cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

502
Views
0
Helpful
4
Replies
Ross Phillips
Beginner

Analysis Engine Crashed

Im looking at the IPS modules at the moment that seem to have an ongoing issue of the Analysis Engine crashing. This runs as a process called sensorApp located in /usr/cids/idsroot/bin/

When its originally launched it runs without problem using a -z switch and specifies the PID of the mainApp process.

Normally when this crashes the recommended action is to restart the module however what can i do if im unable to do that.

We have probably in the region of 400+ firewall pairs, i.e 800+ firewalls/IPS modules.

If the IPS module stops working in the active firewall, the restart it, the firewall in the failover pair gets marked as failed and therefore the firewalls failover to the standby.

How can I restart this process through a service account and make the IPS active again without restarting it?

I have tried logging in with a service account and starting the process manually. I get the PID of mainApp by doing a /etc/init.d/cids status. Then run the commands

su -

<password>

su cids

/usr/cids/idsroot/bin/sensorApp -z PID

It runs and loads signatures etc. But when doing a sh ver on the module it still shows the analysis engine as being down.

Someone please help or Cisco... if your listening break up the Analysis Engine from the mainapp and collaberation engine.

Thanks

Ross

4 REPLIES 4
sawgupta
Beginner

It is not recommended to start the Analysis Engine manually.

Regards,

Sawan Gupta

Thanks & Regards, Sawan Gupta

I know its not recommended however for me it is a nessecity.

If in cases where I have a failover pair and the IPS in the active firewall has caused the sensorApp to crash, I could restart the app. Get the module back up and running then upgrade both modules at the same time which doesnt cause a firewall failover.

Given that you mentioned its not recommended that indicates there is a way to do it?

Cisco TAC will surely answer this query once you have a service request opened :-)

Regards,

Sawan Gupta

Thanks & Regards, Sawan Gupta

Thanks for that.

Content for Community-Ad