11-17-2010 12:40 AM - edited 03-10-2019 05:10 AM
Hi!
Autoupdate feature is not working on ASA-SSM-20 module.
We have configured:
https://www.cisco.com//cgi-bin/front.x/ida/locator/locator.pl
And/Or:
https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
And/Or:
https://www.cisco.com/cgi-bin/front.x/ida/locator/locator.pl
And/Or:
https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
We get these errors on the ASA-SSM-20 module:
evError: eventId=1280563964539644086 vendor=Cisco severity=error
originator:
hostId: sensor1
appName: mainApp
appInstanceId: 356
time: nov 17, 2010 08:15:45 UTC offset=60 timeZone=GMT+01:00
errorMessage: AutoUpdate exception: Receive HTTP response failed [3,212] name=errSystemError
evError: eventId=1280563964539644079 vendor=Cisco severity=error
originator:
hostId: sensor1
appName: mainApp
appInstanceId: 356
time: nov 17, 2010 08:10:02 UTC offset=60 timeZone=GMT+01:00
errorMessage: http error response: 400 name=errSystemError
Any Ideas?
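Added example (not part of the original post and not Cisco tooling): a small Python parser for the evError text quoted above. It separates events where the update server returned an HTTP status, meaning the request reached a web server, from events where no usable response came back. The function names and triage labels are hypothetical.

```python
import re

# The two events copied from the post above (indentation was already lost on the page).
SAMPLE = """\
evError: eventId=1280563964539644086 vendor=Cisco severity=error
originator:
hostId: sensor1
appName: mainApp
appInstanceId: 356
time: nov 17, 2010 08:15:45 UTC offset=60 timeZone=GMT+01:00
errorMessage: AutoUpdate exception: Receive HTTP response failed [3,212] name=errSystemError
evError: eventId=1280563964539644079 vendor=Cisco severity=error
originator:
hostId: sensor1
appName: mainApp
appInstanceId: 356
time: nov 17, 2010 08:10:02 UTC offset=60 timeZone=GMT+01:00
errorMessage: http error response: 400 name=errSystemError
"""

def parse_events(text):
    """Start a new event at each 'evError:' header, then collect 'key: value' lines."""
    events = []
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if key == "evError":
            # The header carries space-separated key=value attributes.
            events.append(dict(kv.split("=", 1) for kv in value.split() if "=" in kv))
        elif events and key and value:
            events[-1][key] = value  # section lines such as 'originator:' have no value
    return events

def classify(event):
    """Hypothetical triage labels (assumption of this example, not Cisco terminology)."""
    msg = event.get("errorMessage", "")
    status = re.search(r"http error response: (\d{3})", msg)
    if status:
        return "server-replied-" + status.group(1)
    if "Receive HTTP response failed" in msg:
        return "no-usable-response"
    return "other"

def triage(text):
    """Return (eventId, local timestamp, label) for every event in the text."""
    return [(e["eventId"], e.get("time", "")[:21], classify(e)) for e in parse_events(text)]
```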
11-17-2010 12:46 AM
How is your ASA SSM module connected? The port on the module needs to be connected to your network, and that needs to have Internet connectivity. You would need to check that the ip address/subnet assigned for your module is NATed on the ASA (if the ASA is the default gateway to the Internet), and if you have any access-list that would also need to allow the traffic.
The correct auto update URL is:
https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
(i.e. the second and fourth URL you posted earlier).
11-17-2010 12:54 AM
Hi! The module is connected and has network connectivity. They have an external NTP server configured and this is working fine. The ASA has a rule to allow http/https/ntp connectivity and the ASA reflects connections; also, Global Correlation is working OK (update-manifest.ironport.com)... but if I connect directly to the IPS via SSH and try to ping and/or trace to any external IP network (internet), there is no response.
But if I sniff with Wireshark on the internal and external interfaces of the ASA, I see traffic flowing between the IPS and the 198.133.219.25 server. Here's a snapshot of Wireshark.
11-17-2010 01:50 AM
What is the version of the SSM module, and also what is the current signature pack? I am assuming that your SSM module license has not expired yet.
11-17-2010 01:56 AM
Product ID: ASA-SSM-20
Version: 7.0(4)E4 (650 days)
License Expiration Date: 29/08/2012
Actual Signature Version on ASA-SSM-20: S530 (updated via manual download to a PC and manual upload to ASA-SSM-20 via IME option)
Actual Signature Version Release: S531
11-17-2010 02:59 AM
Well, the license has expired (expired: 29/08/2010), that is why auto update does not work anymore. You would need to purchase the subscription license to be able to update the signature pack to the latest.
11-17-2010 03:03 AM
Sorry, I made a mistake typing the date
29/08/2012
11-17-2010 03:28 AM
Was the auto update feature working previously?
Can you also confirm that the CCO account that you use works fine by going to www.cisco.com and trying to download the signature pack manually?
Can you also check that the time on the IPS itself is correct (I understand that you sync it to an NTP server), but just want to double check if it does sync correctly and the time is correct on the IPS itself, and it's in the correct timezone, and the auto update schedule time is set to the same timezone.
11-17-2010 03:39 AM
1. No, autoupdate feature never worked .... we have tried several times, and we are trying to make it work now again.
2. CCO account is working fine, we are using it to manually download signatures from:
3. Yes, time on both IPS (we have two of them) is correct and synchronized with NTP server: 150.214.94.5. Timezone is the same on the Sensor Setup->Time configuration tab and the same is set on the Autoupdate Schedule time (GMT+1)
11-17-2010 04:03 AM
There is currently an open issue with automatic IPS updates on some platforms. Work is being performed internally to correct the issue.
For the current time you will need to manually apply signature updates.
Scott
11-17-2010 04:08 AM
Ok. If you/they need something, like Wireshark captures, or to run some test or something else, please let me know.
Thank you all!!!!!
11-17-2010 09:10 AM
Scott Fringer
Is there a problem with the website or the platform?
Are appliances 42xx affected?
My 4260 is showing the same symptoms, my auto update was working before. While my 4260 isn't working my MARS is flying on the updates.
I'd posted on this:
11-17-2010 09:14 AM
Rodrigo;
The issue is affecting specific platforms (the 4200 series appliances are affected).
Efforts are still underway to correct the issue. Until that time you can manually update the IPS signatures, or await word that the issue has been addressed.
Scott
11-17-2010 11:20 AM
Is there a Bug ID?
11-17-2010 11:23 AM
Rodrigo;
There is not a bug ID as the issue is not with the IPS software/hardware itself. The IPS software is functioning as designed.
Scott