
Cisco Services Modules

Field Notice: *Expired* FN - 19109 - WS-X6381-IDS Module Alarm Failures


Revised May 28, 2008
July 8, 2002


NOTICE:

THIS FIELD NOTICE HAS BEEN EXPIRED AND IS NO LONGER MAINTAINED OR UPDATED BY CISCO.

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE, WARRANTY OR SUPPORT. USE OF THE INFORMATION ON THIS FIELD NOTICE OR MATERIALS LINKED FROM THIS FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Products Affected

Product | Comments
WS-X6381-IDS | Catalyst 6000 Intrusion Detection System Module

Problem Description

There are a number of known issues affecting the Cisco WS-X6381-IDS Intrusion Detection System Module 3.0 software for the Catalyst 6000 series switches, all with similar symptoms related to alarm generation. All of the known issues have been resolved or mitigated in the Cisco IDS module version 3.0(4)S20.

None of these issues are present in the Cisco IDS line of sensor appliances.

Background

Changes made to the WS-X6381-IDS module software version 3.0 to support Cisco IOS® Software, in addition to the Catalyst software, introduced a series of timing errors leading to failures. Other failures also result from software bugs in the processing of signatures in version 2.5 and version 3.0 of the WS-X6381-IDS modules.

Problem Symptoms

All of these issues have similar symptoms affecting the generation of alarms.

The packetd process stops generating alarms. If a show ip traffic command is executed, there will not be any packet statistics for the monitoring interface.

If packetd is working properly it will show full statistics for the monitoring interface:

idsm# show ip traffic
    Monitor Interface Statistics: 

    Statistics from: 01/07/2002 14:15:55 
    Number of seconds: 66187 

    IP Packets: 202167908 
    Filtered Packets: 0 
    ICMP Packets: 889257 
    TCP Packets: 196621193
    UDP Packets: 4629307 
    Other Packets: 42820114
    ...

If packetd is no longer responding, the query will time out:

idsm# show ip traffic 
    Monitor Interface Statistics: 

    Error timeout waiting for response

For CSCdw54836, the Monitor Interface Statistics are reported, but all packet counters are zero:

idsm# show ip traffic 
    Monitor Interface Statistics: 

    Statistics from: 01/07/2002 14:15:55 
    Number of seconds: 66187 

    IP Packets: 0 
    Filtered Packets: 0 
    ICMP Packets: 0 
    TCP Packets: 0 
    UDP Packets: 0 
    Other Packets: 0 
    ...

If the missed packet signature (number 993) is enabled, then alarms for between 90 and 100 percent missed packets will be sent to the monitoring console (Cisco Secure Policy Manager or Cisco IDS Director).
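The three show ip traffic outcomes above can be told apart mechanically when polling the module. The following is an added example, not Cisco code: the function names and state labels are hypothetical, and the sample captures are reproduced from the outputs shown in this notice.

```python
import re

# Counter lines as printed in the notice, e.g. "    TCP Packets: 196621193".
COUNTER_RE = re.compile(r"^[ \t]*([A-Za-z]+ Packets):[ \t]*(\d+)[ \t]*$", re.MULTILINE)
TIMEOUT_TEXT = "Error timeout waiting for response"

def parse_counters(output):
    """Return {counter name: value} for every '<name> Packets: <n>' line."""
    return {name: int(value) for name, value in COUNTER_RE.findall(output)}

def classify(output):
    """Map one 'show ip traffic' capture to a state (labels are hypothetical)."""
    if TIMEOUT_TEXT in output:
        return "packetd-unresponsive"   # the query timed out
    counters = parse_counters(output)
    if not counters:
        return "no-statistics"          # header only, or unrecognized text
    if all(value == 0 for value in counters.values()):
        return "all-zero-counters"      # symptom listed for CSCdw54836
    return "healthy"

HEADER = "idsm# show ip traffic\n    Monitor Interface Statistics:\n\n"
STAMP = "    Statistics from: 01/07/2002 14:15:55\n    Number of seconds: 66187\n\n"

# Sample captures reproduced from the outputs shown in the notice.
HEALTHY = HEADER + STAMP + (
    "    IP Packets: 202167908\n    Filtered Packets: 0\n"
    "    ICMP Packets: 889257\n    TCP Packets: 196621193\n"
    "    UDP Packets: 4629307\n    Other Packets: 42820114\n    ...\n")
TIMED_OUT = HEADER + "    Error timeout waiting for response\n"
ZEROED = HEADER + STAMP + (
    "    IP Packets: 0\n    Filtered Packets: 0\n    ICMP Packets: 0\n"
    "    TCP Packets: 0\n    UDP Packets: 0\n    Other Packets: 0\n    ...\n")

if __name__ == "__main__":
    for label, capture in (("healthy sample", HEALTHY),
                           ("timeout sample", TIMED_OUT),
                           ("zero sample", ZEROED)):
        print(label, "->", classify(capture))
```

Any state other than healthy matches a symptom in this notice and calls for the workaround or the upgrade described below.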

Workaround/Solution

Workaround

The only workaround for systems exhibiting these symptoms is to reboot the WS-X6381-IDS line card from the Supervisor module using the reset command in privileged mode. However, the symptoms may return.

The Catalyst software syntax is reset module_number, and the Cisco IOS Software syntax is hw-module module module_number reset. For more details, refer to the Installation and Configuration Note.

Solution

All of the issues have been resolved or mitigated in the 3.0(4)S20 release. For the two issues that have not been resolved in 3.0(4)S20, the mitigations included prevent them from occurring for the majority of users that have been experiencing them.

For details on which issues are resolved and mitigated in 3.0(4)S20, view the DDTS section below. For the resolution status of the two issues mitigated in 3.0(4)S20, follow the DDTS links to the up-to-date information in the Bug Toolkit (registered customers only).

The 3.0(4)S20 release is now available on Cisco.com. Customers experiencing any problems related to alarm generation in an earlier 3.0 release should upgrade to 3.0(4)S20 or later.

DDTS

DDTS | Description
CSCdv77620 (registered customers only) | IDSM with 3.0.1 no longer generates alarms (resolved as of 3.0(3)S10)
CSCdw39154 (registered customers only) | IDSM - packetd stops generating alarms and responding to show ip tra (resolved as of 3.0(3)S10)
CSCdw48416 (registered customers only) | IDSM - packetd stops alarming - memory heap error (mitigated as of 3.0(3)S13)
CSCdw48039 (registered customers only) | IDSM - packetd stops alarming - onyx performance drops real low (mitigated as of 3.0(3)S13)
CSCdw49651 (registered customers only) | IDSM with 3.0.3 no longer generates alarms (resolved as of 3.0(4)S20)
CSCdw71329 (registered customers only) | IDSM 3.0(3)S10 - stops alarming - onyx card reboots (resolved as of 3.0(4)S20)
CSCdw54836 (registered customers only) | Packets and events are no longer captured after a sigupdate install (resolved as of 3.0(4)S20)

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

Product Alert Tool - Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.