Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2935
Views
0
Helpful
9
Replies

Cisco IPS ASA 5505 module ASA-SSC-AIP-5 Auto Update

Go to solution
GORAN GRAFSTROM
Level 1
Level 1

‎12-03-2014 05:43 AM - edited ‎03-10-2019 06:17 AM

Auto Update no longer work after 14 NOV 2014

Cisco Intrusion Prevention System, Version 6.2(5)E4 , SSC-AIP-5

Error: autoUpdate successfully selected a package (https://user@72.163.7.60//swc/esd/11/273556262/guest/IPS-sig-S838-req-E4.pkg) from the cisco.com locator service, however, package download failed: The host is not trusted. Add the host to the system's trusted TLS certificates.

Autoupdate have work without problem until 14 nov 2014 .

I have added host to the tls trusted hosts

#  show tls trusted-hosts
72.163.4.161
72.163.7.60

Still facing same issue

 

 

Understand How the Cisco IPS Automatic Signature Update Feature Works

http://www.cisco.com/c/en/us/support/docs/security/ips-sensor-software-version-71/113674-ips-automatic-signature-update-00.html

 

The IPS uses the file transfer

protocol defined in the file download data URL learned in the server manifest (currently uses HTTP

(TCP 80)).

The problem I see is that earlier before 14 nov it fetch signature file with HTTP ( works fine )

but now it tries with HTTPS instead .

One session against 72.163.4.161 (  always have been HTTPS )

One session against 72.163.7.60 , earlier HTTP now it uses HTTPS
 

Have anyone a solution ?

 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
shepp
Level 1
Level 1
In response to GORAN GRAFSTROM

‎12-04-2014 08:48 AM

correct.

 

the issue with locator service should be fixed now and you can continue to use the http auto-update

View solution in original post

0 Helpful
9 Replies 9

Go to solution
shepp
Level 1
Level 1

‎12-03-2014 10:15 AM

We are fixing the locator service to return HTTP instead of HTTPS URLs for the older IPS versions - its not fixed yet but should be sometime soon.

If you can't wait for this to be resolved and you are on the 7.1/7.3 train, you could upgrade to 7.1.9/7.3.2 which will use the HTTPS download correctly and which also resolve several other issues.

I'm not sure if/when 6.2.5 will be upgraded to work with https urls.

Otherwise, maybe manual updates or CSM could bridge the gap.

0 Helpful

Go to solution
GORAN GRAFSTROM
Level 1
Level 1
In response to shepp

‎12-03-2014 12:33 PM

Thx for reply

It will sure solve the problem.

Comment 

As I can see there is no support for version 7 on module SSC-AIP-5

the last Version supported is 6.2(5)E4 ,  correct ?

0 Helpful

Go to solution
shepp
Level 1
Level 1
In response to GORAN GRAFSTROM

‎12-04-2014 08:48 AM

correct.

 

the issue with locator service should be fixed now and you can continue to use the http auto-update

0 Helpful

Go to solution
ips0000011
Level 1
Level 1
In response to shepp

‎03-05-2015 09:15 AM

Hi

We've got a pair of 4325 sensors that we've recently upgraded to 7.3.3e4 and with that the update url is now;

https://www.cisco.com//cgi-bin/front.x/ida/locator/locator.pl

But when trying to auto-update it comes back with Error: AutoUpdate exception: TLS connection failed

The time is correct (synched to NTP) on both appliances, yet the updates fail.  Any thoughts?

 

Thanks

 

0 Helpful

Go to solution
flgranv
Level 1
Level 1
In response to ips0000011

‎03-18-2015 01:58 PM

Hello ips0000011,

We just updated to 7.3.3e4 IPS code on our 5512x and 5515x software ips units and we are experiencing the same symptoms that you are.  I have opened a Cisco TAC case on this, but we haven't made much progress on this yet.  Any new developments on your end?  If so, can you share?  I will post what I learn as well.

Thanks

0 Helpful

Go to solution
GORAN GRAFSTROM
Level 1
Level 1
In response to flgranv

‎03-19-2015 02:11 AM

Hello

Samme issue here with 5512x IPS units, TLS connection failed.

One of things I see ,  version  7.3.2  or 7.3.3 do not include in "Trusted Root certificate" store in IPS module the root certificate from  Baltimore Cybertrust

https://www.cisco.com//cgi-bin/front.x/ida/locator/locator.pl

Testing the link in browser will using the Baltimore Root certificate

But this maybe is wrong direction to solve it with adding it to IPS trusted store.

Thanks

0 Helpful

Go to solution
flgranv
Level 1
Level 1
In response to GORAN GRAFSTROM

‎03-19-2015 02:19 PM

Hello,

I have an update to this situation.  Cisco TAC said to replace the URL

https://www.cisco.com//cgi-bin/front.x/ida/locator/locator.pl with the URL

https://72.163.4.161//cgi-bin/front.x/ida/locator/locator.pl

Basically, they just had me use a hard-coded IP address rather than the www.cisco.com host name.  This actually worked.  The "on demand" update pulled the new signature with no error message.  No explanation was forthcoming as to WHY it worked.  I will check tomorrow to see if my scheduled nightly update worked.

Question for GORAN GRAFSTROM:  Have you tried adding the root certificate from  Baltimore Cybertrust to the IPS sensor yet?  I am curious as to whether or not that is a fix.

0 Helpful

Go to solution
GORAN GRAFSTROM
Level 1
Level 1
In response to flgranv

‎03-20-2015 08:48 AM

Hi

It works also for me to change URL.

No I haven´t added the root certificate into IPS yet

**********

thanks for information

0 Helpful

Go to solution
GORAN GRAFSTROM
Level 1
Level 1

‎12-04-2014 11:33 AM

Thx a lot , Today it working fine again

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card