12-10-2012 12:04 AM - edited 03-10-2019 01:42 PM
Hello,
I have an issue at one of our branch office sites: after spyware/grayware is updated, the Avira antivirus update on the client PC fails. When I pass the traffic through the firewall instead of the SSM module, it updates successfully. I have captured the packets for both scenarios. I think it is a problem from the update. I have added the capture result as an attachment.
I would really appreciate it if anybody (from Cisco) could find the bug behind this issue and fix it.
Thanks in advance
Pial
12-10-2012 10:02 PM
Is there any particular signature that fires and blocks this traffic?
Check "sh statistics virtual-sensor | inc Sign" output.
Thanks,
Sawan Gupta
12-11-2012 02:49 AM
Hello Sawan,
Thanks for that good hint. But we are running a CSC SSM module and I didn't find any option to log in to service analysis mode and configure a virtual sensor for checking the signature status. I had configured a specific rule in the ASA for that specific traffic, and I already sent that log capture. Is there any other workaround to check it? There is an option in the SSM to gather logs. Do you think it would help in this scenario? If so, I would ask the local system engineers to give an IP from their local FTP or TFTP server to send the log report to.
Regards
Pial
12-11-2012 08:25 PM
You could simply SSH to the SSM appliance on its management IP, and issue the above command to get the information. You don't need the service account to do that.
Regards,
Sawan Gupta
12-12-2012 01:55 AM
Hello Sawan,
Thanks for your quick reply. By default the CSC module doesn't have SSH enabled. So I enabled it and now I can log in. But unfortunately that command isn't working.
-bash-3.00# sh statistics virtual-sensor | i Sign
sh: statistics: No such file or directory
-bash: i: command not found
-bash-3.00#
-bash-3.00# sh statistics virtual-sensor
sh: statistics: No such file or directory
I have found in a Cisco document a list of modules which support virtualization in the sensor.
The following sensors support virtualization:
• IDS 4235
• IDS 4250
• IPS 4240
• IPS 4255
• IPS 4260
• IPS 4270-20
• AIP SSM
This is the link where I have found that information: http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/cli/cliAnEng.html
So my question: did I miss something? Whenever I search on Google I see only examples of how to configure the AIP-SSM module for But there is no information about the CSC-SSM module.
Your help is really appreciated.
Pial
12-12-2012 02:00 AM
Hi,
You logged into the service account; that's why the command failed. You need to log in via the admin account.
http://www.cisco.com/en/US/docs/security/ips/5.1/configuration/guide/cli/cliAdmin.html#wp1037225
Regards,
Sawan Gupta
12-12-2012 09:02 AM
Hello Sawan,
I have tried with the cisco account, which I believe is an admin account. But whenever I log in, it prompts me to change the root password. So as I understand it, it is a service account. But with the account name cisco it didn't work. I have added the screenshot.
Sorry if I didn't get the point about the admin account. One thing to mention is that we have the base license. So I am not sure whether it plays any role in this scenario.
Thanks again for your help.
12-12-2012 07:46 PM
You were doing it right. User "cisco"'s password has expired. You just need to set a new one and then issue the command.
Regards,
Sawan Gupta
12-13-2012 02:31 AM
Hello Sawan,
Thanks for your patience and time. Yesterday I forgot to mention the rest of the login issue. I have created the new password. But after retyping the new password, the login screen disappeared. I tried with the login name cisco and the new password which I had set last time. But the login failed, and again I can only log in with the cisco default password, which is 'cisco'. So to verify I tried again with a new login with the root account, and then that new password works. When I log in with the cisco account, a message appears that the password has expired, then it asks "changing password for the root". So what I understand is that it is asking to change the password for the root account. I have tried with the ASDM login password for CSC. But it fails too.
So again my question is whether I have missed anything ...
Pial
12-13-2012 08:55 PM
You need to involve Cisco TAC, since you are unable to log in to the device. They will need to collect show-tech-support logs to diagnose the problem.
Regards,
Sawan Gupta
12-19-2012 01:01 AM
Hello Sawan,
After your answer I tried with another CSC module in a different location and I saw the same issue. The message to change the password for root appears every time if I log in directly with the cisco account through SSH, and if I log in from the ASA (session 1), then instead of sensor mode it comes up with the SSM setup menu.
Thanks again for your assistance.
Pial