09-08-2010 06:07 AM - edited 03-10-2019 05:07 AM
I have configured the internal IDSM cards for auto update, and I see hits against our firewall ACL for this traffic, but the update seems out of date on the IPS. Can anyone tell me how to troubleshoot this?
many thanks
09-08-2010 06:39 AM
Hi,
On the IDSM, you can enter the command "show statistics host" and it should tell you all details regarding auto-update and the reason for failure as well. Please paste the entire output over here and we can have a look.
Regards,
Prapanch
09-08-2010 07:07 AM
Error: autoUpdate successfully selected a package (http://myaccount@198.133.219.243//swc/esd/04/273556262/contract/IPS-sig-S511-req-E4.pkg) from the cisco.com locator service, however, package download failed: HTTP connection failed
I only had HTTPS allowed; I have allowed HTTP also now. Should this fix it?
Also, all my IPSs are 10.x.1.10 (with x being the subnet). Can you write an ACL in the format:
access-list inside_in permit ip 10.0.1.10 255.0.255.255 any
Thanks in advance
09-08-2010 08:42 PM
Hi,
Yes, once you have HTTP also allowed, you should see auto update working.
The way you have configured the ACL is interesting :-) and I don't see any reason why it should not work. Let's wait for the next auto-update attempt by the IPS and see what happens. Let me know how it goes!
regards,
prapanch
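The address/mask pair asked about above (10.0.1.10 with 255.0.255.255), worked through as an added example that is not code from the thread or from Cisco. It assumes the mask is read netmask-style, where a 1 bit means "this bit must match"; the sample source addresses are constructed, and whether a given firewall accepts a non-contiguous mask is not something the thread establishes.

```python
import ipaddress

FULL = 0xFFFFFFFF

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def is_contiguous(mask):
    """True if the mask is a run of 1 bits followed only by 0 bits."""
    inverted = ~to_int(mask) & FULL
    return (inverted & (inverted + 1)) == 0

def as_wildcard(mask):
    """Inverse (wildcard) form of the same mask: 1 bits are 'don't care'."""
    return str(ipaddress.IPv4Address(~to_int(mask) & FULL))

def match_count(mask):
    """How many source addresses one address/mask pair selects."""
    return 1 << (32 - bin(to_int(mask)).count("1"))

def matches(addr, base, mask):
    """Compare only the bit positions where the mask has a 1."""
    m = to_int(mask)
    return (to_int(addr) & m) == (to_int(base) & m)

def audit(sources, base, mask):
    """Split candidate source addresses into permitted and not permitted."""
    hit = [s for s in sources if matches(s, base, mask)]
    miss = [s for s in sources if s not in hit]
    return hit, miss

if __name__ == "__main__":
    base, mask = "10.0.1.10", "255.0.255.255"
    # Constructed sample sources: two sensors, plus near misses.
    sources = ["10.5.1.10", "10.200.1.10", "10.5.1.11", "10.5.2.10", "11.5.1.10"]
    hit, miss = audit(sources, base, mask)
    print("contiguous mask:", is_contiguous(mask))
    print("wildcard form:  ", as_wildcard(mask))
    print("addresses matched by the entry:", match_count(mask))
    print("permitted:", hit)
    print("not permitted:", miss)
```
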
09-17-2010 01:07 AM
Hi,
Was wondering if you managed to get the Auto Update working. If so, please do mark this thread as Answered.
Regards,
Prapanch
09-17-2010 05:23 AM
Well, yes and no. Enabling HTTP did not solve the issue, but if I permit ip they update, so I am not quite sure what other ports are needed. I will have to create a packet capture to find out.
09-17-2010 08:19 AM
Hmmm. That's interesting. What did the access-list look like when you configured it to allow HTTP alone? The captures will certainly help.
Regards,
Prapanch