IDSM 5.1(1) S222 certificate unknown errors

yvasanthk
Level 1

Hi,

I reimaged my IDSM2 sensor in the following sequence:

1. Installed WS-SVC-IDSM2-K9-sys-1.1-a-5.1-1.bin.gz

2. Installed IPS-sig-S222-minreq-5.0-5.pkg

I am able to launch IDM and work with it. But, I get the following errors when I type "show events" on IDSM-2 CLI.

-------------------------------

evError: eventId=1143377080627763538 severity=warning vendor=Cisco

originator:

hostId: RCIPS

appName: cidwebserver

appInstanceId: 2731

time: 2006/03/26 11:45:53 2006/03/26 14:45:53 UTC

errorMessage: name=errWarning received fatal alert: certificate_unknown

evError: eventId=1143377080627763539 severity=error vendor=Cisco

originator:

hostId: RCIPS

appName: cidwebserver

appInstanceId: 2497

time: 2006/03/26 11:45:53 2006/03/26 14:45:53 UTC

errorMessage: name=errTransport WebSession::sessionTask(10) TLS connection exception: handshake incomplete.

-------------------------------

I do not see the alerts that I am supposed to see.

Please help. Thanks.

2 Replies

john.stephens
Level 1

"I do not see the alerts that I am supposed to see."

What type of alerts are you looking for? System events or signature alerts? You don't see alerts from IDM or from the CLI?

The two events you have in your post look certificate related. When you reimaged the IDSM a new TLS certificate was generated, so you'll have to update your TLS trusted-host. Just to start fresh I'd try doing the following; this process has resolved my TLS issues in the past.

sensor# tls generate-key

sensor# sh tls trusted-host (to see if any IPs are currently in the table)

sensor# conf t

If there are any trusted-host IPs in the table, then remove them.

(config)#no tls trusted-host ip-address x.x.x.x

Next, add IPs back into the trusted-host table.

(I have also been able to leave the trusted-host table empty and had CiscoWorks IPs add themselves to the trusted-host table automagically, but then other times I've had to manually add them.)

(config)# tls trusted-host ip-address (host IP that you will use to connect to the sensor webserver.)

This will ask if you want to add the host to the trusted host table, you will answer yes.

After that try IDM again. Then from the CLI you can verify that you aren't seeing the TLS events anymore with the "show events" command. And then you can also verify that you're getting alerts with the "show events alert past hh:mm:ss" command. Or alternatively just confirm the IDSM is seeing traffic by logging in as tac, su to root, and then do a tcpdump on the sensing interface.

Maybe a little more information than you needed on verifying the traffic, but hopefully something in the above will help you.

Forgot something...since you just reimaged, ensure you get the device up to current patch levels. There were also some TLS issues that were resolved in the patches.

http://www.cisco.com/cgi-bin/tablebuild.pl/ids-patches
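As an added example (not code from this thread or from Cisco), a small Python parser for the "show events" text quoted above: it splits the output into records and tags the cidwebserver TLS trust failures, so you can count them before and after re-adding the trusted host and confirm that alert records are still arriving. The sample output is constructed from the two evError records in the question plus an invented evAlert record, and the indentation of the sub-fields is an assumption.

```python
import re

# Constructed sample: the two evError records from the post plus one made-up
# evAlert record. Sub-field indentation is assumed; the parser accepts none.
SAMPLE_EVENTS = """\
evError: eventId=1143377080627763538 severity=warning vendor=Cisco
  originator:
    hostId: RCIPS
    appName: cidwebserver
    appInstanceId: 2731
  time: 2006/03/26 11:45:53 2006/03/26 14:45:53 UTC
  errorMessage: name=errWarning received fatal alert: certificate_unknown
evError: eventId=1143377080627763539 severity=error vendor=Cisco
  originator:
    hostId: RCIPS
    appName: cidwebserver
    appInstanceId: 2497
  time: 2006/03/26 11:45:53 2006/03/26 14:45:53 UTC
  errorMessage: name=errTransport WebSession::sessionTask(10) TLS connection exception: handshake incomplete.
evAlert: eventId=1143377080627763540 severity=medium vendor=Cisco
  originator:
    hostId: RCIPS
    appName: sensorApp
  time: 2006/03/26 11:46:01 2006/03/26 14:46:01 UTC
"""

HEADER = re.compile(r"^(ev\w+):\s+(.*)$")      # record start, e.g. "evError: eventId=... severity=..."
FIELD = re.compile(r"^\s*(\w+):\s*(.*)$")      # "key: value" sub-field; "originator:" has no value
TLS_MARKERS = ("certificate_unknown", "handshake incomplete")

def parse_events(text):
    """Return one flat dict per ev* record; header key=value pairs and sub-fields merged."""
    events = []
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:
            rec = {"type": head.group(1)}
            rec.update(p.split("=", 1) for p in head.group(2).split() if "=" in p)
            events.append(rec)
        elif events:
            kv = FIELD.match(line)
            if kv and kv.group(2):          # skip container lines such as "originator:"
                events[-1][kv.group(1)] = kv.group(2)
    return events

def tls_trust_failures(events):
    """Errors caused by a client rejecting the sensor's (regenerated) certificate."""
    return [e for e in events if e["type"] == "evError"
            and any(m in e.get("errorMessage", "") for m in TLS_MARKERS)]

def summarize(text):
    events = parse_events(text)
    bad = tls_trust_failures(events)
    return {"total": len(events), "alerts": sum(e["type"] == "evAlert" for e in events),
            "tls_failures": len(bad), "apps": sorted({e.get("appName", "?") for e in bad})}
```

Once the trusted-host entry is re-added, "tls_failures" should drop to zero on fresh output while "alerts" keeps rising if the sensing interface sees traffic.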
