We now have two installations that utilize a unified wireless (WLC or WiSM - AIR-LAP1131AG, AIR-LAP1231G, AIR-LAP1242AG access points) that have been exhibiting the following IDS false alarms:
We have TAC cases going back to October 2006 to address them and have upgraded to the latest/greatest version 188.8.131.52 in hopes of getting this solved.
Version 184.108.40.206 was supposed to have fixed these problems, and it did reduce some of the other false alarms (not listed). However, the two mentioned above persist.
Is anyone else out there experiencing this?
Yes. The controllers mistakenly treat APs as rogues and their rogue suppression as attacks. It's bug CSCse87066 (this was hidden from customer view until relatively recently.)
Note that the status says verified (and not resolved) despite also giving fixed-in releases. Just as you, we're still seeing the bug in 220.127.116.11 as well.
Boy I am glad someone is seeing this in the latest code. TAC stated that I upgrade but my SE requested not to. I am also seeing this alarm all the time and it's a pain. Please post when there is a permanent fix. Did v18.104.22.168 offer anything else worth upgrading to at this time?
The upgrade helped with some other assorted multicast and reporting bugs, so we did go ahead with it, and it didn't break anything new that we noticed. It didn't fix the bug it was supposed to either, but we didn't know that at the time. Overall we're still in a boat where we'll pretty much upgrade when a new version comes out, as it can't possibly be worse than the old versions.
Our account team had told us from the get go (and reiterated later last year) that the 4.x releases are bleeding edge feature releases and not recommended for production; the 3.x train was stable, but as we have a bunch of 1121-series APs we were forced to run 4.x.
Thank you for confirming this behavior.
In answer to your question, upgrading to 22.214.171.124 did get rid of the "Generic Netstumbler" IDS alarm that turned out to be another false positive.
As it turns out, there have been comments from Cisco that now indicate that .206 has stability issues (nice to know that now). However, we have not experienced any of these issues at the two installations where this version is operating.
I also wanted to point out that we went ahead and opened TAC cases for each error at each customer site.
Currently, most of them have reached a status of "Release Pending". (Now as to *WHICH* release....)
If you have not opened a TAC case for these issues, taking the time to do so will help Cisco be aware of the extent to which this problem exists in the field and, hopefully, will help them prioritize the fix to this problem.
I forgot to mention that TAC has tied two known bugs to the TAC cases that have been opened for the false "AP Impersonation" alarms: