Troubleshooting Automatic Updates / Signature Updates Critical


Table of Contents

  1. Most Common Issues
  2. How Automatic Updates Work
  3. Identifying the Problem
  4. Verifying Automatic Update Connectivity


1. Most Common Issues

   1. Updates are scheduled on-the-hour (1am) vs off-the-hour (1:23am)
   2. Firewall/Proxy Server/Traffic Shaper is blocking the GC traffic
   3. IPS software version does not have the latest signature engine
   4. cisco.com account does not have access to the signature updates

      
2. How Automatic Updates Work

   The sensor performs the following steps:

   1. Connect to the Automatic Update server via HTTPS (TCP port 443)
      - Retrieve the IP address of the AutoUpdate server with the latest update
   2. Connect to the AutoUpdate server and retrieve the update via HTTP (TCP port 80)

3. Identifying the Problem

   1. Via the GUI
      Go to Configuration => Sensor Management => Auto/Cisco.com Update
      Ensure that "Enable Signature and Engine Updates from Cisco.com" is checked
      Ensure that all fields have the correct information/passwords

   2. Via the CLI
      Enter the command

         show statistics host | beg Auto Update

      A successful update will look like this:

         Auto Update Statistics
            lastDirectoryReadAttempt = 12:55:19 EST Thu Jul 22 2010
            =   Read directory: http://<url>
            =   Success
            lastDownloadAttempt = 12:55:20 EST Thu Jul 22 2010
            =   Download: http://<url>
            =   Success
            lastInstallAttempt = 12:57:42 EST Thu Jul 22 2010
            =   IPS-sig-S502-req-E4: Update completed successfully
            =   Success
            nextAttempt = 12:55:22 EST Fri Jul 23 2010

      An unsuccessful update will list the cause of the failure. Often it is something like "HTTP request failed", indicating that return traffic to the sensor was blocked by a firewall or proxy server.
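To make the checks in the sections above repeatable across many sensors, here is an added Python example (not from the original article or from Cisco) that parses the "show statistics host | beg Auto Update" block, reports any attempt whose final result line is not "Success" (with the firewall/proxy hint for "HTTP request failed"), and flags a nextAttempt that falls on the hour. The sample output is constructed from the excerpt above, and the field names are assumed to match what real sensors print.

```python
import re

# Constructed samples modelled on the article's excerpt; field names assumed to match real sensors.
SAMPLE_OK = """\
Auto Update Statistics
      lastDirectoryReadAttempt = 12:55:19 EST Thu Jul 22 2010
      =   Read directory: http://<url>
      =   Success
      lastInstallAttempt = 12:57:42 EST Thu Jul 22 2010
      =   IPS-sig-S502-req-E4: Update completed successfully
      =   Success
      nextAttempt = 12:55:22 EST Fri Jul 23 2010
"""
SAMPLE_FAILED = """\
      lastDownloadAttempt = 12:55:20 EST Thu Jul 22 2010
      =   Download: http://<url>
      =   HTTP request failed
      nextAttempt = 13:00:22 EST Fri Jul 23 2010
"""

FIELD_RE = re.compile(r"^\s*(last\w+Attempt|nextAttempt)\s*=\s*(\d\d:\d\d:\d\d)")

def parse_auto_update_stats(text):
    """Map each *Attempt field to its timestamp and its final '=' result line."""
    stats, current = {}, None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            current = m.group(1)
            stats[current] = {"time": m.group(2), "status": None}
        elif current and line.strip().startswith("="):
            # Several '=' lines may follow a field; the last one is the verdict.
            stats[current]["status"] = line.strip().lstrip("=").strip()
    return stats

def diagnose(text):
    """Return the problems found, phrased against this article's checklist."""
    stats, problems = parse_auto_update_stats(text), []
    for field in ("lastDirectoryReadAttempt", "lastDownloadAttempt", "lastInstallAttempt"):
        entry = stats.get(field)
        if entry and entry["status"] != "Success":
            msg = f"{field}: {entry['status']}"
            if "HTTP request failed" in entry["status"]:
                msg += " (check firewall/proxy for TCP 443 then TCP 80 return traffic)"
            problems.append(msg)
    nxt = stats.get("nextAttempt")
    if nxt and nxt["time"].split(":")[1] == "00":
        problems.append("nextAttempt is on the hour; schedule it off the hour (e.g. 1:23am)")
    return problems
```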
              
            
        

      
4. Verifying Automatic Update Connectivity

   First run the packet display command below in the CLI to make sure that you don't see any non-interesting traffic. Then check the current time on the sensor with the show clock command and, in the GUI, set Automatic Updates to happen 2 minutes from that time, every 1 hour. In the CLI, make sure that the packet display command is running, and log the output. You should see TCP port 443 traffic to the AU control servers, followed by TCP port 80 traffic to the actual update servers.

      packet display <management interface> expression not host <management host>

   where the management host includes all hosts connecting to the sensor via IDM, IME, MARS, or the CLI. The traffic we expect to see is described in How Automatic Updates Work above.