WRVS4400NV2 IPS now blocking Cisco IPS Auto Update Server
Yesterday I noted that my ASA5505 AIP-SSC5 card was failing to auto update as it had been doing without issue for months. I looked in the logs and the IPS was showing an HTTP Error when attempting to update. I checked and nothing had changed in the IPS configuration. Then, on a hunch, I checked the IPS log of the WRVS4400N which is the edge router for the small business network.
The WRVS4400N IPS was blocking connections with the cisco auto update server because it detected an RPC Anomaly in the traffic. So apparently, something has changed in the cisco IPS auto update server (https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl) response that the cisco small business router misidentifies as a threat. . .
FYI-I also posted this issue to the small business router community discussion forum.
Similar Messages
-
Auto Update Server 4.2 function update now doesn't work
hello,
in the new 64-bit version I got the following error if I use the update now function.
HTTP Status 500 -
type Exception report
message
description The server encountered an internal error () that prevented it from fulfilling this request.
exception
javax.servlet.ServletException: Servlet execution threw an exception
com.cisco.nm.cmf.util.AccessLogFilter.doFilter(AccessLogFilter.java:128)
root cause
java.lang.NoClassDefFoundError: Could not initialize class com.cisco.nm.callhome.executor.RequestAutoUpdateScheduler
com.cisco.nm.callhome.executor.DeviceExecutor.callHomeImmediate(DeviceExecutor.java:1850)
com.cisco.nm.callhome.ui.application.CHAccess.ForCH(CHAccess.java:556)
com.cisco.nm.callhome.ui.action.s100.perform(s100.java:400)
org.apache.struts.action.ActionServlet.processActionPerform(ActionServlet.java:1786)
org.apache.struts.action.ActionServlet.process(ActionServlet.java:1585)
org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:509)
javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
com.cisco.nm.cmf.util.AccessLogFilter.doFilter(AccessLogFilter.java:128)
note The full stack trace of the root cause is available in the Apache Tomcat/5.5.17 logs.
In old 32Bit Version it was working fine.
Any idea ?
Best regards
Steffen
Hello,
some additional information.
The first time after reloading the server I got the message that an IA 32-bit .dll can't load on a 64-bit system.
On all additional tries I got the internal error.
It seems to me there is an old 32-bit DLL in CSM 4.2.
First error message:
type Exception report
message
description The server encountered an internal error () that prevented it from fulfilling this request.
exception
javax.servlet.ServletException: Servlet execution threw an exception
com.cisco.nm.cmf.util.AccessLogFilter.doFilter(AccessLogFilter.java:128)
root cause
java.lang.UnsatisfiedLinkError: C:\Program Files (x86)\CSCOpx\MDC\bin\SSLClient.dll: Can't load IA 32-bit .dll on a AMD 64-bit platform
java.lang.ClassLoader$NativeLibrary.load(Native Method)
java.lang.ClassLoader.loadLibrary0(Unknown Source)
java.lang.ClassLoader.loadLibrary(Unknown Source)
java.lang.Runtime.loadLibrary0(Unknown Source)
java.lang.System.loadLibrary(Unknown Source)
com.cisco.nm.callhome.executor.RequestAutoUpdateScheduler.(RequestAutoUpdateScheduler.java:308)
com.cisco.nm.callhome.executor.DeviceExecutor.callHomeImmediate(DeviceExecutor.java:1850)
com.cisco.nm.callhome.ui.application.CHAccess.ForCH(CHAccess.java:556)
com.cisco.nm.callhome.ui.action.s100.perform(s100.java:400)
org.apache.struts.action.ActionServlet.processActionPerform(ActionServlet.java:1786)
org.apache.struts.action.ActionServlet.process(ActionServlet.java:1585)
org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:509)
javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
com.cisco.nm.cmf.util.AccessLogFilter.doFilter(AccessLogFilter.java:128)
note The full stack trace of the root cause is available in the Apache Tomcat/5.5.17 logs.
second, third .... error message
type Exception report
message
description The server encountered an internal error () that prevented it from fulfilling this request.
exception
javax.servlet.ServletException: Servlet execution threw an exception
com.cisco.nm.cmf.util.AccessLogFilter.doFilter(AccessLogFilter.java:128)
root cause
java.lang.NoClassDefFoundError: Could not initialize class com.cisco.nm.callhome.executor.RequestAutoUpdateScheduler
com.cisco.nm.callhome.executor.DeviceExecutor.callHomeImmediate(DeviceExecutor.java:1850)
com.cisco.nm.callhome.ui.application.CHAccess.ForCH(CHAccess.java:556)
com.cisco.nm.callhome.ui.action.s100.perform(s100.java:400)
org.apache.struts.action.ActionServlet.processActionPerform(ActionServlet.java:1786)
org.apache.struts.action.ActionServlet.process(ActionServlet.java:1585)
org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:509)
javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
com.cisco.nm.cmf.util.AccessLogFilter.doFilter(AccessLogFilter.java:128)
note The full stack trace of the root cause is available in the Apache Tomcat/5.5.17 logs. -
Hi,
I have auto update enabled in my AIP SSM 10; at the time of auto updates I have observed the following messages in the console:
"Broadcast Message from IPS
Applying update IPS-sig-S766-req-E4"
It remains in this condition and then I have to do a hw-module reset to get it back again; moreover, updates which were downloaded aren't applied.
Kindly help
When signature auto-update failures are diagnosed, look at the HTTP error codes.
IPS# show statistics host
Auto Update Statistics
lastDirectoryReadAttempt = 19:31:09 CST Thu Nov 18 2010
= Read directory: https://72.163.4.161//cgi-bin/front.x/ida/locator/locator.pl
= Error: AutoUpdate exception: HTTP connection failed [1,110] <--
lastDownloadAttempt = 19:08:10 CST Thu Nov 18 2010
lastInstallAttempt = 19:08:44 CST Thu Nov 18 2010
nextAttempt = 19:35:00 CST Thu Nov 18 2010
Message: Error: AutoUpdate exception: HTTP connection failed [1,110]
Meaning: Authentication failed. Check the username and password.
Message: status=false AutoUpdate exception: Receive HTTP response failed [3,212]
Meaning: The request to the Auto Update server timed out.
Message: Error: http error response: 400
Meaning: Make sure the cisco-url setting is defaulted. If the CCO ID is greater than 32 characters in length, try a different CCO ID. This can be a limitation on the Cisco download server.
Message: Error: AutoUpdate exception: HTTP connection failed [1,0]
Meaning: Network issue prevented download or there is a potential issue with the download servers.
Also keep in mind that the CCO username should not contain any special characters, for example, @. Refer to Cisco bug ID CSCsq30139 (registered customers only) for more information. -
When auto update the new version installed is English and different from the original language installed. Probably the same thing happens with thunderbird. When I have a language installed I want an update in the same language without having to reinstall the wanted language.
I already thought of that but it can't be the way it is supposed to be. Firefox, and Thunderbird, offer an auto update function so the update automatically should be in the same language and not in English as it does now. Downloading and installing your own language you can hardly call auto update.
For now I have stopped auto update till a solution is presented. -
Ios 7: app auto updates even if auto update is off
ios 7: app auto updates even if auto update is off.
i get notice i have 12 updates waiting. i open app. go to updates. the 12 updates come up then go away and it says "all apps are up to date."
i have app auto update OFF i.e., NOT slid over and green.
and now they fully listed and paused after doing this 10 times. ARRRRGGGGHHHH !!! o.k. going to so update manually like i like to do. sometimes there is a WARNING ... DO NOT DO THIS UPDATE IT IS BAD ... or do this first BEFORE you do this (like a few apps said to run BEFORE updating to iOS 7) ... HOW DO I SEE THESE MESSAGES IF THEY DISAPPEAR INSTANTLY ????
and now they just all auto updated ARRRRGGGHHH !!!
what is going on ???
now. SEEMS to be working o.k. again. but for how long ?
do iDevices need a pre-update update in order to be able to install and apply an iOS update ??? -
ASA 5520 auto-update polling error
Hi,
the polling service for auto-update on my ASA 5520 is not working properly. Does anyone have ideas which could be the reason for this?
Platform: ASA 5520
Version: 8.4(2)
Config:
auto-update device-id hostname
auto-update poll-at thursday 5:00 randomize 3 3
auto-update server https://*@X.X.X.X/autoupdate/AutoUpdateServlet
Output of sh auto-update:
Server: https://X.X.X.X/autoupdate/AutoUpdateServlet
Poll thursday randomly between 5:00 and 5:03, retry count: 3, retry period: 5 minutes
Timeout: none
Device ID: host name [dontletthemin]
Under normal circumstances i would expect additional lines from the sh auto-update command like:
Next poll in 4.93 minutes
Last poll: 11:36:46 PST Tue Nov 13 2012
But this output does not appear. I've searched the Bug Toolkit but did not find an entry which could explain this behaviour.
Hi
Many thanks for the response.
Sorry I have not made any progress with this as yet: the only thing I have done is use the packet tracer, which passed. I am just going to check the route of the packet once it has left the interface, as it has got to be that or the URL is wrong.
Regards MJ -
Itunes update server could not be contacted
I am trying to update itunes for my computer (with windows 7) but every time I press "Check for updates" under the "Help" tab in itunes, a box pops up and tells me that "The itunes update server could not be contacted." It tells me to test my internet connection. My internet is fine (I can even surf through the itunes store and buy music). I also adjusted my firewall for itunes like the diagnostics test suggested. No luck. Same message over and over. It's pretty frustrating because I have a brand new ipod touch that I want to activate, but I can't until I update my itunes. Any help would be greatly appreciated!
Are you running AVG as an AV? I have had problems since last week with iTunes losing my library, think I've sorted this by making iTunes an exception in the AV but now can't contact the update server, coincidence?
I know that the latest update of AVG has been conflicting through other posts, what do you think, sorry it isn't a solution! -
hi,
the new 6.1 IPS ios has a new feature which is the auto update directly from cisco, but it seems it's not working. i have entered my correct username and password, but the site already put by default for auto update seems to be not working.
anyone tried it ?
Thank you
plz check below my auto update settings:
secondary(config-hos-aut)# show settings
auto-upgrade
cisco-server
enabled
schedule-option
calendar-schedule
times-of-day (min: 1, max: 24, current: 1)
time: 15:40:00
days-of-week (min: 1, max: 7, current: 5)
day: monday
day: tuesday
day: wednesday
day: thursday
day: friday
user-name: i removed it
password:
cisco-url: https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl default: https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
user-server
disabled
now if this thing is fixed , i will have the other problem mentioned above and that is my username (which i removed) contains an @ in it.
Thank you -
IOS IPS auto-update without CSM
Hi,
We have 400 x 1811 routers on which we need to update the IPS signature definitions and custom signatures.
What is the best way to do it without running CSM?
According to Cisco documentation, we need to add the auto-update command with an .XML extension. But when we load a .pkg in a router, the output is 4 different files. Unfortunately we can auto-update only one file. Which one do I need to load on our TFTP server?
All the examples from Cisco use one single XML file.
Does a single file with the signature definition, category, default and type exist?
Since all our routers have the same IPS config, I thought I could use one router at the central office with the configuration we want. And in some way ask the remote routers to auto-update their XML file from that router, on which I would have activated a TFTP server.
Anyone ever had to upgrade a lot of router IOS IPS signatures?
This can now be done in the 15.1T branch using cisco.com to download the update directly, see:
http://www.cisco.com/en/US/docs/ios/15_1/release/notes/151TNEWF.html#wp1040750
http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_ips5_sig_fs_ue.html#wp1137583 -
Updating IPS sig using Cisco Works LMS 2.5
I'm a new and novice user of CiscoWorks.
I have been navigating through the package for two days now and have discovered how powerful the tools are.
Can someone direct me to the area to update a sig of an IPS? I believe that it may be in the Software Management section of RME.
Yesterday Cisco announced a new tool for managing IPS sensors at smaller sites (less than 5 sensors).
The Cisco IPS Manager Express (IME):
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5715/ps9610/data_sheet_c78-459033_ps4077_Products_Data_Sheet.html
IME is the next generation of IEV. It is designed for small deployments of up to 5 sensors. It can do event monitoring and reporting (it can do the Top 10 Attacker, and Top 10 Signature reports you asked about).
But new in IME it can also do configuration when managing IPS version 6.1 sensors.
IME and IPS version 6.1 are not yet available. Both are in the final stages of testing.
Both should be available in the next month or 2.
IME (just like IEV) is available at no additional cost for users with active Cisco Service for IPS contracts for their sensors.
NOTE: The same contract also includes entitlement to the IPS 6.1 version, as well as the Signature Update License. If your signature license is up to date, then your contract is up to date and you are entitled to both IME and IPS 6.1.
For small deployments of 5 sensors or less we currently recommend using IEV 5.2 for monitoring and IDM for configuration.
With the release of IME we would recommend IME for both monitoring and configuration.
NOTE: IME can be used to monitor the new IPS 6.1 sensors, but can also be used for monitoring the older 6.0 and 5.1 sensors as well. When using IPS 6.1 you could choose between IME or IDM for configuration. But if using IPS 6.0 or 5.1, then configuration would still be done through IDM.
For larger sensor deployments of 6 or more sensors, CSM is recommended for configuration, and CS MARS is recommended for monitoring. -
Hi,
I have a couple of questions I hope people could answer:
1) What recommendations/options are available for downloading signature files to a HTTP/TFTP server prior to having the IOS IPS device pull them from the server? Is there a way to automate the HTTP/TFTP server downloading the signatures? (Cron job or such)
2) Does the signature file name change each time a new signature file is released? If it does, would I have to go back to the router to update the URL string that is configured in the ip ips auto-update section? I would hate to have to update 200 CPE devices each time a new signature file is released.
Hoping someone could answer these or help point me in the right direction to find the answer out.
regards M
I found this link, which answers my one question.
Cisco IOS Intrusion Prevention System (IPS)
Tuning, Deploying and Updating Cisco IOS IPS Signature Sets For Multiple-Device Deployments
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/white_paper_c11_549300.html -
I am having an issue with the IPS. I have configured it for auto update and I am trying to download a new signature package. It seems to be working. However, once it comes across the package to download, it gives me this error:
evError: eventId=1232049941352795438 severity=error vendor=Cisco
originator:
hostId: xxxxips11
appName: mainApp
appInstanceId: 347
time: 2009/01/29 15:22:03 2009/01/29 10:22:03 GMT-05:00
errorMessage: name=errSystemError autoUpdate successfully selected a package () from the cisco.com locator service, however, package download failed: This package file does not have the required .pkg extension
I know that it is trying to download the correct package because I get this message prior:
evStatus: eventId=1232049941352795436 vendor=Cisco
originator:
hostId: xxxxips11
appName: mainApp
appInstanceId: 342
time: 2009/01/29 15:22:03 2009/01/29 10:22:03 GMT-05:00
autoUpgradeServerCheck:
uri: xxxxxx@//
packageFileName: IPS-sig-S378-req-E3.pkg
result: status=true
Does anyone know what this could possibly be?
Upgrade IPS MC and Security Monitor to 2.2.
-
I've configured the signature auto update via the GUI and CLI but receive the same error:
evError: eventId=1210198298109812431 vendor=Cisco severity=error
originator:
hostId: LON-Sensor
appName: mainApp
appInstanceId: 341
time: Jun 06, 2008 03:00:07 UTC offset=60 timeZone=BST
errorMessage: MainApplication::downloadAndStartUpdate Error status returned with status str Found name=errSystemError
Any ideas? I've rebooted both the IPS & ASA in the hope that would resolve the problem to no avail. I have another ASA/IPS in a different site and that works ok.
Hi, I got the information :)
show stat host
General Statistics
Last Change To Host Config (UTC) = 14-Jan-2009 14:38:43
Command Control Port Device = GigabitEthernet0/0
Network Statistics
= ge0_0 Link encap:Ethernet HWaddr 00:13:C4:80:C3:C1
= inet addr:192.168.1.11 Bcast:192.168.1.255 Mask:255.255.255.0
= UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
= RX packets:25375769 errors:0 dropped:0 overruns:0 frame:0
= TX packets:2411636 errors:0 dropped:0 overruns:0 carrier:0
= collisions:0 txqueuelen:1000
= RX bytes:2570835196 (2.3 GiB) TX bytes:657595036 (627.1 MiB)
= Base address:0xbc00 Memory:f8200000-f8220000
NTP Statistics
status = Not applicable
Memory Usage
usedBytes = 660455424
freeBytes = 372043776
totalBytes = 1032499200
CPU Statistics
Usage over last 5 seconds = 31
Usage over last minute = 40
Usage over last 5 minutes = 36
Memory Statistics
Memory usage (bytes) = 660455424
Memory free (bytes) = 372043776
Auto Update Statistics
lastDirectoryReadAttempt = 08:40:00 GMT-06:00 Wed Feb 04 2009
= Read directory: https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
= Error: AutoUpdate exception: HTTP connection failed [1,111]
lastDownloadAttempt = N/A
lastInstallAttempt = N/A
nextAttempt = 08:40:00 GMT-06:00 Thu Feb 05 2009
Auxilliary Processors Installed.
! Current configuration last modified Mon Jan 19 17:15:14 2009
! Version 6.2(1)
! Host:
! Realm Keys key1.0
! Signature Definition:
! Signature Update S379.0 2009-01-30
! Virus Update V1.4 2007-03-02
service interface
exit
service authentication
exit
service event-action-rules rules0
overrides deny-attacker-inline
override-item-status Enabled
risk-rating-range 90-100
exit
exit
service host
network-settings
host-ip 192.168.1.11/24,192.168.1.1
host-name sensor
telnet-option disabled
access-list 10.254.254.0/24
access-list 192.168.1.0/24
exit
time-zone-settings
offset -360
standard-time-zone-name GMT-06:00
exit
auto-upgrade
cisco-server enabled
schedule-option calendar-schedule
times-of-day 08:40:00
days-of-week monday
days-of-week tuesday
days-of-week wednesday
days-of-week thursday
exit
user-name ********
password ********
cisco-url https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
exit
exit
exit
service logger
exit
service network-access
exit
service notification
exit
service signature-definition sig0
signatures 9430 1
status
enabled true
exit
exit
signatures 11018 1
status
enabled true
exit
exit
signatures 12000 0
status
enabled true
exit
exit
signatures 12003 0
status
enabled false
exit
exit
signatures 12020 0
status
enabled true
exit
exit
exit
service ssh-known-hosts
exit
service trusted-certificates
exit
service web-server
exit
service anomaly-detection ad0
exit
service external-product-interface
exit
service health-monitor
memory-usage-policy
enable true
exit
exit
service analysis-engine
virtual-sensor vs0
physical-interface GigabitEthernet0/1
exit
exit -
IPS auto-update vs manual download
Is there a delay in what's available via auto-update and updates that are available for manual download through cisco.com? I noticed today that S498 became available yesterday, but my IPS module in my ASA hasn't downloaded it automatically yet. When I do a #sh statistics host, I have a recent download attempt that says "Success: No installable auto update package found on server."
Just wondering if there is a delay between manual and auto updates or if I need to be concerned that my auto-updates aren't working properly.
Thanks!
The "lastDirectoryReadAttempt" is when the last check occurred (should match your scheduled timing). If the status is that there is no available update, that is as far as the process goes. If an update is available, the sensor should attempt to download.
The "lastDownloadAttempt" will indicate the last time an update download was found and the download was attempted.
The "lastInstallAttempt" will indicate the last time an update was downloaded and install initiated.
It does look like it checked at a point today and did not find an available update. That your outputs are UTC, I cannot correlate when the check today was run in relation to the publishing of the latest update. It may be that there is a cache engine between your sensor and Cisco, and it is indicating that there is nothing available. I would give the process another 24 hours to update.
Scott -
The auto update is not working on the IPS. The current signature version is S502 but my IPS is S479
show statistics host output
Auto Update Statistics
lastDirectoryReadAttempt = 05:35:12 GMT-05:00 Mon Jul 26 2010
= Read directory: https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
= Success: No installable auto update package found on server
lastDownloadAttempt = N/A
lastInstallAttempt = N/A
nextAttempt = 05:35:00 GMT-05:00 Tue Jul 27 2010
Auxilliary Processors Installed
show version output
Application Partition:
Cisco Intrusion Prevention System, Version 6.1(1)E3
Host:
Realm Keys key1.0
Signature Definition:
Signature Update S479.0 2010-03-19
Virus Update V1.4 2007-03-02
OS Version: 2.4.30-IDS-smp-bigphys
Platform: ASA-SSM-10
Serial Number: JAF10241017
Licensed, expires: 03-Sep-2010 UTC
S479.
It looks like the issue is that the IPS is running the E3 engine (6.1(1)E3). All new updates require the E4 engine, so you'll have to update the sensor to 6.2(2)E4 or 7.0(4)E4. Upgrade links and instructions can be found here:
https://supportforums.cisco.com/docs/DOC-12212
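The message/meaning list and the field descriptions in the replies above (lastDirectoryReadAttempt, lastDownloadAttempt, lastInstallAttempt) can be applied to saved `show statistics host` output to flag sensors whose signature updates have stopped. This is an added example, not code from Cisco or from any poster; the function names and the sample text are constructed, and result codes the page does not explain are reported as unmapped.

```python
import re

# Message/meaning pairs from the reply on this page. Codes the page does not
# explain (for example [1,111]) are deliberately left unmapped.
KNOWN_RESULTS = [
    (r"HTTP connection failed \[1,110\]",
     "Authentication failed. Check the username and password."),
    (r"Receive HTTP response failed \[3,212\]",
     "The request to the Auto Update server timed out."),
    (r"http error response: 400",
     "Check that cisco-url is defaulted and the CCO ID is at most 32 characters."),
    (r"HTTP connection failed \[1,0\]",
     "Network issue prevented download, or a possible download server issue."),
    # The check itself worked; one thread here traced stale signatures with
    # this status to a sensor still on the E3 engine.
    (r"Success: No installable auto update package found",
     "Directory read succeeded; no package was offered to this sensor."),
]
FIELD = re.compile(r"^\s*(\w+)\s*=\s*(.*)$")    # name = value
CONTINUATION = re.compile(r"^\s*=\s*(.*)$")      # = Read directory: ... / = Error: ...

def parse_auto_update(text):
    """Extract the 'Auto Update Statistics' block of `show statistics host`."""
    stats, details, in_block = {}, [], False
    for line in text.splitlines():
        if not in_block:
            in_block = line.strip() == "Auto Update Statistics"
            continue
        cont = CONTINUATION.match(line)
        if cont:
            details.append(cont.group(1).strip())
            continue
        field = FIELD.match(line)
        if not field:            # next section heading ends the block
            break
        stats[field.group(1)] = field.group(2).strip()
    stats["details"] = details
    return stats

def diagnose(text):
    """Summarise the last directory read and map its result to a meaning."""
    stats = parse_auto_update(text)
    url = result = meaning = None
    for item in stats["details"]:
        if item.startswith("Read directory:"):
            url = item.split(":", 1)[1].strip()
        else:
            result = item
    if result:
        meaning = next((m for p, m in KNOWN_RESULTS if re.search(p, result)), None)
    return {
        "last_check": stats.get("lastDirectoryReadAttempt"),
        "url": url,
        "result": result,
        "meaning": meaning,          # None means: not in the page's list
        "check_succeeded": bool(result and result.startswith("Success")),
        "download_attempted": stats.get("lastDownloadAttempt", "N/A") != "N/A",
    }

# Constructed sample, modelled on the sensor output quoted in the threads above.
SAMPLE_UNMAPPED = """\
Memory Statistics
Memory usage (bytes) = 660455424
Auto Update Statistics
lastDirectoryReadAttempt = 08:40:00 GMT-06:00 Wed Feb 04 2009
= Read directory: https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
= Error: AutoUpdate exception: HTTP connection failed [1,111]
lastDownloadAttempt = N/A
Auxilliary Processors Installed.
"""

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_UNMAPPED).items():
        print(f"{key}: {value}")
```

A result of `check_succeeded` with no download attempt is not proof of a current sensor: compare the installed signature level from `show version` against the latest published one as well.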