What do you mean by "trusted TLS certificates" on the AutoUpdate section of the IPS

NED PH
Level 1

Hi everybody,

I have been having an issue updating the signatures of our IPS device. I can download the signature from the URL below at 72.163.7.60, which tells us that our credentials are working. However, when I try to update via "Auto Update" I'm getting an error that "the host is not trusted....."

Please can you help? Thanks.


  section Auto Update Statistics
      lastDirectoryReadAttempt 05:58:06 GMT-05:00 Tue Nov 25 2014
         Read directory: https://deleted@72.163.7.60//swc/esd/11/273556262/guest/
         Success
      lastDownloadAttempt 05:58:07 GMT-05:00 Tue Nov 25 2014
         Download: https://deleted@72.163.7.60//swc/esd/11/273556262/guest/IPS-sig-S837-req-E4.pkg
         Error: autoUpdate successfully selected a package (https://deleted@72.163.7.60//swc/esd/11/273556262/guest/IPS-sig-S837-req-E4.pkg) from the cisco.com locator service, however, package download failed: The host is not trusted. Add the host to the system's trusted TLS certificates.
      lastInstallAttempt N/A
      nextAttempt 05:58:00 GMT-05:00 Wed Nov 26 2014

8 Replies

Marvin Rhoads
Hall of Fame

You need to tell the IPS, either from cli or via IPS Device Manager (IDM), to trust the cisco.com hosts where your signatures are downloaded from. Once you've set that up, future updates should occur without having to revisit that step.

CLI method

IDM method

Thanks Marvin, I already did that and even created a new TLS key. However, I'm still getting the same error. I wonder if it's some kind of a bug on version 7.1(7)E4. I already reloaded the module (IP-SSM-20) but still the same.


sensor-1# show tls trusted-hosts 
72.163.4.161
72.163.7.60

You might try re-importing the certificate for that host. Even though the host address is correctly in your configuration, if Cisco updates their certificate (or if you have a transparent proxy between you and them that does the same) it can cause that error.

I see, but I'm not quite sure how to re-import the certificate from that public IP, though I tried deleting the TLS entry for that IP and re-creating it. I know we have Webroot for the workstations, but I don't think it acts like a transparent proxy for the IPS. I might be wrong.

If you delete and re-add the host, the associated certificate should be renewed. In the IDM link above you will see how to view the trusted host certificate. I would check that against what you see if you simply browse to the download host using https. Contrast those two values to one another to see if you are getting the certificate from an intermediate proxy server. You could also check from a public PC (say connecting via a hotspot or from home) to get another point of comparison.
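One way to make the comparison Marvin describes, as an added example that is not from this thread or from Cisco: the script retrieves the leaf certificate the download host presents to the machine it runs on and compares its fingerprint against a reference fingerprint recorded from another vantage point (the IDM trusted-host view, or a PC on a home connection). The host is the one from the thread; the reference fingerprint is a placeholder to be replaced.

```python
import hashlib
import socket
import ssl
import sys

# Placeholders: the download host quoted in the thread and a reference
# fingerprint you recorded from another vantage point (IDM or a home PC).
DOWNLOAD_HOST = "72.163.7.60"
REFERENCE_FINGERPRINT = "REPLACE:WITH:FINGERPRINT:SEEN:FROM:OUTSIDE"


def fingerprint_of_der(der: bytes, algo: str = "sha1") -> str:
    """Colon-separated uppercase hex digest of a DER-encoded certificate."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp: str) -> str:
    """Accept 'a9:99:..', 'A999..', 'a9 99 ..' or an openssl-style
    'SHA1 Fingerprint=..' line and return the bare uppercase hex."""
    fp = fp.rsplit("=", 1)[-1]
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")


def fingerprints_match(observed: str, reference: str) -> bool:
    return normalize_fingerprint(observed) == normalize_fingerprint(reference)


def fetch_leaf_cert(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Return the DER leaf certificate presented to us. Verification is
    disabled on purpose: we want to see whatever is presented on this
    network path (including an intercepting proxy's certificate) and then
    judge it by fingerprint, rather than have the handshake reject it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_host(host: str, reference: str) -> tuple:
    """(match, observed SHA-1 fingerprint) for the certificate host presents."""
    observed = fingerprint_of_der(fetch_leaf_cert(host))
    return fingerprints_match(observed, reference), observed


if __name__ == "__main__":
    ok, seen = check_host(DOWNLOAD_HOST, REFERENCE_FINGERPRINT)
    print(f"presented SHA1: {seen}")
    print("match" if ok else "MISMATCH: a different certificate is presented on this path")
    sys.exit(0 if ok else 1)
```

A mismatch between what the sensor's network path sees and what an outside PC sees points at interception between the sensor and cisco.com; a match on both paths means the trusted-host entry itself should be re-added.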

Hi Marvin, I would like to thank you for the support. This is now resolved when I upgraded the IPS to version 7.1(9)E4, it looks like this is a bug on 7.1(7)E4. 

https://www.cisco.com/cisco/psn/bssprt/bss?searchType=bstbugidsearch&page=bstBugDetail&BugID=CSCui05041


-Fred

Interesting. That BugID indicates a proxy problem and does not say your version is affected.

In any case, I'm glad it's resolved for you. Best regards.

Fred,

I had the same exact problem with our IPS. I did all the steps you did and it did not fix the problem. I opened a support case and the fix was to update the IPS software.

I updated to 7.1(9)E4 and this fixed the problem.

I think Cisco needs to alert its customer base of this issue.


Mike
