Solved: Global Correlation Error

learnsec · ‎08-24-2011

dear all,

i newly enabled global correlation on my IPS-4240. the global correlation was working fine for several days.

suddenly it is no more working, although the config is not modified.

1-mgt interface can resolve Address.

2-clock is not synchronized with ntp but it is set manually to be same as ntp server(internet)

3- no proxy used .

i disbaled /enabled global config still the same issue.

sh statistics global-correlation

Network Participation:

Counters:

Total Connection Attempts = 0

Total Connection Failures = 0

Connection Failures Since Last Success = 0

Connection History:

Updates:

Status Of Last Update Attempt = Failed

Time Since Last Successful Update = 7392 minutes

Counters:

Update Failures Since Last Success = 1478

Total Update Attempts = 3060

Total Update Failures = 1481

Update Interval In Seconds = 300

Update Server = update-manifests.ironport.com

Update Server Address = 204.15.82.17

Current Versions:

config = 0

drop = 0

ip = 0

rule = 0

please advice.

Jennifer Halim · ‎08-24-2011

If there is no network changes, I would suggest that you reload the IPS and see if that resolves the issue.

If you would like to further investigate the issue, I would suggest that you open a case with TAC so it can be further investigated.

View solution in original post

Jennifer Halim · ‎08-24-2011

Pls check if there is any changes in the network infrastructure since the Global Correlation stops working.

Would need to confirm that access to update-manifests.ironport.com (204.15.82.17) is allowed through the network.

learnsec · ‎08-24-2011

no network change,

plz check the following error log:

errorMessage: A global correlation update failed: Failed download of ibrs/1.1/drop/default/1314000963 : URI does not contain a valid ip address Messages, like this one, in the category - Reputation update failure - were logged 25 times in the last 7495 seconds. name=errUnclassified

Jennifer Halim · ‎08-24-2011

If there is no network changes, I would suggest that you reload the IPS and see if that resolves the issue.

If you would like to further investigate the issue, I would suggest that you open a case with TAC so it can be further investigated.

learnsec · ‎09-06-2011

hello jennifer,

i didn't reload the device, i was checking after couple of days the issue and i found that it was automaticaly and alone resynchronizing with global correlation site.

right it is abnormal behavior but i don't have an explanation to what happened.

regards,

Jennifer Halim · ‎09-06-2011

Thanks for the update, and you might want to open a TAC case if it happens again in the future for further investigation.

learnsec · ‎09-06-2011

hello jennifer,

unfortunately the problem re-occured.

could it be that the update-manifests.ironport.com (global correllation site) is not stable?

praprama · ‎09-12-2011

Hi,

We will have to probably enable logs for global correlation using the service account and see what's going on. I would suggest what jennifer suggested above, that is, open a TAC case.

Regards,

Prapanch