We have approximately 63 sensors (IDS 4235's all running v4.1)) on our management network that monitor our network. We use the CiscoWorks Management Center to push our sig updates. We usually:
1. load the ZIP file for the updates in the proper directory.
2. Go to configuration > updates > update network IDS signatures
3. From the drop down menu, we pick the newest ZIP file (in this case v4.1-4 sig155)
4. It finds all the sensors it manages and I put a check next to all the sensors I want to update.
5. I then click finish, and I wait a few hours.
This is the way we have always done it, and short of the time it took, everything always worked. Now, however, it just goes back to the signature drop-down screen (where I would choose which signature to push), and sits there. I waited 6 hours for it to finish (so far I can't tell when it's done, I just wait a long time), and when I brought the MC back up, it showed all the IDS sensors at version 152 still. However, if I log into each sensor's IDM by itself, it shows that 155 is in fact loaded.
Does anyone know of a solution? I have rebooted our CiscoWorks MC server and tried again, as I have also rebooted individual sensors to see if that does it, but it never reports the correct signature from within the Management Console.
I would suggest making sure the sensor themselves have the latest updates for the Sensor OS. The latest updates are available at:
Also, make sure VMS itself and all the MCs also have the latest patches and updates. These are available at:
I run into this problem quite often. Just recently tried loading S171, job runs to completion but sysbase database doesn't seem to update. Within VMS if I select a sensor under configuration then select identification then hit query sensor it comes back with S171. I have approx 50 NIDS, a mix of appliances and IDSM-2s. Opened a ticket on this but could not get it resolved. The suggestion by Cisco was to delete the sensor then add it back into VMS. Couldn't do that, next sig update came out and things worked right that time.
I don't know for the other issues but S171 was a particular case. The MC file that was initially posted on cisco.com was corrupted (bad checksum).
It has later been replaced by the correct file (MD5 Checksum: 8d8bf893296c246e25666edb57d27e0e) but you have probably downloaded the corrupted file.
We are still investigating to figure out how/why this happened.