Snort IPS on ISR, ISRv and CSR - Troubleshooting


Configuration

https://community.cisco.com/t5/security-documents/snort-ips-on-isr-isrv-and-csr-step-by-step-configuration/ta-p/3369186

Troubleshooting

Unable to get signature update from cisco.com 

1. Make sure the router can resolve DNS names. Configure the router with a reachable DNS name server (ip name-server) before attempting the update.

ISR4451#utd threat-inspection signature update server cisco username xxxxx password yyyyy
% This operation may cause the UTD service to restart which will briefly interrupt services.
Proceed with signature update? [confirm]
ISR4451#show utd engine standard threat-inspection signature update status
Current signature package version: 29.0.c
Current signature package name: default
Previous signature package version: None
---------------------------------------
Last update status: Failed
---------------------------------------
Last successful update time: None
Last successful update method: None
Last successful update server: None
Last successful update speed: None
---------------------------------------
Last failed update time: Wed Feb 14 09:01:16 2018 PST
Last failed update method: Manual
Last failed update server: cisco
Last failed update reason: ('Connection aborted.', gaierror(-2, 'Name or service not known'))
---------------------------------------
Last attempted update time: Wed Feb 14 09:01:16 2018 PST
Last attempted update method: Manual
Last attempted update server: cisco
---------------------------------------
Total num of updates successful: 0
Num of attempts successful: 0
Num of attempts failed: 1
Total num of attempts: 1
---------------------------------------
Next update scheduled at: None
---------------------------------------
Current status: Idle

The gaierror(-2, 'Name or service not known') in the last failed update reason usually means DNS is failing to resolve cloudsso2.cisco.com for a query sourced from the VirtualPortGroup0 interface. Once a proper DNS name server is configured and the router resolves cloudsso2.cisco.com (173.37.144.211 when this output was captured; check the current answer rather than hard-coding it) sourced from VirtualPortGroup0, verify that the router can open an HTTPS connection to that address with the following command:

ISR4451#telnet 173.37.144.211 443 /source-interface virt0   
Trying 173.37.144.211, 443 ... Open

Once both checks pass, the signature update should complete without any problem, as shown below:

ISR4451#show utd engine standard threat-inspection signature update status
Current signature package version: 2983.44.s
Current signature package name: UTD-STD-SIGNATURE-2983-44-S.pkg
Previous signature package version: 29.0.c
---------------------------------------
Last update status: Successful
---------------------------------------
Last successful update time: Wed Feb 14 09:38:32 2018 PST
Last successful update method: Manual
Last successful update server: cisco
Last successful update speed: 3212512 bytes in 19 secs
---------------------------------------
Last failed update time: Wed Feb 14 09:01:16 2018 PST
Last failed update method: Manual
Last failed update server: cisco
Last failed update reason: ('Connection aborted.', gaierror(-2, 'Name or service not known'))
---------------------------------------
Last attempted update time: Wed Feb 14 09:38:32 2018 PST
Last attempted update method: Manual
Last attempted update server: cisco
---------------------------------------
Total num of updates successful: 1
Num of attempts successful: 1
Num of attempts failed: 1
Total num of attempts: 2
---------------------------------------
Next update scheduled at: None
---------------------------------------
Current status: Idle
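The two status outputs above are easy to eyeball once, but the same fields are worth parsing when you are checking several routers or scripting a post-change check. The following is an added example, not part of the original page and not Cisco's code: it parses the key/value lines of `show utd engine standard threat-inspection signature update status` (constructed here from the two outputs shown above) and classifies the failure reason. The mapping of gaierror(-2) to a DNS problem is taken from the output on this page (gaierror is the socket resolver error and -2 is EAI_NONAME); the other two patterns, and all function names, are this example's own assumptions about how a TCP or TLS failure would appear in the same field. Note that the "Last failed update reason" line survives a later successful update, exactly as in the second output above, so the classifier keys on "Last update status" first.

```python
"""Triage helper for the signature update status output.

Added example, not Cisco's code. Parses the 'key: value' lines and maps the
'Last failed update reason' to the check the operator should run first.
"""
import re

# Constructed sample: the failed run shown on this page, abbreviated.
SAMPLE_FAILED = """\
Current signature package version: 29.0.c
Current signature package name: default
Previous signature package version: None
---------------------------------------
Last update status: Failed
---------------------------------------
Last failed update time: Wed Feb 14 09:01:16 2018 PST
Last failed update method: Manual
Last failed update server: cisco
Last failed update reason: ('Connection aborted.', gaierror(-2, 'Name or service not known'))
---------------------------------------
Current status: Idle
"""

# Constructed sample: the later successful run. The old failure reason is
# still present, so status must be read before the reason.
SAMPLE_OK = """\
Current signature package version: 2983.44.s
Last update status: Successful
Last successful update time: Wed Feb 14 09:38:32 2018 PST
Last successful update speed: 3212512 bytes in 19 secs
Last failed update reason: ('Connection aborted.', gaierror(-2, 'Name or service not known'))
Current status: Idle
"""

# (regex over the reason, class, advice). Only the first entry is taken from
# the page; the TCP and TLS patterns are assumptions for this example.
REASON_CHECKS = [
    (r"gaierror\(-2", "dns",
     "DNS resolution failed (EAI_NONAME): verify 'ip name-server' and that "
     "cloudsso2.cisco.com resolves when sourced from VirtualPortGroup0."),
    (r"timed out|Connection refused|EHOSTUNREACH|ENETUNREACH", "tcp",
     "Name resolved but TCP/443 is not reachable: test with "
     "'telnet <ip> 443 /source-interface virt0' and check NAT, ACL and zone policy."),
    (r"CERTIFICATE|SSL", "tls",
     "TLS handshake failed: check the clock (NTP) and the trustpool."),
]


def parse_status(text):
    """Return the 'key: value' lines as a dict; separator lines are skipped.
    Splitting on the first colon keeps timestamps and the reason tuple intact."""
    fields = {}
    for line in text.splitlines():
        if line.startswith("-") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def triage(text):
    """Return (class, advice) for one status output."""
    f = parse_status(text)
    if f.get("Last update status") == "Successful":
        return ("ok", "Last update succeeded: %s (%s)" % (
            f.get("Current signature package version"),
            f.get("Last successful update speed")))
    reason = f.get("Last failed update reason", "")
    for pattern, cls, advice in REASON_CHECKS:
        if re.search(pattern, reason):
            return (cls, advice)
    return ("unknown", "Unclassified failure reason: " + reason)


if __name__ == "__main__":
    for sample in (SAMPLE_FAILED, SAMPLE_OK):
        cls, advice = triage(sample)
        print("%-8s %s" % (cls, advice))
```

Paste the router's output into `triage()`; a "dns" result sends you to step 1 above, a "tcp" result to the telnet check.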

Unable to view the virtual service

Check that the virtual-service commands are recognized. If the parser rejects them, the running image does not support the feature:

ISR4451#show virtual-service
^ % Invalid input detected at '^' marker.

Check disk space available. The install fails when the package's disk reservation exceeds the free space on the storage media:

ISR4451#virtual-service install name myips package flash:iosxe-utd.16.07.01.1.0.1_SV2983_XE_16_7.ova
ISR4451#show log
Feb 9 18:54:45.096 PST: %VMAN-2-VIRT_INST_DISK: R0/0: vman: Virtual Service[UTD]::Disk reservation::Failed to reserve disk storage for virtual service::Disk storage request (3210 MB) exceeds remaining disk space (3090 MB) on storage media

The UTD health change to Red and the container message timeouts that follow it look like this in the log:

Feb 22 12:00:49.283: %IOSXE-1-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000000761565218623 %UTD-1-UTD_HEALTH_CHANGE: Service node changed state Down => Red (1)
Feb 22 12:01:10.871: %IOSXE_UTD-4-MT_CONTAINER_MESSAGE_TIMEOUT: UTD message sent to the container has timed out
Feb 22 12:01:42.871: %IOSXE_UTD-4-MT_CONTAINER_MESSAGE_TIMEOUT: UTD message sent to the container has timed out

Snort black holes traffic

Incorrect IP address configured on the guest (container) side

Packets go to the container but nothing comes back:

Encaps shows a huge count, but Decaps shows almost nothing coming back out to the data plane.

CSR#show platform hardware qfp active feature utd stats
.
.
Diversion Statistics:
Redirect        137023
Encaps          137023
Decaps               6
Reinject             6

Check the configuration.

In this case the guest (container) side IP address on VirtualPortGroup1 is the subnet broadcast address: the router side is 192.0.2.2/30, so the subnet is 192.0.2.0/30 and 192.0.2.3 is its broadcast address.

interface VirtualPortGroup0
 ip address 172.30.50.121 255.255.255.252
 ip nat inside
 zone-member security zone-Inside
!
interface VirtualPortGroup1
 ip address 192.0.2.2 255.255.255.252
!
utd engine standard
 logging syslog
 threat-inspection
  threat detection
  policy connectivity
  logging level debug
utd
 engine standard
 all-interfaces
!
virtual-service utd
 vnic gateway VirtualPortGroup0
  guest ip address 172.30.50.122
 vnic gateway VirtualPortGroup1
  guest ip address 192.0.2.3 =======> misconfigured with the broadcast address
 activate
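Both symptoms in this section, the one-way diversion counters and the unusable guest address on VirtualPortGroup1, can be caught mechanically before anyone stares at the config. The following is an added example, not part of the original page and not Cisco's code; it uses the counter block and the configuration shown above as constructed input. The thresholds in black_holed() and all function names are this example's own assumptions. It also goes a little beyond the page's case: besides the broadcast address it flags a guest address that is the network address, is outside the gateway's subnet, or duplicates the router's own address, and it skips the network/broadcast test on /31 links, where both addresses are hosts (RFC 3021).

```python
"""Added example (not Cisco's code): offline checks for the two black-hole
symptoms above. Function names and thresholds are this example's choices."""
import ipaddress
import re

# Constructed sample: the Diversion Statistics block shown on this page.
STATS = """\
Diversion Statistics:
Redirect        137023
Encaps          137023
Decaps               6
Reinject             6
"""

# Constructed sample: the VirtualPortGroup and virtual-service config above,
# with the guest on VirtualPortGroup1 set to the subnet broadcast address.
CONFIG = """\
interface VirtualPortGroup0
 ip address 172.30.50.121 255.255.255.252
!
interface VirtualPortGroup1
 ip address 192.0.2.2 255.255.255.252
!
virtual-service utd
 vnic gateway VirtualPortGroup0
  guest ip address 172.30.50.122
 vnic gateway VirtualPortGroup1
  guest ip address 192.0.2.3
 activate
"""


def parse_diversion(text):
    """Return the counters under 'Diversion Statistics:' as {name: int}."""
    counters, in_block = {}, False
    for line in text.splitlines():
        if line.startswith("Diversion Statistics"):
            in_block = True
            continue
        m = re.match(r"\s*([A-Za-z]+)\s+(\d+)\s*$", line)
        if in_block and m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def black_holed(counters, min_encaps=1000, max_ratio=0.01):
    """True when many packets were encapsulated toward the container but fewer
    than max_ratio of them came back. Thresholds are assumptions, not Cisco's."""
    enc, dec = counters.get("Encaps", 0), counters.get("Decaps", 0)
    return enc >= min_encaps and dec < enc * max_ratio


def parse_gateways(text):
    """Map 'VirtualPortGroupN' -> router-side IPv4Interface (addr + mask)."""
    gateways, current = {}, None
    for line in text.splitlines():
        m = re.match(r"interface (VirtualPortGroup\d+)", line)
        if m:
            current = m.group(1)
        elif line.startswith("!"):
            current = None
        else:
            m = re.match(r"\s+ip address (\S+) (\S+)", line)
            if m and current:
                gateways[current] = ipaddress.IPv4Interface("%s/%s" % m.groups())
    return gateways


def parse_guests(text):
    """Map 'VirtualPortGroupN' -> guest (container-side) IPv4Address."""
    guests, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*vnic gateway (VirtualPortGroup\d+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*guest ip address (\S+)", line)
        if m and current:
            guests[current] = ipaddress.IPv4Address(m.group(1))
    return guests


def check_vpg_pairs(text):
    """Return [(vpg, problem)] for guest addresses that cannot work."""
    gateways, guests = parse_gateways(text), parse_guests(text)
    problems = []
    for vpg, guest in guests.items():
        gw = gateways.get(vpg)
        if gw is None:
            problems.append((vpg, "no router-side ip address configured"))
            continue
        net = gw.network
        # On /31 links both addresses are hosts, so only the membership and
        # duplicate checks apply there.
        if net.prefixlen < 31 and guest == net.broadcast_address:
            problems.append((vpg, "guest ip %s is the broadcast address of %s" % (guest, net)))
        elif net.prefixlen < 31 and guest == net.network_address:
            problems.append((vpg, "guest ip %s is the network address of %s" % (guest, net)))
        elif guest not in net:
            problems.append((vpg, "guest ip %s is outside %s" % (guest, net)))
        elif guest == gw.ip:
            problems.append((vpg, "guest ip %s duplicates the router-side address" % guest))
    return problems


if __name__ == "__main__":
    c = parse_diversion(STATS)
    print("diversion:", c, "-> black-holed" if black_holed(c) else "-> ok")
    for vpg, problem in check_vpg_pairs(CONFIG):
        print("%s: %s" % (vpg, problem))
```

A clean check_vpg_pairs() result only proves the addresses are consistent with each other; the duplicate-address case in the next section is invisible in the config and is caught at runtime by pinging the guest address from VirtualPortGroup1.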

IP address is being used somewhere else in the network

The IP address used on VPG1 on both the router side and the guest side was already in use elsewhere in the network, and that address was routed to Null0. None of the packets diverted to the UTD engine reached it, thereby black-holing the traffic. A ping sourced from VirtualPortGroup1 to the guest IP address configured under vnic gateway VirtualPortGroup1 failed.


Refer to this defect:

CSCvi11665

When does engine status show as yellow?

There is hysteresis in the checking algorithm. When the memory usage is going up, it won't become yellow until crossing 95%. When the usage is going down, the health won't come back to green until crossing 90%. 
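The practical consequence of the hysteresis is that the same memory reading can map to either colour depending on the direction it was reached from. The following is an added example, not part of the original page and not Cisco's code: a small state machine using the two thresholds stated above (95% going up, 90% coming down). The page does not say what happens exactly at the threshold, so this model treats 95% and 90% themselves as "not yet crossed"; the function and state names are this example's own.

```python
"""Added example (not Cisco's code): model of the memory-health hysteresis.

Thresholds are the ones stated on the page; the boundary handling (strict
comparisons) and the names are this example's assumptions.
"""

UP_THRESHOLD = 95.0    # green -> yellow only after usage rises above this
DOWN_THRESHOLD = 90.0  # yellow -> green only after usage falls below this


def next_state(state, usage_pct):
    """Return the health colour after one memory sample, given the current one."""
    if state == "green":
        return "yellow" if usage_pct > UP_THRESHOLD else "green"
    return "green" if usage_pct < DOWN_THRESHOLD else "yellow"


def walk(samples, state="green"):
    """Feed a sequence of usage percentages through the state machine and
    return the colour after each sample."""
    out = []
    for usage in samples:
        state = next_state(state, usage)
        out.append(state)
    return out


if __name__ == "__main__":
    # Constructed sample: usage climbs through 92% (still green), crosses
    # 95%, then falls back through 92% (still yellow) before dropping under 90%.
    readings = [80, 92, 94, 96, 93, 91, 89, 92]
    for usage, colour in zip(readings, walk(readings)):
        print("%3d%% -> %s" % (usage, colour))
```

The two 92% readings in the sample land on different colours, which is why a single `show` of memory usage is not enough to explain a yellow engine: you also need to know whether usage peaked above 95% since it was last green.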

Comments

I'm having an issue related to the SNORT Service Node showing Down. I have double-checked the configuration on the router and didn't find any mistake.


Service Node Statistics:
SN Health: Down
Stats were all zero

Diversion Statistics
Redirect failed, SN unhealthy 194538


Can you please suggest what might have gone wrong here?

I have opened a Cisco Case as well - Case # 684655355
