Restarting Analysis Engine on IDSM-2

Hi All,
I have an IDSM-2 module and I have noticed that the analysis engine stops very frequently (I do a show version and I see the analysis engine not running). Is there a way to restart it without resetting the module?
I also see the following message:
Note: /etc/modules.conf is more recent than /lib/modules/2.4.30-IDS-smp-bigphys/modules.dep
Does anybody know what it means?
Regards

Hi Vicente,
The work around was to disable auto-update, sigs 3333 and 5597 (SMB MSRPC Messenger Overflow). I have no idea why this was the work around but it seems to have worked. They are also supposed to have a minor version upgrade on Monday that fixes this issue I just found out.
Cheers

Similar Messages

  • Analysis Engine

    The sensor IDS 4250XL 5.1 reports that the daemon AnalysisEngine has a status of Not Running. What does it mean? What do I have to do? Is this probably the source of the problem I have with the deployment of this sensor from the IPS Manager?
    Thank you

    If the Analysis Engine is not running, the sensor will not analyze traffic and will therefore be useless (won't generate alerts..). To restart the analysis engine, make a service account then log into the service account and run the command below (you must su to root first).
    /etc/init.d/cids restart
    Hope this helps.

  • Analysis engine fails frequently.

    Hi, recently I deployed ips4240 inline with software versions:
    IPS-K9-sp-5.0-6
    IPS-sig-S242-minreq-5.0-6.pkg
    I found that the Analysis Engine keeps failing (please refer to the screen message below).
    I am using one pair of interfaces for the in-line configuration and I have modified quite a few signature responses to drop the packets.
    egsensor# SH STATISTICS ANALysis-engine
    Error: getAnalysisEngineStatistics : ct-sensorApp.338 not responding, please check system processes - The connect to the specified Io::ClientPipe failed.

    Try restarting the analysis engine...
    1. Log into service account
    2. su to root
    3. Type /etc/init.d/cids restart
    4. su to cisco
    5. Type sho stat analysis-engine
    6. Send me the printout

  • How can i stop only the Analysis Engine?

    As I have problems updating the version on the IPS 4250 XL, I want to stop it, because when I try to upgrade the software on the sensor a message appears saying Analysis Engine is currently busy...
    Is it possible?

    To restart the analysis engine...
    1. Log into service account
    2. su to root
    3. Type /etc/init.d/cids restart
    If this helps, please rate.
    Thanks.
    Jay

  • 4215 IPS 5.x analysis engine woes

    I've got about 20 4215s that I'm upgrading from 4.1 to 5.x
    Like everyone else I've had nothing but problems with the 5.1x (analysis engine just stops running)
    I've tried upgrading using a brand new image, using both the 5.0(1) and 5.0(2) images. However, with both of those I get the following errors:
    Modify virtual sensor "vs0" configuration?[no]: yes
    Warning: The AnalysisEngine is initializing, virtual-sensor "vs0" can not be configured.
    and..
    sensor# conf t
    sensor(config)# serv analysis-engine
    sensor(config-ana)# virtual-sensor vs0
    sensor(config-ana-vir)# physical-interface fast
    fastEthernet0/0 fastEthernet1/0 fastEthernet1/2
    fastEthernet0/1 fastEthernet1/1 fastEthernet1/3
    sensor(config-ana-vir)# physical-interface fastEthernet1/3
    sensor(config-ana-vir)# ex
    sensor(config-ana)# ex
    Apply Changes:?[yes]:
    Error: editConfigDeltaAnalysisEngine : Analysis Engine is busy
    What's the deal with this? It sometimes takes several resets just to work. Sometimes I have to wait 10 minutes. Sometimes it just doesn't work at all. I can't even upgrade to 5.0(6) or anything because, you guessed it, my analysis engine is busy.
    Does it normally take that long for it to allow me to make changes? Anybody have any ideas?

    After a re-image there will always be a period of time when the Analysis Engine is busy.
    The Analysis Engine can take up to about 30 minutes on a low end sensor like the IDS-4215 to completely initialize itself.
    It takes all of the regular expression signatures and will compile the regular expressions together into what you can consider one giant regular expression. It was what we call a regular expression cache file.
    The creation of the regular expression cache file was speeded up as part of a bug fix in the 5.0(6) Service Pack.
    So what to do:
    After you do a re-image of the sensor just let it sit for 20 to 30 minutes. Then execute "iplog-status". If it tells you AnalysisEngine is busy then keep waiting. If it tells you No Ip Logs are available then it is ready to go. (Any other command that queries the AnalysisEngine would work as well.) This way you can also check the Analysis Engine status before going through and typing up all of the config changes.
    Resetting the sensor while the Analysis Engine is busy just prolongs the initialization; the Analysis Engine will have to redo some of the initialization.
    My recommendation for versions right now is to load 5.0(1) or 5.0(2) base image. Wait for 20 to 30 minutes till Analysis Engine is responding, then load the 5.0(6) Service Pack. When you load the 5.0(6) Service Pack there will once again be a big jump in signatures so there will be another initialization period.
    Once that initialization is done, then load the latest Signature Update.
    As for version 5.1(1) there are some known issues that cause Analysis Engine to stop Running. Don't confuse these bugs with the standard initialization time for Analysis Engine. Analysis Engine being busy is normal and expected after a re-image or upgrade; an Analysis Engine "Not Running" is a bug.
    If you are seeing "Not Running" for Analysis Engine when executing "show version" then please contact the TAC. There is an engineering patch for some of these issues, but it does require running special engineering builds that are in the process of going through testing.
    Cisco is working on these issues and will be releasing an official update as soon as the fixes have been fully tested at Cisco.
    Until those 5.1(1) issues are addressed, your options would be to contact the TAC and possibly obtain the special engineering build, or downgrade to the 5.0(6) version as mentioned above.

  • Analysis Engine is Not Running

    Hi Guys!
    I'm looking for your help with an issue on a Cisco IPS (B-BEAU) that is showing the Analysis Engine=NotRunning
    These are the SO and Version of my IPS:
    Version: 7.0(6)E4
    OS Version: 2.4.30-IDS-smp-bigphys
    If I execute the show events command I get the following lines:
    ct-sensorApp.650 not responding
    evStatus: eventId=1326914865100530240 vendor=Cisco
      originator:
        hostId: XXXXXXXX
        appName: modprobe
        appInstanceId:
      time: 2013/07/13 02:11:05 2013/07/12 20:11:05 CST
      syslogMessage:
        description: Note: /etc/modules.conf is more recent than /lib/modules/2.4.30-IDS-smp-bigphys/modules.dep
    The following lines show the result for the show status command:
    XXXXXX# show health
    Overall Health Status                                   Red
    Health Status for Failed Applications                   Red
    Health Status for Signature Updates                     Not Enabled
    Health Status for License Key Expiration                Red
    Health Status for Running in Bypass Mode                Red
    Health Status for Interfaces Being Down                 Red
    Health Status for the Inspection Load                   Green
    Health Status for the Time Since Last Event Retrieval   Not Enabled
    Health Status for the Number of Missed Packets          Green
    Health Status for the Memory Usage                      Not Enabled
    Health Status for Global Correlation                    Not Enabled
    Health Status for Network Participation                 Not Enabled
    Security Status for Virtual Sensor vs0   Green
    Security Status for Virtual Sensor vs1   Green
    Do you have any idea what's wrong here?
    I'll appreciate any help about it,
    Thanks folks!!!

    Hi Manuel,
    Pre-7.0.8 versions have issues with the latest signature updates, so most likely you will face this issue after every signature upgrade. So I suggest you upgrade at least to 7.0.8 or 7.1.7.
    HTH
    Luis Silva
    "If you need PDI (Planning, Design, Implement) assistance feel free to reach"
    http://www.cisco.com/web/partners/tools/pdihd.html
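
A monitoring check built on the `show health` output quoted in the question above, added here as an example and not part of the original thread or of any Cisco tooling. It parses the two-column output and separates red metrics from checks that are switched off; the `CRITICAL` list (which metrics should page an operator) is this example's assumption.

```python
import re

# Constructed input: the "show health" lines quoted in the post above.
SAMPLE = """\
XXXXXX# show health
Overall Health Status                                   Red
Health Status for Failed Applications                   Red
Health Status for Signature Updates                     Not Enabled
Health Status for License Key Expiration                Red
Health Status for Running in Bypass Mode                Red
Health Status for Interfaces Being Down                 Red
Health Status for the Inspection Load                   Green
Health Status for the Time Since Last Event Retrieval   Not Enabled
Health Status for the Number of Missed Packets          Green
Health Status for the Memory Usage                      Not Enabled
Health Status for Global Correlation                    Not Enabled
Health Status for Network Participation                 Not Enabled
Security Status for Virtual Sensor vs0   Green
Security Status for Virtual Sensor vs1   Green
"""

# Assumption of this example: anything other than Green on these metrics
# means traffic may be passing uninspected, so an operator is paged.
CRITICAL = ("Failed Applications", "Running in Bypass Mode")


def parse_health(text):
    """Return {metric: status}; columns are separated by two or more spaces."""
    health = {}
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) != 2:
            continue  # CLI prompt, blank line, or anything not "metric  status"
        metric = re.sub(r"^Health Status for (the )?", "", parts[0])
        health[metric] = parts[1]
    return health


def triage(health):
    """Split metrics into alerts, switched-off checks, and a paging decision."""
    alerts = [m for m, s in health.items() if s not in ("Green", "Not Enabled")]
    unmonitored = [m for m, s in health.items() if s == "Not Enabled"]
    # A critical metric that is missing or "Not Enabled" also pages: a check
    # that is switched off cannot report that inspection has stopped.
    page = [m for m in CRITICAL if health.get(m, "missing") != "Green"]
    return {"alerts": alerts, "unmonitored": unmonitored, "page": page}


if __name__ == "__main__":
    report = triage(parse_health(SAMPLE))
    for key, metrics in report.items():
        print(f"{key}: {', '.join(metrics) or '-'}")
```

On the sample, both virtual sensors report a green security status while failed applications and bypass mode are red, which is why the check keys on the health metrics rather than on the per-sensor lines.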

  • Is it possible to restart an engine over the network with DSC?

    Is it possible to restart an engine over the network with DSC?

    You can stop/launch the DSC Engine from a remote application using the VI Server.
    A remote VI can launch the engine using the Launch Engine.VI or stop it using the Engine Shutdown.VI.
    They are located at
    C:\Program Files\National Instruments\LabVIEW 6.1\vi.lib\lvdsc\_engine\User\
    If you are going to use VI Server, just make sure that you enable the VI Server on the Computer that has the Engine.
    There is also an executable that launches the engine called DSCEngine.exe located at
    C:\Program Files\National Instruments\LabVIEW 6.1\
    that you could access remotely if you share the LabVIEW 6.1 directory. This executable can be used to launch the engine also.
    I would recommend using the VI Server, since sharing the LabVIEW directory might not be a good idea.

  • Missing App server in GRC Analysis Engine Daemon Manager

    Hi,
    We have two app servers for our GRC AC 5.3. The Analysis Engine Daemon Manager (http://<host>:5<nn>00/sap/CCADStatus.jsp) lists only one of the app servers. If I try the URL for the Daemon Manager with app1 or app2, it lists only the background job workers and web services workers for app1 and not for app2. I checked the table VIRSA_CC_CONFIG, which has an entry for the first app server ('107', 0,http://app1:5<nn>00/webdynpro/dispatcher/virsa/ccappcomp/BgJobStart', 'BgJobStart URL'). Do I need to add the other URL for the other app server also? If yes, how? If anyone has faced this issue, please help me. Your help is greatly appreciated.
    Thanks,
    Max

    Since the instance number (i.e. <nn>) is a mandatory part of the URL, the URLs for the two app servers should be different. But first of all, what is the necessity of keeping two different instances (Java) for GRC AC? One is enough with proper hardware and system parameter sizing - right?
    Also, the Batch Jobs are not App server specific stuff.. so it is not correct to say that there are Jobs from only one App server and not from the other.
    regards,
    Dipanjan
    Edited by: Dipanjan Sanpui on Sep 27, 2010 2:51 PM

  • CCADStatus.jsp not showing up (Analysis Engine Daemon Manager)

    We are on GRC5.3 SPS19 and I have configured our system as per the note 999785. I am able to see http://<server>:<port>/sap/CCBgStatus.jsp and I can see that the job is being run, but when I try "http://<server>:<port>/sap/CCADStatus.jsp" I am not getting anything other than the heading "Analysis Engine Daemon Manager".
    Heap is already at 2048M as per the note 999785. Can somebody advise what needs to be checked?

    Hi,
    try note 1176262 - Analysis Daemon Page is Blank/ BG Jobs stay in ready status.
    /Vit

  • Analysis Engine showing not running

    Analysis Engine is not running and giving Error:
    Error: getAnalysisEngineStatistics : ct-sensorApp.598 not responding, please check system processes - The connect to the specified Io::ClientPipe failed

    I fixed this issue once using the following procedure:
    https://supportforums.cisco.com/docs/DOC-3589
    If the above procedure or reload does not fix the issue as suggested on the following link:
    https://supportforums.cisco.com/docs/DOC-5121/diff;jsessionid=82FA4EB3696EC0C97B6394F996EEAA5E.node0?secondVersionNumber=2
    You have to contact TAC, as mentioned below:
    http://www.cisco.com/en/US/docs/security/ips/6.0/installation/guide/hwTS.html#wp1122031
    Regards
    Farrukh
    Message was edited by: Farrukh Haroon

  • Analysis Engine Not running for IPS in AIPSSM Module

    Hi all,
      The Analysis Engine is not running for the IPS module in the AIPSSM Module. Please let me know how I can resolve this issue and get the analysis engine of the IPS to running status.
    Regards
    Kiran

    Hi Kiran,
    Ideally, what you can do is to remove the configuration on the ASA that sends traffic to IPS.
    The crash in sensorapp or analysis engine might be traffic, configuration related.
    We can try to reboot the IPS with no load on it by stopping sending traffic to it.
    You can remove the IPS policy from the ASA configuration.
    http://tools.cisco.com/squish/2f7A3
    What this will do is stop ASA from sending any traffic to IPS.
    Now do the hw-module module 1 reset command.
    See if the IPS module comes back up.
    If that also fails, then you can re-image the module.
    This will however erase the configuration on the module.
    The re-image procedure for SSM module:
    http://tools.cisco.com/squish/ee66a
    Hope this helps.
    Sid

  • Failed to retrieve Analysis Engine Service How to fix

    My SharePoint is 2013 and search now has a problem.
    The event logs show: Failed to retrieve Analysis Engine Service
    How to fix it? Please help me T_T
    Best Regards
    chatchai-netd

    Hi,
    Per my knowledge, SharePoint 2013 Search services should not be required to the SQL analysis service, however, you can try to install it in SQL Server 2012 with SP1.
    For this issue, you can try to just Ctrl+F5 and reset the index, and also check whether any URL in the Start Addresses of the Local SharePoint Sites does not exist.
    http://techchucker.wordpress.com/2013/04/12/sharepoint-2013-search-stopped-working/
    http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/MS-SharePoint/Q_28095194.html
    And, you can recreate a new search service application in the Central Administration.
    If it does not work, you can use PowerShell to recreate the search service application as below.
    http://jsuhail.blogspot.com/2014/01/search-has-encountered-problem-that.html
    http://microsoft-techies.blogspot.com/2014/03/search-has-encountered-problem-that.html
    What’s more, to quickly and accurately find the issue, you can check the event log and ULS log to see if anything unexpected occurred.
    For SharePoint 2013, by default, ULS log is at C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS.
    For more information, you can refer to:
    http://sp-vinod.blogspot.com/2014/02/getting-results-failed.html
    https://social.technet.microsoft.com/Forums/exchange/en-US/3f1e94ce-aa3e-4a0a-ab14-8d1e3bee5e78/sharepoint-2013-search-has-encountered-a-problem?forum=sharepointdevelopment
    https://social.technet.microsoft.com/Forums/exchange/en-US/73019f94-54f5-4308-9cf8-a7025ecd3228/search-has-encountered-a-problem-that-prevents-results-from-being-returned-if-the-issue-persists?forum=sharepointsearch
    https://social.technet.microsoft.com/Forums/exchange/en-US/88fc7028-290f-4a09-9e47-ec7b0bf2c980/search-has-encountered-a-problem-that-prevents-results-from-being-returned?forum=sharepointsearch
    Thanks,
    Yumi Fu
    Forum Support

  • ASA-SSC-AIP-5 Analysis Engine Not Responding

    Every couple of days I have been noticing that the IPS is in bypass mode and the Analysis Engine Status is often shown as not responding or is still loading something, and naturally, the CPU is pegged at 100%... so I have been reloading the IPS when this happens.
    2 Questions:
    Any general pointers of what often causes this, or things that I should look for when this is happening?  I know I did not give enough details for specific answers, but I am just looking for general ideas to start with.
    More importantly, what syslog messages might show up in the logs when the IPS goes into Bypass mode?  I'd like to setup a notification for these syslog messages so that I can troubleshoot immediately and determine the cause.
    IPS Version 6.2(2)E4
    Signature Version 559.0
    Cisco Adaptive Security Appliance Software Version 8.3(2)13
    Thanks.

    I would suggest that you upgrade the AIP-5 software to the latest version: 6.2.3(E4).
    Here is the release notes where a number of memory related bugs have been resolved:
    http://www.cisco.com/web/software/282549758/38029/IPS-6_2-3-E4_readme.txt
    You might also want to check if the AIP-5 module is overloaded with traffic, which can cause that issue.

  • "show statistics analysis-engine" output

    Hello, Support Community.
    I have ASA 5512-x with IPS.
    I have an issue with HTTP traffic performance.
    Can someone explain "show statistics analysis-engine" to me?
    Command reference:    
         The Analysis Engine now displays the relative load percentage.
         You can display the relative load percentage by running the show statistics analysis-engine command.
         The relative load is calculated as the percentage of time spent in a particular inspector with the
         total of all utilized inspectors adding up to 100. Load percentage is shown when the SensorApp starts.
    What do the fields "active, call, create, delete, createPct, callPct" mean?
    My IPS shows the following output:
       Inspection Stats
          Inspector        active   call       create   delete   createPct   callPct
          AtomicAdvanced   1        33869337   1        0        0           84
          Fixed            72       916301     832936   832864   2           2
          MSRPC_TCP        77       418874     260023   259946   0           1
          MultiString      58       3400698    232373   232315   0           8
          ServiceDnsUdp    1        2532286    1        0        0           6
          ServiceDnsTcp    0        96         90       90       0           0
          ServiceFtp       0        301        34       34       0           0
          ServiceGeneric   1        2893468    361183   361182   0           7
          ServiceHttp      33       577255     101163   101130   0           1
          ServiceNtp       16       5064572    675330   675314   1           12
          ServiceP2PTCP    22       530879     361182   361160   0           1
          ServiceRpcUDP    1        2532286    1        0        0           6
          ServiceRpcTCP    137      9457236    360501   360364   0           23
          ServiceSnmp      1        2532286    1        0        0           6
          ServiceTNS       2        295359     293070   293068   0           0
          String           82       4518775    261993   261911   0           11
          SweepICMP        1        12         2        1        0           0
          SweepTCP         248      62673184   562290   562042   1           156
          SweepOtherTcp    125      31336592   297967   297842   0           78

    Please find attached core.txt and version is
    Output from show version
    Application Partition:
    Cisco Intrusion Prevention System, Version 7.0(2)E4
    Host:                                                       
    OS Version:             2.4.30-IDS-smp-bigphys               
    Platform:               IPS-4240-K9                         
    Sensor up-time is 355 days.
    Using 1482727424 out of 1984548864 bytes of available memory (74% usage)
    Upgrade History:
      IPS-sig-S492-req-E4.pkg   00:01:02 UTC Sun Jun 06 2010 
    Recovery Partition Version 1.1 - 7.0(2)E3
    Look forward for your quick response.

  • Restarting j2ee engine

    I have done some maintenance work and have to restart the j2ee engine. I have gone through the previous threads available on the forum and they say
    1) REBOOT : Right click the Dispatcher Node or the Server node and choose the option 'reboot'
    But if I right click on the node I am getting only 2 options, i.e. start and stop. I am not getting the reboot option. So is it the case that to restart the J2EE engine I can only stop and start the engine, or is there any other option? And one more thing: in MMC I am not able to see anything like j2ee engine. I am only able to see the process instance named "Dispatcher".
    thanks
    kumar

    Kumar,
    You will not see J2ee Engine. You will see only dispatcher.
    Check this help:
    http://help.sap.com/saphelp_nw04/helpdata/en/c3/6fff40e39ba854e10000000a1550b0/frameset.htm
    Also from SMICM you can do a restart with Soft Shutdown and Hard Shutdown.
    Check this help:
    http://help.sap.com/saphelp_nw04/helpdata/en/86/43b14041ecf10fe10000000a1550b0/content.htm
    ---Satish
    PS: Also please close your previous threads if you have got the information on what you are looking.
