10-17-2015 02:37 AM - edited 03-10-2019 06:28 AM
Hi, I have two ASA5585-SSP-10 with two ASA5585-SSP-IPS10. I configured the two ASAs as active/standby. When I try to send all traffic to the IPS, after a while my IPS's AnalysisEngine state becomes notRunning.
Here is part of show version output:
Cisco Intrusion Prevention System, Version 7.1(1)E4
MainApp S-SPYKER_2011_MAR_03_00_29_7_1_0_399 (Release) 2011-03-03T00:33:03-0600 Running
AnalysisEngine S-SPYKER_2011_MAR_03_00_29_7_1_0_399 (Release) 2011-03-03T00:33:03-0600 NotRunning
CollaborationApp S-SPYKER_2011_MAR_03_00_29_7_1_0_399 (Release) 2011-03-03T00:33:03-0600 Running
CLI S-SPYKER_2011_MAR_03_00_29_7_1_0_399 (Release) 2011-03-03T00:33:03-0600
Could you help me to solve the problem?
best regards
10-18-2015 12:16 AM
Hi,
Please share the output of 'main.log' (search this from the 'show tech' of IPS).
Also, if you wish, you could upgrade the IPS to the latest version, as the current 7.1.(1) E4 is a very old version and it might be hitting some defects as well.
Regards,
Akshay Rastogi
10-18-2015 11:37 PM
Thank you for your response.
As you asked, I have shared the 'show tech' output in txt format. I used PuTTY and the 'show tech-support' command and tried to save it as a text file. I hope it will be informative for solving my problem.
Also, I bought these devices (two ASAs and two IPSs) about 7 months ago. The current 7.1.(1) E4 IPS IOS was on my IPSs by default. It would be very helpful if I had some information about the latest IPS IOS version and how to upgrade it.
best regards.
10-21-2015 06:24 AM
Hi,
From the show tech I could see that signature updates were performed on the dates below:
* IPS-sig-S888-req-E4 12:50:01 UTC Tue Oct 06 2015
* IPS-sig-S889-req-E4.pkg 11:50:01 UTC Sat Oct 10 2015
Also, I could see that global correlation is failing a lot and has not been working for a long time:
Output from show statistics global-correlation
Network Participation:
   Counters:
      Total Connection Attempts = 0
      Total Connection Failures = 0
      Connection Failures Since Last Success = 0
   Connection History:
Updates:
   Status Of Last Update Attempt = Failed
   Time Since Last Successful Update = 2671 minutes
   Counters:
      Update Failures Since Last Success = 533
      Total Update Attempts = 1379
      Total Update Failures = 543
   Update Interval In Seconds = 300
   Update Server = update-manifests.ironport.com
   Update Server Address = Unknown
   Current Versions:
      config = 1236210407
      drop = 1445070439
      ip = 1445073547
      rule = 1445066948
14Oct2015 12:12:06.080 0.000 sensorApp[30782] Syslog/F cidAssert: Condition failed: (allThreadsRunning == true), Exiting due to unexpected thread exit (FILE: /view/ipsbuild-spyker/vob/csids_3/dev/apps/sensorApp/SensorApp.
14Oct2015 12:12:06.081 0.000 sensorApp[30782] Syslog/F errSystemError threadStart catch(CIDS logic exception) cidAssert: Condition failed: (allThreadsRunning == true), Exiting due to unexpected thread exit (FILE: /view/ip
14Oct2015 12:12:07.337 835.393 mainApp[30431] Cid/W errWarning AppManager::ApplicationEntry::updateProcessStatus - Application "AnalysisEngine " terminated by request
14Oct2015 12:12:07.337 0.000 mainApp[30431] Cid/W errWarning - Sensor stopped normally
14Oct2015 12:18:24.541 377.204 collaborationApp[30836] rep/E A global correlation update failed: ExecLoadCollabUpdate control transaction failed: Unknown control transaction name
Try fixing global correlation on the IPS and then check whether the issue resolves (try resetting the module as well).
Find the link below to fix global correlation:
http://www.cisco.com/c/en/us/td/docs/security/ips/7-0/configuration/guide/idm/idmguide7/idm_collaboration.html
I believe the latest image for this model is 7.3.4 E4:
IPS-SSP_10-K9-7.3-4-E4.pkg
http://www.cisco.com/c/en/us/td/docs/security/ips/7-3/release/notes/release7-3-4.html
I would also recommend having a case open with TAC during the upgrade.
Regards,
Akshay Rastogi
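
The main.log triage done by hand in the answer above can be scripted; this is an added example, not part of the original thread and not a Cisco tool. The field layout, the rule names and the 5-second window are assumptions inferred from the excerpt posted in the thread, and the sample input is abridged from that excerpt.

```python
import re
from datetime import datetime

# Layout inferred from the thread's main.log excerpt (an assumption):
# date time delta process[pid] facility/severity message
LINE_RE = re.compile(
    r"^(?P<date>\d{2}[A-Za-z]{3}\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) [\d.]+ "
    r"(?P<proc>\w+)\[\d+\] (?P<facility>\w+)/(?P<sev>[A-Z]) (?P<msg>.*)$"
)
# Hypothetical triage rules keyed on strings seen in the thread's excerpt.
RULES = {
    "engine_assert": re.compile(r"cidAssert: Condition failed"),
    "engine_terminated": re.compile(r'Application "AnalysisEngine\s*" terminated'),
    "gc_update_failed": re.compile(r"global correlation update failed"),
}
# Sample input abridged from the excerpt posted in the thread.
SAMPLE_LOG = """\
14Oct2015 12:12:06.080 0.000 sensorApp[30782] Syslog/F cidAssert: Condition failed: (allThreadsRunning == true), Exiting due to unexpected thread exit
14Oct2015 12:12:07.337 835.393 mainApp[30431] Cid/W errWarning AppManager::ApplicationEntry::updateProcessStatus - Application "AnalysisEngine " terminated by request
14Oct2015 12:12:07.337 0.000 mainApp[30431] Cid/W errWarning - Sensor stopped normally
14Oct2015 12:18:24.541 377.204 collaborationApp[30836] rep/E A global correlation update failed: ExecLoadCollabUpdate control transaction failed: Unknown control transaction name
"""

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # continuation or unrecognised line
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["date"], "%d%b%Y %H:%M:%S.%f")
    return rec

def triage(text, window_s=5.0):
    """Pair each AnalysisEngine termination with an assert logged in the
    preceding window_s seconds, and count global correlation update failures."""
    hits = {tag: [] for tag in RULES}
    for rec in filter(None, map(parse_line, text.splitlines())):
        for tag, rx in RULES.items():
            if rx.search(rec["msg"]):
                hits[tag].append(rec)
    crashes = []
    for term in hits["engine_terminated"]:
        near = [a for a in hits["engine_assert"]
                if 0 <= (term["ts"] - a["ts"]).total_seconds() <= window_s]
        crashes.append({"at": term["ts"], "asserting_proc": near[-1]["proc"] if near else None})
    return {"crashes": crashes, "gc_update_failures": len(hits["gc_update_failed"])}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run against a saved main.log, it shows whether each AnalysisEngine stop was preceded by a sensorApp assertion and how many global correlation update failures were logged alongside.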