02-02-2013 12:23 AM - edited 03-10-2019 05:53 AM
Dear all,
We have Cisco IPS Version 7.0(2)E4. Recently its analysis engine stopped working. The following are the logs for the IPS devices, and please also check the attached screenshot for details.
# show health
Overall Health Status Red
Health Status for Failed Applications Red
Health Status for Signature Updates Green
Health Status for License Key Expiration Green
Health Status for Running in Bypass Mode Red
Health Status for Interfaces Being Down Green
Health Status for the Inspection Load Green
Health Status for the Time Since Last Event Retrieval Green
Health Status for the Number of Missed Packets Green
Health Status for the Memory Usage Not Enabled
Health Status for Global Correlation Green
Health Status for Network Participation Not Enabled
***********************************
# show version
Application Partition:
Cisco Intrusion Prevention System, Version 7.0(2)E4
Host:
Realm Keys key1.0
Signature Definition:
Signature Update S692.0 2013-01-29
OS Version: 2.4.30-IDS-smp-bigphys
Platform: IPS4270-20-K9
Serial Number: USE003NAFG
Licensed, expires: 04-Aug-2015 UTC
Sensor up-time is 10 days.
Using 1904545792 out of 4029317120 bytes of available memory (47% usage)
system is using 17.4M out of 38.5M bytes of available disk space (45% usage)
application-data is using 48.5M out of 174.7M bytes of available disk space (29% usage)
boot is using 41.6M out of 75.9M bytes of available disk space (58% usage)
application-log is using 494.0M out of 513.0M bytes of available disk space (96% usage)
MainApp B-BEAU_2009_OCT_15_08_07_7_0_1_111 (Ipsbuild) 2009-10-15T08:09:06-0500 Running
AnalysisEngine BE-BEAU_E4_2010_MAR_25_02_09_7_0_2 (Ipsbuild) 2010-03-25T02:11:05-0500 NotRunning
CollaborationApp B-BEAU_2009_OCT_15_08_07_7_0_1_111 (Ipsbuild) 2009-10-15T08:09:06-0500 Running
CLI B-BEAU_2009_OCT_15_08_07_7_0_1_111 (Ipsbuild) 2009-10-15T08:09:06-0500
Upgrade History:
* IPS-sig-S691-req-E4 16:00:16 UTC Thu Jan 24 2013
************************************
#show events
evError: eventId=1344469454269784178 severity=error vendor=Cisco
originator:
hostId: DC-IPS-4270-01
appName: collaborationApp
appInstanceId: 475
time: 2013/02/02 07:32:22 2013/02/02 10:32:22 GMT+03:00
errorMessage: name=errSystemError connect timed out [ClientPipe::connect]
evError: eventId=1344469454269784179 severity=fatal vendor=Cisco
originator:
hostId: DC-IPS-4270-01
appName: collaborationApp
appInstanceId: 475
time: 2013/02/02 07:32:22 2013/02/02 10:32:22 GMT+03:00
errorMessage: name=errUnclassified ct-sensorApp.449 not responding, please check system processes - The connect to the specified Io::ClientPipe failed.
evError: eventId=1344469454269784180 severity=error vendor=Cisco
originator:
hostId: DC-IPS-4270-01
appName: collaborationApp
appInstanceId: 475
time: 2013/02/02 07:33:32 2013/02/02 10:33:32 GMT+03:00
Please give us your suggestion for the solution of this issue.
Regards
Sher
02-02-2013 03:20 PM
Hello Sher,
Have you reset the IPS already?
If not, please proceed with that; afterwards let us know if the issue persists.
We will go from there.
02-03-2013 09:18 PM
Julio,
I am having similar issues with my IPS. Is there any method by which I can get notifications when the Analysis Engine stops? It would not be feasible for me to check the IPS from time to time to see if the Analysis Engine is still running.
Thanks
Regards
Wong
02-03-2013 09:46 PM
Is this a sensor or an AIP-SSM?
02-03-2013 09:52 PM
ASA-SSM-20
We have the following turned on.
error-filter warning|error|fatal
enable-detail-traps true
enable-notifications true
----------------------------------
MainApp B-2012_MAY_18_20_17_7_0_7_16 (Ipsbuild) 2012-05-18T20:22:54-0500 Running
AnalysisEngine B-2012_MAY_18_20_17_7_0_7_16 (Ipsbuild) 2012-05-18T20:22:54-0500 NotRunning
CollaborationApp B-2012_MAY_18_20_17_7_0_7_16 (Ipsbuild) 2012-05-18T20:22:54-0500 Running
CLI B-2012_MAY_18_20_17_7_0_7_16 (Ipsbuild) 2012-05-18T20:22:54-0500
02-04-2013 07:42 PM
You need to regularly monitor the IPS for events. If the Analysis Engine goes down, it will generate an event.
Also, you need to collect show-tech and contact Cisco TAC to get the issue resolved.
Regards,
Sawan Gupta
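One way to automate the check asked about above, as an added example (not code from any poster or from Cisco): a Python parser that takes saved `show health`, `show version` and `show events` text and returns alerts for non-Green health items, applications reported NotRunning, and fatal evError events. How the text is collected from the sensor and how alerts are delivered are assumptions left outside the block; the sample input is constructed from the output format posted in this thread.

```python
import re

# Constructed sample, trimmed from the output format posted in this thread.
SAMPLE = """\
Overall Health Status Red
Health Status for Failed Applications Red
Health Status for Signature Updates Green
Health Status for Running in Bypass Mode Red
Health Status for the Memory Usage Not Enabled
MainApp B-BEAU_2009_OCT_15_08_07_7_0_1_111 (Ipsbuild) 2009-10-15T08:09:06-0500 Running
AnalysisEngine BE-BEAU_E4_2010_MAR_25_02_09_7_0_2 (Ipsbuild) 2010-03-25T02:11:05-0500 NotRunning
CLI B-BEAU_2009_OCT_15_08_07_7_0_1_111 (Ipsbuild) 2009-10-15T08:09:06-0500
evError: eventId=1344469454269784178 severity=error vendor=Cisco
errorMessage: name=errSystemError connect timed out [ClientPipe::connect]
evError: eventId=1344469454269784179 severity=fatal vendor=Cisco
errorMessage: name=errUnclassified ct-sensorApp.449 not responding, please check system processes
"""

HEALTH = re.compile(r"^(Overall Health Status|Health Status for .+?)\s+(Not Enabled|\S+)$")
APP = re.compile(r"^(\w+)\s+\S+\s+\(\w+\)\s+\S+\s+(Running|NotRunning)$")
EVENT = re.compile(r"^evError:\s+eventId=(\d+)\s+severity=(\w+)")

def find_alerts(text):
    """Return (kind, subject, detail) tuples for conditions worth a notification."""
    alerts, event = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEALTH.match(line):
            # Green and "Not Enabled" are quiet; any other status is reported.
            if m.group(2) not in ("Green", "Not Enabled"):
                alerts.append(("health", m.group(1), m.group(2)))
        elif m := APP.match(line):
            if m.group(2) == "NotRunning":
                alerts.append(("app", m.group(1), "NotRunning"))
        elif m := EVENT.match(line):
            event = m.groups()  # (eventId, severity) of the block being read
        elif line.startswith("errorMessage:") and event:
            if event[1] == "fatal":
                alerts.append(("event", event[0], line.split(":", 1)[1].strip()))
            event = None
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE):
        print(*alert, sep=" | ")
```
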
02-06-2013 12:20 AM
Hi,
I have 3 suggestions:
- maybe you're hitting bugs: CSCuc34812, CSCty05171
- in the IPS Threat Defense Bulletin, 7.0.2 is not supported (first supported is 7.0.6)
- contact TAC if one of the previous is true
Regards,
Pavel