04-07-2009 05:58 AM - edited 03-10-2019 04:35 AM
Hello,
Another auto update problem with Cisco.com...
We're using a ASA-SSM-10 with OS 6.2(1)E3.
We've discovered that the update is no longer working; we doesn't know precisely when it stopped to work.
What we know for sure, is that nothing in the topology is changed, and some time ago it worked.
Attached, the "sh statistics host" output.
These are the URL we tried, and the update results for each of them:
>https://198.133.219.25/cgi-bin/front.x/ida/locator/locator.pl
Auto Update Statistics
lastDirectoryReadAttempt = 12:00:01 UTC Mon Apr 06 2009
= Read directory: https://198.133.219.25/cgi-bin/front.x/ida/locator/locator.pl
= Error: http error response: 400
lastDownloadAttempt = N/A
lastInstallAttempt = N/A
nextAttempt = 13:00:00 UTC Mon Apr 06 2009
>https://198.133.219.25/cgi-bin/ida/locator/locator.pl
Auto Update Statistics
lastDirectoryReadAttempt = 14:00:03 UTC Mon Apr 06 2009
= Read directory: https://198.133.219.25/cgi-bin/ida/locator/locator.pl
= Error: http error response: 400
lastDownloadAttempt = N/A
lastInstallAttempt = N/A
nextAttempt = 15:00:00 UTC Mon Apr 06 2009
>https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
Auto Update Statistics
lastDirectoryReadAttempt = 13:00:35 UTC Mon Apr 06 2009
= Read directory: https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
= Error: AutoUpdate exception: Receive HTTP response failed [3,212]
lastDownloadAttempt = N/A
lastInstallAttempt = N/A
nextAttempt = 14:00:00 UTC Mon Apr 06 2009
Any idea?
Thanks a lot.
Marco.
Solved! Go to Solution.
04-07-2009 06:13 AM
Set the URL back to the default.
The download URL has not changed.
Try setting the download time to be something like 13 minutes after the hour 00:13.
The majority of sensors are using the default download time exectly on the hour 00:00. Since most sensors are running NTP, this means the majority of the sensors world wide are all trying to get to cisco.com at the same time.
We think that there might be connection problems to cisco.com when this happens. Bu setting it several minutes after the hour it will be less likely to see congestion at cisco.com and less likely to have connection issues.
Also try connecting from your own desktop to cisco.com and using the same username and password your sensor is configured to use. Ensure that this username is still able to download IPS files from cisco.com.
You want to ensure that permissions for your username on cisco.com have not changed.
I am not positive that any of the above will solve your problem, but they are worth a try to eliminate some of the easy things.
04-07-2009 06:13 AM
Set the URL back to the default.
The download URL has not changed.
Try setting the download time to be something like 13 minutes after the hour 00:13.
The majority of sensors are using the default download time exectly on the hour 00:00. Since most sensors are running NTP, this means the majority of the sensors world wide are all trying to get to cisco.com at the same time.
We think that there might be connection problems to cisco.com when this happens. Bu setting it several minutes after the hour it will be less likely to see congestion at cisco.com and less likely to have connection issues.
Also try connecting from your own desktop to cisco.com and using the same username and password your sensor is configured to use. Ensure that this username is still able to download IPS files from cisco.com.
You want to ensure that permissions for your username on cisco.com have not changed.
I am not positive that any of the above will solve your problem, but they are worth a try to eliminate some of the easy things.
04-07-2009 06:24 AM
Hello,
It worked.
Thanks a lot for your precios support.
Marco.
11-17-2010 08:40 AM
What exactly did you do to solve the problem ? I'm having the same issue
09-14-2009 01:38 PM
Hi,
Sorry to hijack this thread, but what are the actual Servers/IP's the IPS system contacts AFTER it calls Cisco? We see the call out to Cisco then it tried three other hosts right after and their IP's change. I assume these are some sort of local Akamai proxies for the update files?
Anyway since the IP's change we cannot allow these through the firewall.
Thanks
09-09-2009 10:44 AM
I have same problem.
could someone please clarify the correct configuration for IPS auto update to cisco.com?
11-18-2010 08:48 PM
Hello all,
This issue has been resolved. Please set your sensors' Auto Update URL to the default and allow the update to run again. Let us know if you continue to experience issues.
Thank you,
Blayne Dreier
Cisco TAC Escalation Team
**Please check out our Podcasts**
TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast
TAC IPS Media Series: https://supportforums.cisco.com/community/netpro/security/intrusion-prevention?view=tags&tags=tac_ips_media_series
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide