4215 IPS 5.x analysis engine woes

jblalock1337
Level 1

I've got about 20 4215s that I'm upgrading from 4.1 to 5.x.

Like everyone else I've had nothing but problems with the 5.1x (analysis engine just stops running)

I've tried upgrading using a brand new image, using both the 5.0(1) and 5.0(2) images. However, with both of those I get the following errors:

    Modify virtual sensor "vs0" configuration?[no]: yes
    Warning: The AnalysisEngine is initializing, virtual-sensor "vs0" can not be configured.

and..

    sensor# conf t
    sensor(config)# serv analysis-engine
    sensor(config-ana)# virtual-sensor vs0
    sensor(config-ana-vir)# physical-interface fast
    fastEthernet0/0 fastEthernet1/0 fastEthernet1/2
    fastEthernet0/1 fastEthernet1/1 fastEthernet1/3
    sensor(config-ana-vir)# physical-interface fastEthernet1/3
    sensor(config-ana-vir)# ex
    sensor(config-ana)# ex
    Apply Changes:?[yes]:
    Error: editConfigDeltaAnalysisEngine : Analysis Engine is busy

What's the deal with this? It sometimes takes several resets just to work. Sometimes I have to wait 10 minutes. Sometimes it just doesn't work at all. I can't even upgrade to 5.0(6) or anything because, you guessed it, my analysis engine is busy.

Does it normally take that long for it to allow me to make changes? Anybody have any ideas?

1 Accepted Solution


marcabal
Cisco Employee

After a re-image there will always be a period of time when the Analysis Engine is busy.

The Analysis Engine can take up to about 30 minutes on a low end sensor like the IDS-4215 to completely initialize itself.

It takes all of the regular expression signatures and will compile the regular expressions together into what you can consider one giant regular expression. It is what we call a regular expression cache file.

The creation of the regular expression cache file was speeded up as part of a bug fix in the 5.0(6) Service Pack.

So what to do:

After you do a re-image of the sensor just let it sit for 20 to 30 minutes. Then execute "iplog-status". If it tells you analysisEngine is busy then keep waiting. If it tells you No Ip Logs are available then it is ready to go. (Any other command that queries the AnalysisEngine would work as well.) This way you can also check the Analysis Engine status before going through and typing up all of the config changes.

Resetting the sensor while the Analysis Engine is busy just prolongs the initialization; the Analysis Engine will have to redo some of the initialization.

My recommendation for versions right now is to load 5.0(1) or 5.0(2) base image. Wait for 20 to 30 minutes till Analysis Engine is responding, then load the 5.0(6) Service Pack. When you load the 5.0(6) Service Pack there will once again be a big jump in signatures so there will be another initialization period.

Once that initialization is done, then load the latest Signature Update.

As for version 5.1(1) there are some known issues that cause Analysis Engine to stop Running. Don't confuse these bugs with the standard initialization time for Analysis Engine. Analysis Engine being busy is normal and expected after a re-image or upgrade; an Analysis Engine "Not Running" is a bug.

If you are seeing "Not Running" for Analysis Engine when executing "show version" then please contact the TAC. There is an engineering patch for some of these issues, but it does require running special engineering builds that are in the process of going through testing.

Cisco is working on these issues and will be releasing an official update as soon as the fixes have been fully tested at Cisco.

Until those 5.1(1) issues are addressed, your options would be to contact the TAC and possibly obtain the special engineering build, or downgrade to the 5.0(6) version as mentioned above.
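
An added example, not part of the original thread and not Cisco tooling: a readiness gate for scripting the upgrade sequence described above across several sensors, which waits while the engine is busy, never resets, and stops on "Not Running". It assumes a hypothetical `run_command` callable that sends one CLI command to the sensor and returns its text; the busy markers come from the messages quoted in this thread, and the `show version` line layout is an assumption.

```python
import re
import time

# Busy markers as quoted in the thread ("Analysis Engine is busy",
# "The AnalysisEngine is initializing"); matching is case-insensitive.
BUSY = re.compile(r"analysis\s*engine\s+is\s+(busy|initializing)", re.I)
# Assumed layout: "show version" prints the engine name and its state on one line.
NOT_RUNNING = re.compile(r"analysis\s*engine\b.*\bnot\s+running", re.I)


def classify(iplog_output, version_output=""):
    """Return 'not_running', 'busy', 'ready' or 'unknown' for one poll."""
    if NOT_RUNNING.search(version_output):
        return "not_running"   # a bug per the thread: escalate, waiting will not help
    if BUSY.search(iplog_output):
        return "busy"          # normal after a re-image or upgrade
    if iplog_output.strip():
        return "ready"         # the engine answered the query
    return "unknown"           # empty reply (e.g. dropped session): poll again


def wait_until_ready(run_command, timeout_s=45 * 60, interval_s=120,
                     sleep=time.sleep, clock=time.monotonic):
    """Poll until the engine answers; never issues a reset.

    run_command is a hypothetical callable (for instance an SSH wrapper)
    taking a CLI command string and returning the sensor's output.
    Returns 'ready', 'not_running' or 'timeout'.
    """
    deadline = clock() + timeout_s
    while True:
        state = classify(run_command("iplog-status"),
                         run_command("show version"))
        if state in ("ready", "not_running"):
            return state
        if clock() >= deadline:
            return "timeout"
        sleep(interval_s)
```

Run the gate once after the base image and again after the 5.0(6) Service Pack, since each step starts a new initialization period.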


4 Replies

Thanks for the info. I'm not too familiar with the inner workings of the engine.

Is there some place in the documentation that discusses these long wait periods?

Thanks again!

Marcabal -

Do you know if the 4215 Analysis Engine issues in 5.1 have been resolved? The EOL sales date for 5.0 is July 17th 2006.

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/prod_eol_notice0900aecd803e6f9d.html

Your posts to this forum are gold. We love hearing your advice.

The 5.1(2) Service Pack is proceeding through final testing. Watch for an IPS Bulletin announcing its release.

I will talk with marketing about that EOL Announcement. The announcement was made back in January, but those dates are now being extended.

Because of delays in the release of 5.1(2), the EOL dates for 5.0 will likely be extended out by at least one month (and possibly 2 or 3 months).

So you are OK to stay running 5.0(6) for now and likely through the end of the summer. But go ahead and begin to plan your migration to 5.1 once the 5.1(2) Service Pack has been made available.

I will talk with marketing tomorrow and get them to update this notification with what the new dates will be.
