This document describes how to check what are changes in the signature behavior that have been made when a new signature pack has been updated on the IPS in additon to the new signatures that are introduced.
Most of the times, customers report issues with the traffic flows being impacted/specific application observing packet drops after signature update has been performed on the IPS. So the key for troubleshooting such issues would be to understand what are changes that are made to the active signature set after the signature update process completed.
Step 1 :
The first thing that we need to check is the upgrade history for the signature. This would tell us the previous signature pack that was running on IPS and the current version of signature pack.
This can be found out from the output of the command "show version" or from the upgrade history section of the "show tech". Snippet from the same is mentioned below:
* IPS-sig-S733-req-E4 19:59:50 UTC Fri Aug 09 2013
IPS-sig-S734-req-E4.pkg 19:59:49 UTC Tue Aug 13 2013
Now from the above we can make out that the previous signature pack that was running on the IPS was s733 and has been upgraded to s734 which is current signature pack.
Step 2 :
The second step is to understand the changes that have been made which can be checked through the IME/IDM. Screenshots of how to check the same has been shown below:
ScreenShot1 : Displays the active signature tab on the IME/IDM:
ScreenShot2 : Displays how to select a specific signature release:
Further using the filter option once we have obtained all the signatures from a particular release we can filter them based on engine, fidelity, severity etc.
By this we would be able to narrow down on the changes in signature release which can be potential cause for the issue based on which we can align our troubleshooting.
Hello Guys, I have been facing issues in setting up a VPN tunnel between a device behind network 20.X.X.X and our ASA on out1 interface 208.X.X.11. the VPN traffic hits the outside3 interface on the ASA however when I run a packet capture i don't see...
Hello, I have setup a Cisco Active Directory agent on my network on the corporate network which talks a domain controller on the same corporate network. That seems to be working ok and i can see the agent is running and the polling status is av...
This is regarding one of the largest ISE customer. They have installed ISE(with MDM SCCM) for 80K employees across the world . They had faced lot of issues on ISE 2.4 image and with lot of BU efforts, have been drilled down to couple of bu...
We are currently switching from the old IPsec client to AnyConnect. Unfortunately we can't get AnyConnect to connect to our ASA. The ASA is behind a Peplink loadbalancer and we think the Peplink is blocking/not forwarding correctly the SSL traffic. AnyCon...