Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
978
Views
0
Helpful
4
Replies

ASA-SSM-20 Error: AutoUpdate exception: HTTP connection failed

Go to solution
N3t W0rK3r
Level 3
Level 3

‎04-27-2016 09:10 AM - edited ‎03-10-2019 06:36 AM

Autoupdate has been working for years, but now is not.

I have verified that the sensor is establishing a connection with the peer at https://72.163.4.161//cgi-bin/front.x/ida/locator/locator.pl

CCO creds have not changed.

What is going here?  I have two sensors behaving this way, btw.

Thanks.

John

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎04-27-2016 12:10 PM

I had this at one of my customers. I dug into it and found the following:

Cisco updated their SSL certificates earlier this year to use SHA2 signed certificates. They are signed by a different Root CA (Verizon if I recall correctly) and the IPS system image needs to be updated to the latest version (7.3(5)) in order to trust the certificates from that root CA.

This is mentioned in the IPS 7.3(5) release notes:

http://www.cisco.com/c/en/us/td/docs/security/ips/7-3/release/notes/release7-3-5.html#pgfId-1381236

  • You need IPS 7.3(5) to use auto update, global correlation, and network participation after migration of the SHA-2 Certificates on the Cisco web sites.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎04-27-2016 12:10 PM

I had this at one of my customers. I dug into it and found the following:

Cisco updated their SSL certificates earlier this year to use SHA2 signed certificates. They are signed by a different Root CA (Verizon if I recall correctly) and the IPS system image needs to be updated to the latest version (7.3(5)) in order to trust the certificates from that root CA.

This is mentioned in the IPS 7.3(5) release notes:

http://www.cisco.com/c/en/us/td/docs/security/ips/7-3/release/notes/release7-3-5.html#pgfId-1381236

  • You need IPS 7.3(5) to use auto update, global correlation, and network participation after migration of the SHA-2 Certificates on the Cisco web sites.
0 Helpful

Go to solution
Jetsy Mathew
Cisco Employee
Cisco Employee
In response to Marvin Rhoads

‎04-28-2016 01:38 AM

Hello John,

Could you please specify what all auto updates you are referring to ? Is it includes the product updates and SRU updates also ?

Regards

Jetsy

0 Helpful

Go to solution
N3t W0rK3r
Level 3
Level 3
In response to Jetsy Mathew

‎04-28-2016 08:21 AM

Hello Jetsy,

The updates I'm referring to are signature updates accessed via the URL referenced in the first message.

My platforms are ASA-SSM-20 and ASA-SSM-40.  Running version 7.1(7)E4 on both IPS modules.

Thanks,

John

0 Helpful

Go to solution
N3t W0rK3r
Level 3
Level 3
In response to Marvin Rhoads

‎04-28-2016 08:10 AM

Thanks Marvin... I will take a look at this and see if it applies to my platform.


Cheers.

John

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card