Signature updates and CSM error message

liamwalk1971
Level 1

Hi,

I have started getting the following error message in CSM when pushing signature updates to our 4200 series and IDSM-II blades:

Could not get device version after pushing down sensor update package to device

The actual signature updates work fine, but just wondering if I can get rid of this error message.  Any ideas?

Many thanks

10 Replies

Jonathan Grant
Level 1

Mr Walker,

I received that error quite a bit myself working with the IPS modules and here is how I usually approach it.  I have found that sometimes the sensor locks up after the upgrade; in which case, the sensor needs to be rebooted.  Most times however, I can redeploy the signature and then CSM will determine the signature is already applied and state the update is not required or I also found that I can Discover the Policy Inventory and deploy it and that syncs everything back up.  Hope this helps.

Jonathan

Hi Jonathan - thanks for the reply....

The signature upgrade actually works and I have not had any issues with sensors locking up - I just get the message about not being able to obtain version details.

Dustin Ralich
Cisco Employee

That sounds like a timeout message following a signature definition update deployment. I.e. after CSM deploys the signature update package to your managed sensor device(s), it attempts to check in with the device (following the installation of the update) to retrieve the live version information (to confirm that the update completed successfully). Example:

  1. CSM begins deployment of signature definition update to sensor device.
  2. Sensor receives update package, begins installation.
  3. CSM checks in with sensor for status update; if sensor is still busy with update installation, this times out.
  4. Eventually the repeated timeouts result in the message encountered.

If you can post the entire deployment log text for review, we may be able to confirm that.

Hi Dustin,

Here is the deployment log for one of the devices:

Device version before update is: 7.0(2)E4S581.0

Going to send the following package(s) to sensor: IPS-CS-MGR-sig-S583-req-E4.zip,

Processing package file: IPS-CS-MGR-sig-S583-req-E4.zip

Package is ready for update

Checking analysis engine status from device XXXXXX

Analysis engine is up running and device is ready to take updates

Pushing package: IPS-sig-S583-req-E4.pkg to device

Device did not respond to pushUpgrade command from CSM. It may have been upgraded. Will query to find out

Device not ready, retry getVersion in 30000 milliseconds. (1/16)

Device not ready, retry getVersion in 30000 milliseconds. (2/16)

Device not ready, retry getVersion in 30000 milliseconds. (3/16)

Device not ready, retry getVersion in 30000 milliseconds. (4/16)

Device not ready, retry getVersion in 30000 milliseconds. (5/16)

Error when trying to update: Could not get device version after pushing down sensor update package to device: XXXXXX. Please access the device using Command Line Interface, and check if it is working properly

Hi Liam.

What is the full version of CSM in-use? (You can determine this from the CSM client application > Help menu > About Security Manager...)

And, you're sure that after this behavior is encountered, the affected sensors actually do appear to have taken and installed the update, but were not rebooted? I.e. their 'show version' output's Sensor uptime value is still incrementing (and not recently reset) but their Signature Update value shows the newly-deployed version?

There are quite a few now-known defects present in the IPS 7.0(2)E4 software that can cause the sensor to experience failures during signature definition update attempts. Given the sheer number of fixes made post-7.0(2)E4, the first thing to do would be upgrade the affected sensors to 7.0(5a)E4, then re-test to see if the issue still occurs.

I have started getting the following error message in CSM when pushing signature updates to our 4200 series and IDSM-II blades

Could you let us know specifically what models of the 4200-series platform?
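
Added example (not part of any post in this thread, and not Cisco code): a small Python triage helper for the deployment log format posted above, which separates "update applied but CSM could not confirm it" from "update not applied". The function names are hypothetical, the log lines are copied from the thread, and the version string passed to `triage` is assumed to be read from the sensor by the operator in the same format the log prints.

```python
import re

# Deployment log lines copied from the log posted earlier in this thread.
SAMPLE_LOG = """\
Device version before update is: 7.0(2)E4S581.0
Pushing package: IPS-sig-S583-req-E4.pkg to device
Device did not respond to pushUpgrade command from CSM. It may have been upgraded. Will query to find out
Device not ready, retry getVersion in 30000 milliseconds. (1/16)
Device not ready, retry getVersion in 30000 milliseconds. (2/16)
Device not ready, retry getVersion in 30000 milliseconds. (3/16)
Device not ready, retry getVersion in 30000 milliseconds. (4/16)
Device not ready, retry getVersion in 30000 milliseconds. (5/16)
Error when trying to update: Could not get device version after pushing down sensor update package to device: XXXXXX. Please access the device using Command Line Interface, and check if it is working properly
"""

BEFORE = re.compile(r"Device version before update is: (\S+)")
PUSHED = re.compile(r"Pushing package: IPS-sig-S(\d+)-req-(E\d+)\.pkg")
RETRY = re.compile(r"retry getVersion in (\d+) milliseconds\. \((\d+)/(\d+)\)")
VERSION_ERR = "Could not get device version after pushing down sensor update package"
SIG_LEVEL = re.compile(r"E\d+S(\d+)")  # assumed format, e.g. 7.0(2)E4S581.0


def summarize(log_text):
    """Extract the facts needed to triage one device's deployment log."""
    before = BEFORE.search(log_text)
    pushed = PUSHED.search(log_text)
    retries = [(int(ms), int(n), int(total)) for ms, n, total in RETRY.findall(log_text)]
    return {
        "before": before.group(1) if before else None,
        "target_sig": int(pushed.group(1)) if pushed else None,
        "retries_seen": max((n for _, n, _ in retries), default=0),
        "retries_max": retries[0][2] if retries else 0,
        "polled_seconds": sum(ms for ms, _, _ in retries) // 1000,
        "version_query_failed": VERSION_ERR in log_text,
    }


def triage(log_text, version_now):
    """Classify the result given the version string read from the sensor afterwards."""
    s = summarize(log_text)
    m = SIG_LEVEL.search(version_now or "")
    sig_now = int(m.group(1)) if m else None
    if s["target_sig"] is None or sig_now is None:
        return "unknown"
    if sig_now >= s["target_sig"]:
        return "applied-but-unconfirmed" if s["version_query_failed"] else "applied"
    return "not-applied"
```

On the posted log, `summarize` shows CSM reporting the error after 5 of the 16 advertised retries (150 seconds of polling), which is the detail worth including when reporting the behavior.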

Hi Dustin,

I applied S586 yesterday via CSM (version 3.3 SP1).  Of 14 sensors, 7 successful and 7 failed messages.  For the 7 failed messages, the sensor update has taken place and no reboot of device (no reboot for successful devices either).

Sensors are running 7.0(2)E4 code.

Regards

Liam

Hi Liam. I suspect you are encountering defect CSCsz37841 (CSM can't upgrade signature with "could not get device version" message)  - fixed in CSM 3.3.1. That defect's Release Note is a little misleading (it just mentions the AIM-IPS sensor model platform, but in reality, this could apply to any sensor model; it is just more likely to apply to the lower-end models). I will update the Release Note to clarify that, but it will take some time before my changes are reflected online.

You will need to upgrade CSM to 3.3.1 to correct this (and ideally, after you upgrade to 3.3.1, you should apply 3.3.1 Service Pack 3, as it includes several more related fixes).

Finally, as mentioned, it also wouldn't hurt to upgrade your sensors to 7.0(5a)E4 for the sheer number of included fixes.

Thanks Dustin...

I'm about to upgrade the sensors to 7.0(5a)E4 and if that does not resolve the issue, I'll look to upgrade CSM to 3.3.1.  I had some pain with the last CSM upgrade, so hopefully it won't come to that again!!

Regards

Liam

I thought Cisco only supported the current and previous versions of CSM (that would now be 4.1 and 4.0).

Liam, a heads up on your 4.x upgrades: 4.0 requires you to (re)purchase your Base50 license for CSM and 4.1 requires you to run it on a 64 bit OS. If you are upgrading your CSM like the rest of us it means buying and installing a new version of W2K8 enterprise.

Good luck.

- Bob

I thought Cisco only supported the current and previous versions of CSM (that would now be 4.1 and 4.0).

To my knowledge, no EoS/EoL has been announced for CSM 3.3 yet:

http://www.cisco.com/en/US/products/ps6498/prod_eol_notices_list.html

That being said, (and this does not constitute any official development/engineering statement on behalf of anybody), generally engineering teams (not specific to Cisco) would probably prefer to not have to support several different release trains simultaneously, and instead focus their efforts on one or two (or a few).

4.1 requires you to run it on a 64 bit OS. If you are upgrading your CSM like the rest of us it means buying and installing a new version of W2K8 enterprise.

The System Requirements do differ (significantly) between 3.3, 4.0[1], and 4.1, and yes, as with any major upgrade, reviewing the Release Notes, System Requirements, etc. before upgrading would be advisable and best-practice.
