cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3077
Views
0
Helpful
9
Replies

Cisco IPS ASA 5505 module ASA-SSC-AIP-5 Auto Update

GORAN GRAFSTROM
Level 1
Level 1

Auto Update no longer work after 14 NOV 2014

Cisco Intrusion Prevention System, Version 6.2(5)E4 , SSC-AIP-5

Error: autoUpdate successfully selected a package (https://user@72.163.7.60//swc/esd/11/273556262/guest/IPS-sig-S838-req-E4.pkg) from the cisco.com locator service, however, package download failed: The host is not trusted. Add the host to the system's trusted TLS certificates.

Autoupdate have work without problem until 14 nov 2014 .

I have added host to the tls trusted hosts

#  show tls trusted-hosts
72.163.4.161
72.163.7.60

Still facing same issue

 

 

Understand How the Cisco IPS Automatic Signature Update Feature Works

http://www.cisco.com/c/en/us/support/docs/security/ips-sensor-software-version-71/113674-ips-automatic-signature-update-00.html

 

The IPS uses the file transfer

protocol defined in the file download data URL learned in the server manifest (currently uses HTTP

(TCP 80)).

The problem I see is that earlier before 14 nov it fetch signature file with HTTP ( works fine )

but now it tries with HTTPS instead .

One session against 72.163.4.161 (  always have been HTTPS )

One session against 72.163.7.60 , earlier HTTP now it uses HTTPS
 

Have anyone a solution ?

 

 

1 Accepted Solution

Accepted Solutions

correct.

 

the issue with locator service should be fixed now and you can continue to use the http auto-update

View solution in original post

9 Replies 9

shepp
Level 1
Level 1

We are fixing the locator service to return HTTP instead of HTTPS URLs for the older IPS versions - its not fixed yet but should be sometime soon.

If you can't wait for this to be resolved and you are on the 7.1/7.3 train, you could upgrade to 7.1.9/7.3.2 which will use the HTTPS download correctly and which also resolve several other issues.

I'm not sure if/when 6.2.5 will be upgraded to work with https urls.

Otherwise, maybe manual updates or CSM could bridge the gap.

Thx for reply

It will sure solve the problem.

Comment 

As I can see there is no support for version 7 on module SSC-AIP-5

the last Version supported is 6.2(5)E4 ,  correct ?

correct.

 

the issue with locator service should be fixed now and you can continue to use the http auto-update

Hi

We've got a pair of 4325 sensors that we've recently upgraded to 7.3.3e4 and with that the update url is now;

https://www.cisco.com//cgi-bin/front.x/ida/locator/locator.pl

But when trying to auto-update it comes back with Error: AutoUpdate exception: TLS connection failed

The time is correct (synched to NTP) on both appliances, yet the updates fail.  Any thoughts?

 

Thanks

 

Hello ips0000011,

We just updated to 7.3.3e4 IPS code on our 5512x and 5515x software ips units and we are experiencing the same symptoms that you are.  I have opened a Cisco TAC case on this, but we haven't made much progress on this yet.  Any new developments on your end?  If so, can you share?  I will post what I learn as well.

Thanks

Hello

Samme issue here with 5512x IPS units, TLS connection failed.

One of things I see ,  version  7.3.2  or 7.3.3 do not include in "Trusted Root certificate" store in IPS module the root certificate from  Baltimore Cybertrust

https://www.cisco.com//cgi-bin/front.x/ida/locator/locator.pl

Testing the link in browser will using the Baltimore Root certificate

But this maybe is wrong direction to solve it with adding it to IPS trusted store.

Thanks

Hello,

I have an update to this situation.  Cisco TAC said to replace the URL

https://www.cisco.com//cgi-bin/front.x/ida/locator/locator.pl with the URL

https://72.163.4.161//cgi-bin/front.x/ida/locator/locator.pl

Basically, they just had me use a hard-coded IP address rather than the www.cisco.com host name.  This actually worked.  The "on demand" update pulled the new signature with no error message.  No explanation was forthcoming as to WHY it worked.  I will check tomorrow to see if my scheduled nightly update worked.

Question for GORAN GRAFSTROM:  Have you tried adding the root certificate from  Baltimore Cybertrust to the IPS sensor yet?  I am curious as to whether or not that is a fix.

Hi

It works also for me to change URL.

No I haven´t added the root certificate into IPS yet

**********

thanks for information

GORAN GRAFSTROM
Level 1
Level 1

Thx a lot , Today it working fine again

Review Cisco Networking for a $25 gift card