I'm looking at the IPS modules at the moment that seem to have an ongoing issue of the Analysis Engine crashing. This runs as a process called sensorApp located in /usr/cids/idsroot/bin/
When it's originally launched it runs without problem using a -z switch and specifies the PID of the mainApp process.
Normally when this crashes the recommended action is to restart the module; however, what can I do if I'm unable to do that?
We have probably in the region of 400+ firewall pairs, i.e. 800+ firewalls/IPS modules.
If the IPS module stops working in the active firewall and we then restart it, the firewall in the failover pair gets marked as failed and therefore the firewalls fail over to the standby.
How can I restart this process through a service account and make the IPS active again without restarting it?
I have tried logging in with a service account and starting the process manually. I get the PID of mainApp by doing a /etc/init.d/cids status. Then I run the command:
/usr/cids/idsroot/bin/sensorApp -z PID
It runs and loads signatures etc. But when doing a sh ver on the module it still shows the analysis engine as being down.
Someone please help, or Cisco... if you're listening, break up the Analysis Engine from the mainApp and collaboration engine.
I know it's not recommended; however, for me it is a necessity.
In cases where I have a failover pair and the IPS in the active firewall has caused the sensorApp to crash, I could restart the app, get the module back up and running, then upgrade both modules at the same time, which doesn't cause a firewall failover.
Given that you mentioned it's not recommended, that indicates there is a way to do it?