at 5.1.1 - you need to upgrade to 5.1.3. If you are seeing this issue then:
  1) disable the sniffing interfaces
  2) reboot the sensor
  3) upgrade to 5.1.3
  4) enable the sniffing interfaces