
Cisco IPS auto update failure on Cisco IDSM-2

AdoJay
Level 1

Hi Guys,

I am having issues getting my Cisco IPS to automatically download and install signature updates from Cisco. I have a Cisco 6513 which houses my IPS module. The Proxy and DNS settings are configured correctly in line with our IP address parameters. I also configured the Cisco.com URL as https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl. On my firewall, I have allowed my IPS management IP address access to 198.133.219.25:443 and 198.133.219.243:80. When it's time for the scheduled signature update, it fails.

Find below the output on the firewall;

6|Feb 17 2012|16:16:20|302014|*******|52948|198.133.219.25|443|Teardown TCP connection 144816393245560712 for inside:*********/52948 to outside:198.133.219.25/443 duration 0:00:20 bytes 78 SYN Timeout
6|Feb 17 2012|16:15:59|302013|198.133.219.25|443|*******|52948|Built outbound TCP connection 144816393245560712 for inside:**********/52948 (172.23.1.65/52948) to outside:198.133.219.25/443 (198.133.219.25/443)

Output of sh stat host;

Auto Update Statistics

   lastDirectoryReadAttempt = 15:09:09 UTC Fri Feb 17 2012

    =   Read directory:

https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl

    =   Error: AutoUpdate exception: HTTP connection failed [1,110]

   lastDownloadAttempt = N/A

   lastInstallAttempt = N/A

   nextAttempt = 15:06:00 UTC Fri Feb 24 2012

Auxilliary Processors Installed

Could someone please help me with the reason for the failure?

Regards

Austin

1 Reply

rhermes
Level 7

Looking at your firewall logs you can see the sensor start the TCP session at Feb 17 2012|16:15:59. The firewall waits for the response from your server hosting the update files (198.133.219.25/443); after 20 seconds of no response (SYN Timeout) the firewall tears down the connection.

Can you do a packet capture on the outside interface of your firewall to see what response you're getting from your server?

- Bob
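
The log reading in the reply above can be repeated over a larger export. This Python script is an added example, not part of the original thread: it pairs Built (302013) and Teardown (302014) lines by connection id and reports sessions that ended in SYN Timeout. The sample lines are constructed in the same pipe-delimited layout, with 192.0.2.10 standing in for the masked sensor address and made-up connection ids.

```python
import re
from datetime import datetime

# Constructed sample in the layout of the firewall output above (newest first).
# 192.0.2.10 replaces the masked sensor address; connection ids are made up.
SAMPLE_LOG = """\
6|Feb 17 2012|16:20:05|302014|192.0.2.10|52950|198.133.219.243|80|Teardown TCP connection 1002 for inside:192.0.2.10/52950 to outside:198.133.219.243/80 duration 0:00:03 bytes 5120 TCP FINs
6|Feb 17 2012|16:20:02|302013|198.133.219.243|80|192.0.2.10|52950|Built outbound TCP connection 1002 for inside:192.0.2.10/52950 (192.0.2.10/52950) to outside:198.133.219.243/80 (198.133.219.243/80)
6|Feb 17 2012|16:16:20|302014|192.0.2.10|52948|198.133.219.25|443|Teardown TCP connection 1001 for inside:192.0.2.10/52948 to outside:198.133.219.25/443 duration 0:00:20 bytes 78 SYN Timeout
6|Feb 17 2012|16:15:59|302013|198.133.219.25|443|192.0.2.10|52948|Built outbound TCP connection 1001 for inside:192.0.2.10/52948 (192.0.2.10/52948) to outside:198.133.219.25/443 (198.133.219.25/443)
"""

BUILT = re.compile(r"Built \w+ TCP connection (\d+) for ")
TEARDOWN = re.compile(
    r"Teardown TCP connection (\d+) for \S+ to \w+:([\d.]+)/(\d+) "
    r"duration (\d+):(\d+):(\d+) bytes (\d+)\s*(.*)"
)

def unanswered_handshakes(log_text):
    """Return one record per TCP session torn down with 'SYN Timeout'."""
    rows = [l.split("|", 8) for l in log_text.splitlines() if l.count("|") >= 8]
    # The export lists newest first; sort by timestamp so Built precedes Teardown.
    rows.sort(key=lambda r: datetime.strptime(f"{r[1]} {r[2]}", "%b %d %Y %H:%M:%S"))
    built, findings = {}, []
    for _sev, date, time_, msgid, *_fields, msg in rows:
        if msgid == "302013" and (m := BUILT.search(msg)):
            built[m.group(1)] = f"{date} {time_}"
        elif msgid == "302014" and (m := TEARDOWN.search(msg)):
            conn, dst, port, h, mi, s, nbytes, reason = m.groups()
            if reason.strip() == "SYN Timeout":
                findings.append({
                    "conn": conn,
                    "dst": f"{dst}:{port}",
                    "built": built.get(conn),  # None if the Built line is missing
                    "waited_s": int(h) * 3600 + int(mi) * 60 + int(s),
                    "bytes": int(nbytes),
                })
    return findings

if __name__ == "__main__":
    for f in unanswered_handshakes(SAMPLE_LOG):
        print(f"{f['dst']}: SYN sent {f['built']}, no handshake after "
              f"{f['waited_s']}s ({f['bytes']} bytes), conn {f['conn']}")
```

Every destination it lists is one where the firewall built the session but never saw the handshake complete, which is where a packet capture on the outside interface is worth taking.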
