IDSM-2 Signature Updates from Cisco.com URL?

NPT_2
Level 2

The IDSM-2 IPS sensor in my 6509 switch was not auto-updating from version 6.1(1)E3 S297, so I manually updated it to 7.0(2)E4 S480.  Unfortunately it still won't auto-update from cisco.com, and I think the URL it is using is not correct.  My IDSM-2 configuration has the URL of:

https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl

Is there a more current URL I should be using?

Jim

17 Replies

Scott Fringer
Cisco Employee (accepted solution)

Jim;

  The URL you provided is the correct URL.

  You can see what might be occurring by reviewing the output of the command 'sh stat host' from the CLI.  The very end of the output will display the auto-update status.

  With that output you can either post here, and time permitting we can try to work through the issue, or you can open a service request with TAC for directed assistance.

Scott

OK, the strange thing is that last night the latest signature update installed automatically without issue.  Strange, oh well, all is working now.  Thanks for the info; if it reoccurs I'll either post again or open a TAC case.

Jim

Jim;

  Glad to hear it was successful.

  There is a known issue when the signature update is scheduled to occur on the hour boundary (e.g. 03:00): it can frequently, but not always, fail to update.  Skewing the update check time off the boundary (e.g. 03:06) corrects the issue.

  Again, you can receive a quick view of a potential issue in the 'sh stat host' output.

Scott

That could have very well been the problem.  I just switched it to update offset from the exact hour.  Thanks again.

Hi,

Auto-update of signatures is not happening.

Output of 'sh stat host':

Auto Update Statistics
   lastDirectoryReadAttempt = 08:25:45 UTC Wed Apr 06 2011
    =   Read directory: http://www.cisco.com/cisco/software/download.html#
    =   Error: AutoUpdate exception: HTTP connection failed [1,0]
   lastDownloadAttempt = 10:00:51 UTC Wed Dec 22 2010
   lastInstallAttempt = N/A
   nextAttempt = 09:25:00 UTC Wed Apr 06 2011
Auxilliary Processors Installed

OS Version:             2.4.30-IDS-smp-bigphys
Recovery Partition Version 1.1 - 6.2(3)E4

Abhishek;

  The automatic IPS signature update process does not perform DNS lookups.  Your system is configured to use the following update URL:

http://www.cisco.com/cisco/software/download.html#

  This is invalid.

  The correct URL is:

https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl

  This is the only valid URL; the double-forward slash (//) after the IPS address is not a typographical error.

Scott

Hello Scott,

I changed the URL to https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl, but the IDSM is still not updating the signatures automatically.

Output of 'sh stat host':

Auto Update Statistics
   lastDirectoryReadAttempt = 14:43:19 GMT+05:30 Thu Apr 07 2011
    =   Read directory: http://Rn@72.163.7.55//swc/esd/04/273556262/guest/
    =   Success
   lastDownloadAttempt = 14:43:19 GMT+05:30 Thu Apr 07 2011
    =   Download: http://Rn@72.163.7.55//swc/esd/04/273556262/guest/IPS-sig-S557-req-E4.pkg
    =   Error: autoUpdate successfully selected a package (http://Rn@72.163.7.55//swc/esd/04/273556262/guest/IPS-sig-S557-req-E4.pkg) from the cisco.com locator service, however, package download failed: HTTP status : 403 -  Webcat Access denied
   lastInstallAttempt = 15:46:59 GMT+05:30 Wed Dec 22 2010
   nextAttempt = 15:41:00 GMT+05:30 Thu Apr 07 2011
Auxilliary Processors Installed

Abhishek;

  The new output indicates that the IDSM-2 is successfully connecting to the update website.

  The IDSM-2 is encountering an issue when attempting to retrieve the actual update package.  Is there a firewall, proxy server or URL filter (e.g. Websense) between the IDSM-2 management IP address and the Internet?  If so, you will need to create an exception for the IDSM-2's management IP address so it can access the Internet without restriction.

Scott

Hello,

Any update on this issue? I see the same behavior on two IDSM-2s. I didn't see any traffic being blocked on the firewall, but I still opened all IP traffic from the sensors to 198.133.219.25, and there was already an exception in Websense for anything to 198.133.219.0/24.

This behavior only started recently. A while ago they had stopped updating then started up again without any intervention. Now they've stopped again. My last update is 566.

Thanks.

Vincent

Vincent;

  What does the output of 'sh stat host' show about the last attempts to update signatures?

Scott

Hi Scott,

Same thing as for Abhishek Kala:

Auto Update Statistics
   lastDirectoryReadAttempt = 10:24:05 UTC Tue May 31 2011
    =   Read directory: http://vpersaud001@72.163.7.55//swc/esd/05/273556262/guest/
    =   Success
   lastDownloadAttempt = 10:24:05 UTC Tue May 31 2011
    =   Download: http://vpersaud001@72.163.7.55//swc/esd/05/273556262/guest/IPS-sig-S570-req-E4.pkg
    =   Error: autoUpdate successfully selected a package (http://vpersaud001@72.163.7.55//swc/esd/05/273556262/guest/IPS-sig-S570-req-E4.pkg) from the cisco.com locator service, however, package download failed: Failed to receive the HTTP response
   lastInstallAttempt = 14:11:02 UTC Sat May 14 2011
   nextAttempt = 10:24:00 UTC Wed Jun 01 2011

Thanks.

Vincent;

  It looks as if the IDSM-2's management IP address does not have access to 72.163.7.55, or the Websense is intercepting that access and causing an issue. The 198.133.219.25 address is used to determine if a new update is available. If an update is available, the IDSM-2 is redirected to another server to retrieve the actual signature update.

Scott

Scott,

I allowed all IP access from the sensors out to the Internet and exempted all traffic from them in Websense. They both updated. However, I'd like to restrict traffic to specific hosts or subnets. Do you know what server IPs are accessed for the updates? Bearing in mind this worked fine for about three years and only started having problems recently, did something change on Cisco's side?

Thanks very much for your help.

Vincent

Vincent;

  I do not have a list of specific IP addresses that are used for signature updates. At this time, the initial IP address for the check is hard-coded as 198.133.219.25. The servers hosting the signature updates were relocated; this apparently resulted in new IP addresses being assigned. I do not know the full range currently in use, but certainly adding an exception for the 72.163.7.0/24 should cover this new range.

Scott
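The triage Scott walks through in the replies above (a locator URL that names a hostname, which fails because the sensor does no DNS lookups; a 403 from a URL filter on the download host; no HTTP response from the download host because a firewall blocks it; and the on-the-hour scheduling issue) can be scripted against the 'sh stat host' output. The script below is an added example, not Cisco code and not anything posted in the thread. The sample outputs are transcribed from the posts above, except SAMPLE_BOUNDARY, which is constructed; the classification rules, the locator URL and the 72.163.7.0/24 range are taken from Scott's replies and treated as assumptions, not as Cisco documentation.

```python
"""Triage the 'Auto Update Statistics' block of an IDSM-2 'show statistics host'.

Added example, not Cisco code. Sample outputs are transcribed from the thread
(SAMPLE_BOUNDARY is constructed); the rules follow the replies above.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Locator URL and download range as stated in the thread (assumptions, not docs).
LOCATOR_URL = "https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl"
DOWNLOAD_NET = ipaddress.ip_network("72.163.7.0/24")

SAMPLE_BAD_URL = """Auto Update Statistics
   lastDirectoryReadAttempt = 08:25:45 UTC Wed Apr 06 2011
    =   Read directory: http://www.cisco.com/cisco/software/download.html#
    =   Error: AutoUpdate exception: HTTP connection failed [1,0]
   lastDownloadAttempt = 10:00:51 UTC Wed Dec 22 2010
   lastInstallAttempt = N/A
   nextAttempt = 09:25:00 UTC Wed Apr 06 2011
"""
SAMPLE_403 = """Auto Update Statistics
   lastDirectoryReadAttempt = 14:43:19 GMT+05:30 Thu Apr 07 2011
    =   Read directory: http://Rn@72.163.7.55//swc/esd/04/273556262/guest/
    =   Success
   lastDownloadAttempt = 14:43:19 GMT+05:30 Thu Apr 07 2011
    =   Download: http://Rn@72.163.7.55//swc/esd/04/273556262/guest/IPS-sig-S557-req-E4.pkg
    =   Error: autoUpdate successfully selected a package (http://Rn@72.163.7.55//swc/esd/04/273556262/guest/IPS-sig-S557-req-E4.pkg) from the cisco.com locator service, however, package download failed: HTTP status : 403 -  Webcat Access denied
   lastInstallAttempt = 15:46:59 GMT+05:30 Wed Dec 22 2010
   nextAttempt = 15:41:00 GMT+05:30 Thu Apr 07 2011
"""
SAMPLE_NO_RESPONSE = """Auto Update Statistics
   lastDirectoryReadAttempt = 10:24:05 UTC Tue May 31 2011
    =   Read directory: http://vpersaud001@72.163.7.55//swc/esd/05/273556262/guest/
    =   Success
   lastDownloadAttempt = 10:24:05 UTC Tue May 31 2011
    =   Download: http://vpersaud001@72.163.7.55//swc/esd/05/273556262/guest/IPS-sig-S570-req-E4.pkg
    =   Error: autoUpdate successfully selected a package (http://vpersaud001@72.163.7.55//swc/esd/05/273556262/guest/IPS-sig-S570-req-E4.pkg) from the cisco.com locator service, however, package download failed: Failed to receive the HTTP response
   lastInstallAttempt = 14:11:02 UTC Sat May 14 2011
   nextAttempt = 10:24:00 UTC Wed Jun 01 2011
"""
# Constructed: a healthy sensor whose next check lands exactly on the hour.
SAMPLE_BOUNDARY = """Auto Update Statistics
   lastDirectoryReadAttempt = 03:00:02 UTC Thu Jun 02 2011
    =   Read directory: http://user@72.163.7.55//swc/esd/05/273556262/guest/
    =   Success
   lastDownloadAttempt = 03:00:02 UTC Thu Jun 02 2011
    =   Download: http://user@72.163.7.55//swc/esd/05/273556262/guest/IPS-sig-S570-req-E4.pkg
    =   Success
   lastInstallAttempt = 03:00:40 UTC Thu Jun 02 2011
   nextAttempt = 03:00:00 UTC Fri Jun 03 2011
"""

ATTEMPT_RE = re.compile(r"^(\w+Attempt)\s*=\s*(.*)$")
URL_RE = re.compile(r"^=\s*(?:Read directory|Download):\s*(\S+)")
RESULT_RE = re.compile(r"^=\s*(Success|Error:.*)$")


def parse_auto_update_stats(text):
    """Return {attempt_name: {'time', 'url', 'result'}} from the stats block."""
    stats, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := ATTEMPT_RE.match(line):
            current = m.group(1)
            stats[current] = {"time": m.group(2).strip(), "url": None, "result": None}
        elif current and (m := URL_RE.match(line)):
            stats[current]["url"] = m.group(1)
        elif current and (m := RESULT_RE.match(line)):
            stats[current]["result"] = m.group(1)
    return stats


def host_of(url):
    # urlsplit strips the 'user@' prefix the sensor logs in front of the host.
    return urlsplit(url).hostname if url else None


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def on_hour_boundary(time_str):
    """True when the timestamp's minute field is :00 (the known failure case)."""
    m = re.match(r"^\d{1,2}:(\d{2}):\d{2}", time_str or "")
    return bool(m) and m.group(1) == "00"


def next_check_on_boundary(text):
    return on_hour_boundary(parse_auto_update_stats(text).get("nextAttempt", {}).get("time"))


def triage(text):
    """Classify the last update attempt; returns (code, human-readable detail)."""
    s = parse_auto_update_stats(text)
    read, down = s.get("lastDirectoryReadAttempt", {}), s.get("lastDownloadAttempt", {})
    rhost, dhost = host_of(read.get("url")), host_of(down.get("url"))
    rres, dres = read.get("result") or "", down.get("result") or ""
    in_range = dhost is not None and is_ip_literal(dhost) and ipaddress.ip_address(dhost) in DOWNLOAD_NET
    if rhost and not is_ip_literal(rhost):
        return "bad-url-hostname", f"locator URL names {rhost!r}; the sensor does no DNS lookups, set {LOCATOR_URL}"
    if rres.startswith("Error"):
        return "locator-unreachable", f"cannot reach locator {rhost}: {rres}"
    if "403" in dres:
        return "download-filtered", f"{dhost} answered 403 (in {DOWNLOAD_NET}: {in_range}); a proxy/URL filter is intercepting the download, exempt the sensor"
    if "Failed to receive the HTTP response" in dres:
        return "download-no-response", f"no HTTP response from {dhost} (in {DOWNLOAD_NET}: {in_range}); a firewall is likely blocking the redirected download host"
    if dres.startswith("Error"):
        return "download-error", dres
    return "ok", f"last install {s.get('lastInstallAttempt', {}).get('time')}"


if __name__ == "__main__":
    for name, sample in [("bad url", SAMPLE_BAD_URL), ("403", SAMPLE_403),
                         ("no response", SAMPLE_NO_RESPONSE), ("boundary", SAMPLE_BOUNDARY)]:
        code, detail = triage(sample)
        print(f"{name:12} {code:22} {detail}")
        if next_check_on_boundary(sample):
            print(f"{'':12} warning: next check is on the hour; skew it (e.g. :06)")
```

The order of the rules matters: the hostname check runs first because a hostname URL also produces a connection error, and reporting the error alone would send you chasing a firewall instead of the configured URL. Feed it the pasted CLI output of a sensor that is not updating and compare the returned code with the cases in this thread.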
