03-26-2006 03:59 AM - edited 03-10-2019 01:57 AM
Hi,
I reimaged my IDSM2 sensor in the following sequence:
1. Installed WS-SVC-IDSM2-K9-sys-1.1-a-5.1-1.bin.gz
2. Installed IPS-sig-S222-minreq-5.0-5.pkg
I am able to launch IDM and work with it. But, I get the following errors when I type "show events" on IDSM-2 CLI.
-------------------------------
evError: eventId=1143377080627763538 severity=warning vendor=Cisco
originator:
hostId: RCIPS
appName: cidwebserver
appInstanceId: 2731
time: 2006/03/26 11:45:53 2006/03/26 14:45:53 UTC
errorMessage: name=errWarning received fatal alert: certificate_unknown
evError: eventId=1143377080627763539 severity=error vendor=Cisco
originator:
hostId: RCIPS
appName: cidwebserver
appInstanceId: 2497
time: 2006/03/26 11:45:53 2006/03/26 14:45:53 UTC
errorMessage: name=errTransport WebSession::sessionTask(10) TLS connection exception: handshake incomplete.
-------------------------------
I do not see the alerts that I am supposed to see.
Please help. Thanks.
03-27-2006 07:04 AM
"I do not see the alerts that I am supposed to see."
What type of alerts are you looking for? System events or signature alerts? You don't see alerts from IDM or from the CLI?
The two events you have in your post look certificate related. When you reimaged the IDSM a new TLS certificate was generated, so you'll have to update your TLS trusted-host table. Just to start fresh I'd try doing the following; this process has resolved my TLS issues in the past.
sensor# tls generate-key
sensor# sh tls trusted-host (to see if any IP's are currently in the table)
sensor# conf t
If there are any trusted-host IP's in the table, then remove them.
(config)# no tls trusted-host ip-address x.x.x.x
Next, add IP's back into the trusted-host table.
(I have also been able to leave the trusted-host table empty and had CiscoWorks IPs add themselves to the trusted-host table automagically, but then other times I've had to manually add them.)
(config)# tls trusted-host ip-address (host IP that you will use to connect to the sensor webserver.)
This will ask if you want to add the host to the trusted host table, you will answer yes.
After that try IDM again. Then from the CLI you can verify that you aren't seeing the TLS events anymore with the "show events" command. And then you can also verify that you're getting alerts with the "show events alert past hh:mm:ss" command. Or alternatively just confirm the IDSM is seeing traffic by logging in as tac, su to root, and then do a tcpdump on the sensing interface.
Maybe a little more information than you needed on verifying the traffic, but hopefully something in the above will help you.
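The failure mode the reply is working around is certificate pinning by fingerprint: a peer that remembers the fingerprint of a device's TLS certificate will reject the new certificate a reimage generates until the stale entry is cleared and the new fingerprint is learned. The following is an added illustration, not Cisco IPS code; it models a trusted-host table as a small in-memory map of IP address to SHA-1 fingerprint (the sensor stores fingerprints rather than full certificates, and the column layout, the `tofu` trust-on-first-use flag and the byte strings standing in for DER certificates are all constructed for the example).

```python
import hashlib
from typing import Dict, Optional, Tuple

# Hypothetical in-memory analogue of a TLS trusted-host table:
# peer IP address -> SHA-1 fingerprint of the certificate last accepted from that peer.
TrustedHosts = Dict[str, str]


def fingerprint(cert_der: bytes) -> str:
    """Return the colon-separated, upper-case SHA-1 fingerprint of a DER-encoded certificate."""
    digest = hashlib.sha1(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_peer(table: TrustedHosts, ip: str, cert_der: bytes, tofu: bool = False) -> str:
    """
    Decide whether a TLS handshake with `ip`, which presented `cert_der`, may proceed.

    Returns "ok" when the fingerprint matches the pinned entry, "added" when there is
    no entry and trust-on-first-use (`tofu`) is allowed, and "certificate_unknown"
    otherwise. The last case is the TLS alert name seen in the sensor's error events.
    """
    seen = fingerprint(cert_der)
    pinned: Optional[str] = table.get(ip)
    if pinned is None:
        if tofu:
            table[ip] = seen
            return "added"
        return "certificate_unknown"
    return "ok" if pinned == seen else "certificate_unknown"


def remove_trusted_host(table: TrustedHosts, ip: str) -> bool:
    """Analogue of 'no tls trusted-host ip-address <ip>'. Returns True if an entry was removed."""
    return table.pop(ip, None) is not None


def add_trusted_host(table: TrustedHosts, ip: str, cert_der: bytes) -> str:
    """Analogue of 'tls trusted-host ip-address <ip>': pin the fingerprint of the current certificate."""
    table[ip] = fingerprint(cert_der)
    return table[ip]


# Constructed sample data: stand-ins for the DER certificate before and after a reimage.
OLD_CERT = b"constructed-certificate-before-reimage"
NEW_CERT = b"constructed-certificate-after-reimage"
MGMT_IP = "10.0.0.5"  # hypothetical management host address


def reimage_scenario() -> Tuple[str, str, str, str]:
    """
    Walk through the thread's situation: a pinned entry works, a reimage (new certificate)
    breaks the handshake, and clearing plus re-adding the entry restores it.
    """
    table: TrustedHosts = {}
    add_trusted_host(table, MGMT_IP, OLD_CERT)
    before = check_peer(table, MGMT_IP, OLD_CERT)             # "ok"
    after = check_peer(table, MGMT_IP, NEW_CERT)              # "certificate_unknown"
    remove_trusted_host(table, MGMT_IP)                       # no tls trusted-host ...
    relearned = check_peer(table, MGMT_IP, NEW_CERT, tofu=True)  # "added"
    fixed = check_peer(table, MGMT_IP, NEW_CERT)              # "ok"
    return before, after, relearned, fixed


if __name__ == "__main__":
    for label, result in zip(("before reimage", "after reimage", "re-learn", "after fix"),
                             reimage_scenario()):
        print(f"{label:>15}: {result}")
```

The point the model makes is that the stale entry, not the new certificate, is what causes the `certificate_unknown` alert, so removing the entry and re-adding it (manually or by letting the peer learn it on first contact) is the fix, and the `show tls trusted-host` check in the reply is where you confirm which fingerprint is actually pinned.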
03-27-2006 07:16 AM
Forgot something... since you just reimaged, ensure you get the device up to current patch levels. There were also some TLS issues that were resolved in the patches.