Due to a bug in IPS software versions prior to 7.0.6, it is not advised to apply signature updates past S601 without having upgraded to 7.0.6 first. This issue is being tracked as CSCtn23051. If a customer has applied S601 without problems, there is no issue beyond having to upgrade to 7.0.6 to apply updates S602 and later. If you have not applied S601 yet, it is advised to upgrade to 7.0.6 before applying update S602 and later.
Thank you for your patience and understanding in this matter.
Cisco IPS Signature Team
One thing I have noticed in this thread is the only help being provided is from the community. NICKSMI seems to be the only Cisco representative responding to this thread and his comments make it sound like it is our fault for not running the latest update. But nowhere in the release notes of S601 does it say it only supports 7.0.5 and above. After a couple of days of this you would think that someone within Cisco would be able to supply some answers besides upgrade to 7.0.6. Some of us cannot because the S601 update screwed up the systems that bad. It would be nice just to hear Cisco admit that they screwed up on this one but here is what you can do to recover. Come on and man up.
I had to open a TAC case because one of our AIP-SSM’s license files was corrupted. The other three AIP-SSMs I was able to fix, and one of the suggestions was to use the session command from the firewall, which saved me a trip out to a remote site to do a reboot manually (like unplug the unit from the FW). Someone posted a note about resetting the IPS 4250 appliances from the console port, which would be a good idea to try if you haven’t done so already.
All in all this issue cost me a couple of days of productive work. And I agree that the guys from Cisco on this page pretty much came across as blaming us as end users for not upgrading to the latest code. I mean we were a couple of revs back on 7.02 (e4) still in the same train of code; so I thought those comments were completely inappropriate especially since there was no prior warning or major service bulletin on the security bulletin that is emailed out; like the one I just received on S603 a few minutes ago. In other words, that is how you need to warn customers about major code bugs like this … that guy was acting like a corporate parrot, puppet and tool for blaming the customers. I know he pissed off a lot of customers.
Thank you very much for your comments. It seems that IPS 4240 is the only device that is having a problem, at least in my case. One sleepless night and tomorrow I'll open the case. For me the whole week is strange so I'm in kind of a 'just think positive' mantra but I can understand the frustration of many of you.
I am currently running IDSM-2 on version 7.0 (5a)E4. Fortunately, I did not run S601, but did run S600 and S602. However, I have noticed that my sensor health dashboard is showing as critical. The event retrieval is no longer working even though it is enabled. As a check, I am supposed to run event monitoring and reports daily. At the moment, I cannot carry out this function anymore. Is this issue connected to this ongoing post-S600 signature updates issue (even though I did not install S601)? What can I do to begin receiving these event logs?
Hi. I had this same thing happen to my systems (AIP-SSMs). It required upgrading the code to 7.06 E4, and in one case (one AIP-SSM) I had to open a TAC case because the licensing file was corrupted by S601.
Hope this helps you plan a course of action.
Network Administrator SSS III
California Department of Education
1430 N St.
Sacramento, CA 95814