Re: IDS sensor and MC update

o.oresotu · ‎01-18-2005

Hi,

My organisation uses a Cisco IDS 4215 which i always update from ciscoworks VMS 1.0.3. However, on applying the last update (IDS-sig.4.1.4-S137), it only update the sensor but failed to update the MC. Futhermore, when i telnet to the sensor i could login but there is an error "can not communicate with processes system halted"

Can anyone give me a clue on how wo resolve this problems?.

nkhawaja · ‎01-21-2005

have you tried rebooting the sensor? try that and then on idsmc click on "query sensor"

thanks

Nadeem

o.oresotu · ‎01-25-2005

Hi,

Although i've restarted the sensor before now, i've equally done that again. the situation still remains the same i.e. sensor is being upgraded while MC is not.

sachinraja · ‎01-25-2005

Hi

try restarting the ciscoworks daemon manager service on your VMS server. make sure you start all service back. hope you have placed the zip file on the correct folder :

c:/programfiles/cscopx/mdc/etc/ids/updates.

Raj

o.oresotu · ‎01-25-2005

Hi Raj,

I've restarted the services and yet the problem still persist. Yes, the zip file is in the correct folder.

Segun

5mlattimore · ‎01-31-2005

I read on a post here that there is a 4.1.4(f) patch that corrects an out of memory condition.

Ive seen this many times but it usually responds to a reboot of the sensor

Once I also had to reboot the IDS MC to get it to recognize that the sensor had been updated

good lucj

o.oresotu · ‎02-02-2005

Hi 5mlattimore,

Are you saying this is an out of memory problem. If so can u direct me to the url for the patch 4.1.4(f).

Regards

craiwill · ‎02-02-2005

If you are not running the 'f' patch , 4.1.4(f), you should download and install that patch. It fixes some out-of-memory on upgrade issues that are most likely the cause of your problem.

http://www.cisco.com/cgi-bin/tablebuild.pl/ids-patches

o.oresotu · ‎02-02-2005

Hi Craiwill,

Thank you for the information. I realise i have not applied any of the patches (a,b,c,d,e,f). Do i have to start from 'a' or i should i just apply 'f'.I mean is it cumulative?

Thanks

craiwill · ‎02-02-2005

The patches are cumulative and can be applied to any sensor 4.1(4)S91 or later.

nkhawaja · ‎02-02-2005

if ou run audit log report, you will see some error messages there, usually it happens due to certificate expires on MC. in that case you need to regenerate the certificate.

o.oresotu · ‎02-02-2005

Hi nkhawaja,

The audit log has the ff errors but does not report anything on MC certificate expiration:

error 1)RDEP Collector (HQ-IDS-01) parsed an evError: errSyslog lastlog_perform_login: Couldn't stat /var/log/lastlog: No such file or directory

error 2)RDEP Collector (HQ-IDS-01) parsed an evError: errTransport WebSession::sessionTask(0) TLS connection exception: handshake incomplete.

error 3)RDEP Collector Client RuntimeException :HQ-IDS-01- HTTP connection failed [1,0]

error 4) The update of sensor HQ-IDS-01 was stopped because the MC could not determine the actual version of the sensor.(Communication error)

error 5) HQ-IDS-01.OrganizationName: Error importing sensor version from the sensor - Aborting the CLI command because it has not responded in over 0 hours 30 minutes 10 seconds

nkhawaja · ‎02-03-2005

can you try to remove the sensor from IDSMC and add it again (using auto discover settings)..

can you run mdcsupport.exe and attach the file mdcsupportinformation.zip (or send it to me may be i can find something out)

thanks

o.oresotu · ‎02-04-2005

where on the MC is the auto discovery setting? Also, the mdcsupport.exe is not available on the sensor?

thanks

o.oresotu · ‎02-07-2005

The patch (f) hung the sensor. i had to restart it. How can i run the mdcsupport.exe?. where exactly is this exe file?.

Thanks