Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
901
Views
2
Helpful
4
Replies

IPS - Disruption in service

Go to solution
Rodney Mothersbaugh
Level 1
Level 1

‎08-30-2012 06:58 AM - edited ‎03-10-2019 05:45 AM

Hey all thanks for reading my post.

Can someone either tell me or point me to a doc that tells me 100% for sure what upgrades in regards to the ips are disruptive. IE: Signatures, Engine, Software.

Thanks guys for all your help.

Rodney

Sent from Cisco Technical Support iPad App

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
sawgupta
Level 1
Level 1
In response to Rodney Mothersbaugh

‎08-31-2012 07:53 PM

IPS would enter in Bypass state when a signature update is happening. Bypass will get triggered during an upgrade as well.

http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_tech_note09186a0080bd008f.shtml#caveats

Regards,

Sawan Gupta

Thanks & Regards, Sawan Gupta

View solution in original post

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP

‎09-01-2012 01:24 AM

For Signature-Updates: (from the conf-guide, same link that turnera posted):

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_sensor_management.html#wp2016113

Signature Updates and Installation Time

There is a short period of time that traffic is not inspected while you are performing signature updates. However, traffic continues to flow if you have bypass enabled.

When a signature update adds or modifies signatures that contain regular expressions, the regular expression cache tables used by SensorApp have to be recompiled. The amount of recompile time varies by platform, number of signatures modified and/or added, and type of signatures modified and/or added.

If a signature update only adds one or two new signatures on a high-end platform, for example, IPS 4255 or IPS 4260, the recompile can be as fast as a few seconds.

The recompile takes several minutes and even up to a half hour under the following conditions:

When a signature update adds a large number of signatures, for example, when you are skipping several signature levels to install a newer one, for example, installing S258 on top of S240.

When a signature update modifies a large number of signatures, for example when a large number of older signatures is disabled and/or retired.

During the recompile, SensorApp stops monitoring packets. The interface driver detects this when the packet buffers begin filling up on the way to SensorApp and the driver stops receiving packets from SensorApp. If the sensor is in inline mode, the driver either turns on bypass if the bypass option is set to Auto, or brings down the interface links if bypass is set to Off.

Note Some packets can be dropped before the bypass setting begins operating. Once SensorApp completes the recompile of the regular expression cache files, SensorApp reconnects to the driver and begins monitoring again, and the driver begins passing packets to SensorApp for analysis, and if necessary, also brings the interface links back up.

And this is for all other updates:

Note The IDM and CLI connections are lost during the following updates: service pack, minor, major, and engineering patch. If you are applying one of these updates, the installer restarts the IPS applications. A reboot of the sensor is possible. You do not lose the connection when applying signature updates and you do not need to reboot the system.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

View solution in original post

0 Helpful
4 Replies 4

Go to solution
turnera
Level 1
Level 1

‎08-30-2012 08:06 AM

Rodney,

Your answer lies within the Cisco Intrusion Prevention System Device Manager Configuration Guide for your particular version of IPS.

Here is the link to version 7.0.

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idmguide7.html

Go to solution
Rodney Mothersbaugh
Level 1
Level 1
In response to turnera

‎08-31-2012 06:04 PM

Turnera,

Thanks for the info however i still dotn see anywhere that is states that it will be disruptive or it will not be disrutptive during a sugnature and or engine update. I did however see this which i already knew.

Major updates, minor updates, and service packs may force a restart of the IPS processes or even force a reboot of the sensor to complete installation.

Still unanswered. But again thanks for the help.

0 Helpful

Go to solution
sawgupta
Level 1
Level 1
In response to Rodney Mothersbaugh

‎08-31-2012 07:53 PM

IPS would enter in Bypass state when a signature update is happening. Bypass will get triggered during an upgrade as well.

http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_tech_note09186a0080bd008f.shtml#caveats

Regards,

Sawan Gupta

Thanks & Regards, Sawan Gupta
0 Helpful

Go to solution
Karsten Iwen
VIP
VIP

‎09-01-2012 01:24 AM

For Signature-Updates: (from the conf-guide, same link that turnera posted):

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_sensor_management.html#wp2016113

Signature Updates and Installation Time

There is a short period of time that traffic is not inspected while you are performing signature updates. However, traffic continues to flow if you have bypass enabled.

When a signature update adds or modifies signatures that contain regular expressions, the regular expression cache tables used by SensorApp have to be recompiled. The amount of recompile time varies by platform, number of signatures modified and/or added, and type of signatures modified and/or added.

If a signature update only adds one or two new signatures on a high-end platform, for example, IPS 4255 or IPS 4260, the recompile can be as fast as a few seconds.

The recompile takes several minutes and even up to a half hour under the following conditions:

When a signature update adds a large number of signatures, for example, when you are skipping several signature levels to install a newer one, for example, installing S258 on top of S240.

When a signature update modifies a large number of signatures, for example when a large number of older signatures is disabled and/or retired.

During the recompile, SensorApp stops monitoring packets. The interface driver detects this when the packet buffers begin filling up on the way to SensorApp and the driver stops receiving packets from SensorApp. If the sensor is in inline mode, the driver either turns on bypass if the bypass option is set to Auto, or brings down the interface links if bypass is set to Off.

Note Some packets can be dropped before the bypass setting begins operating. Once SensorApp completes the recompile of the regular expression cache files, SensorApp reconnects to the driver and begins monitoring again, and the driver begins passing packets to SensorApp for analysis, and if necessary, also brings the interface links back up.

And this is for all other updates:

Note The IDM and CLI connections are lost during the following updates: service pack, minor, major, and engineering patch. If you are applying one of these updates, the installer restarts the IPS applications. A reboot of the sensor is possible. You do not lose the connection when applying signature updates and you do not need to reboot the system.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card