01-17-2013 11:51 PM - edited 03-10-2019 05:52 AM
Hi,
I am trying to download IPS updates from cisco.com using CSM (version 4.3) but it is not working. It was working fine all along until it stopped two days ago. I checked that the server can connect to the internet without any problems. I can use the same Cisco credentials for manual updates and that also works perfectly.
Confirmed the settings on CSM, all still intact. Reconfigured the details and still the same issue. I am getting the following error:
"unable to communicate with locator service to retrive available files"
Note: I just used the same credentials on my LAB IPS and set up auto update, and it worked fine.
Any idea what the problem might be?
Regards,
01-21-2013 02:53 AM
Have the same problem
01-22-2013 02:25 AM
This might be CSCue16970 CSM: IPS Updates from Cisco.com Fail Due to Lack of Cybertrust Root Cert
You could check if your Apache Tomcat log file at
CSCOpx\MDC\tomcat\logs\stdout.log contains entries similar to the following:
"AutoDownloadJob:: get available files..... javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(Unknown Source)"
If so, you could try the workaround associated with the defect:
1.) Manually download the desired IPS signature update package file(s) from: http://software.cisco.com/portal/pub/download/portal/select.html?&mdfid=280033778&softwareid=282773979
2.) Save or copy the file(s) into the CSCOpx\MDC\ips\updates directory. Default installation drive letters and paths are:
32-bit Operating Systems: C:\Program Files\CSCOpx\MDC\ips\updates
64-bit Operating Systems: C:\Program Files (x86)\CSCOpx\MDC\ips\updates
3.) From the CSM Configuration Manager (client application) > Tools menu > Security Manager Administration... > IPS Updates section, click the Refresh button.
4.) Deploy the package as desired (per normal).
01-22-2013 11:43 PM
Thanks! The workaround works just fine.
The description of CSCue16970 at this moment is not available: it is under review.
01-25-2013 02:44 AM
There is a new workaround for CSCue16970, based on adding the required certificate to the CSM server.
1.) Manually download Cybertrust's CA certificate from https://www.cybertrust.ne.jp/SureServer/file/root_ca/BCTRoot.txt .
2.) Save this file as 'trusted.998.crt' in text format and ensure that no extra characters or new lines are added to the original content. Keep in mind that certain Web browsers may add HTML codes when saving text files, so be sure to edit them out.
3.) Exit/close any/all instances of CSM client applications (Configuration Manager, Event Viewer, Health and Performance Monitor, Report Manager, etc.)
4.) On the CSM server, stop the 'Cisco Security Manager Daemon Manager' service by issuing the following command: 'net stop CRMDmgtd'.
5.) On the CSM server, copy the 'trusted.998.crt' file to the 'CSCOpx\MDC\Apache\conf\ssl' directory.
6.) On the CSM server, start the 'Cisco Security Manager Daemon Manager' service by issuing the following command: 'net start CRMDmgtd'.
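A check that can be run on the saved file between steps 2 and 4, catching the stray-HTML problem that step 2 warns about. This is an added example, not part of the original post and not Cisco tooling; it assumes the file is PEM-encoded, and the function name `Test-CaCertFile` and the thumbprint placeholder are hypothetical.

```powershell
# Added example: sanity-check a saved CA file before copying it into
# CSCOpx\MDC\Apache\conf\ssl. Assumes a PEM-encoded certificate.
function Test-CaCertFile {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string]$ExpectedThumbprint  # placeholder: obtain from the CA out of band
    )
    $problems = @()
    $text = [System.IO.File]::ReadAllText((Resolve-Path $Path).ProviderPath)

    # A page saved as HTML leaves tags or entities in the file.
    if ($text -match '<[A-Za-z!/][^>]*>|&[A-Za-z#0-9]+;') {
        $problems += 'file contains HTML markup'
    }
    # Exactly one PEM block, with nothing but whitespace around it.
    $pem = '-----BEGIN CERTIFICATE-----([A-Za-z0-9+/=\s]+)-----END CERTIFICATE-----'
    $blocks = [regex]::Matches($text, $pem)
    if ($blocks.Count -ne 1) {
        $problems += "expected 1 PEM block, found $($blocks.Count)"
    } elseif ($text.Remove($blocks[0].Index, $blocks[0].Length).Trim().Length -gt 0) {
        $problems += 'extra characters outside the PEM block'
    }

    $cert = $null
    if ($blocks.Count -ge 1) {
        try {
            # Decode the base64 body and let .NET parse the DER certificate.
            $der  = [Convert]::FromBase64String(($blocks[0].Groups[1].Value -replace '\s', ''))
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
            # A root CA certificate is self-issued: subject equals issuer.
            if ($cert.Subject -ne $cert.Issuer) { $problems += 'subject differs from issuer (not a root)' }
            if ($cert.NotAfter -lt (Get-Date))  { $problems += "expired on $($cert.NotAfter)" }
            $want = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '')
            if ($want -and $cert.Thumbprint -ne $want) {
                $problems += 'thumbprint does not match the expected value'
            }
        } catch {
            $problems += "certificate does not parse: $($_.Exception.Message)"
        }
    }
    New-Object PSObject -Property @{
        Subject    = $(if ($cert) { $cert.Subject })
        Thumbprint = $(if ($cert) { $cert.Thumbprint })
        Problems   = $problems
        Ok         = ($problems.Count -eq 0)
    }
}
```

Run it as `Test-CaCertFile -Path .\trusted.998.crt` and stop the Daemon Manager service only when `Ok` is true; pass `-ExpectedThumbprint` when the CA's published fingerprint is available from a separate channel.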
01-23-2013 11:52 AM
Hi there, I had the same problem.
This is due to CSM going to www.cisco.com for its updates where everything else goes to cisco.com.
If your server is going direct for updates then add the following into the host file:
72.163.4.161 www.cisco.com
If using a proxy and you're able, then add that entry to the proxy's host file.
I'm back online now with no problems.
01-25-2013 02:13 AM
Hi, I tried updating the host file but no luck. However, I did follow the workaround as on the link below; now the certificate error seems to be sorted as I don't see that anymore, but I am getting the following error
(Fatal, Description: Handshake Failure) when tracing with Wireshark.
01-25-2013 02:42 AM
Sorry, my bad. The certificate had some HTML code added. Now resolved. The following workaround worked perfectly.
05-23-2013 01:30 AM
I installed 4.3 SP2; in this release the IPS Update function should work.
I have the cert trusted.998.crt installed in 'CSCOpx\MDC\Apache\conf\ssl'.
But I still get this error when I try to Check for Updates via CSM:
Auto download log:
Trying to get available files on server ......
Unable to communicate with locator service to retrieve available files.