
Field Notice: *Expired* FN - 13151 - WS-X6381-IDS Module Alarm Failure from Duplicate SPAN Packets


Updated August 09, 2005

May 4, 2001


NOTICE:

THIS FIELD NOTICE HAS BEEN ARCHIVED AND IS NO LONGER MAINTAINED OR UPDATED BY CISCO.

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE, WARRANTY OR SUPPORT. USE OF THE INFORMATION ON THIS FIELD NOTICE OR MATERIALS LINKED FROM THIS FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Products Affected

Product        Comments
WS-X6381-IDS   Catalyst 6000 Series Intrusion Detection System (IDS) Module

Problem Description

When a Catalyst 6000 series switch is configured to direct traffic to a WS-X6381-IDS module for monitoring from a bi-directional Switched Port Analyzer (SPAN) VLAN source or multiple SPAN source ports, the resulting duplication of some packets may cause the IDS module software to fail and cease transmitting alarms to its configured monitoring workstation.

This software bug is found only in WS-X6381-IDS module software releases 2.5(0)S0, 2.5(1)S0 and 2.5(1)S1, and is resolved in release 2.5(1)S2a. It is not found in any IDS sensor appliance software release.

Background

This software bug may result from the use of a bi-directional SPAN VLAN source or multiple SPAN source ports to direct traffic to the IDS module. It will not result from the use of an uni-directional SPAN VLAN source, a single SPAN source port, or a VLAN Access Control List (VACL).

  • A SPAN VLAN source is configured by issuing the set span vlan command in the switch supervisor configuration:

    set span [vlan] idsm_mod/1 [rx | tx | both]

    Using the both option designates that the SPAN VLAN source is bi-directional and may result in this bug. Using either the rx or tx option designates that the SPAN VLAN source is uni-directional and will not result in this bug.

  • A SPAN source port is configured by issuing the set span command in the switch supervisor configuration:

    set span [src_mod/src_port] idsm_mod/1 [rx | tx | both] [filter vlans...]

    Using multiple set span commands for different source ports may result in this bug. Using only one set span command for a single source port will not result in this bug.

  • A VACL is configured by issuing the set security acl ip command in the switch supervisor configuration:

    set security acl ip acl name permit (...) capture

    Using a VACL will not result in this bug.

Any combination of sources including at least one of the affected means may result in this bug.
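As an added example (not part of this field notice), the following Python audit scans CatOS supervisor configuration lines and flags any SPAN destination that is fed by one of the two affected patterns above: a VLAN source spanned with the both option, or more than one source port. The sample configuration lines are constructed, the regular expression is a simplified match of the two set span forms shown above, and an omitted direction keyword is assumed to mean both.

```python
import re
from collections import defaultdict

# Constructed sample of CatOS supervisor "set span" / "set security acl" lines
# (not taken from the field notice). Destination 6/1 is the IDSM in slot 6.
SAMPLE_CONFIG = """\
set span 100 6/1 both
set span 3/1 6/1 rx
set span 3/2 6/1 rx filter 10
set span 200 7/1 rx
set security acl ip IDSACL permit ip any any capture
"""

# Simplified match of "set span <src> <dest_mod/dest_port> [rx|tx|both] ...".
# <src> is either a VLAN number or a mod/port pair.
SPAN_RE = re.compile(r"^set span (\S+) (\d+/\d+)(?: (rx|tx|both))?")


def audit_span(config_text):
    """Return sorted (destination, reason) findings for SPAN destinations that use
    a bi-directional VLAN source or more than one source port."""
    vlan_both = defaultdict(list)   # dest -> VLAN sources spanned with "both"
    src_ports = defaultdict(list)   # dest -> individual source ports
    for line in config_text.splitlines():
        m = SPAN_RE.match(line.strip())
        if not m:
            continue                # VACL capture and unrelated lines are not affected
        src, dest, direction = m.groups()
        # Assumption: an omitted direction keyword means "both".
        direction = direction or "both"
        if "/" in src:
            src_ports[dest].append(src)
        elif direction == "both":
            vlan_both[dest].append(src)
    findings = []
    for dest in set(vlan_both) | set(src_ports):
        if vlan_both[dest]:
            findings.append((dest, "bi-directional SPAN VLAN source(s) " + ", ".join(vlan_both[dest])))
        if len(src_ports[dest]) > 1:
            findings.append((dest, "multiple SPAN source ports " + ", ".join(src_ports[dest])))
    return sorted(findings)


if __name__ == "__main__":
    for dest, reason in audit_span(SAMPLE_CONFIG):
        print(f"destination {dest}: {reason}")
```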

Problem Symptoms

When this software bug is encountered, the WS-X6381-IDS module will cease transmitting alarms. On the alarm monitoring workstation (running either Cisco Secure Intrusion Detection Director for UNIX or Cisco Secure Policy Manager) alarms will cease being reported from the affected IDS module. There is no other indication on the monitoring workstation that the IDS module has failed.

To verify that the IDS module has failed, issue the session command to connect to the module and then enter the show ip traffic command from the IDS module command line. If the module has failed, it will report a timeout error:

Console> (enable) show module

Mod Slot Ports Module-Type               Model               Sub Status
--- ---- ----- ------------------------- ------------------- --- --------
1   1    2     1000BaseX Supervisor      WS-X6K-SUP1A-2GE    yes ok
15  1    1     Multilayer Switch Feature WS-F6K-MSFC         no  ok
2   2    48    10/100BaseTX Ethernet     WS-X6248-RJ-45      no  ok
3   3    8     1000BaseX Ethernet        WS-X6408-GBIC       no  ok
6   6    2     Intrusion Detection System WS-X6381-IDS       no  ok

Mod Sub-Type                Sub-Model           Sub-Serial  Sub-Hw
--- ----------------------- ------------------- ----------- ------
1   L3 Switching Engine     WS-F6K-PFC          SAD040201S8 1.0

Console> (enable) session 6

Trying IDS-6...
Connected to IDS-6.
Escape character is '^]'.

login: login-id
password: password

IDS-6# show ip traffic

Monitor Interface Statistics:

Error timeout waiting for response

pktd alarms recv: 2056
pktd alarms lost: 0
.
.
.

Workaround/Solution

The workaround for this software bug is to avoid the use of bi-directional SPAN VLAN sources or multiple SPAN source ports to direct traffic to the IDS module. Uni-directional SPAN VLAN sources, a single SPAN source port, or VACLs may be used instead. Read more on how to configure these options in the Configuring the IDSM section of the Catalyst 6000 Intrusion Detection System Module Installation and Configuration Note.

The recommended solution for this problem is to upgrade all WS-X6381-IDS modules to software release 2.5(1)S2a, which is now available on CCO. Customers without support contracts may contact the TAC via the instructions at the end of this notice in order to receive the software update, giving this notice as proof of entitlement.

How To Upgrade Software

Follow the instructions in the Signature/NSDB and Service Pack Updates section of the Catalyst 6000 Intrusion Detection System Module Installation and Configuration Note in order to upgrade your WS-X6381-IDS software image to version 2.5(1)S2a.

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
