Signature auto update from Cisco.com - again

marco
Level 1

Hello,

Another auto update problem with Cisco.com...

We're using an ASA-SSM-10 with OS 6.2(1)E3.

We've discovered that the update is no longer working; we don't know precisely when it stopped working.

What we know for sure is that nothing in the topology has changed, and some time ago it worked.

Attached, the "sh statistics host" output.

These are the URLs we tried, and the update results for each of them:

>https://198.133.219.25/cgi-bin/front.x/ida/locator/locator.pl

Auto Update Statistics

lastDirectoryReadAttempt = 12:00:01 UTC Mon Apr 06 2009

= Read directory: https://198.133.219.25/cgi-bin/front.x/ida/locator/locator.pl

= Error: http error response: 400

lastDownloadAttempt = N/A

lastInstallAttempt = N/A

nextAttempt = 13:00:00 UTC Mon Apr 06 2009

>https://198.133.219.25/cgi-bin/ida/locator/locator.pl

Auto Update Statistics

lastDirectoryReadAttempt = 14:00:03 UTC Mon Apr 06 2009

= Read directory: https://198.133.219.25/cgi-bin/ida/locator/locator.pl

= Error: http error response: 400

lastDownloadAttempt = N/A

lastInstallAttempt = N/A

nextAttempt = 15:00:00 UTC Mon Apr 06 2009

>https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl

Auto Update Statistics

lastDirectoryReadAttempt = 13:00:35 UTC Mon Apr 06 2009

= Read directory: https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl

= Error: AutoUpdate exception: Receive HTTP response failed [3,212]

lastDownloadAttempt = N/A

lastInstallAttempt = N/A

nextAttempt = 14:00:00 UTC Mon Apr 06 2009

Any idea?

Thanks a lot.

Marco.

Accepted Solutions

marcabal
Cisco Employee

Set the URL back to the default.

The download URL has not changed.

Try setting the download time to be something like 13 minutes after the hour (00:13).

The majority of sensors are using the default download time exactly on the hour (00:00). Since most sensors are running NTP, this means the majority of the sensors worldwide are all trying to get to cisco.com at the same time.

We think that there might be connection problems to cisco.com when this happens. By setting it several minutes after the hour, it will be less likely to see congestion at cisco.com and less likely to have connection issues.

Also try connecting from your own desktop to cisco.com and using the same username and password your sensor is configured to use. Ensure that this username is still able to download IPS files from cisco.com.

You want to ensure that permissions for your username on cisco.com have not changed.

I am not positive that any of the above will solve your problem, but they are worth a try to eliminate some of the easy things.
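
An added example, not part of the original thread and not Cisco tooling: a Python check that parses an "Auto Update Statistics" block in the layout quoted in the question and flags a failed directory read, a missing signature install, and a next attempt scheduled exactly on the hour, which the answer above suggests moving. The sample text is constructed from the output shown in the thread, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample mirroring the "Auto Update Statistics" layout quoted in the thread.
SAMPLE = """\
Auto Update Statistics
lastDirectoryReadAttempt = 12:00:01 UTC Mon Apr 06 2009
= Read directory: https://198.133.219.25/cgi-bin/front.x/ida/locator/locator.pl
= Error: http error response: 400
lastDownloadAttempt = N/A
lastInstallAttempt = N/A
nextAttempt = 13:00:00 UTC Mon Apr 06 2009
"""

# Timestamp layout as it appears in the thread, e.g. "13:00:00 UTC Mon Apr 06 2009".
TS_FORMAT = "%H:%M:%S UTC %a %b %d %Y"


def parse_auto_update(text):
    """Return (fields, errors): 'name = value' pairs and the '= Error:' details."""
    fields, errors = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("= Error:"):
            errors.append(line[len("= Error:"):].strip())
        elif m := re.match(r"^(\w+)\s*=\s*(.+)$", line):
            fields[m.group(1)] = m.group(2)
    return fields, errors


def findings(text):
    """List the conditions an operator would want an alert on."""
    fields, errors = parse_auto_update(text)
    out = [f"directory read failed: {e}" for e in errors]
    # "N/A" means the sensor has no install on record since statistics were reset.
    if fields.get("lastInstallAttempt", "N/A") == "N/A":
        out.append("no signature install recorded")
    nxt = fields.get("nextAttempt", "N/A")
    if nxt != "N/A" and datetime.strptime(nxt, TS_FORMAT).minute == 0:
        out.append("next attempt is exactly on the hour; consider an offset such as :13")
    return out


if __name__ == "__main__":
    for item in findings(SAMPLE):
        print(item)
```
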


6 Replies

Hello,

It worked.

Thanks a lot for your precious support.

Marco.

What exactly did you do to solve the problem? I'm having the same issue.

Hi,

Sorry to hijack this thread, but what are the actual servers/IPs the IPS system contacts AFTER it calls Cisco? We see the call out to Cisco, then it tried three other hosts right after, and their IPs change. I assume these are some sort of local Akamai proxies for the update files?

Anyway, since the IPs change, we cannot allow these through the firewall.

Thanks

LOUIS BOUCHARD
Level 1

I have the same problem.

Could someone please clarify the correct configuration for IPS auto update to cisco.com?

Hello all,

This issue has been resolved. Please set your sensors' Auto Update URL to the default and allow the update to run again. Let us know if you continue to experience issues.

Thank you,

Blayne Dreier

Cisco TAC Escalation Team

**Please check out our Podcasts**

TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast

TAC IPS Media Series: https://supportforums.cisco.com/community/netpro/security/intrusion-prevention?view=tags&tags=tac_ips_media_series
