
No AutoUpdate feature working on ASA-SSM-20

ConfederacionHJ
Level 1

Hi!

Autoupdate feature is not working on ASA-SSM-20 module.

We have configured:

https://www.cisco.com//cgi-bin/front.x/ida/locator/locator.pl

And/Or:

https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl

And/Or:

https://www.cisco.com/cgi-bin/front.x/ida/locator/locator.pl

And/Or:

https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl

We get these errors on the ASA-SSM-20 module:

evError: eventId=1280563964539644086  vendor=Cisco  severity=error 
  originator:  
    hostId: sensor1 
    appName: mainApp 
    appInstanceId: 356 
  time: nov 17, 2010 08:15:45 UTC  offset=60  timeZone=GMT+01:00 
  errorMessage: AutoUpdate exception: Receive HTTP response failed [3,212]  name=errSystemError

evError: eventId=1280563964539644079  vendor=Cisco  severity=error 
  originator:  
    hostId: sensor1 
    appName: mainApp 
    appInstanceId: 356 
  time: nov 17, 2010 08:10:02 UTC  offset=60  timeZone=GMT+01:00 
  errorMessage: http error response: 400  name=errSystemError

Any Ideas?


Jennifer Halim
Cisco Employee

How is your ASA SSM module connected? The port on the module needs to be connected to your network, and that needs to have Internet connectivity. You would need to check that the ip address/subnet assigned for your module is NATed on the ASA (if the ASA is the default gateway to the Internet), and if you have any access-list that would also need to allow the traffic.

The correct auto update URL is:

https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl


(i.e., the second and fourth URLs you posted earlier).

Hi! The module is connected and has network connectivity. It has an external NTP server configured and this is working fine. The ASA has a rule to allow http/https/ntp connectivity and the ASA reflects connections; Global Correlation is also working OK (update-manifest.ironport.com) ... but ... if I connect directly to the IPS via SSH and try to ping and/or trace to any external IP network (internet), there is no response.

But if I sniff with Wireshark on the internal and external interfaces of the ASA, I see traffic flowing between the IPS and the 198.133.219.25 server. Here's a snapshot of Wireshark

What is the version of the SSM module, and also what is the current signature pack? I am assuming that your SSM module license has not expired yet.

Product ID: ASA-SSM-20

Version: 7.0(4)E4 (650 days)

License Expiration Date: 29/08/2012

Actual Signature Version on ASA-SSM-20: S530 (updated via manual download to a PC and manual upload to ASA-SSM-20 via IME option)

Actual Signature Version Release: S531

Jennifer Halim
Cisco Employee

Well, the license has expired (expired: 29/08/2010), that is why auto update does not work anymore. You would need to purchase the subscription license to be able to update the signature pack to the latest.

Sorry, I made a mistake typing the date

29/08/2012

Was the auto update feature working previously?


Can you also confirm that the CCO account that you use works fine by going to www.cisco.com and trying to download the signature pack manually.

Can you also check that the time on the IPS itself is correct (I understand that you sync it to an NTP server), but just want to double check if it does sync correctly and the time is correct on the IPS itself, and it's in the correct timezone, and the auto update schedule time is set to the same timezone.

1. No, the autoupdate feature never worked ... we have tried several times, and we are trying to make it work again now.

2. The CCO account is working fine; we are using it to manually download signatures from:

http://www.cisco.com/cisco/pub/software/portal/select.html?&mdfid=282671829&flowid=4417&softwareid=282549755

3. Yes, the time on both IPS (we have two of them) is correct and synchronized with NTP server 150.214.94.5. The timezone is the same on the Sensor Setup->Time configuration tab and the same is set on the Autoupdate Schedule time (GMT+1)


There is currently an open issue with automatic IPS updates on some platforms.  Work is being performed internally to correct the issue.

For the current time you will need to manually apply signature updates.

Scott

Ok. If you/they need something, like Wireshark captures, or to run some test or something else, please let me know.

Thank you all!!!!!

Scott Fringer

Is there a problem with the website or the platform?

Are 42xx appliances affected?

My 4260 is showing the same symptoms, my auto update was working before. While my 4260 isn't working my MARS is flying on the updates.

I'd posted on this:

https://supportforums.cisco.com/message/3228033#3228033

Scott Fringer
Cisco Employee

Rodrigo;

  The issue is affecting specific platforms (the 4200 series appliances are affected).

  Efforts are still underway to correct the issue.  Until that time you can manually update the IPS signatures, or await word that the issue has been addressed.

Scott

Is there a Bug ID?

Rodrigo;

  There is not a bug ID as the issue is not with the IPS software/hardware itself.  The IPS software is functioning as designed.

Scott
