Upgrade to 7.0(6) or 7.1.  Update 6.2.4 also resolves the issue.

This is unacceptable. I've attempted to upgrade 4 devices to 7.0.6 today and three have failed. 

You released signature update that only works on the latest code

...which has only been released for a month

... which automatically applies to all devices in the field

... without any ability to remove short of a reimage

... without sufficient (any?) testing on other versions

What if you released a 602 sig file that is actually 600? Would that roll back?  If so, do that and release 601 as 603 when it's actually been tested!

EDIT:  I have found that rebooting before attempting the upgrade seems to increase the chance of success.

Mr. Anderson,

We apologize for the problems you have been experiencing with our sensors.  The root cause is a memory segmentation problem that is fixed in the 7.0(6) software release and cannot be reliably fixed via a signature update. Signature update S601 merely brought us to the threshold where the problem manifests itself more frequently.  Our updates are tested and due to the nature of this problem its occurrence is fairly random and we did not observe it.  We apologize for the problems this has caused and are reviewing our internal processes to avoid a reoccurrence.

We recomend that customers be at the latest signature update level to provide the max protection, and it is important to be at the latest code level as well to ensure reliable and effective functionality. 

At this time, we are asking you to open a TAC case to document your upgrade woes and resolve them.

http://www.cisco.com/cisco/web/support/index.html

Thank you for your patience in this matter.

Nicholas Smith

Cisco IPS Signature Team

Hoyle,

I had the same problem, this is what I did to get it downgraded.

---------

Downgrade from console---

....unplug  monitor port (prevent engine from running) .... reset IPS.....downgrade  from command line to 600....go to gui turn off auto update....plug  ports back in.

Downgrade from ssh---

shutdown  monitor port (prevent engine from running) .... reset IPS.....downgrade  from command line to 600....go to gui turn off auto update....plug  ports back in.

At this point you should be able initiate the system upgrade.

Thanks,

Will

Nick, you said "Update 6.2.4 also resolves the issue".

Does that mean that also the 6.0.x, 6.1.x and 6.2.[1,2,3] are affected by this bug?

Thank you,

C.

I belive that is correct.  We reccomend that customers be at the latest sig update level to provide the max protection, and it is important to be at the latest code level as well to ensure reliable and effective functionality.

What is the reccommended course of action for those of us that have AIP-SSM's inside our firewalls? 

Question:  should we wait until 602 is released?  and will the automatic upgrade work for them i.e. will they automatically update to 602?

I cannot upgrade any of our AIP-SSM's currently running 7.0.4 (E4) to the current release via the GUI either with ASDM or with IEV.  This is pretty bad.

I would like to avoid downtime since they are inside redundant fw pairs.  Upgrades of the AIP-SSM typically require a FW failover when upgrading, so waiting for a sig update to 602 is preferable if it will automatically update.  Otherwise I need to know if this will not work in order to schedule downtime / change control to get this fixed.

From a customer support standpoint, if this was a know issue which it evidently was ... Cisco needs to tell customers beforehand to upgrade to the most recent code rev.  

The fact that a sig update can kill off the IPS inside a FW is pretty lame.  It also shows the lack of regression testing in your software process.  You need to fix that but I guess since you guys outsource so much to foreign countries, I'm not surprised when stuff like this happens.  I've learned how to suffer being a Cisco customer.

Upgrading to S602 will not solve the problem.

Signature Update S601 aggravated a bug (CSCtn23051) existing in some older versions of the sensor software. 

To resolve this issue, upgrade the sensor software to version 6.2(4) (released June 2011) or 7.0(5) (released May 2011) or greater (7.0(6) (released Sept 2011) is recommended).  Sensors running 7.1(x) software are not affected.

A signature update will not resolve the problem.  While the problem may not immediately manifest itself with future signature updates, unless the sensor is updated, the problem can occur, depending on the sensor configuration, the traffic being inspected, and the state of the memory.

For the best protection it is critical to apply the appropriate service packs to the sensor to ensure reliable and accurate operation.

The root issue is with the sensor software (CSCtn23051) and was addressed a number of months ago in the 7.0(5) SP.  We reccomend upgrading to 7.0(6) due to other issues with 7.0(5).

S601 happens to fairly reliably reproduce the memory condition that triggers the bug.  The only way to reliably fix the problem is to upgrade the sensor software.

Nicholas,

Thank you for taking the time to respond to this thread.

H