CSC SSM Administrator Guide. Version 6.3
Troubleshooting Trend Micro InterScan for Cisco CSC SSM


Table Of Contents

Troubleshooting Trend Micro InterScan for Cisco CSC SSM

Troubleshooting Installation

What To Do If Installation Fails

Troubleshooting Activation

Troubleshooting Basic Functions

Cannot Log On

Recovering a Lost Password

Summary Status and Log Entries Out of Sync

Delays in HTTP Connections

Access to Some Websites Is Slow or Inaccessible

Performing a Packet Capture

FTP Download Does Not Work

Reimaging or Recovery of CSC Module

Troubleshooting Scanning Functions

Cannot Update the Pattern File

Spam Not Being Detected

Cannot Create a Spam Stamp Identifier

Unacceptable Number of Spam False Positives

Cannot Accept Any Spam False Positives

Unacceptable Amount of Spam

Virus Is Detected but Cannot Be Cleaned

Virus Scanning Not Working

Scanning Not Working Because of Incorrect Service-Policy Configuration

Scanning Not Working Because the CSC SSM Is in a Failed State

Downloading Large Files

Enabling Deferred Scanning

Restart Scanning Service

Troubleshooting Performance

CSC SSM Console Timed Out

Status LED Flashing for Over a Minute

ASDM Cannot Communicate with SSM

Logging in Without Going Through ASDM

CSC SSM Throughput is Significantly Less Than ASA

Troubleshooting User/Group Policy

Diagnostics Tools

Microsoft Active Directory Service Interfaces Editor (ADSI Edit)

Windows Event Viewer

Domain Controller Agent Debugging

Enabling Domain Controller Agent Debugging

Console Mode

CSC SSM Debugging

Domain Controller Agent, Active Directory, and User Identification Troubleshooting

Domain Controller Agent Installation or Service Failure

Domain Controller Agent Connectivity

Domain Controller Server Connectivity

Connectivity

AD/LDAP Searching

User Identification

Collecting Data for Trend Micro Support

Known Issues

Using Knowledge Base

Using the Security Information Center

Before Contacting Cisco TAC


Troubleshooting Trend Micro InterScan for Cisco CSC SSM


This chapter describes how to troubleshoot various issues, and includes the following sections:

Troubleshooting Installation

What To Do If Installation Fails

Troubleshooting Activation

Troubleshooting Basic Functions

Troubleshooting Scanning Functions

Troubleshooting Performance

Troubleshooting User/Group Policy

Known Issues

Using the Security Information Center

Before Contacting Cisco TAC

Troubleshooting Installation

The following describes how to install using the CLI. If problems occur during the installation, see the "What To Do If Installation Fails" section.

To install the CSC SSM via the CLI, perform the following steps.


Step 1 Enter the following command to begin the installation:

hostname(config)# hw-module module 1 recover configure

Step 2 Answer the prompts (image URL, port IP address, VLAN ID, gateway IP address), then boot the module with the recover boot command and enable module-boot debugging so the ROMMON messages are echoed to the console. Output similar to the following appears:

Image URL [tftp://171.69.1.129/dqu/csc6.3.xxxx.x.bin]: 
Port IP Address [0.0.0.0]: 
VLAN ID [0]: 
Gateway IP Address [0.0.0.0]: 
hostname(config)# hw-module module 1 recover boot

The module in slot 1 will be recovered. This may
erase all configuration and all data on that device and
attempt to download a new image for it.
Recover module in slot 1? [confirm] 
Recover issued for module in slot 1
hostname(config)# 
hostname(config)# debug module-boot 
debug module-boot enabled at level 1

Step 3 After about a minute, the CSC SSM goes into the ROMMON mode, and prints messages similar to the following:

hostname(config)# Slot-1 206> Cisco Systems ROMMON Version (1.0(10)0) #0: Sat Mar 26 00:13:50 PST 2007
Slot-1 207> domainname@yourdomain.com:/pixab/biosbuild/1.0.10.0/boot/rommon
Slot-1 208> Platform ASA-SSM-AIP-10-K9
Slot-1 209> GigabitEthernet0/0
Slot-1 210> Link is UP
Slot-1 211> MAC Address: 000b.fcf8.01b3
Slot-1 212> ROMMON Variable Settings:
Slot-1 213> ADDRESS=30.0.0.3
Slot-1 214> SERVER=171.69.1.129
Slot-1 215> GATEWAY=30.0.0.254
Slot-1 216> PORT=GigabitEthernet0/0
Slot-1 217> VLAN=untagged
Slot-1 218> IMAGE=dqu/csc6.3.xxxx.x.bin
Slot-1 219> CONFIG=
Slot-1 220> LINKTIMEOUT=20
Slot-1 221> PKTTIMEOUT=2
Slot-1 222> RETRY=20
Slot-1 223> tftp dqu/csc6.3.xxxx.x.bin@171.69.1.129 via 30.0.0.254

Step 4 The CSC SSM attempts to connect to the TFTP server to download the image.


Note The TFTP server must support file sizes greater than 60 MB. The .bin files are full binary images that are transferred to the module via a TFTP server. The .pkg files are used to upgrade image files from the CSC Admin Console and are uploaded through a web browser. Do not upload .bin files using the CSC Admin Console.


Step 5 After several seconds, output similar to the following appears:

Slot-1 224> 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Slot-1 225> 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Slot-1 226> 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Slot-1 227> 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Slot-1 228> 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
. . . [ output omitted ]. . .
Slot-1 400> 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Slot-1 401> 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Slot-1 402> 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Slot-1 403> 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Slot-1 404> 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Slot-1 405> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Slot-1 406> Received 59501255 bytes

The TFTP download is complete. Note the number of received bytes, which should be the same size as the CSC SSM image.

Step 6 The ROMMON mode then launches the image.

Slot-1 407> Launching TFTP Image...

The image is being unpacked and installed.

Step 7 After several minutes, the CSC SSM reboots.

Step 8 Messages similar to the following appear:

Slot-1 408> Cisco Systems ROMMON Version (1.0(10)0) #0: Sat Mar 26 00:13:50 PST 2007
Slot-1 409> morlee@bowmore:/pixab/biosbuild/1.0.10.0/boot/rommon
Slot-1 410> Platform ASA-SSM-AIP-10-K9
Slot-1 411> Launching BootLoader...

After a minute or two, the CSC SSM boots up.

Step 9 To verify that the CSC SSM has booted correctly, enter the following command:

hostname(config)# show module 1

Step 10 Output similar to the following appears:


Mod Card Type                                    Model              Serial No. 
--- -------------------------------------------- ------------------ -----------
  1 ASA 5520/5530 AIP Security Service Module-10 ASA-SSM-AIP-10-K9  P00000000TT

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version     
--- --------------------------------- ------------ ------------ ---------------
  1 000b.fcf8.01b3 to 000b.fcf8.01b3  1.0          1.0(10)0     CSC SSM 6.3.xxxx.x

Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- --------------------------
  1 CSC SSM                        Down             6.3.xxxx.x

Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
  1 Up                 Up  


Note Look for the two instances of "Up" in the Mod Status table (the last line of the output). The "Down" entry in the Status field of the SSM Application Name table indicates that the card is not yet activated.



What To Do If Installation Fails

Table 8-1 describes what to do if installation fails during the procedure described in the "Troubleshooting Installation" section.

Table 8-1 What to Do If Installation Fails 

If installation fails at Step 3:

a. Make sure the TFTP server supports downloading of files larger than 60 MB.

b. Check the size of the CSC image as it appears on your TFTP server.

c. Compute the MD5 checksum of the image on the TFTP server and verify that it matches the checksum published with the image.

d. Verify the size of the image that transferred according to the verbose output of the adaptive security appliance.

If installation fails at Step 4:

a. Make sure you set the gateway IP address to 0.0.0.0 if your TFTP server is in the same IP subnet as the CSC SSM.

b. If there is any router or firewall between the CSC SSM and your TFTP server, make sure these gateways allow TFTP traffic through UDP port 69. Only the initial request goes to port 69; the server answers from an ephemeral UDP port, so a stateless filter must also allow that return traffic (a firewall that inspects TFTP opens it automatically). Also verify that routes are set up correctly on these gateways and on the TFTP server.

c. Verify that the image path exists on the TFTP server, and that the directory and file are readable to all users.

If installation fails at Step 6:

Verify the total number of bytes downloaded. If the number differs from the size of the CSC SSM image, your TFTP server may not support files of that size. In this case, try another TFTP server.

If installation fails at Step 7 or Step 9:

Download the image again and try to install it again. For more information, see Appendix B, "Preparing to Reimage the Cisco CSC SSM." If the installation is not successful a second time, contact Cisco TAC.
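The checks in Table 8-1 (MD5 against the published checksum, image size, and the byte count ROMMON reports) can be scripted against the saved console output. The following is an added example, not code from the Cisco guide: it reads a local copy of the image, compares its MD5 with a checksum you supply, and parses the "Received N bytes" line out of the debug module-boot output to detect a truncated TFTP transfer. The image file, checksum and console fragments used below are constructed for the demo; on a real system pass the downloaded .bin, the checksum from the Cisco download page and the captured console log.

```python
"""Verify a CSC SSM recovery image against the Table 8-1 checks.

Added example, not from the Cisco guide. The image file, the checksum and
the console log fragments are constructed for the demo.
"""
import hashlib
import os
import re
import tempfile

# ROMMON prints the transfer result as "Slot-1 406> Received 59501255 bytes".
RECEIVED_RE = re.compile(r"Slot-\d+\s+\d+>\s*Received\s+(\d+)\s+bytes")


def parse_received_bytes(console_log):
    """Byte count from the last 'Received N bytes' line, or None if absent."""
    found = RECEIVED_RE.findall(console_log)
    return int(found[-1]) if found else None


def md5_of_file(path):
    """Hex MD5 of a file, read in 1 MiB chunks so a 60 MB image is not slurped."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_image(path, published_md5, console_log):
    """Run the checks; return each result plus a verdict naming the failing step."""
    size = os.path.getsize(path)
    received = parse_received_bytes(console_log)
    md5_ok = md5_of_file(path) == published_md5.strip().lower()
    size_ok = received == size
    if not md5_ok:
        verdict = "image does not match the published MD5; re-download it (Step 3)"
    elif received is None:
        verdict = "no 'Received N bytes' line; the TFTP transfer never completed (Step 4)"
    elif not size_ok:
        verdict = "truncated transfer: ROMMON received %d of %d bytes (Step 6)" % (received, size)
    else:
        verdict = "image verified"
    return {"size": size, "received": received, "md5_ok": md5_ok,
            "size_ok": size_ok, "verdict": verdict}


def write_demo_image(n_bytes):
    """Create a throwaway image file of n_bytes (demo only); returns (path, its MD5)."""
    data = bytes(i % 251 for i in range(n_bytes))
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path, hashlib.md5(data).hexdigest()


# Constructed console fragments in the format shown earlier in this section.
DEMO_LOG_OK = ("Slot-1 405> !!!!!!!!!!\n"
               "Slot-1 406> Received 4096 bytes\n"
               "Slot-1 407> Launching TFTP Image...\n")
DEMO_LOG_SHORT = "Slot-1 405> !!!!!\nSlot-1 406> Received 2048 bytes\n"

if __name__ == "__main__":
    demo_path, demo_md5 = write_demo_image(4096)
    try:
        for log in (DEMO_LOG_OK, DEMO_LOG_SHORT):
            print(verify_image(demo_path, demo_md5, log)["verdict"])
    finally:
        os.unlink(demo_path)
```

Run the MD5 check against the copy that sits on the TFTP server, not the copy on your workstation; Table 8-1 is asking whether the file the module will fetch is intact.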


Troubleshooting Activation

Before taking any other action, make sure that the clock is set correctly on the adaptive security appliance. For more information, see the following:

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide

ASDM online help

Use the show module, show module 1, and show module 1 details commands to verify that the CSC SSM has been activated successfully. If you cannot resolve the problem using the output from these commands, contact Cisco TAC.

Troubleshooting Basic Functions

This section describes issues you may encounter with basic functions, and includes the following topics:

Cannot Log On

Recovering a Lost Password

Summary Status and Log Entries Out of Sync

Delays in HTTP Connections

Access to Some Websites Is Slow or Inaccessible

FTP Download Does Not Work

Reimaging or Recovery of CSC Module


Note You must configure the syslog server to save the log buffer content to a file, so that it will be available for troubleshooting and debugging purposes.


Cannot Log On

You specified an administrator password when you installed Trend Micro InterScan for Cisco CSC SSM with the Setup Wizard. You must use the password you created during installation to log in, which is not the same password that you use to access ASDM. Passwords are case-sensitive; be sure you have entered the characters correctly.

If you forget your password, it can be recovered. For more information, see Recovering a Lost Password.

Recovering a Lost Password

The two passwords used to manage the CSC SSM are as follows:

The ASDM/Web interface/CLI password

The root account password

The default entry for both passwords is "cisco."

To recover your passwords in case you lose one or more of them, consider the following:

If you have the ASDM/Web interface/CLI password, but have lost the root account password, you can continue to manage the CSC SSM via the web interface.

Unless you have configured the password-reset policy to "Allowed," you cannot use the root account in the future. If the password-reset policy is set to "Denied," recovering these two passwords requires reimaging of the CSC SSM and restoration of the configuration according to the subsequent procedure. For more information, see the "Modifying the Password-reset Policy" section on page B-11.


Caution Access the root account only under the supervision of Cisco TAC. Unauthorized modifications made through the root account are not supported and require that the device be reimaged to guarantee correct operation.

If you have lost all passwords, you must reimage the device and restore the configuration, unless you have configured the password-reset policy to "Allowed."

To reimage the CSC SSM and recover the configuration, perform the following steps:


Step 1 Reimage the CSC SSM, which restores the factory default settings. Reimaging transfers a factory default software image to the SSM. To transfer an image, see the "Reimaging and Configuring the CSC SSM Using the CLI" section on page B-1.

After reimaging, all passwords are restored to their default value.

Step 2 Reactivate the device and log in using the default password "cisco," and then create a new ASDM password.

Step 3 Use the new ASDM password to access the CSC SSM interface. Choose Administration > Configuration Backup.

Step 4 To restore the configuration settings, import the most recent configuration backup.

Step 5 After you have imported the configuration backup, browse through all of the configurations to verify their accuracy.


Summary Status and Log Entries Out of Sync

You may occasionally notice that the counters displayed on the Mail (SMTP), Mail (POP3), Web (HTTP), and File Transfer (FTP) tabs of the Summary window do not synchronize with the statistics displayed in the log reports. In the CSC SSM console, choose Logs > Query to access the logs. This mismatch happens because of the following:

The logs are reset by a reboot that occurs either because of a device error or following the installation of a patch.

Logs may be purged because of limited memory storage on the SSM.

Delays in HTTP Connections

A delay of approximately 30 seconds can occur if you have URL filtering enabled on the CSC SSM, but the CSC SSM does not have access to the Internet via HTTP. Trend Micro maintains an online database that stores URLs in different categories. The CSC SSM first checks the local URL filtering database. If no entry is located, then the CSC SSM tries to access the URL database when processing an HTTP request from a client. If you cannot grant Internet access to the CSC SSM (either direct or indirect via a proxy), disable URL filtering.

In addition, disabling Deferred Scanning may cause large file transfers to be slow or time out.

Access to Some Websites Is Slow or Inaccessible

There are some websites, such as banks, online shopping sites, or other special purpose servers that require extra backend processing before responding to a client request. The CSC SSM has a non-configurable, 90-second timeout between the client request and the server response to prevent transactions from tying up resources on the CSC SSM for too long. This means that transactions that take a longer time to process will fail. The workaround is to exclude the site from scanning.

For example, for a site on the outside network with the IP address 100.100.10.10:

    ! exempt http traffic to 100.100.10.10
    access-list 101 deny tcp any host 100.100.10.10 eq http
    ! catch everything else
    access-list 101 permit tcp any any eq http
    class-map my_csc_class
          match access-list 101
    policy-map my_csc_policy
         class my_csc_class
             csc fail-close
    service-policy my_csc_policy interface inside

This configuration exempts HTTP traffic to 100.100.10.10 from being scanned by the CSC SSM. The deny entry must precede the permit entry: the access list is evaluated top down, and if the catch-all permit came first the flow to 100.100.10.10 would be diverted to the SSM like any other. The fail-close keyword drops traffic that matches the class while the SSM is unavailable; the exempted site is not affected by it because its traffic never matches the class.

Performing a Packet Capture

If there are sites you can access without going through the CSC SSM, but cannot access when traffic is being scanned, report the URL to Cisco TAC. If possible, do a backplane packet capture and send the information to Cisco TAC also.

For example, if the client has an IP address, 1.1.1.1, and the outside website has an IP address, 2.2.2.2:

access-list cap_acl permit tcp host 1.1.1.1 host 2.2.2.2
capture cap access-list cap_acl interface inside

To perform a packet capture, perform the following steps:


Step 1 Log in to the CLI.

Step 2 Enter the following command:

hostname(config)# capture csc_cap interface asa_dataplane buffer 10485760


Note The capture buffer in this example is 10485760 bytes (10 MB).


Step 3 Start the traffic testing.

Step 4 Enter the following command to transfer the captured buffer out of the box:

hostname(config)# copy /pcap capture:csc_cap tftp://IP/path

Step 5 Enter the following command to stop the capture:

hostname(config)# no capture csc_cap interface asa_dataplane


Note You can use the last command to reset or clear the buffer between tests, but you must reenter the capture command.



FTP Download Does Not Work

If your FTP login works, but you cannot download via FTP, do the following:

Verify that the inspect ftp setting is enabled on the adaptive security appliance.

Verify that Deferred Scanning is enabled on the FTP Scanning page.

For more information, see the Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide.

Reimaging or Recovery of CSC Module

During reimaging or recovery of a CSC module, it is possible to type the address of the TFTP server or the file name incorrectly. If this occurs, the CSC module continuously reboots, attempting the reimaging with the invalid configuration information provided. To stop the reimaging process and correct the configuration, enter the hw-module module 1 recover stop command in global configuration mode, then rerun hw-module module 1 recover configure with the corrected values.

Troubleshooting Scanning Functions

This section describes issues that you may encounter with scanning for viruses or spam, and includes the following topics:

Cannot Update the Pattern File

Spam Not Being Detected

Cannot Create a Spam Stamp Identifier

Unacceptable Number of Spam False Positives

Cannot Accept Any Spam False Positives

Unacceptable Amount of Spam

Virus Is Detected but Cannot Be Cleaned

Virus Scanning Not Working

Downloading Large Files

Restart Scanning Service

Cannot Update the Pattern File

If the pattern file is out-of-date and you are unable to update it, the most likely cause is that your Maintenance Agreement has expired. Check the Expiration Date field in the Administration > Product License window. If the date shown is in the past, you cannot update the pattern file until you renew your Maintenance Agreement.

If the pattern file is current, the following may be true:

The Trend Micro ActiveUpdate server is temporarily down. Try to update the pattern file again in a few minutes.

Check the network settings and the connectivity of the SSM, including the proxy settings.

Spam Not Being Detected

If the anti-spam feature does not seem to be working, be sure that the following is true:

You have the Plus License installed and it is current.

You must have a valid Plus License and the correct DNS settings for the network-based, anti-spam Email Reputation to function correctly.

You have enabled the feature; the anti-spam option is not enabled by default. For more information, see Enabling SMTP and POP3 Spam Filtering, page 3-9.

You have configured the incoming mail domain. The content-based anti-spam scanning is only applied to mail recipients belonging to Incoming Domains. For more information, see Configuring SMTP Settings, page 3-7.

Cannot Create a Spam Stamp Identifier

A spam stamp identifier is a message that appears in the e-mail message subject. For example, for a message titled "Q3 Report," if the spam stamp identifier is defined as "Spam:," the message subject would appear as "Spam:Q3 Report."

If you are having problems creating a spam identifier, make sure you are using only English uppercase and lowercase characters, the digits 0-9, or the set of special characters shown in Figure 8-1.

Figure 8-1 Special Characters for Spam Stamp Identifier


Note If you try to use characters other than those specified, you cannot use the spam identifier for SMTP and POP3 messages.


Unacceptable Number of Spam False Positives

Your spam filtering threshold may be set at a level that is too aggressive for your organization. Assuming you adjusted the threshold to Medium or High, try a lower setting in the threshold fields on the Mail (SMTP) > Anti-spam > SMTP Incoming Anti-spam window and the Mail (POP3) > Anti-spam > POP3 Anti-spam windows. Also enable the anti-spam "stamp message" feature on the SMTP Incoming Anti-spam window and the POP3 Anti-spam windows. For more information, see the online help for these two windows.

Also, if users in your network are receiving newsletters through e-mail, this type of message tends to trigger a high number of false positives. Add the e-mail address or domain name to the approved senders list to bypass spam filtering on these messages.

Cannot Accept Any Spam False Positives

Some organizations, such as banks and other financial institutions, cannot risk any message being identified as a false positive. In this case, disable the anti-spam feature for SMTP and POP3.

Unacceptable Amount of Spam

If you receive an unacceptable amount of spam, enable the network-based, anti-spam Email Reputation (ER) setting. Choose Mail (SMTP) > Anti-spam > Email Reputation.

If you do not use Email Reputation, you may have set your spam filtering threshold at a level that is too lenient for your organization. Try a higher setting in the threshold fields on the Mail (SMTP) > Anti-spam > Content Scanning/Target window and the Mail (POP3) > Anti-spam/Target.

Virus Is Detected but Cannot Be Cleaned

Not all virus-infected files are cleanable. For example, a password-protected file cannot be scanned or cleaned.

If you think you are infected with a virus that does not respond to cleaning, go to the following URL:

http://subwiz.trendmicro.com/SubWiz/Default.asp

This link takes you to the Trend Micro Submission Wizard, which includes information about what to do, including how to submit your suspected virus to TrendLabs for evaluation.

Virus Scanning Not Working

This section describes why virus scanning may not work, and includes the following topics:

Scanning Not Working Because of Incorrect Service-Policy Configuration

Scanning Not Working Because the CSC SSM Is in a Failed State

Ensure that no one has disabled the virus scanning feature on the SMTP Incoming, SMTP Outgoing, POP3, HTTP, and FTP Scanning windows. Also test the virus scanning feature by following the instructions described in the "Testing the Antivirus Feature" section on page 2-3.

Scanning Not Working Because of Incorrect Service-Policy Configuration

Another possible cause is that a file has not been scanned because of an incorrect service-policy configuration. Use the show service-policy csc command to list the policies that apply the csc action, and the show service-policy flow command with the 5-tuple of a connection you expect to be scanned to see which class-maps that flow matches and which actions are applied; the csc action must appear among them.

The following example shows the output for an HTTP flow that is matched by the class sending traffic to the SSM:

hostname(config)# show service-policy flow tcp host 192.168.10.10 host 10.69.1.129 eq http
Global policy:
  Service-policy: global_policy
    Class-map: trend
      Match: access-list trend
        Access rule: permit tcp any any eq www
      Action:
        Output flow: csc fail-close
        Input flow: set connection timeout tcp 0:05:00
    Class-map: perclient
      Match: access-list perclient
        Access rule: permit ip any any
      Action:
        Input flow: set connection per-client-max 5 per-client-embryonic-max 2

If no class with a csc action is listed for the flow, the traffic is not being diverted to the CSC SSM; check the access list referenced by the class-map and the interface (or global policy) to which the service policy is applied.
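Both the exemption configured under "Access to Some Websites Is Slow or Inaccessible" and the flow check above come down to the same question: which entry of the class-map access list is the first to match a given connection. The following is an added example, not code from the Cisco guide, that reproduces that top-down, first-match evaluation offline so you can confirm an exemption precedes the catch-all permit and that a flow you expect to be scanned is selected at all. It supports only the access-list syntax used on this page (`{permit|deny} {tcp|ip}`, with addresses as `any`, `host A.B.C.D` or `A.B.C.D NETMASK`); the configurations and flows below are constructed for the demo, and PORT_ALIASES is an assumed subset of the appliance's port names.

```python
"""Evaluate a class-map access list to see whether a flow goes to the CSC SSM.

Added example, not from the Cisco guide. Models the ASA's first-match
evaluation of an extended access-list referenced by a class-map; the
configurations and flows below are constructed for the demo.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed subset of the port names the appliance accepts after "eq".
PORT_ALIASES = {"http": 80, "www": 80, "https": 443, "ftp": 21,
                "smtp": 25, "pop3": 110}


@dataclass
class Ace:
    permit: bool                    # permit -> selected by the class; deny -> exempt
    proto: str                      # 'tcp' or 'ip' (ip matches any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]            # None -> any destination port


def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]; return (network, index after it)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # 'A.B.C.D NETMASK' form, e.g. 10.1.0.0 255.255.0.0
    return ipaddress.ip_network("%s/%s" % (tokens[i], tokens[i + 1]), strict=False), i + 2


def parse_acl(config, name):
    """Return the entries of access-list `name` in configuration order."""
    aces: List[Ace] = []
    for raw in config.splitlines():
        t = raw.strip().split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != name or t[2] == "remark":
            continue                       # '!' comments, other ACLs, remarks
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORT_ALIASES.get(t[i + 1]) or int(t[i + 1])
        aces.append(Ace(t[2] == "permit", t[3], src, dst, dport))
    return aces


def acl_selects(aces, src_ip, dst_ip, dport, proto="tcp"):
    """First matching entry decides; no match means the implicit deny (not selected)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s in ace.src and d in ace.dst and (ace.dport is None or ace.dport == dport):
            return ace.permit
    return False


def scanned_by_csc(config, acl_name, src_ip, dst_ip, dport):
    """True when the flow matches the class-map ACL and is therefore sent to the SSM."""
    return acl_selects(parse_acl(config, acl_name), src_ip, dst_ip, dport)


# The exemption from "Access to Some Websites Is Slow or Inaccessible", as written.
DEMO_CONFIG = """
! exempt http traffic to 100.100.10.10
access-list 101 deny tcp any host 100.100.10.10 eq http
! catch everything else
access-list 101 permit tcp any any eq http
"""

# Same two entries in the wrong order: the catch-all hides the exemption.
DEMO_CONFIG_BAD_ORDER = """
access-list 101 permit tcp any any eq http
access-list 101 deny tcp any host 100.100.10.10 eq http
"""

if __name__ == "__main__":
    for cfg, label in ((DEMO_CONFIG, "correct order"), (DEMO_CONFIG_BAD_ORDER, "bad order")):
        print(label, "-> 100.100.10.10 scanned:",
              scanned_by_csc(cfg, "101", "192.168.10.10", "100.100.10.10", 80))
```

A flow that returns False here is either exempted or simply not selected (for example HTTPS against a list that only matches `eq http`); in both cases the SSM never sees it, which is exactly what `show service-policy flow` reports when no csc action is listed.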

Scanning Not Working Because the CSC SSM Is in a Failed State

If the CSC SSM is in the process of rebooting, or has experienced a software failure, system log message 421007 is generated.

Enter the following command to view the status of the SSM card:

hostname(config)# show module 1

The output appears in several tables, as shown in the following example. The third table, SSM Application Name, displays status, which is "Down."

Mod Card Type                                    Model 	 Serial No. 
--- -------------------------------------------- -----------------------------
1 ASA 5500 Series Security Services Module-10	ASA-SSM-10 JAB092400TX

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
--- --------------------------------- ------------ ---------------------------
 1 0013.c480.ae4c to 0013.c480.ae4c  1.0          1.0(10)0     CSC SSM 6.3.xxxx.x

Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ------------------------------------------
 1 CSC SSM                        Down             6.3.xxxx.x

Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
 1 Up                 Up 

The three possible states that could display in the Status field for the third table are as follows:

Down—A permanent error, such as an invalid activation code was used, licensing has expired, or a file has been corrupted

Reload—Scanning is restarting, for example, during a pattern file update.

Up—A normal operating state.

To view the state for each individual process, enter the following command:

hostname(config)# show module 1 details 

Example output similar to the following appears:

Getting details from the Service Module, please wait...
ASA 5500 Series Security Services Module-10
Model:              ASA-SSM-10
Hardware version:   1.0
Serial Number:      JAB092400TX
Firmware version:   1.0(10)0
Software version:   CSC SSM 6.3.xxxx.x
MAC Address Range:  0013.c480.ae4c to 0013.c480.ae4c
App. name:          CSC SSM
App. Status:        Down
App. Status Desc:   CSC SSM scan services are not available
App. version:       6.3.xxxx.x
Data plane Status:  Up
Status:             Up
HTTP Service:       Down

Mail Service:       Down

FTP Service:       	Down

Activated:          No

Mgmt IP addr:       <not available>

Mgmt web port:      8443

Peer IP addr:       <not enabled> 

The status for the CSC SSM appears in the App. Status field. In the example, the status is "Down." The possible states for this field are as follows:

Not Present—The SSM card is not found.

Init—The SSM card is booting.

Up—The SSM card is up and running.

Unresponsive—The SSM card is not responding.

Reload—The SSM application is reloading recently updated patterns or configuration changes. The traffic is interrupted temporarily with either a "fail-open" or "fail-close." The adaptive security appliance will not perform a failover because this is an administrative reloading.

Shutting Down—The SSM card is shutting down.

Down—The SSM card is down and can be safely removed from its slot.

Recover—The SSM card is being reimaged.

If you have verified your configuration and CSC module status, and viruses are still not found, contact Cisco TAC.
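The state lists above are easy to misread under pressure, particularly "Down" with "Activated: No" (an activation problem) versus "Down" with the card activated (a real failure, accompanied by syslog 421007). The following is an added example, not code from the Cisco guide, that parses the key/value lines of `show module 1 details` into a dictionary and applies the meanings this section gives to App. Status, the three service lines and the Activated flag to produce a triage verdict. The sample output is constructed from the example shown above; the verdict wording is this example's own summary of the section's guidance, not text produced by the appliance.

```python
"""Triage 'show module 1 details' output using the states listed in this section.

Added example, not part of the Cisco guide. SAMPLE_DOWN is constructed
from the output shown in the section; feed real output captured from the ASA.
"""
import re
from typing import Dict, Tuple

# "App. Status:        Down" -> key "App. Status", value "Down"
LINE_RE = re.compile(r"^\s*([A-Za-z][A-Za-z .]*?):\s+(\S.*?)\s*$")

# App. Status values the section describes as temporary.
TRANSIENT = ("Init", "Reload", "Shutting Down", "Recover")
SERVICES = ("HTTP Service", "Mail Service", "FTP Service")


def parse_details(text: str) -> Dict[str, str]:
    """Return the 'Key: value' lines as a dict; banner lines without a colon are skipped."""
    fields = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields


def triage(fields: Dict[str, str]) -> Tuple[str, str]:
    """Map the parsed fields to (category, advice)."""
    app = fields.get("App. Status", "Not Present")
    if app == "Up":
        down = [s for s in SERVICES if fields.get(s, "Up") != "Up"]
        if down:
            return ("degraded", "scan services down: %s; check the scanning windows "
                    "and restart the scanning service" % ", ".join(down))
        return ("healthy", "application and all scan services up")
    if app in TRANSIENT:
        return ("transient", "module is in '%s'; wait and re-run show module 1 details" % app)
    if app == "Down":
        if fields.get("Activated", "").lower() == "no":
            return ("not-activated", "card booted but is not activated; check the ASA "
                    "clock and the activation code (Troubleshooting Activation)")
        return ("failed", "permanent error (expired license, bad activation code or "
                "corrupt file); expect syslog 421007, collect show module 1 details "
                "and reboot or reimage the module")
    if app == "Unresponsive":
        return ("failed", "card not responding; collect show module 1 details and reboot from ASDM")
    if app == "Not Present":
        return ("failed", "SSM card not found; check that it is seated in the slot")
    return ("unknown", "unrecognised App. Status '%s'" % app)


# Constructed from the example output in this section.
SAMPLE_DOWN = """\
Getting details from the Service Module, please wait...
ASA 5500 Series Security Services Module-10
Model:              ASA-SSM-10
Hardware version:   1.0
Serial Number:      JAB092400TX
Firmware version:   1.0(10)0
Software version:   CSC SSM 6.3.xxxx.x
MAC Address Range:  0013.c480.ae4c to 0013.c480.ae4c
App. name:          CSC SSM
App. Status:        Down
App. Status Desc:   CSC SSM scan services are not available
App. version:       6.3.xxxx.x
Data plane Status:  Up
Status:             Up
HTTP Service:       Down
Mail Service:       Down
FTP Service:        Down
Activated:          No
Mgmt IP addr:       <not available>
Mgmt web port:      8443
Peer IP addr:       <not enabled>
"""

if __name__ == "__main__":
    category, advice = triage(parse_details(SAMPLE_DOWN))
    print(category, "-", advice)
```

On the sample from this section the verdict is "not-activated", which is the correct first step: nothing in the scanning configuration will help until the module is activated.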

Downloading Large Files

Handling of very large files may be a potential issue for the HTTP and FTP protocols. On the Target tabs of the HTTP Scanning and FTP Scanning windows, you configured large file handling fields, which included a deferred scanning option.

If you did not enable deferred scanning, Trend Micro InterScan for Cisco CSC SSM must receive and scan the entire file before passing the file contents to the requesting user. Depending on the file size, this can result in the following:

The file downloads very slowly at first, but more quickly as the download progresses.

The download takes longer than the automatic browser timeout period. As a result, the user is unable to receive the file contents at all, because the browser times out before the download completes.

If you enabled deferred scanning, part of the content of the large file is delivered without scanning to prevent a timeout from occurring. Subsequent portions of the content are being scanned in the background and are then downloaded if no threat is detected. If a threat is detected, the rest of the file is not downloaded; nevertheless, the unscanned portion of the large file is already stored on the user machine and may introduce a security risk.


Caution If the file to be downloaded is larger than the size specified in the "Do not scan files larger than" field, the file is delivered without scanning and may present a security risk.

Enabling Deferred Scanning


Note If you experience difficulty with Windows updates, you may need to enable deferred scanning and set the size to ten. See the logs for more information.


To enable deferred scanning, perform the following steps:


Step 1 Go to the Web (HTTP) > HTTP scanning tab.

Step 2 In the Large File Handling section, click the check box and set the "Enable deferred scanning for files larger than" value to 10, as shown in Figure 8-2.

Step 3 Click Save.

Figure 8-2 Enabling Deferred Scanning


Restart Scanning Service

In the Message Activity area, the Mail (SMTP and POP3) tabs on the Summary window display a count of messages processed since the service was started. For an example, see Figure 8-3.

Figure 8-3 Messages Processed Counter on the Mail (POP3) Tab of the Summary Window (callout 1: Message activity counter)


Several events can cause these counters to reset to zero:

A pattern file or scan engine update

A configuration change

The application of a patch

The statistics in the Detection Summary area of the window do not reset; these statistics continue to update as trigger events occur.

When the counters reset, it is normal behavior. If, however, you have a continuous zero in the Messages processed fields, e-mail traffic is not being scanned and you should investigate.

Troubleshooting Performance

This section describes issues you may encounter with performance, and includes the following topics:

CSC SSM Console Timed Out

Status LED Flashing for Over a Minute

ASDM Cannot Communicate with SSM

Logging in Without Going Through ASDM

CSC SSM Throughput is Significantly Less Than ASA

CSC SSM Console Timed Out

If you leave the CSC SSM console active and no activity is detected for approximately ten minutes, your session times out. Log in again to resume work. Unsaved changes are lost. If you are called away, save your work and log off until you return.

Status LED Flashing for Over a Minute

If the Status LED continues flashing for more than one minute, the scanning service is not available. To resolve this problem, enter the show module 1 details command to collect relevant information, and then reboot the system from ASDM.

ASDM Cannot Communicate with SSM

For information about resetting port access control, see the "Changing the Management Port Console Access Settings" section on page B-17.

Logging in Without Going Through ASDM

ASDM may have a problem with its environment, such as the Java version, or there may be a network problem. For more information, enable the ASDM Java console by choosing ASDM > Tools. If an IP access list is enabled on the CSC SSM and is blocking your management host, you can reset it. For more information, see the "Changing the Management Port Console Access Settings" section on page B-17.

If for some reason ASDM is unavailable, you can log directly into the CSC SSM via a web browser. To log in, perform the following steps:


Step 1 Enter the following URL in a browser window:

https://{SSM IP address}:8443

For example:

https://10.123.123.123:8443/

The Logon window appears.

Step 2 Enter the password you created in the Setup Wizard on the Password Configuration installation window and click Log On.


The default view of the CSC SSM console is the Status tab on the Summary window, as shown in Figure 8-4.

Figure 8-4 Status Tab of the Summary Screen on the CSC SSM Console

CSC SSM Throughput is Significantly Less Than ASA

Restoring files from TCP connections and scanning them is a processor-intensive operation, which involves more overhead than the protocol-conformance checking that is usually done by a security appliance. The workaround is to divert only the connections that need to be scanned to the CSC SSM to mitigate the performance mismatch.

For example, HTTP traffic can be divided into outbound traffic (an inside user is accessing outside websites), inbound traffic (an outside user is accessing inside servers), and intranet traffic (traffic between internal sites or trusted partners). You can configure the CSC SSM to scan only outbound and inbound traffic for viruses, but ignore the intranet traffic.

For more information, see the following:

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide

Cisco ASA 5500 Series Configuration Guide using the CLI

Troubleshooting User/Group Policy

The CSC SSM user/group policy feature relies on a remote Domain Controller Agent installed in the domain. In almost all cases, diagnosing user/group policy problems requires logging in to one of the following:

The Domain Controller server

The server where the Domain Controller Agent is installed

A remote desktop connection to the Windows server that runs the Domain Controller Agent program

Diagnostics Tools

Use the following diagnostic tools to help resolve issues with the Domain Controller Agent or server. This chapter describes the following tools:

Microsoft Active Directory Service Interfaces Editor (ADSI Edit)

Windows Event Viewer

Microsoft Active Directory Service Interfaces Editor (ADSI Edit)

Active Directory® Service Interfaces Editor (ADSI Edit) (Adsiedit.msc) is a Microsoft Management Console (MMC) snap-in. To load it, choose Start > Run, type mmc, press Enter, and add the snap-in through the Add/Remove Snap-in menu option; alternatively, open the Adsiedit.msc file directly from Windows Explorer. Figure 8-5 shows the ADSI Edit interface.


Note You can find information on how to download and install ADSI Edit at the following URL:

http://technet.microsoft.com/en-us/library/cc773354.aspx#BKMK_InstallingADSIEdit


ADSI Edit is used for testing the Active Directory (AD) connectivity and troubleshooting problems with the Active Directory/Lightweight Directory Access Protocol (AD/LDAP) search function.

Use regsvr32 to register the Adsiedit.dll file before launching Adsiedit.msc.


Note Adsiedit.msc will not run unless the Adsiedit.dll file is registered. This happens automatically if the support tools are installed. However, if the support tool files are copied instead of installed, you must run the regsvr32 command to register Adsiedit.dll before you run the Adsiedit.msc snap-in.


RegSvr32.exe has the following command-line options:

Regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname

/u - Unregister the server (calls DllUnregisterServer)
/s - Silent; display no message boxes
/i - Call DllInstall, passing it the optional cmdline; when used with /u, calls DllInstall to uninstall
/n - Do not call DllRegisterServer; this option must be used with /i

Example:

regsvr32 /i adsiedit.dll

Note More information about the regsvr32 command is available at the following URL:

http://support.microsoft.com/kb/249873


Figure 8-5 ADSI Edit Tool Interface

Windows Event Viewer

Microsoft Windows Event Viewer is an MMC snap-in that allows you to browse and manage event logs. This tool is helpful for monitoring system health and for diagnosing user logon detection problems.

To start the Event Viewer in Windows, perform the following step:

Select Start > Control Panel > Administrative Tools > Event Viewer, or run the Microsoft Management Console (MMC) command eventvwr.msc.


Figure 8-6 Event Viewer Interface

To connect to the remote event log service, perform the following steps:


Step 1 In the Event Viewer window, choose Action > Connect to another computer.

Step 2 Enter the name of the remote Domain Controller server or browse to its location.

Step 3 Click OK.

Step 4 Access the Domain Controller server event log.


Domain Controller Agent Debugging

Turn on the Domain Controller Agent debugging log when you troubleshoot user/group policy problems. The debugging log is helpful and is required for user/group feature technical support cases.

Enabling Domain Controller Agent Debugging

To enable Domain Controller Agent debugging, perform the following steps:


Step 1 Log on to the server that runs the agent program.

Step 2 Open the Registry Editor, or remotely connect to the registry on that server.

Step 3 Assign a non-zero value to the following registry value:

a. Choose Start > Run.

b. Type regedit.

c. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\IdAgent\.

d. Double-click DebugLevel.

e. Change the value data from 0 to a value from 1 through 5:

0 = Off

1 = Critical

2 = Error

3 = Warning

4 = Information

5 = Debug (most detailed)


Note Trend Micro recommends using Level 5 (Debug) only for the duration of troubleshooting and then setting the value back to 0, because the most detailed level can affect agent performance and the log file grows quickly.


Step 4 Locate the debugging log file (IdAgentDebug.log) in the Domain Controller Agent installation folder.
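The following PowerShell script is an added example; it is not part of the CSC SSM guide or of the Trend Micro agent. It automates Steps 1 through 4 above on the agent server, using the registry path and log file name given in those steps and the service name TMIDAgent from the "Domain Controller Agent Connectivity" section. It assumes (this is not stated in the guide) that the agent reads DebugLevel only when it starts, so it restarts the service after the change; the function name Set-IdAgentDebugLevel is the example's own.

```powershell
# Added example, not from the CSC SSM guide or the Trend Micro agent.
# Run in an elevated PowerShell session on the server where the agent is installed.
$RegPath = 'HKLM:\SOFTWARE\TrendMicro\IdAgent'                       # Step 3c above
$Service = 'TMIDAgent'                                               # agent service name
$LogFile = 'C:\Program Files\Trend Micro\IdAgent\IdAgentDebug.log'   # default install folder

function Set-IdAgentDebugLevel {
    # 0 = Off, 1 = Critical, 2 = Error, 3 = Warning, 4 = Information, 5 = Debug
    param([ValidateRange(0, 5)][int]$Level)

    # Remember the previous value so it can be reported and restored later.
    $old = (Get-ItemProperty -Path $RegPath -Name DebugLevel -ErrorAction SilentlyContinue).DebugLevel
    Set-ItemProperty -Path $RegPath -Name DebugLevel -Value $Level -Type DWord

    # Assumption: the agent reads DebugLevel at startup, so restart it to apply the change.
    Restart-Service -Name $Service -Force
    Write-Host ("DebugLevel changed from {0} to {1}; service {2} restarted" -f $old, $Level, $Service)
}

# 1. Raise the level only while you reproduce the problem.
Set-IdAgentDebugLevel -Level 5

# 2. Follow the log while reproducing (press Ctrl+C to stop). Level 5 is verbose,
#    so do not leave it on: the file grows quickly and logging slows the agent.
Get-Content -Path $LogFile -Wait

# 3. After collecting the log for Trend Micro support, turn debugging off again:
#    Set-IdAgentDebugLevel -Level 0
```

Run the script as an administrator, because both the HKEY_LOCAL_MACHINE key and the service restart require elevated rights; the commented last line is the step that is most often forgotten.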


Console Mode

In addition to enabling the Domain Controller Agent debugging log, you can run the agent in console mode. When the agent program is running in console mode, it shows the logged-on users and displays debugging messages on the console screen. Console mode can be useful for diagnosing agent connectivity issues. You can see the request and response log immediately. Figure 8-7 shows the console mode interface.

Figure 8-7 Domain Controller Agent Running in Console Mode

To start the console mode, perform the following steps:


Step 1 Stop the running Domain Controller Agent service.

Step 2 In the Trend Micro Domain Controller Agent installation directory, double-click the DebugMode shortcut. The default directory is C:\Program Files\Trend Micro\IdAgent\.

Step 3 Press Ctrl+C to exit the running console.


CSC SSM Debugging

Enabling CSC SSM debugging syslog messages will also help to diagnose user group policy issues. The daemon debugging log includes information about the user identification results and policy matching information.

To enable the CSC SSM debugging log, perform the following steps:


Step 1 Log on to the CSC SSM web management console.

Step 2 Choose Logs > Settings > Log Settings as shown in Figure 8-8.

Step 3 Configure at least one syslog server. See the "Configuring Syslog Servers" section on page 5-4 for more information.

Step 4 Choose the applicable Syslog Facility from the drop-down list.

Step 5 Under Debug Logs, check the HTTP check box.

Step 6 Click Save.


Figure 8-8 Viewing the Debugging Log in the Log Settings Screen

When CSC SSM HTTP debugging is enabled, the HTTP daemon sends debugging messages to the syslog server. When a client visits a website, the user/group-based policy matching is logged. The syslog lines shown in Figure 8-9 illustrate working user identification and policy matching: the displayed policy ID is the ID of the matched policy, and the username identified for the incoming connection is given in parentheses. Because these messages carry usernames and policy decisions, send them only to a trusted syslog server, and clear the HTTP check box again when troubleshooting is complete.

Figure 8-9 User Identification and Policy Matching in Debugging Syslog

Domain Controller Agent, Active Directory, and User Identification Troubleshooting

This section includes the following topics:

Domain Controller Agent Installation or Service Failure

Domain Controller Agent Connectivity

Domain Controller Server Connectivity

Domain Controller Agent Installation or Service Failure

The Domain Controller Agent must be installed in the domain, and the installation requires administrator privileges. In most cases, the agent is installed on a Domain Controller server, which avoids having to configure separate credentials for the agent to access the Domain Controller server. However, it is also possible to install the agent on another server that belongs to the domain.

Verify that the following items are true before attempting to troubleshoot any agent installation issue:

Verify that the OS is supported. The agent can be installed on Windows® 2000 Server, Windows Server® 2003, Windows Server® 2008, Windows® 2000 Professional, and Windows® XP.

Be sure you have local administrator privileges to launch the agent installation program (MSI).

Remove any previous version of the agent from the Add or Remove Programs in Control Panel.

Domain Controller Agent Connectivity

The Domain Controller Agent service is displayed as "Trend Micro IdAgent"; its service name is "TMIDAgent." After the agent is installed on the server, the service appears as running in the Services console (services.msc).

The agent, after it is installed and started, can be contacted by CSC SSM and answer the user identification requests.

To register the Domain Controller Agent with the CSC SSM, perform the following steps:


Step 1 Open the CSC SSM web console.

Step 2 Choose Administration > Device Settings > User ID Settings.

Step 3 Use the User Identification Settings page to perform the following tasks:

Add the agent. (See the "Configuring User ID Settings" section on page 6-3 for details.)

Save the settings.

View the agent status.

The green icon means the agent is ready for requests.


Note The Domain Controller servers must be configured to allow the agent to identify the logged-on users.


If there is a connectivity error, a detailed message displays in the mouse-over tool tip, as shown in Figure 8-10.

Figure 8-10 Connectivity Error Message

Table 8-2 lists the possible errors, potential causes, and possible solutions for Domain Controller Agent issues.

Table 8-2 Domain Controller Agent Issues

Error: Invalid host or IP address
Potential cause: An incorrect agent address is specified.
Possible solution or diagnostic steps: Check the agent hostname or IP address and port number. If a hostname is used, verify that DNS resolution is working on the CSC SSM.

Error: Version not supported
Potential cause: The CSC SSM requires a newer version of the agent.
Possible solution or diagnostic steps: Download the agent from the CSC SSM web console and reinstall it on the target server. See the "Installing the Domain Controller Agent" section on page 6-6 for details.

Error: Connection failed
Potential cause: A critical file is missing, such as the SSL certificate file or the configuration file.
Possible solution or diagnostic steps: Reinstall the Domain Controller Agent. See the "Installing the Domain Controller Agent" section on page 6-6 for details.
Potential cause: The listening port is occupied. The default agent listening port is 65015.
Possible solution or diagnostic steps: Choose another port number, change the value of the "AgentPort" key in the <Agent installation directory>\IdAgent.ini file, and restart the agent service. Remember to enter the new port for this agent on the User Identification Settings page of the CSC SSM as well.
Potential cause: A critical OS exception occurred, such as a memory allocation failure or a system handle allocation failure.
Possible solution or diagnostic steps: Enable Domain Controller Agent debugging (see the "Enabling Domain Controller Agent Debugging" section), check the OS environment, and send the log file to Trend Micro support.

Error: Service status undetermined
Potential cause: The agent is applying new settings and its status is not yet known.
Possible solution or diagnostic steps: Refresh the page.

Error: Directory service unavailable
Potential cause: The agent does not have the privileges required to connect to the Active Directory service.
Possible solution or diagnostic steps: Log on to the server where the agent is installed using the agent's credentials and use ADSI Edit to verify that the Active Directory service is reachable (see the "Microsoft Active Directory Service Interfaces Editor (ADSI Edit)" section). If necessary, change the credentials on the User Identification Settings page of the CSC SSM web console. See the "Adding Domain Controller Server Credentials" section on page 6-10 for details.
Potential cause: The machine on which the agent is installed is not a member of the Active Directory domain.
Possible solution or diagnostic steps: Join the machine to the Active Directory domain.
Potential cause: The agent is installed on a pre-Vista system, but the Active Directory server runs Windows Server® 2008.
Possible solution or diagnostic steps: Install the Domain Controller Agent on a Windows Server 2008 system.

Error: Agent access denied
Potential cause: The agent denied the request because of its access-list settings.
Possible solution or diagnostic steps: The agent does not respond to any client whose identifier or IP address is not in its access list. When the agent first starts, the access list is empty; the first client to register claims the agent and determines which other clients are allowed to use it. One way to register a second CSC SSM is to configure it as a failover device. You can also edit the access list on the agent side manually, as follows:

1. Log on to the Domain Controller Agent server with an administrator account.

2. Browse to the agent installation folder, by default C:\Program Files\Trend Micro\IdAgent\.

3. Open the agent configuration file, IdAgent.ini.

4. In the [ClientList] section, add a line of the following form:

<Your-Temp-ID>=<host:port>|0

where

<Your-Temp-ID> is any unique key name, such as xxxx. It must differ from every existing key in the section; a duplicate key replaces the existing entry instead of adding a new one.

<host:port>|0 is the IP address and port number of the client (the CSC SSM) that is being granted access, followed by pipe zero (|0). The default client port is 65014.

Example:

[ClientList]
xxxx=192.168.1.1:65014|0

5. Restart the agent service.

Error: Any other error
Potential cause: Unexpected error.
Possible solution or diagnostic steps: Enable Domain Controller Agent debugging (see the "Enabling Domain Controller Agent Debugging" section) and send the log file to Trend Micro support.
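The following PowerShell script is an added example; it is not part of the CSC SSM guide or of the Trend Micro agent. It performs the manual access-list change from the "Agent access denied" row of Table 8-2 without the two mistakes that procedure warns about: it refuses a key that already exists in [ClientList] (a duplicate would silently replace the existing client) and it checks that the address has the host:port form. It assumes the IdAgent.ini layout described in that row, the default installation folder, and the service name TMIDAgent; the function name Add-IdAgentClient and the backup file name IdAgent.ini.bak are the example's own.

```powershell
# Added example, not from the CSC SSM guide or the Trend Micro agent.
# Run in an elevated PowerShell session on the Domain Controller Agent server.
$IniPath = 'C:\Program Files\Trend Micro\IdAgent\IdAgent.ini'   # default install folder
$Service = 'TMIDAgent'                                          # agent service name

function Add-IdAgentClient {
    param(
        [Parameter(Mandatory = $true)][string]$Key,       # unique key name, for example csc2
        [Parameter(Mandatory = $true)][string]$Address,   # CSC SSM address as host:port
        [string]$Path = $IniPath
    )
    if ($Address -notmatch '^[A-Za-z0-9.\-]+:\d{1,5}$') {
        throw "Address must have the form host:port, got '$Address'"
    }

    $lines = @(Get-Content -Path $Path)

    # Locate the [ClientList] section header.
    $start = -1
    for ($i = 0; $i -lt $lines.Length; $i++) {
        if ($lines[$i] -match '^\s*\[ClientList\]\s*$') { $start = $i; break }
    }
    if ($start -lt 0) { throw "No [ClientList] section found in $Path" }

    # The section runs until the next [Section] header or the end of the file.
    $end = $lines.Length
    for ($i = $start + 1; $i -lt $lines.Length; $i++) {
        if ($lines[$i] -match '^\s*\[.*\]\s*$') { $end = $i; break }
    }
    $section = @()
    if ($end -gt $start + 1) { $section = @($lines[($start + 1)..($end - 1)]) }

    # A duplicate key replaces the existing client instead of adding one, so refuse it.
    foreach ($entry in $section) {
        if ($entry -match '^\s*([^=;]+)=(.*)$') {
            $existing = $matches[1].Trim()
            $value    = $matches[2].Trim()
            if ($existing -eq $Key) { throw "Key '$Key' already exists in [ClientList]" }
            if ($value -like "$Address|*") { Write-Warning "Address $Address is already listed under key '$existing'" }
        }
    }

    # Keep a copy of the file, then append the new entry at the end of the section.
    Copy-Item -Path $Path -Destination "$Path.bak" -Force
    $new = @($lines[0..($end - 1)]) + "$Key=$Address|0"
    if ($end -lt $lines.Length) { $new += $lines[$end..($lines.Length - 1)] }
    Set-Content -Path $Path -Value $new

    # Step 5 of the procedure: the agent reads the list when it starts.
    Restart-Service -Name $Service -Force
    Write-Host "Added '$Key=$Address|0' to [ClientList] and restarted $Service"
}

# Grant a second CSC SSM (address is a placeholder) access to this agent.
Add-IdAgentClient -Key 'csc2' -Address '192.168.1.2:65014'
```

Treat [ClientList] as an authorization list: every address in it can query the agent for the identity of any logged-on user, so add only CSC SSM devices you operate and remove entries for devices that are decommissioned.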


Domain Controller Server Connectivity

Domain Controller servers must be configured so that user identification can occur on the agent. The Domain Controller server list determines the authentication servers that the Domain Controller Agent will monitor. All the user logon information comes from those servers. If a Domain Controller server is not configured, the Domain Controller Agent will not detect any user information from that server.

To configure a Domain Controller server, perform the following steps:


Step 1 Open the CSC SSM management console.

Step 2 Choose Administration > User ID Settings.

Step 3 See the "Adding A Domain Controller Agent or Server to CSC SSM" section on page 6-7.


Auto Detect Domain Controllers

In most cases, the user checks the "Auto detect Domain Controllers" check box on the User Identification Settings page. This setting allows the agent to detect and evaluate the Domain Controller servers at the same site. Auto-detection avoids the errors that manual entry introduces: a Domain Controller server IP address typed by hand may be mistyped or unreachable.

The Domain Controller Agent needs the appropriate privileges to connect to the Active Directory and to view the Domain Controller event log, so you must provide the correct domain credentials to the agent. If the agent does not have the correct privileges, it cannot search through the Active Directory to find the correct Domain Controller server.

For autodetection issues, check the Domain Controller Agent privileges.

Connectivity

If configured correctly, the Domain Controller server list on the User Identification Settings page shows the Domain Controller server as operational. If there is an error, the details are displayed in a mouse-over tool tip, in the same way as the Domain Controller Agent errors shown in Figure 8-10.

Table 8-3 lists the possible errors and potential causes.

Table 8-3 Diagnosing and Solving Domain Controller Server Connectivity

Error: Invalid host or IP address
Potential cause: An incorrect Domain Controller server address is specified.
Possible solution or diagnostic steps: Check the server hostname or IP address. If a hostname is used instead of an IP address, verify that DNS resolution is working on the CSC SSM.

Error: Connection failed
Potential cause: The server is down or unavailable.
Possible solution or diagnostic steps: Make sure the Domain Controller server is running and its event log service is enabled.

Error: Logon failed
Potential cause: The username or password provided on the User Identification Settings page is incorrect.
Possible solution or diagnostic steps: Check the username the agent is currently using, shown in the Domain Controller Server Credentials section of the Administration > User Identification Settings page, and enter the correct username and password.

Error: Access denied
Potential cause: The agent account does not have the privileges required to read the Domain Controller server event log.
Possible solution or diagnostic steps: Check the username the agent is currently using, shown in the Domain Controller Server Credentials section of the Administration > User Identification Settings page. Verify that this account has the required access, and change the account if necessary. To confirm that privileges are the problem, log on to the Domain Controller Agent server with the agent's credentials, open the Event Viewer (eventvwr.msc), and try to connect to the Domain Controller server. See the "Windows Event Viewer" section.

Error: Not initialized
Potential cause: May be caused by the Access denied error.
Possible solution or diagnostic steps: See the solution for the Access denied error.

Error: Workstation access denied
Potential cause: The Remote Registry service is disabled on the client PC.
Possible solution or diagnostic steps: The agent relies on the Remote Registry service on the client workstation to verify the user logon. To deploy user/group policies, the domain administrator must ensure that the Remote Registry service is running on every workstation in the domain. This service is enabled by default on most Windows platforms.
Potential cause: The agent does not have sufficient access privileges.
Possible solution or diagnostic steps: The agent account must have sufficient privileges to read the remote registry of other workstations.
Potential cause: The firewall on the client workstation blocks the request.
Possible solution or diagnostic steps: On Windows XP SP2, the Windows Firewall is turned on by default and blocks the RPC requests the agent uses. Add a domain policy that enables remote administration, as described at the following URL:

http://support.microsoft.com/kb/840634

Note that a reachable Remote Registry service and a remote-administration firewall exception enlarge the remote attack surface of every workstation. Where the environment allows, restrict both by policy to the agent's account and source address.

Error: Any other error
Potential cause: Unexpected error.
Possible solution or diagnostic steps: Enable Domain Controller Agent debugging (see the "Enabling Domain Controller Agent Debugging" section) and send the log file to Trend Micro support.
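The following PowerShell script is an added example; it is not part of the CSC SSM guide or of the Trend Micro agent. It scripts three of the checks in Table 8-2 and Table 8-3 so they can be run from the agent server and repeated: whether the agent's listening port accepts connections and which process holds it (the "Connection failed" row of Table 8-2), and whether the agent's account can actually read the Domain Controller's Security log over the network (the "Access denied" row of Table 8-3, which the guide suggests testing by hand with Event Viewer). The port 65015 is the default from Table 8-2; the function names, the Domain Controller name dc01.example.local and the account EXAMPLE\idagent are placeholders of this example.

```powershell
# Added example, not from the CSC SSM guide or the Trend Micro agent.
# Run on a domain-joined Windows host, normally the Domain Controller Agent server.

function Test-TcpPort {
    # Attempt a TCP connection with a timeout; returns $true when the port accepts it.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-PortOwner {
    # Report the process listening on a local TCP port: if it is not the agent,
    # the port is "occupied" in the sense of Table 8-2.
    param([int]$Port)
    netstat -ano -p tcp | ForEach-Object {
        if ($_ -match "^\s*TCP\s+\S+:$Port\s+\S+\s+LISTENING\s+(\d+)\s*$") {
            Get-Process -Id ([int]$matches[1]) | Select-Object Id, ProcessName
        }
    }
}

function Test-DcEventLogAccess {
    # Read one event from the DC's Security log under the agent's credentials; this is
    # the same access the agent needs to see logon events. Returns $true on success.
    param([string]$DomainController, [System.Management.Automation.PSCredential]$Credential)
    try {
        $null = Get-WinEvent -ComputerName $DomainController -LogName Security -MaxEvents 1 `
                             -Credential $Credential -ErrorAction Stop
        return $true
    } catch {
        Write-Warning ("{0}: {1}" -f $DomainController, $_.Exception.Message)
        return $false
    }
}

$dc   = 'dc01.example.local'                   # placeholder Domain Controller
$cred = Get-Credential 'EXAMPLE\idagent'       # the account configured for the agent

"Agent port 65015 accepts connections : $(Test-TcpPort -ComputerName 'localhost' -Port 65015)"
"Process listening on 65015           : $(Get-PortOwner -Port 65015 | Out-String)"
"DC Security log readable as agent    : $(Test-DcEventLogAccess -DomainController $dc -Credential $cred)"
```

Run Test-TcpPort from a second host as well, because a local success says nothing about a host firewall between the CSC SSM and the agent. If Test-DcEventLogAccess fails with an access-denied message, prefer granting the agent account membership in the Domain Controller's built-in Event Log Readers group (available on Windows Server 2008 and later), which is enough to read the Security log, rather than making the account a domain administrator.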


AD/LDAP Searching

The Active Directory/Lightweight Directory Access Protocol (AD/LDAP) searching functionality requires correctly configured user identification settings.

To troubleshoot the searching function, perform the following steps:


Step 1 Verify that the "IP address/User/group name via remote agent" method is checked on the Administration > User Identification Settings page. See Figure 8-10.

Step 2 Verify that the Domain Controller Agent(s) and the Domain Controller server(s) are correctly configured and that they display no error messages on the Administration > User Identification Settings page. If an error appears, match the error message with the correct solution in the previous sections. See Table 8-2 and Table 8-3 for a list of solutions.

Step 3 If the Domain Controller Agent(s) and Domain Controller server(s) work, but you still do not obtain search results, enable the Domain Controller Agent debugging log to see if the search request has been correctly handled. See the "Enabling Domain Controller Agent Debugging" section. The ADSI Edit can also be used to verify that the search contains valid results. See the "Microsoft Active Directory Service Interfaces Editor (ADSI Edit)" section.

Step 4 Check the client timeout value. The default timeout is 10 seconds, set by the AcceptTimeoutSecs=10 parameter in the IdLib.ini file located in /opt/trend/isvw/config/web/ on the CSC SSM. The RecvTimeoutSecs parameter in the same file defines how long the CSC SSM waits for the search result.


You must enable debugging on the CSC SSM and, if necessary, send the debugging log to Trend Micro support. For more information, see the "CSC SSM Debugging" section.

User Identification

User identification is critical when using the user/group policy feature. When troubleshooting a user identification issue, enable debugging on both the CSC SSM side and the Domain Controller Agent side to obtain more information.

To diagnose user identification problems, perform the following steps:


Step 1 Choose Administration > User Identification Settings.

Step 2 Verify that both the Domain Controller Agent(s) and Domain Controller server(s) are configured correctly. If errors exist, see Table 8-2 and Table 8-3 for troubleshooting information.

Step 3 If the problem is neither connectivity nor privileges, verify that account logon events are being audited on the Domain Controller, because the agent derives logon information from these events. To check the audit policy, perform the following steps:

a. Choose Start > Control Panel > Administrative Tools.

b. Click Domain Controller Security Policy.

c. Expand Local Policies on the left pane, and then select Audit Policy.

d. Verify that Audit account logon events is enabled. See Figure 8-11.

Figure 8-11 Enabled Audit Logon Account

Collecting Data for Trend Micro Support

Make sure that you always collect the Domain Controller Agent debugging log and the CSC SSM HTTP daemon debugging log before calling Trend Micro technical support. For more information, see the following sections:

Enabling Domain Controller Agent Debugging

CSC SSM Debugging

Known Issues

The following known issues exist in the CSC SSM:

The CSC SSM does not scan HTTP proxy traffic or non-HTTP traffic over port 80.

Workaround: Do one of the following:

Run the proxy service on a port other than 80.

Use the adaptive security appliance modular policy framework to prevent the CSC SSM from scanning the website IP addresses.

Deploy a proxy server between the CSC SSM and clients.

The CSC SSM does not work with certain real-time stock streaming services, such as Yahoo Market Tracker.

Workaround: Use the adaptive security appliance modular policy framework to prevent the CSC SSM from scanning the website IP addresses for stock streaming services.

Traffic interruptions may occur during configuration or component updates.

Workaround: Perform configuration updates or scheduled updates during off-hours.

The CSC SSM does not scan e-mail traffic between Microsoft Exchange servers that use the EXCH50 protocol.

Workaround: Use the adaptive security appliance modular policy framework to prevent the CSC SSM from scanning the Microsoft Exchange servers' IP addresses.

With Terminal Servers, Citrix servers, and proxy environments, multiple users might share a single IP address. In these kinds of scenarios, CSC SSM cannot correctly map the IP address/user relationship and LDAP-based scan policies will not be applied.

Workaround: When using a Citrix server or Remote Desktop Protocol (RDP) environment, you must disable LDAP-based policies and switch to IP address-based policies.
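The following ASA configuration fragment is an added example; it is not from the CSC SSM guide or from the ASA default configuration. It shows the modular policy framework technique that both the "CSC SSM Throughput is Significantly Less Than ASA" section and the Known Issues workarounds above rely on: an access list that selects the traffic to divert to the CSC SSM, where deny entries exclude intranet traffic and the specific servers that must bypass scanning. The addresses (10.0.0.0/8 as the internal network, 192.0.2.10 as an Exchange server using EXCH50, 198.51.100.0/24 as a stock-streaming service) and the names csc_inspect and csc_class are assumptions for illustration.

```text
! Added example; placeholder addresses and names. In a class-map access list,
! deny entries EXCLUDE traffic from the CSC SSM and permit entries divert it.
!
! 1. Intranet traffic (inside to inside) is never sent to the module.
access-list csc_inspect extended deny ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
! 2. Known Issues workarounds: Exchange EXCH50 traffic and the stock-streaming
!    service bypass the module.
access-list csc_inspect extended deny ip any host 192.0.2.10
access-list csc_inspect extended deny ip host 192.0.2.10 any
access-list csc_inspect extended deny tcp any 198.51.100.0 255.255.255.0 eq www
! 3. Everything else on the protocols the CSC SSM scans is diverted, inbound and
!    outbound: HTTP, SMTP, POP3 and FTP.
access-list csc_inspect extended permit tcp any any eq www
access-list csc_inspect extended permit tcp any any eq smtp
access-list csc_inspect extended permit tcp any any eq pop3
access-list csc_inspect extended permit tcp any any eq ftp
!
class-map csc_class
 match access-list csc_inspect
!
policy-map global_policy
 class csc_class
  ! fail-close drops matching traffic while the module is unavailable;
  ! fail-open lets it through UNSCANNED. Choose deliberately.
  csc fail-close
!
! The default configuration already applies global_policy to all interfaces:
! service-policy global_policy global
```

The order of the access list entries matters, because the ASA uses the first match: the deny entries must precede the broad permit entries. After applying the policy, "show service-policy csc" displays the module state, the fail mode and the per-class packet counters, which is the quickest way to confirm that intranet traffic is no longer being counted against the module.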

Using Knowledge Base

You can search for more information in the Trend Micro online Knowledge Base, available at the following URL:

http://esupport.trendmicro.com

The Knowledge Base search engine allows you to refine your search by entering product name, problem category, and keywords. Thousands of solutions are available in the Knowledge Base, and more are added weekly.

Using the Security Information Center

Comprehensive security information is available from the Trend Micro Security Information Center, a free online resource, at the following URL:

http://threatinfo.trendmicro.com/vinfo/

The Security Information Center provides the following information:

Virus Encyclopedia—A compilation of knowledge about all known threats, including viruses, worms, Trojans, and others

Security Advisories—Malware alerts, risk ratings for the most prominent risks, the most current pattern file and scan engine versions, and other helpful information

Scams and Hoaxes—Information about malware hoaxes, scams such as chain letters or money-based hoaxes, and urban legends

Joke Programs—A repository of information about known joke programs that are detected by the Trend Micro scan engine

Spyware and Grayware—Information about the top ten spyware and grayware programs, and a searchable database of these programs

Phishing Encyclopedia—A list of known phishing scams and a description of the perpetration methods

Virus Map—A description of threats by location worldwide, shown in Figure 8-12. The virus map is available at the following URL:
http://wtc.trendmicro.com/wtc/default.asp

Figure 8-12 Virus Map

Weekly Virus Report—Current news about threats that have appeared in the past week (Subscribe to the Weekly Virus Report to receive a copy automatically each week via e-mail.)

General virus information, including the following:

Virus Primer—An introduction to virus terminology and a description of the virus life cycle

Safe Computing Guide—A description of safety guidelines to reduce the risk of infections

Risk ratings—A description of how malware and spyware or grayware are classified as Very Low, Low, Medium, or High threats to the global IT community

White papers—Links to documents that explain security concepts with titles such as The Real Cost of a Virus Outbreak or The Spyware Battle—Privacy vs. Profits

Test files—A test file for testing Trend Micro InterScan for Cisco CSC SSM and instructions for performing the test

Webmaster tools—Free information and tools for webmasters

TrendLabs—Information about TrendLabs, the ISO 9002-certified virus research and product support center

Before Contacting Cisco TAC

Before you contact the Cisco Technical Assistance Center (TAC), check the documentation and online help to see whether it includes the information you need. If you have checked the documentation and the Knowledge Base and still need help, be prepared to give the following information to Cisco TAC:

Product Activation Code(s)

Version number of the product

Version number of the pattern file and scan engine

Number of users

Exact text of the error message, if you received one

Steps to reproduce the problem