
CiscoWorks VPN/Security Management Solution

Field Notice: Configuring a Circular Path Between Security Monitoring Hosts with Security Monitor (SecMon) Software Version 2.0 or 2.0.1 Can Cause Catastrophic Network Security Monitoring Failure


January 21, 2005


Products Affected

Security Monitor - Security Monitor Software Versions 2.0 and 2.0.1

Problem Description

With Security Monitor 2.0 or 2.0.1, if a circular path is configured between Security Monitor hosts, a single event can be forwarded along the path and stored in each host's database many times. As a result, many of the system's resources can be tied up receiving and sending this single event, and the database fills with copies of it.

Background

The 2.0 and 2.0.1 version releases of Security Monitor added the ability to forward events from one Security Monitor host to another by creating a Remote Security Monitor device in the device list of the receiving host. The receiving Security Monitor host then establishes a secure TLS connection with the Remote Security Monitor host and receives events from it.

It is possible for a receiving Security Monitor host to also serve events to another Security Monitor. This feature allows users to set up a hierarchy of Security Monitor hosts, but it could lead to a problem if there is a return path for events back to the host that originally served them. In the simplest case this return path is set up when two different Security Monitor Hosts appear as Remote Security Monitor Host devices in each other's device table. More complicated scenarios involving more than two hosts are possible. For an example, refer to the figure in the Workaround/Solution section of this field notice.

When a circular path is created, a single event can be forwarded along the path and stored in each host's database many times. As a result, many of the system's resources can be tied up receiving and sending this single event, and the database fills with copies of it.

Problem Symptoms

If Security Monitor has been upgraded to 2.0 or 2.0.1 and a circular path has accidentally been configured between Security Monitor hosts, the system resources may become overwhelmed with updating the database with duplicate events. The system or database could become unusable if the configuration is left uncorrected.

Workaround/Solution

Security Monitors should not be set up in a circular configuration. Security Monitors should be arranged hierarchically.

[Figure fn61942_i9165u.jpe]
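One way to check a planned forwarding layout for the circular paths described above before configuring it. This is an added example, not Cisco code; the host names and the dictionary form of each host's device table are assumptions made for illustration.

```python
"""Check a Security Monitor forwarding layout for circular paths."""

# Constructed sample layouts. Each key is a receiving host; the value lists the
# hosts entered in its device table as Remote Security Monitor devices.
MUTUAL = {"secmon-a": ["secmon-b"], "secmon-b": ["secmon-a"]}
THREE_HOST = {"secmon-a": ["secmon-c"], "secmon-b": ["secmon-a"],
              "secmon-c": ["secmon-b"]}
HIERARCHY = {"secmon-top": ["secmon-east", "secmon-west"],
             "secmon-east": ["secmon-e1"], "secmon-west": []}


def find_circular_paths(device_tables):
    """Return circular paths found by a depth-first walk of the layout.

    An empty list means no circular path exists. Each path is a list of hosts
    in pull order (each host pulls from the next, the last pulls from the
    first), rotated so the alphabetically smallest host comes first.
    """
    cycles = set()
    done = set()  # hosts whose downstream hosts have all been explored

    def visit(host, path, on_path):
        on_path.add(host)
        path.append(host)
        for remote in device_tables.get(host, ()):
            if remote in on_path:
                # Back edge: the hosts from 'remote' to here form a loop.
                loop = path[path.index(remote):]
                pivot = loop.index(min(loop))
                cycles.add(tuple(loop[pivot:] + loop[:pivot]))
            elif remote not in done:
                visit(remote, path, on_path)
        path.pop()
        on_path.discard(host)
        done.add(host)

    for host in sorted(device_tables):
        if host not in done:
            visit(host, [], set())
    return sorted(list(c) for c in cycles)


if __name__ == "__main__":
    for name, layout in (("mutual", MUTUAL), ("three-host", THREE_HOST),
                         ("hierarchy", HIERARCHY)):
        loops = find_circular_paths(layout)
        print(name, "->", loops if loops else "no circular path")
```

A host that lists itself as a Remote Security Monitor device is reported as a one-host loop.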

DDTS

To follow the bug ID link below and see detailed bug information, you must be a registered user and you must be logged in.

DDTS: CSCsa37251 (registered customers only)
Description: Pulling events from SecMon to SecMon should be in a single direction

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
