There are a number of known issues affecting the Cisco WS-X6381-IDS Intrusion Detection System Module 3.0 software for the Catalyst 6000 series switches which have similar symptoms related to alarm generation. All of the known issues have been resolved or mitigated in the Cisco IDS module version 3.0(4)S20.
None of these issues are present in the Cisco IDS line of sensor appliances.
Changes made to the WS-X6381-IDS module software version 3.0 to support Cisco IOS® Software, in addition to the Catalyst software, introduced a series of timing errors leading to failures. Other failures also result from software bugs in the processing of signatures in version 2.5 and version 3.0 of the WS-X6381-IDS modules.
All of these issues have similar symptoms affecting the generation of alarms.
The packetd process stops generating alarms. If a show ip traffic command is executed, there will not be any packet statistics for the monitoring interface.
If packetd is working properly it will show full statistics for the monitoring interface:
idsm# show ip traffic
Monitor Interface Statistics:
Statistics from: 01/07/2002 14:15:55
Number of seconds: 66187
IP Packets: 202167908
Filtered Packets: 0
ICMP Packets: 889257
TCP Packets: 196621193
UDP Packets: 4629307
Other Packets: 42820114
...
If packetd is no longer responding, the query will time out:
idsm# show ip traffic
Monitor Interface Statistics:
Error timeout waiting for response
For CSCdw54836, the Monitor Interface Statistics are reported, but all packet counters are zero:
idsm# show ip traffic
Monitor Interface Statistics:
Statistics from: 01/07/2002 14:15:55
Number of seconds: 66187
IP Packets: 0
Filtered Packets: 0
ICMP Packets: 0
TCP Packets: 0
UDP Packets: 0
Other Packets: 0
...
If the missed packet signature (number 993) is enabled, then alarms for between 90 and 100 percent missed packets will be sent to the monitoring console (Cisco Secure Policy Manager or Cisco IDS Director).
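The three show ip traffic outcomes described above can be told apart automatically when the command output is collected on a schedule. The following is an added example, not Cisco code: the function names, the state labels and the 60-second minimum interval are assumptions, and collecting the output from the module is left to the operator.

```python
import re

TIMEOUT_MARKER = "Error timeout waiting for response"
COUNTER_RE = re.compile(r"\b(IP|Filtered|ICMP|TCP|UDP|Other) Packets:\s*(\d+)")
SECONDS_RE = re.compile(r"Number of seconds:\s*(\d+)")
# Filtered Packets is 0 even in the healthy sample, so it is not a health signal.
TRAFFIC = ("IP", "ICMP", "TCP", "UDP", "Other")

def parse_counters(output):
    """Return {counter name: value}; works on one-line or multi-line output."""
    return {name: int(value) for name, value in COUNTER_RE.findall(output)}

def classify(output, min_seconds=60):
    """Map 'show ip traffic' output to one of the states in this notice.

    min_seconds is an assumed guard so that a freshly started statistics
    interval is not reported as the all-zero symptom.
    """
    if TIMEOUT_MARKER in output:
        return "packetd-unresponsive"      # the query timed out
    counters = parse_counters(output)
    seconds = SECONDS_RE.search(output)
    if not counters or seconds is None:
        return "unrecognized-output"       # never treat unknown text as healthy
    if int(seconds.group(1)) >= min_seconds and all(
            counters.get(name, 0) == 0 for name in TRAFFIC):
        return "zero-counters"             # symptom described for CSCdw54836
    return "ok"

# Sample outputs as shown in this notice (single-line form).
HEADER = ("idsm# show ip traffic Monitor Interface Statistics: "
          "Statistics from: 01/07/2002 14:15:55 Number of seconds: 66187 ")
HEALTHY = HEADER + ("IP Packets: 202167908 Filtered Packets: 0 "
                    "ICMP Packets: 889257 TCP Packets: 196621193 "
                    "UDP Packets: 4629307 Other Packets: 42820114")
ZEROED = HEADER + ("IP Packets: 0 Filtered Packets: 0 ICMP Packets: 0 "
                   "TCP Packets: 0 UDP Packets: 0 Other Packets: 0")
TIMEOUT = ("idsm# show ip traffic Monitor Interface Statistics: "
           "Error timeout waiting for response")

if __name__ == "__main__":
    for label, sample in (("healthy", HEALTHY), ("zeroed", ZEROED),
                          ("timeout", TIMEOUT)):
        print(label, "->", classify(sample))
```

Either non-ok state calls for the module reset described in the workaround and, for a lasting fix, the upgrade to 3.0(4)S20 or later.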
The only workaround for systems exhibiting these symptoms is to reboot the WS-X6381-IDS line card from the Supervisor module using the reset command in privileged mode. However, the symptoms may return.
The Catalyst software syntax is reset module_number, and the Cisco IOS Software syntax is hw-module module module_number reset. For more details, refer to the Installation and Configuration Note.
All of the issues have been resolved or mitigated in the 3.0(4)S20 release. For the two issues that have not been resolved in 3.0(4)S20, the mitigations included prevent them from occurring for the majority of users that have been experiencing them.
For details on which issues are resolved and mitigated in 3.0(4)S20, view the DDTS section below. For the resolution status of the two issues mitigated in 3.0(4)S20, follow the DDTS links to the up-to-date information in the Bug Toolkit (registered customers only).
The 3.0(4)S20 release is now available on Cisco.com. Customers experiencing any problems related to alarm generation in an earlier 3.0 release should upgrade to 3.0(4)S20 or later.
For More Information
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods: