
IPS update from CSM 4.3

Hi,

I am trying to download IPS updates from cisco.com using CSM (version 4.3) but it is not working. It was working fine all along until it stopped two days ago. I checked that the server can connect to the internet without any problems. I can use the same Cisco credentials for manual updates, and that also works perfectly.

I confirmed the settings on CSM; all are still intact. I reconfigured the details and still have the same issue. I am getting the following error:

"unable to communicate with locator service to retrive available files"

Note: I just used the same credentials on my lab IPS and set up auto update, and it worked fine.

Any idea what the problem might be?

Regards,

Accepted Solutions

There is a new workaround for CSCue16970, based on adding the required certificate to the CSM server.

1.) Manually download Cybertrust's CA certificate from https://www.cybertrust.ne.jp/SureServer/file/root_ca/BCTRoot.txt .

2.) Save this file as 'trusted.998.crt' in text format and ensure that no extra characters or new lines are added to the original content. Keep in mind that certain Web browsers may add HTML codes when saving text files, so be sure to edit them out.

3.) Exit/close any/all instances of CSM client applications (Configuration Manager, Event Viewer, Health and Performance Monitor, Report Manager, etc.)

4.) On the CSM server, stop the 'Cisco Security Manager Daemon Manager' service by issuing the following command: 'net stop CRMDmgtd'.

5.) On the CSM server, copy the 'trusted.998.crt' file to the 'CSCOpx\MDC\Apache\conf\ssl' directory.

6.) On the CSM server, start the 'Cisco Security Manager Daemon Manager' service by issuing the following command: 'net start CRMDmgtd'.
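
An added example, not part of the original post and not Cisco's own script: a PowerShell sketch of steps 2 and 4 to 6 that rejects a saved file containing HTML or stray text before it is installed. It assumes the downloaded BCTRoot.txt is a PEM-encoded certificate and uses the default 64-bit install path mentioned in this thread; the parameter names are hypothetical.

```powershell
# Added example (not Cisco's script). Run in an elevated PowerShell on the CSM server,
# after closing all CSM client applications (step 3).
param(
    [string]$CertFile = '.\trusted.998.crt',
    # Default 64-bit install root quoted in this thread; adjust for your server.
    [string]$CsmRoot  = 'C:\Program Files (x86)\CSCOpx'
)
$ErrorActionPreference = 'Stop'

# Step 2 check: the file must be one PEM block and nothing else (no HTML, no stray text).
# Assumption: the downloaded BCTRoot.txt is a PEM-encoded certificate.
$raw = [System.IO.File]::ReadAllText((Resolve-Path -LiteralPath $CertFile).Path)
$pem = '^\s*-----BEGIN CERTIFICATE-----(?<b64>[A-Za-z0-9+/=\s]+)-----END CERTIFICATE-----\s*$'
if (-not ($raw -match $pem)) {
    throw "$CertFile is not a single clean PEM certificate; check for HTML tags or extra text."
}

# Parse it so a truncated or corrupted body fails here, not inside the Daemon Manager.
$der  = [Convert]::FromBase64String(($Matches['b64'] -replace '\s', ''))
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)

# A root CA certificate is self-signed; warn if this one is not.
if ($cert.Subject -ne $cert.Issuer) { Write-Warning 'Subject and issuer differ: not a self-signed root.' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }

# This file becomes a trust anchor for CSM: compare the SHA-1 thumbprint with a value
# obtained from an independent trusted source before continuing.
$cert | Format-List Subject, Issuer, NotAfter, Thumbprint | Out-Host
if ((Read-Host 'Install this certificate? (y/n)') -ne 'y') { return }

# Steps 4-6: stop the Daemon Manager, copy the file, start the service again.
$dest = Join-Path $CsmRoot 'MDC\Apache\conf\ssl\trusted.998.crt'
net stop CRMDmgtd
if ($LASTEXITCODE -ne 0) { throw 'net stop CRMDmgtd failed.' }
Copy-Item -LiteralPath $CertFile -Destination $dest
net start CRMDmgtd
if ($LASTEXITCODE -ne 0) { throw 'net start CRMDmgtd failed.' }
```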


8 Replies

sdata
Level 1

Have the same problem

mronayne
Level 1

This might be CSCue16970 CSM: IPS Updates from Cisco.com Fail Due to Lack of Cybertrust Root Cert

You could check if your Apache Tomcat log file at CSCOpx\MDC\tomcat\logs\stdout.log contains entries similar to the following:

"AutoDownloadJob:: get available files.....
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
     at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(Unknown Source)"


If so, you could try the workaround associated with the defect
1.) Manually download the desired IPS signature update package file(s) from:
http://software.cisco.com/portal/pub/download/portal/select.html?&mdfid=280033778&softwareid=282773979

2.) Save or copy the file(s) into the CSCOpx\MDC\ips\updates directory. Default installation drive letters and paths are:
32-bit Operating Systems:
C:\Program Files\CSCOpx\MDC\ips\updates
64-bit Operating Systems:
C:\Program Files (x86)\CSCOpx\MDC\ips\updates

3.) From the CSM Configuration Manager (client application) > Tools menu > Security Manager Administration... > IPS Updates section, click the Refresh button.
4.) Deploy the package as desired (per normal).

Thanks! The workaround works just fine.

The description of CSCue16970 at this moment is not available: it is under review.

Ross Phillips
Level 1

Hi there, I had the same problem.

This is due to CSM going to www.cisco.com for its updates, where everything else goes to cisco.com.

If your server is going direct for updates, then add the following into the host file:

72.163.4.161     www.cisco.com

If using a proxy and you're able, then add that entry to the proxy's host file.

I'm back online now with no problems.

Hi, I tried updating the host file but no luck. However, I did follow the workaround at the link below; now the certificate error seems to be sorted, as I don't see it anymore, but I am getting the following error

(Fatal, Description: Handshake Failure) when tracing with Wireshark.

https://www.cisco.com/cisco/psn/bssprt/bss?searchType=bstbugidsearch&page=bstBugDetail&BugID=CSCue16970

Sorry, my bad. The certificate had some HTML code added. Now resolved. The following workaround worked perfectly.

https://www.cisco.com/cisco/psn/bssprt/bss?searchType=bstbugidsearch&page=bstBugDetail&BugID=CSCue16970

I installed 4.3 SP2; in this release the IPS Update function should work.

I have the cert trusted.998.crt installed in 'CSCOpx\MDC\Apache\conf\ssl'.

But I still get this error when I try to Check for Updates via CSM:

Auto download log:

Trying to get available files on server ......

Unable to communicate with locator service to retrieve available files.