topic IPS update from CSM 4.3 in Network Security

IPS update from CSM 4.3

emmanuel.shoroma — Sun, 10 Mar 2019 12:52:22 GMT

Hi,

I am trying to download IPS updates from cisco.com using CSM (version 4.3) but it is not working. It was working fine all along until it stopped two days ago. I checked the server can connect to internet without any problems. I can use the same cisco credentials for manual updates and also works perfect.

confirmed the setti settings on CSM, all still intact. reconfigured the details and still the same issue. I am getting the following error

"unable to communicate with locator service to retrive available files"

Note i just just same crendentials on my LAB IPS and did setup auto update and it worked fine.

any idea what the problem might be?

Regards,

IPS update from CSM 4.3

sdata — Mon, 21 Jan 2013 10:53:39 GMT

Have the same problem

IPS update from CSM 4.3

mronayne — Tue, 22 Jan 2013 10:25:06 GMT

This might be CSCue16970 CSM: IPS Updates from Cisco.com Fail Due to Lack of Cybertrust Root Cert

You could check if your Apache Tomcat log file at

CSCOpx\MDC\tomcat\logs\stdout.log contains entries similar to the following:

"AutoDownloadJob:: get available files.....
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
     at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(Unknown Source)"


If so, you could try the workaround associated with the defect

1.) Manually download the desired IPS signature update package file(s) from:
http://software.cisco.com/portal/pub/download/portal/select.html?&mdfid=280033778&softwareid=282773979

2.) Save or copy the file(s) into the CSCOpx\MDC\ips\updates directory. Default installation drive letters and paths are:
32-bit Operating Systems:
C:\Program Files\CSCOpx\MDC\ips\updates
64-bit Operating Systems:
C:\Program Files (x86)\CSCOpx\MDC\ips\updates

3.) From the CSM Configuration Manager (client application) > Tools menu > Security Manager Administration... > IPS Updates section, click the Refresh button.
4.) Deploy the package as desired (per normal).

IPS update from CSM 4.3

sdata — Wed, 23 Jan 2013 07:43:31 GMT

Thanks! The workaround works just fine.

The description of CSCue16970 at this moment is not available: it is under review.

IPS update from CSM 4.3

Ross Phillips — Wed, 23 Jan 2013 19:52:59 GMT

HI there, I had the same problem.

This is due to CSM going to www.cisco.com for its updates where everything else goes to cisco.com

If your server is going direct for updates then add the following into the host file

72.163.4.161 www.cisco.com

If using a proxy and your able then add that entry onto the proxys host file.

Im back online now with no problems.

IPS update from CSM 4.3

emmanuel.shoroma — Fri, 25 Jan 2013 10:13:34 GMT

Hi, I tried updating the hostfile but no luck. However, I did follow the workaround as on the link below, now the certificare error seem to be sorted as I don't see that anymore but I am getting the following error

(Fatal, Description: Handshake Failure) when tracing with wireshack.

https://www.cisco.com/cisco/psn/bssprt/bss?searchType=bstbugidsearch&page=bstBugDetail&BugID=CSCue16970

IPS update from CSM 4.3

emmanuel.shoroma — Fri, 25 Jan 2013 10:42:30 GMT

Sorry my bad. the certificate had some HTML code added. now resolved. the following workaround worked perfect.

https://www.cisco.com/cisco/psn/bssprt/bss?searchType=bstbugidsearch&page=bstBugDetail&BugID=CSCue16970

IPS update from CSM 4.3

mronayne — Fri, 25 Jan 2013 10:44:41 GMT

There is a new workaround for CSCue16970, based on adding the required certificate to the CSM server.

1.) Manually download Cybertrust's CA certificate from https://www.cybertrust.ne.jp/SureServer/file/root_ca/BCTRoot.txt .

2.) Save this file as 'trusted.998.crt' in text format and ensure that no extra characters or new lines are added to the original content. Keep in mind that certain Web browsers may add HTML codes when saving text files, so be sure to edit them out.

3.) Exit/close any/all instances of CSM client applications (Configuration Manager, Event Viewer, Health and Performance Monitor, Report Manager, etc.)

4.) On the CSM server, stop the 'Cisco Security Manager Daemon Manager' service by issuing the following command: 'net stop CRMDmgtd'.

5.) On the CSM server, copy the 'trusted.998.crt' file to the 'CSCOpx\MDC\Apache\conf\ssl' directory.

6.) On the CSM server, start the 'Cisco Security Manager Daemon Manager' service by issuing the following command: 'net start CRMDmgtd'.

IPS update from CSM 4.3

Sonderegger Patrik — Thu, 23 May 2013 08:30:11 GMT

I installed 4.3 SP2 in this release the IPS Update function should work.

I have in the 'CSCOpx\MDC\Apache\conf\ssl' the cert trusted.998.crt installed.

But still get this error when I try to Check for Updates via CSM:

Auto download log:

Trying to get available files on server ......

Unable to communicate with locator service to retrieve available files.