cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
843
Views
0
Helpful
10
Replies

IDS update to 3.1 ; stop to generating new certificates and no more ...

p.emery
Level 1
Level 1

hi

i have update a 4210 with sp 3.1 S22 and the sensors is blockd at the step when he generate new certificates ...i satrted yesterday evening and this morning it was still not finished.

i have rebboted the box and I try to acces it with HTTPS but he didn't work ...

i have restarted again the update and it stop again at the same point thanks for your helps.

philippe

10 Replies 10

marcabal
Cisco Employee
Cisco Employee

Troubleshooting tips:

1) Run "cidServer version" as user root

# cidServer version

cidwebserver v33 (Release) 02/04/26-01:32

cidwebserver (27394) is running.

2) Run sysconfig-sensor option 11 to ensure IDM is enabled

IDS Device Manager

Current Mode: Enabled

1 - Disable

x - Exit

Selection:

3) Attempt to telnet to the sensor from the same machine that the web browser is running from

Telnet and web connections are both restricted by option 5 of sysconfig-sensor above.

4) Be sure the user is using a supported web browser:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids8/13876_01.htm#xtocid5

5) Be sure that the web browser is configured to accept cookies:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids8/13876_01.htm#40768

6) Be sure the user is typing "https://sensoripaddress" the "s" on the end of the http is very important.

7) In a worst case you can log in as root and execute:

snoop -d port 443

And see if the connection is being established.

It could be that a firewall or router may be blocking either 443 or port 80 traffic to the sensor, in which case the user would need to change their firewall or router config.

8) Run the /usr/nr/idsRoot/cidDump script, as root, on the Sensor with the problem and send us the resulting log - '/usr/nr/idsRoot/htdocs/private/cidDump.html'.

Look at cidDump.html and verify that:

- the host that is attempting to connect to the Sensor is listed in hosts.allow

- nrvers shows all the daemons responding

- the webserver is listed in the process list

9) You could also try the following:

a) Login as root

b) cidServer stop

c) cd /usr/nr/idsRoot/etc

d) cp cidwebserver.conf cidwebserver.conf.bak

e) vi cidwebserver.conf

f) within vi change the "ports=443" to 80

g) cidServer start

h) Now try to connect to the sensor using https://ipaddress

10) Execute cat /usr/nr/sp-update/output.log

You should see the following lines if the installation completed successfully:

ids-postpatch: IDSk9-sp-3.1-1-S22.bin has been successfully installed.

Warning! Your system will begin shutdown in 30 seconds!!!

Press to quit if you do not wish to reboot!

..............................

Shutting down now!

hi Macabal

thanks for your reply

point 1 i see cidwebserver (242) i believe this is my process

2) ok

3)ok

7) i saw the connection https

8) i have done it and the file is big ...but only the process about the web server is not clear but depending of i suppose it works..

9) i did it but with vi i try to insert a caracter to chage 443 to 80 but this will be done soon but after i should access with http: ...i suppose

i will try to modify it and i lets you know

thanks in advance

phil

On one sensor we have been able to diagnose with this specific problem, the installation of 3.1 never completed. Other caes have had configuration issues.

So If you are experiencing this problem of the web server not responding then please try the tips listed below. (The tips have helped solve several cases already, but not all cases so far)

For those of you who have already tried the tips, if the web server still does not respond then we need diagnostic output from your sensor:

As root, please run /usr/nr/idsRoot/bin/cidDump and send me the log - /usr/nr/idsRoot/htdocs/private/cidDump.html

As well as the contents of the /usr/nr/sp-update/output.log file.

Troubleshooting tips:

1) Run "cidServer version" as user root

# cidServer version

cidwebserver v33 (Release) 02/04/26-01:32

cidwebserver (27394) is running.

2) Run sysconfig-sensor option 11 to ensure IDM is enabled

IDS Device Manager

Current Mode: Enabled

1 - Disable

x - Exit

Selection:

3) Attempt to telnet to the sensor from the same machine that the web browser is running from

Telnet and web connections are both restricted by option 5 of sysconfig-sensor above.

4) Be sure the user is using a supported web browser:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids8/13876_01.htm#xtocid5

5) Be sure that the web browser is configured to accept cookies:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids8/13876_01.htm#40768

6) Be sure the user is typing "https://sensoripaddress" the "s" on the end of the http is very important.

7) In a worst case you can log in as root and execute:

snoop -d port 443

And see if the connection is being established.

It could be that a firewall or router may be blocking either 443 or port 80 traffic to the sensor, in which case the user would need to change their firewall or router config.

8) You could also try the following:

a) Login as root

b) cidServer stop

c) cd /usr/nr/idsRoot/etc

d) cp cidwebserver.conf cidwebserver.conf.bak

e) vi cidwebserver.conf

f) within vi change the "ports=443" to 80

g) cidServer start

h) Now try to connect to the sensor using https://ipaddress

9) Execute cat /usr/nr/sp-update/output.log

You should see the following lines if the installation completed successfully:

ids-postpatch: IDSk9-sp-3.1-1-S22.bin has been successfully installed.

Warning! Your system will begin shutdown in 30 seconds!!!

Press to quit if you do not wish to reboot!

..............................

Shutting down now!

hi macabal

here is some info and i will mail you the report directly and what next should i uninstall the s22 and install the new 3.1 s23 ?

thanks for your helps

philippe

------------------

# cidServer version

cidwebserver v33 (Release) 02/04/26-01:32

cidwebserver (241) is running.

# sysconfig-sensor

Cisco IDS Sensor Initial Configuration Utility

Select options 1 through 6 to initially configure the Sensor.

1 - IP Address

2 - IP Netmask

3 - IP Host Name

4 - Default Route

5 - Access Control List

6 - Communications Infrastructure

7 - Date/Time and Time Zone

8 - Passwords

9 - Secure Communications

10 - Display

11 - IDS Device Manager

x - Exit

Selection: 11

IDS Device Manager

Current Mode: Enabled

1 - Disable

x - Exit

Selection: x

Cisco IDS Sensor Initial Configuration Utility

Select options 1 through 6 to initially configure the Sensor.

1 - IP Address

2 - IP Netmask

3 - IP Host Name

4 - Default Route

5 - Access Control List

6 - Communications Infrastructure

7 - Date/Time and Time Zone

8 - Passwords

9 - Secure Communications

10 - Display

11 - IDS Device Manager

x - Exit

Selection: x

sysconfig-sensor has completed successfully.

*********************************************************************

For the most effective security, please download and apply the latest

signature updates from the Software Center at http://www.cisco.com

*********************************************************************

#

# ^[[A^[[A^H

^[[A^[[A^H: not found

# sysconfig-sensor

Cisco IDS Sensor Initial Configuration Utility

Select options 1 through 6 to initially configure the Sensor.

1 - IP Address

2 - IP Netmask

3 - IP Host Name

4 - Default Route

5 - Access Control List

6 - Communications Infrastructure

7 - Date/Time and Time Zone

8 - Passwords

9 - Secure Communications

10 - Display

11 - IDS Device Manager

x - Exit

Selection: 5

Access Control List

You can modify the list of IP addresses and networks that are allowed to log

into the Sensor. A TCP wrapper application enforces this list. If a host with

an IP address that is not in this list attempts to log into the Sensor, the

TCP connection will automatically be closed.

WARNING: If you have changed the IP address of the Sensor, list the host

addresses from which you log in remotely.

This list must contain only host IP addresses and not host names. The Sensor

by default does not use ANY type of name service (for example, DNS, NIS, NIS+).

List the network addresses with just the network portion of the address. For

example: 192.9.200.

Current list:

10.

Enter an address to add to the list. If the address entered is already in

the list, it will be deleted from it.

IP address::

Cisco IDS Sensor Initial Configuration Utility

Select options 1 through 6 to initially configure the Sensor.

1 - IP Address

2 - IP Netmask

3 - IP Host Name

4 - Default Route

5 - Access Control List

6 - Communications Infrastructure

7 - Date/Time and Time Zone

8 - Passwords

9 - Secure Communications

10 - Display

11 - IDS Device Manager

x - Exit

Selection: x

sysconfig-sensor has completed successfully.

*********************************************************************

For the most effective security, please download and apply the latest

signature updates from the Software Center at http://www.cisco.com

*********************************************************************

#

# snoop -d iprb0 10.172.32.231 10.172.32.108 port 80

Using device /dev/iprb (promiscuous mode)

10.172.32.108 -> bobst HTTP C port=1237

bobst -> 10.172.32.108 HTTP R port=1237

10.172.32.108 -> bobst HTTP C port=1237

bobst -> 10.172.32.108 HTTP R port=1237

10.172.32.108 -> bobst HTTP C port=1237

bobst -> 10.172.32.108 HTTP R port=1237

10.172.32.108 -> bobst HTTP C port=1243

bobst -> 10.172.32.108 HTTP R port=1243

10.172.32.108 -> bobst HTTP C port=1243

bobst -> 10.172.32.108 HTTP R port=1243

10.172.32.108 -> bobst HTTP C port=1243

bobst -> 10.172.32.108 HTTP R port=1243

^C# cidServer stop

Stopping cidwebserver... 241 terminated.

# cd /usr/nr/idsRoot/etc

# cp cidwebserver.conf cidwebserver.conf.bka1

# vi cidwebserver.conf

Cisco IDS 3.1 configuration file

docRootPath=htdocs

servlets=idm

ports=80

connectionsPerPort=20

timeoutForRequestInSeconds=60

timeoutForRequestWithKeepAliveInSeconds=120

numberOfRequestsToProcessWhileKeepAliveActive=250

maxContentLength=16384

tlsEnabled=1

provideStats=0

allowIdm=1

idmServletName=idm

[FileExtensions]

html = text/html

htm = text/html

gif = image/gif

jpeg = image/jpeg

jpg = image/jpeg

jpe = image/jpeg

:q!

# cidServer start

Settings match current configuration...no need to update.

Checking for certificates...certificates found.

Starting cidwebserver... Error: cidwebserver (241) is already running.

# cat /usr/nr/sp-update/output.log

cat: cannot open /usr/nr/sp-update/output.log

# run /usr/nr/idsRoot/bin/cidDump

run: not found

# ./usr/nr/idsRoot/bin/cidDump

./usr/nr/idsRoot/bin/cidDump: not found

# cd /usr/nr/idsRoot

# ls

bin etc htdocs log tmp var

# cd bin

# ls

cidDump cidServer cidwebserver fingerprint selfcert

# ./cidDump

Generating report ..............................................................

.................Done

# ls

cidDump cidServer cidwebserver fingerprint selfcert

# cd ..

# ls

bin etc htdocs log tmp var

# cd htdocs

# ls

cgi-bin private protected public

# cd private

# ls

auth cidDump.html

# ls -al

total 678

drwxr-x--- 3 netrangr netrangr 512 May 16 19:21 .

drwxr-x--- 6 netrangr netrangr 512 May 15 19:37 ..

drwxr-x--- 2 netrangr netrangr 512 May 15 19:38 auth

-rw-r--r-- 1 root other 332476 May 21 14:08 cidDump.html

# date

Tue May 21 14:09:30 GMT 2002

# exit

After looking at your files, I noticed that you have TLS enabled (from cidwebserver.conf) but you are trying to use a non TLS/SSL connection to the webserver (from the snoop output). The snoop output should show HTTPS not HTTP. In order to make this connection to port 80 as defined in your config file you need to issue "https:/bobst:80" . If you don't wish to use TLS you need to change the tlsEnabled=1 line in the cidwebserver.conf file to tlsEnabled=0 , stop and start the server, and then you can do a standard http:/bobst connection.

One other thing to look at is wether the sensor is listening on the port. Run "netstat -a". You should see that the sensor is listening on port 80.

hi

ok if i did a netstat -a

port 80 is not listen i have only ftp,telnet and ssh nothing else bus if i did cidwebserver is seems to works ...anyway i think i will open a call to the tac

.

anyway i have uninstall the s22 and reboot and after reinstalling the s23 and still the same problem

best regards

phil

kleem
Cisco Employee
Cisco Employee

There were some instllation problems with the original 3.1(1)S22 release that prevented the WEB server from functioning correctly. You have taken the correct step of uninstalling 3.1(1)S22 and then installing 3.1.2(S23). Verify that the install proceeded with no errors. (Check the /usr/nr/var/nrInstall.log and the /var/sadm/install_data/IDS_Patch_Update_v2.8.3_log.) Also note that the server is run in TLS/SSL mode by default , using the standard SSL port of 443, not 80. Try connecting with 'https://x.x.x.x:443'.

hi

if i check the file output.log :

The following patches were not able to be installed:

110284-05

110952-02

110899-04

110459-02

109092-05

110402-03

109327-07

110946-05

110917-02

110616-04

109148-15

109278-02

111660-06

110904-04

109668-04

112238-02

111294-03

111307-03

111328-04

111099-01

108986-03

110935-07

108529-14

108726-07

108990-02

108828-21

108994-07

108998-03

109239-02

109319-27

109008-07

but at the end :

ids-postpatch: IDSk9-sp-3.1-2-S23.bin has been successfully installed.

if this means it is not ok....tell me how to restore in s21 or s22 to try to restart the update procedure or should i complete reinstalling the sensor with the recovery disk and reinstalling everythings from the beginning ?

thanksfor your helps

philippe

The patches should have already been installed when you loaded 3.1(1)S22. They are not removed with the service pack uninstall, so they should still be present on your system. If this is the only error you saw in the output.log file, your install should be complete.

Are you still seeing problems when you boot your sensor?

yes unfortunatly the problem stays after a reboot

it seems to be located on the webserver i don't know why it is not listening on port 443 or 80 ? ...

i have open a call on tac and i am waiting more info or i will reinstall the complete software

best regards

philippe