Guest

Cisco IPS 4200 Series Sensors

Release Notes for Cisco Intrusion Prevention System 6.2(5)E4

  • Viewing Options

  • PDF (477.7 KB)
  • Feedback
Release Notes for Cisco Intrusion Prevention System 6.2(5)E4

Table Of Contents

Release Notes for Cisco Intrusion Prevention System 6.2(5)E4

Contents

IPS 6.2(5)E4 File List

Supported Platforms

Supported Servers

ROMMON and TFTP

IPS Management and Event Viewers

New and Changed Information

IPv6, Switches, and Lack of VACL Capture

Cisco Security Intelligence Operations

Before Upgrading to Cisco IPS 6.2(5)E4

Perform These Tasks

Backing Up and Restoring the Configuration File Using a Remote Server

Obtaining Software on Cisco.com

IPS Software Versioning

Upgrading to Cisco IPS 6.2(5)E4

Upgrade Notes and Caveats

Upgrading to 6.2(5)E4

Upgrading CSM

After Upgrading to Cisco IPS 6.2(5)E4

Comparing Configurations

Importing a New SSL Certificate

Logging In to the IDM

Licensing the Sensor

Understanding the License

Service Programs for IPS Products

Obtaining and Installing the License Key

Installing or Upgrading the IME and Migrating Data Into the IME

Restrictions and Limitations

Recovering the Password

Password Recovery for the AIP SSC-5

Disabling Password Recovery

Verifying the State of Password Recovery

Troubleshooting Password Recovery

Caveats

Bug Toolkit

Resolved Caveats

Unresolved Caveats

Related Documentation

Obtaining Documentation and Submitting a Service Request


Release Notes for Cisco Intrusion Prevention System 6.2(5)E4


Published: November 19, 2012, OL-28194-01

Contents

IPS 6.2(5)E4 File List

Supported Platforms

Supported Servers

ROMMON and TFTP

IPS Management and Event Viewers

New and Changed Information

IPv6, Switches, and Lack of VACL Capture

Cisco Security Intelligence Operations

Before Upgrading to Cisco IPS 6.2(5)E4

Upgrading to Cisco IPS 6.2(5)E4

After Upgrading to Cisco IPS 6.2(5)E4

Installing or Upgrading the IME and Migrating Data Into the IME

Restrictions and Limitations

Recovering the Password

Caveats

Related Documentation

Obtaining Documentation and Submitting a Service Request

IPS 6.2(5)E4 File List

The following files are part of Cisco IPS 6.2(5)E4:

Readme

IPS-6.2-5-E4-readme.txt

Service Pack Upgrade File

IPS-SSC_5-K9-6.2-5-E4.pkg

System Image File

IPS-SSC_5-K9-sys-1.1-a-6.2-5-E4.img

Recovery Image File

IPS-SSC_5-K9-r-1.1-a-6.2-5-E4.pkg

CSM Package Upgrade File

IPS-CSM-K9-6.2-5-E4.zip

For More Information

For the procedure for obtaining these files on Cisco.com, see Obtaining Software on Cisco.com.

For the procedure for installing service packs, see Upgrading to 6.2(5)E4.

For the procedure for installing system image files, refer to Installing System Images.

For the procedure for installing recovery image files, refer to Recovering the Application Partition on Appliances.

Supported Platforms


Note All IPS platforms allow ten concurrent CLI sessions.


Cisco IPS 6.2(5)E4 is supported on the following platform:

ASA-SSC-AIP-5 Series Cisco ASA Advanced Inspection and Prevention Security Services Cards (AIP SSC-5) for ASA 5505

For More Information

For detailed information on each IPS sensor, refer to Cisco Intrusion Prevention System Appliances and Modules Installation Guide for IPS 6.2.

Supported Servers

The following FTP servers are supported for IPS software updates:

WU-FTPD 2.6.2 (Linux)

Solaris 2.8

Sambar 6.0 (Windows 2000)

Serv-U 5.0 (Windows 2000)

MS IIS 5.0 (Windows 2000)

The following HTTP/HTTPS servers are supported for IPS software updates:

CMS - Apache Server (Tomcat)

CMS - Apache Server (JRun)

ROMMON and TFTP

ROMMON uses TFTP to download an image and launch it. TFTP does not address network issues such as latency or error recovery. It does implement a limited packet integrity check so that packets arriving in sequence with the correct integrity value have an extremely low probability of error. But TFTP does not offer pipelining so the total transfer time is equal to the number of packets to be transferred times the network average RTT. Because of this limitation, we recommend that the TFTP server be located on the same LAN segment as the sensor. Any network with an RTT less than a 100 milliseconds should provide reliable delivery of the image. Be aware that some TFTP servers limit the maximum file size that can be transferred to ~32 MB.

For More Information

For the procedure for downloading IPS software updates from Cisco.com, see Obtaining Software on Cisco.com.

For the procedure for configuring automatic upgrades, for the CLI refer to Configuring Automatic Upgrades, for IDM refer to Configuring Automatic Update, and for IME refer to Configuring Automatic Update.

IPS Management and Event Viewers

Use the following tools for configuring Cisco IPS 6.2(5)E4 sensors:

Cisco IDM 7.1.1

Cisco IME 7.2.1and later

IPS CLI 6.2

ASDM 5.2 and later

CSM 4.2 SP1CP6 and CSM 4.3SP1CP2


Note We recommend that ASDM users upgrade to ASDM 6.3 or later. The Java VM upper memory limit of ASDM 6.3 has been increased. Older versions of ASDM may not have enough available memory for IDM to function properly.


Use the following tools for monitoring Cisco IPS  6.2(5)E4 sensors:

Cisco IME 7.2.1 and later

CSM 4.0


Note You may need to configure viewers that are already configured to monitor sensors to accept a new SSL certificate for the Cisco IPS 6.2(5)E4 sensors.


New and Changed Information

Cisco IPS 6.2(5)E4 contains the following new and changed information:

The AIP SSC-5 is the only platform supported by IPS 6.2(5)E4.

With ASA 8.2(1), the AIP SSC-5 supports IPv6 features.

IPS 6.2(5) contains signature update S664.

The Cisco.com IP address has been changed in the Auto Update configuration.


Caution On January 25, 2013, for sensors running IPS 6.2(5)E4 and later the default value of the Cisco server IP address will be permanently changed from 198.133.219.25 to 72.163.4.161 in the Auto Update URL configuration. If you have automatic update configured on your sensor, you may need to update firewall rules to allow the sensor to connect to this new IP address. For details see https://supportforums.cisco.com/docs/DOC-27693

IPv6, Switches, and Lack of VACL Capture

VACLs on Catalyst switches do not have IPv6 support. The most common method for copying traffic to a sensor configured in Promiscuous mode is to use VACL capture. If you want to have IPv6 support, you can use SPAN ports.

However, you can only configure up to two monitor sessions on a switch unless you use the following configuration:

Monitor session

Multiple trunks to one or more sensors

Restrict per trunk port which VLANs are allowed to perform monitoring of many VLANs to more than two different sensors or virtual sensors within one IPS

The following configuration uses one SPAN session to send all of the traffic on any of the specified VLANs to all of the specified ports. Each port configuration only allows a particular VLAN or VLANs to pass. Thus you can send data from different VLANs to different sensors or virtual sensors all with one SPAN configuration line:

clear trunk 4/1-4 1-4094
set trunk 4/1 on dot1q 930
set trunk 4/2 on dot1q 932
set trunk 4/3 on dot1q 960
set trunk 4/4 on dot1q 962
set span 930, 932, 960, 962 4/1-4 both
 
   

Note The SPAN/Monitor configuration is valuable when you want to assign different IPS policies per VLAN or when you have more bandwidth to monitor than one interface can handle.


For More Information

For more information on configuring SPAN/monitor on switches, refer to the following sections in Catalyst 6500 Series Software Configuration Guide, 8.7:

Configuring SPAN, RSPAN and the Mini Protocol Analyzer

Configuring SPAN on the Switch

Configuring Ethernet VLAN Trunks

Defining the Allowed VLANs on a Trunk

Cisco Security Intelligence Operations

The Cisco Security Intelligence Operations site on Cisco.com provides intelligence reports about current vulnerabilities and security threats. It also has reports on other security topics that help you protect your network and deploy your security systems to reduce organizational risk.

You should be aware of the most recent security threats so that you can most effectively secure and manage your network. Cisco Security Intelligence Operations contains the top ten intelligence reports listed by date, severity, urgency, and whether there is a new signature available to deal with the threat.

Cisco Security Intelligence Operations contains a Security News section that lists security articles of interest. There are related security tools and links.

You can access Cisco Security Intelligence Operations at this URL:

http://tools.cisco.com/security/center/home.x

Cisco Security Intelligence Operations is also a repository of information for individual signatures, including signature ID, type, structure, and description.

You can search for security alerts and signatures at this URL:

http://tools.cisco.com/security/center/search.x

Before Upgrading to Cisco IPS 6.2(5)E4

This section describes the actions you should take before upgrading to Cisco IPS 6.2(5)E4. It contains the following topics:

Perform These Tasks

Backing Up and Restoring the Configuration File Using a Remote Server

Obtaining Software on Cisco.com

IPS Software Versioning

Perform These Tasks

Before you upgrade your sensors to Cisco IPS 6.2(5)E4, make sure you perform the following tasks:

Check to make sure you have a valid Cisco Service for IPS service contract per sensor so that you can apply software upgrades.

Create a backup copy of your configuration.

Save the output of the show version command.

If you need to downgrade a signature update, you will know what version you had, and you can then apply the configuration you saved when you backed up your configuration.

For More Information

For more information on how to obtain a valid Cisco Service for IPS service contract, see Service Programs for IPS Products.

For the procedure for creating a backup copy of your configuration, see Backing Up and Restoring the Configuration File Using a Remote Server.

For the procedure for finding your Cisco IPS software version, for the CLI refer to Displaying Version Information, for IDM refer to IDM Home Window, and for IME refer to Sensor Information Gadget.

For the procedure for downgrading signature updates on your sensor, refer to Upgrading, Downgrading, and Installing System Images.

Backing Up and Restoring the Configuration File Using a Remote Server


Note We recommend copying the current configuration file to a remote server before upgrading.


Use the copy [/erase] source_url destination_url keyword command to copy the configuration file to a remote server. You can then restore the current configuration from the remote server. You are prompted to back up the current configuration first.

The following options apply:

/erase—Erases the destination file before copying.

This keyword only applies to the current-config; the backup-config is always overwritten. If this keyword is specified for destination current-config, the source configuration is applied to the system default configuration. If it is not specified for the destination current-config, the source configuration is merged with the current-config.

source_url—The location of the source file to be copied. It can be a URL or keyword.

destination_url—The location of the destination file to be copied. It can be a URL or a keyword.

current-config—The current running configuration. The configuration becomes persistent as the commands are entered.

backup-config—The storage location for the configuration backup.

The exact format of the source and destination URLs varies according to the file. Here are the valid types:

ftp:—Source URL for an FTP network server. The syntax for this prefix is:

ftp://[[username@]location][/relativeDirectory]/filename

ftp://[[username@]location][//absoluteDirectory]/filename


Note You are prompted for a password.


scp:—Source URL for the SCP network server. The syntax for this prefix is:

scp://[[username@]location][/relativeDirectory]/filename

scp://[[username@]location][//absoluteDirectory]/filename


Note You are prompted for a password. You must add the remote host to the SSH known hosts list.


http:—Source URL for the web server. The syntax for this prefix is:

http://[[username@]location][/directory]/filename


Note The directory specification should be an absolute path to the desired file.


https:—Source URL for the web server. The syntax for this prefix is:

https://[[username@]location][/directory]/filename


Note The directory specification should be an absolute path to the desired file. The remote host must be a TLS trusted host.



Caution Copying a configuration file from another sensor may result in errors if the sensing interfaces and virtual sensors are not configured the same.

Backing Up the Current Configuration to a Remote Server

To back up your current configuration to a remote server, follow these steps:


Step 1 Log in to the CLI using an account with administrator privileges.

Step 2 Back up the current configuration to the remote server.
sensor# copy current-config scp://user@192.0.2.0//configuration/cfg current-config
Password: ********
Warning: Copying over the current configuration may leave the box in an unstable state.
Would you like to copy current-config to backup-config before proceeding? [yes]:
 
   
Step 3 Enter yes to copy the current configuration to a backup configuration.
cfg            100% |************************************************| 36124       00:00 
 
   

Restoring the Current Configuration From a Backup File

To restore your current configuration from a backup file, follow these steps:


Step 1 Log in to the CLI using an account with administrator privileges.

Step 2 Back up the current configuration to the remote server.
sensor# copy scp://user@192.0.2.0//configuration/cfg current-config
Password: ********
Warning: Copying over the current configuration may leave the box in an unstable state.
Would you like to copy current-config to backup-config before proceeding? [yes]:
 
   
Step 3 Enter yes to copy the current configuration to a backup configuration.
cfg            100% |************************************************| 36124       00:00 
 
   
Warning: Replacing existing network-settings may leave the box in an unstable state.
Would you like to replace existing network settings 
(host-ipaddress/netmask/gateway/access-list) on sensor before proceeding? [no]: 
sensor#
 
   

Step 4 Enter no to retain the currently configured hostname, IP address, subnet mask, management interface, and access list. We recommend you retain this information to preserve access to your sensor after the rest of the configuration has been restored.


For More Information

For the procedure for adding trusted hosts, for the CLI refer to Adding TLS Trusted Hosts, for IDM refer to Configuring Trusted Hosts, and for IME refer to Adding Trusted Hosts.

Obtaining Software on Cisco.com

You can find major and minor updates, service packs, signature and signature engine updates, system and recovery files, firmware upgrades, and Readmes on the Download Software site on Cisco.com. Signature updates are posted to Cisco.com approximately every week, more often if needed. Service packs are posted to Cisco.com as needed. Major and minor updates are also posted periodically. Check Cisco.com regularly for the latest IPS software.

You must have an account with cryptographic access before you can download software. You set this account up the first time you download IPS software from the Download Software site. You can sign up for IPS Alert Bulletins to receive information on the latest software releases.


Note You must be logged in to Cisco.com to download software. You must have an active IPS maintenance contract and a Cisco.com password to download software. You must have a sensor license to apply signature updates.



Caution The BIOS on Cisco IPS sensors is specific to Cisco IPS sensors and must only be upgraded under instructions from Cisco with BIOS files obtained from the Cisco website. Installing a non-Cisco or third-party BIOS on Cisco IPS sensors voids the warranty.

Downloading IPS Software

To download software on Cisco.com, follow these steps:


Step 1 Log in to Cisco.com.

Step 2 From the Support drop-down menu, choose Download Software.

Step 3 Under Select a Software Product Category, choose Security Software.

Step 4 Choose Intrusion Prevention System (IPS).

Step 5 Enter your username and password.

Step 6 In the Download Software window, choose IPS Appliances > Cisco Intrusion Prevention System and then click the version you want to download.


Note You must have an IPS subscription service license to download software.


Step 7 Click the type of software file you need. The available files appear in a list in the right side of the window. You can sort by file name, file size, memory, and release date. And you can access the Release Notes and other product documentation.

Step 8 Click the file you want to download. The file details appear.

Step 9 Verify that it is the correct file, and click Download.

Step 10 Click Agree to accept the software download rules. The first time you download a file from Cisco.com, you must fill in the Encryption Software Export Distribution Authorization form before you can download the software.

Fill out the form and click Submit. The Cisco Systems Inc. Encryption Software Usage Handling and Distribution Policy appears.

Read the policy and click I Accept. The Encryption Software Export/Distribution Form appears.

If you previously filled out the Encryption Software Export Distribution Authorization form, and read and accepted the Cisco Systems Inc. Encryption Software Usage Handling and Distribution Policy, these forms are not displayed again. The File Download dialog box appears.

Step 11 Open the file or save it to your computer.

Step 12 Follow the instructions in the Readme to install the update.


For More Information

For more information about IPS maintenance contracts, see Service Programs for IPS Products.

For the procedure for obtaining and installing the license, see Obtaining and Installing the License Key

IPS Software Versioning

When you download IPS software images from Cisco.com, you should understand the versioning scheme so that you know which files are base files, which are cumulative, and which are incremental.

Major Update

A major update contains new functionality or an architectural change in the product. For example, the Cisco IPS 6.0 base version includes everything (except deprecated features) since the previous major release (the minor update features, service pack fixes, and signature updates) plus any new changes. Major update 6.0(1) requires 5.x. With each major update there are corresponding system and recovery packages.


Note The 6.0(1) major update is only used to upgrade 5.x sensors to 6.0(1) If you are reinstalling 6.0(1) on a sensor that already has 6.0(1) installed, use the system image or recovery procedures rather than the major update.


Minor Update

A minor update is incremental to the major version. Minor updates are also base versions for service packs. The first minor update for 6.0 is 6.1(1). Minor updates are released for minor enhancements to the product. Minor updates contain all previous minor features (except deprecated features), service pack fixes, signature updates since the last major version, and the new minor features being released. You can install the minor updates on the previous major or minor version (and often even on earlier versions). The minimum supported version needed to upgrade to the newest minor version is listed in the Readme that accompanies the minor update. With each minor update there are corresponding system and recovery packages.

Service Pack

A service pack is cumulative following a base version release (minor or major). Service packs are used for the release of defect fixes with no new enhancements. Service packs contain all service pack fixes since the last base version (minor or major) and the new defect fixes being released. Service packs require the minor version. The minimum supported version needed to upgrade to the newest service pack is listed in the Readme that accompanies the service pack. Service packs also include the latest engine update. For example, if service pack 6.2(2) is released, and E4 is the latest engine level, the service pack is released as 6.2(2)E4.

Patch Release

A patch release is used to address defects that are identified in the upgrade binaries after a software release. Rather than waiting until the next major or minor update, or service pack to address these defects, a patch can be posted. Patches include all prior patch releases within the associated service pack level. The patches roll into the next official major or minor update, or service pack.

Before you can install a patch release, the most recent major or minor update, or service pack must be installed. For example, patch release 6.0(1p1) requires 6.0(1).


Note Upgrading to a newer patch does not require you to uninstall the old patch. For example, you can upgrade from patch 6.0(1p1) to 6.0(1p2) without first uninstalling 6.0(1p1).


Figure 1 illustrates what each part of the IPS software file represents for major and minor updates, service packs, and patch releases.

Figure 1 IPS Software File Name for Major and Minor Updates, Service Packs, and Patch Releases

Signature Update

A signature update is a package file containing a set of rules designed to recognize malicious network activities. Signature updates are released independently from other software updates. Each time a major or minor update is released, you can install signature updates on the new version and the next oldest version for a period of at least six months. Signature updates are dependent on a required signature engine version. Because of this, a req designator lists the signature engine required to support a particular signature update.

Figure 2 illustrates what each part of the IPS software file represents for signature updates.

Figure 2 IPS Software File Name for Signature Updates

Signature Engine Update

A signature engine update is an executable file containing binary code to support new signature updates. Signature engine files require a specific service pack, which is also identified by the req designator.

Figure 3 illustrates what each part of the IPS software file represents for signature engine updates.

Figure 3 IPS Software File Name for Signature Engine Updates

Recovery and System Image Files

Recovery and system image files contain separate versions for the installer and the underlying application. The installer version contains a major and minor version field. The major version is incremented by one of any major changes to the image installer, for example, switching from .tar to rpm or changing kernels. The minor version can be incremented by any one of the following:

Minor change to the installer, for example, a user prompt added.

Repackages require the installer minor version to be incremented by one if the image file must be repackaged to address a defect or problem with the installer.

Figure 4 illustrates what each part of the IPS software file represents for recovery and system image files.

Figure 4 IPS Software File Name for Recovery and System Image Files

Upgrading to Cisco IPS 6.2(5)E4

This section provides information on upgrading to Cisco IPS 6.2(5)E4, and contains the following topics:

Upgrade Notes and Caveats

Upgrading to 6.2(5)E4

Upgrading CSM

Upgrade Notes and Caveats

The following upgrade notes and caveats apply to upgrading your sensor to IPS 6.2(5)E4:

The default value of the Cisco server IP address has been changed from 198.133.219.25 to 72.163.4.161 in the Auto Update URL configuration. If you have automatic update configured on your sensor, you may need to update firewall rules to allow the sensor to connect to this new IP address.

You must have a valid Cisco Service for IPS Maintenance contract per sensor to receive and use software upgrades from Cisco.com.

Minimum required version:

The AIP SSC-5 must be running version 6.2(1)E3 or later.

The sensor goes in to the configured bypass mode during the update as the inspection software is stopped, replaced, and restarted. The sensor automatically exits bypass mode and resumes traffic inspection upon completion of the new inspection software startup and configuration. The engine update procedure normally installs the update without rebooting the sensor. However, if an error is detected during the update, the installation process attempts to reboot the sensor in order to leave the sensor in an operational state.

After you upgrade any IPS software on your sensor, you must restart the IDM to see the latest software features.

If you configured automatic update for your sensor, copy the 6.2(5)E4 update files to the directory on the server that your sensor polls for updates.

If you install an update on your sensor and the sensor is unusable after it reboots, you must reimage your sensor. You can reimage your sensor in the following ways:

For all sensors, use the recover command.

For the AIP SSC-5, reimage from the adaptive security appliance using the hw-module module 1 recover configure/boot command.


Caution When you install the system image for your sensor, all accounts are removed and the default account and password are reset to cisco.

For More Information

For the procedures for reimaging sensors, refer to Upgrading, Downgrading, and Installing System Images.

For more information on Cisco service contracts, see Service Programs for IPS Products.

For the procedure for configuring automatic upgrade, refer to Configuring Automatic Upgrades.

Upgrading to 6.2(5)E4


Caution You must log in to Cisco.com using an account with cryptographic privileges to download software. The first time you download software on Cisco.com, you receive instructions for setting up an account with cryptographic privileges.


Caution Do not change the filename. You must preserve the original filename for the sensor to accept the update.

To upgrade the sensor, follow these steps:


Step 1 Download the appropriate file to an FTP, SCP, HTTP, or HTTPS server that is accessible from your sensor.

Step 2 Log in to the CLI using an account with administrator privileges.

Step 3 Enter configuration mode.
sensor# configure terminal
 
   

Step 4 Upgrade the sensor.

sensor(config)# upgrade url/IPS-K9-6.2-5-E4.pkg
 
   

The URL points to where the update file is located, for example, to retrieve the update using FTP, enter the following:

sensor(config)# upgrade ftp://username@ip_address//directory/IPS-K9-6.2-5-E4.pkg
 
   
Step 5 Enter the password when prompted.
Enter password: ********
 
   

Step 6 Enter yes to complete the upgrade.


Note Major updates, minor updates, and service packs may force a restart of the IPS processes or even force a reboot of the sensor to complete installation.



Note The operating system is reimaged and all files that have been placed on the sensor through the service account are removed.


Step 7 Verify your new sensor version:

sensor# show version
Application Partition:
 
   
Cisco Intrusion Prevention System, Version 6.2(5)E4
 
   
Host:
    Realm Keys          key1.0
Signature Definition:
    Signature Update    S664.0                   2012-08-27
OS Version:             2.4.30-IDS-smp-bigphys
Platform:               ASA-SSC-AIP-5
Serial Number:          JAF1243BMCE
No license present
Sensor up-time is 1 day.
Using 332718080 out of 489398272 bytes of available memory (67% usage)
application-data is using 43.1M out of 166.8M bytes of available disk space (27% usage)
boot is using 44.8M out of 68.6M bytes of available disk space (69% usage)
 
   
MainApp          E-2012_OCT_15_13_08_6_2_4_14   (Ipsbuild)   2012-10-15T13:12:10-0500   
Running
AnalysisEngine   E-2012_OCT_15_13_08_6_2_4_14   (Ipsbuild)   2012-10-15T13:12:10-0500   
Running
CLI              E-2012_OCT_15_13_08_6_2_4_14   (Ipsbuild)   2012-10-15T13:12:10-0500
 
   
Upgrade History:
 
   
  IPS-SSC_5-K9-6.2-5-E4   14:54:06 UTC Fri Oct 26 2012
 
   
Recovery Partition Version 1.1 - 6.2(5)E4
 
   
Host Certificate Valid from: 04-Jan-2012 to 04-Jan-2014
 
   
sensor#
 
   

For More Information

For the procedure for locating software on Cisco.com and obtaining an account with cryptographic privileges, see Obtaining Software on Cisco.com.

Upgrading CSM

Pay attention to the following prerequisites when applying IPS 6.2(5) through CSM4.3 and CSM4.2:

For CSM 4.3, apply SP1CP2 on top of CSM4.3, for example, CSM4.3SP1CP2

For CSM 4.2, apply SP1CP6 on top of CSM4.2, for example, CSM4.2SP1CP6

To apply 6.2(5)E4 to sensor(s) using CSM4.3SP1CP2 and CSM4.2SP1CP6, follow these steps


Step 1 Download the patch ZIP file, IPS-CSM-K9-6.2-5-E4.zip, and copy it to the following directory:

<CSM-install-dir>/MDC/ips/updates
 
   

Step 2 Launch IPS Update Wizard from Tools > Apply IPS Update.

Step 3 Select Sensor Updates from the drop down menu, select the IPS-CSM-K9-6.2-5-E4.zip file, and then click Next.

Step 4 Select the device(s) to which you want to apply the patch, then click Finish.

Step 5 Create a deployment job and deploy to sensor(s) using Deployment Manager.

Launch Deployment Manager from Tools > Deployment Manager.

Step 6 Click Deploy in the popup menu and follow the instructions.


After Upgrading to Cisco IPS 6.2(5)E4

This section provides information about what to do after you install Cisco IPS 6.2(5)E4. It contains the following topics:

Comparing Configurations

Importing a New SSL Certificate

Logging In to the IDM

Licensing the Sensor

Comparing Configurations

Compare your backed up and saved configuration with the output of the show configuration command after upgrading to 6.2(5)E4 to verify that all the configuration has been properly converted.


Caution If the configuration is not properly converted, use the Bug Navigator tool to check the list of caveats associated with your release, or check Cisco.com for any upgrade issues that have been found. Contact the TAC if no DDTS refers to your situation.

For More Information

For the URL of the bug Navigator tool, and a list of the resolved caveats associated with this release, see Caveats.

Importing a New SSL Certificate

If necessary import the new SSL certificate for the upgraded sensor in to each tool being used to monitor the sensor.

For More Information

For the procedures for configuring TLS/SSL, for the CLI refer to Configuring TLS, for IDM refer to Configuring Trusted Hosts, and for IME refer to Configuring Trusted Hosts.

Logging In to the IDM

The IDM is a web-based, Java Web Start application that enables you to configure and manage your sensor. The web server for the IDM resides on the sensor. You can access it through Internet Explorer or Firefox web browsers.


Note The IDM is already installed on the sensor.


To log in to the IDM, follow these steps:


Step 1 Open a web browser and enter the sensor IP address. A Security Alert dialog box appears.

https://sensor_ip_address

Note The default IP address is 192.168.1.2/24,192.168.1.1, which you change to reflect your network environment when you initialize the sensor. When you change the web server port, you must specify the port in the URL address of your browser when you connect to the IDM in the format https://sensor_ip_address:port (for example, https://10.1.9.201:1040).


Step 2 Click Yes to accept the security certificate. The Cisco IPS Device Manager Version 6.2 window appears.

Step 3 To launch the IDM, click Run IDM. The JAVA loading message box appears, and then the Warning - Security dialog box appears.

Step 4 To verify the security certificate, check the Always trust content from this publisher check box, and click Yes. The JAVA Web Start progress dialog box appears, and then the IDM on ip_address dialog box appears.

Step 5 To create a shortcut for the IDM, click Yes. The Cisco IDM Launcher dialog box appears.


Note You must have JRE 1.5 (JAVA 5) installed to create shortcuts for the IDM. If you have JRE 1.6 (JAVA 6) installed, the shortcut is created automatically.


Step 6 To authenticate the IDM, enter your username and password, and click OK. The IDM begins to load. If you change panes from Home to Configuration or Monitoring before the IDM has complete initialization, a Status dialog box appears with the following message:

Please wait while IDM is loading the current configuration from the sensor.
 
   

The main window of the IDM appears.


Note Both the default username and password are cisco. You were prompted to change the password during sensor initialization.



Note If you created a shortcut, you can launch the IDM by double-clicking the IDM shortcut icon. You can also close the Cisco IPS Device Manager Version 6.2 window. After you launch the IDM, is it not necessary for this window to remain open.



For More Information

For more information about security and the IDM, refer to IDM and Certificates.

For the procedure for initializing the sensor, refer to Initializing the Sensor.

Licensing the Sensor

This section describes how to obtain a license key and how to license the sensor using the CLI, IDM, or IME. It contains the following topics:

Understanding the License

Service Programs for IPS Products

Obtaining and Installing the License Key

Understanding the License

Although the sensor functions without the license key, you must have a license key to obtain signature updates. To obtain a license key, you must have the following:

Cisco Service for IPS service contract—Contact your reseller, Cisco service or product sales to purchase a contract.

Your IPS device serial number—To find the IPS device serial number in IDM or IME, for IDM choose Configuration > Sensor Management > Licensing, and for IME choose Configuration > sensor_name > Sensor Management > Licensing, or in the CLI use the show version command.

Valid Cisco.com username and password

Trial license keys are also available. If you cannot get your sensor licensed because of problems with your contract, you can obtain a 60-day trial license that supports signature updates that require licensing.

You can obtain a license key from the Cisco.com licensing server, which is then delivered to the sensor. Or, you can update the license key from a license key provided in a local file. Go to http://www.cisco.com/go/license and click IPS Signature Subscription Service to apply for a license key.

You can view the status of the license key in these places:

IDM Home window Licensing section on the Health tab

IDM Licensing pane (Configuration > Licensing)

IME Home page in the Device Details section on the Licensing tab

License Notice at CLI login

Whenever you start IDM, IME, or the CLI, you are informed of your license status—whether you have a trial, invalid, or expired license key. With no license key, an invalid license key, or an expired license key, you can continue to use IDM, IME, and the CLI, but you cannot download signature updates.

If you already have a valid license on the sensor, you can click Download on the License pane to download a copy of your license key to the computer that IDM or IME is running on and save it to a local file. You can then replace a lost or corrupted license, or reinstall your license after you have reimaged the sensor.

For More Information

For more information on Cisco service contracts, see Service Programs for IPS Products.

For the procedure for obtaining and installing the license, see Obtaining and Installing the License Key.

Service Programs for IPS Products

You must have a Cisco Services for IPS service contract for any IPS product so that you can download a license key and obtain the latest IPS signature updates. If you have a direct relationship with Cisco Systems, contact your account manager or service account manager to purchase the Cisco Services for IPS service contract. If you do not have a direct relationship with Cisco Systems, you can purchase the service account from a one-tier or two-tier partner.

When you purchase an ASA 5500 series adaptive security appliance product that does not contain IPS, you must purchase a SMARTnet contract.


Note SMARTnet provides operating system updates, access to Cisco.com, access to TAC, and hardware replacement NBD on site.


When you purchase an ASA 5500 series adaptive security appliance product that ships with the AIP SSC-5 installed, or if you purchase it to add to your ASA 5500 series adaptive security appliance product, you must purchase the Cisco Services for IPS service contract.


Note Cisco Services for IPS provides IPS signature updates, operating system updates, access to Cisco.com, access to TAC, and hardware replacement NBD on site.


For example, if you purchase an ASA 5510 and then later want to add IPS and purchase an ASA-SSM-AIP-10-K9, you must now purchase the Cisco Services for IPS service contract. After you have the Cisco Services for IPS service contract, you must also have your product serial number to apply for the license key.


Caution If you ever send your product for RMA, the serial number changes. You must then get a new license key for the new serial number.

For More Information

For the procedure for obtaining and installing the license, see Obtaining and Installing the License Key.

Obtaining and Installing the License Key

You can install the license key through the CLI, IDM, or IME. This section describes how to obtain and install the license key, and contains the following topics:

Using the IDM or IME

Using the CLI

Using the IDM or IME


Note In addition to a valid Cisco.com username and password, you must also have a Cisco Services for IPS service contract before you can apply for a license key.


To obtain and install the license key, follow these steps:


Step 1 Log in to the IDM or IME using an account with administrator privileges.

Step 2 For the IDM choose Configuration > Sensor Management > Licensing. For the IME choose Configuration > sensor_name > Sensor Management > Licensing. The Licensing pane displays the status of the current license. If you have already installed your license, you can click Download to save it if needed.

Step 3 Obtain a license key by doing one of the following:

Click the Cisco.com radio button to obtain the license from Cisco.com. The IDM or IME contacts the license server on Cisco.com and sends the server the serial number to obtain the license key. This is the default method. Go to Step 4.

Click the License File radio button to use a license file. To use this option, you must apply for a license key at this URL: www.cisco.com/go/license. The license key is sent to you in e-mail and you save it to a drive that IDM or IME can access. This option is useful if your computer cannot access Cisco.com. Go to Step 7.

Step 4 Click Update License, and in the Licensing dialog box, click Yes to continue. The Status dialog box informs you that the sensor is trying to connect to Cisco.com. An Information dialog box confirms that the license key has been updated.

Step 5 Click OK.

Step 6 Go to www.cisco.com/go/license.

Step 7 Fill in the required fields. Your license key will be sent to the e-mail address you specified.


Caution You must have the correct IPS device serial number because the license key only functions on the device with that number.

Step 8 Save the license key to a hard-disk drive or a network drive that the client running the IDM or IME can access.

Step 9 Log in to the IDM or IME.

Step 10 For the IDM choose Configuration > Sensor Management > Licensing. For the IME choose Configuration > sensor_name > Sensor Management > Licensing.

Step 11 Under Update License, click the License File radio button.

Step 12 In the Local File Path field, specify the path to the license file or click Browse Local to browse to the file.

Step 13 Browse to the license file and click Open.

Step 14 Click Update License.


For More Information

For information on Cisco service contracts, see Service Programs for IPS Products.

Using the CLI

Use the copy source-url license_file_name license-key command to copy the license key to your sensor.

The following options apply:

source-url—The location of the source file to be copied. It can be a URL or keyword.

destination-url—The location of the destination file to be copied. It can be a URL or a keyword.

license-key—The subscription license file.

license_file_name—The name of the license file you receive.


Note You cannot install an older license key over a newer license key.


The exact format of the source and destination URLs varies according to the file. Here are the valid types:

ftp:—Source URL for an FTP network server. The syntax for this prefix is:

ftp://[[username@]location][/relativeDirectory]/filename

ftp://[[username@]location][//absoluteDirectory]/filename


Note You are prompted for a password.


scp:—Source URL for the SCP network server. The syntax for this prefix is:

scp://[[username@]location][/relativeDirectory]/filename

scp://[[username@]location][//absoluteDirectory]/filename


Note You are prompted for a password. You must add the remote host to the SSH known hosts list.


http:—Source URL for the web server. The syntax for this prefix is:

http://[[username@]location][/directory]/filename


Note The directory specification should be an absolute path to the desired file.


https:—Source URL for the web server. The syntax for this prefix is:

https://[[username@]location][/directory]/filename


Note The directory specification should be an absolute path to the desired file. The remote host must be a TLS trusted host.


Installing the License Key

To install the license key, follow these steps:


Step 1 Apply for the license key at this URL: www.cisco.com/go/license.


Note In addition to a valid Cisco.com username and password, you must also have a Cisco Services for IPS service contract before you can apply for a license key.


Step 2 Fill in the required fields. Your Cisco IPS Signature Subscription Service license key will be sent by e-mail to the e-mail address you specified.


Note You must have the correct IPS device serial number because the license key only functions on the device with that number.


Step 3 Save the license key to a system that has a web server, FTP server, or SCP server.

Step 4 Log in to the CLI using an account with administrator privileges.

Step 5 Copy the license key to the sensor.

sensor# copy scp://user@10.89.147.3://tftpboot/dev.lic license-key
Password: *******
 
   

Step 6 Verify the sensor is licensed.

sensor# show version
Application Partition:
 
   
Cisco Intrusion Prevention System, Version 6.2(5)E4
 
   
Host:
    Realm Keys          key1.0
Signature Definition:
    Signature Update    S664.0                   2012-08-27
OS Version:             2.4.30-IDS-smp-bigphys
Platform:               ASA-SSC-AIP-5
Serial Number:          JAF1243BMCE
No license present
Sensor up-time is 1 day.
Using 332718080 out of 489398272 bytes of available memory (67% usage)
application-data is using 43.1M out of 166.8M bytes of available disk space (27%
usage)
boot is using 44.8M out of 68.6M bytes of available disk space (69% usage)
 
   
MainApp          E-2012_OCT_15_13_08_6_2_4_14   (Ipsbuild)   2012-10-15T13:12:10-0500   
Running
AnalysisEngine   E-2012_OCT_15_13_08_6_2_4_14   (Ipsbuild)   2012-10-15T13:12:10-0500   
Running
CLI              E-2012_OCT_15_13_08_6_2_4_14   (Ipsbuild)   2012-10-15T13:12:10-0500
 
   
Upgrade History:
 
   
  IPS-SSC_5-K9-6.2-5-E4   14:54:06 UTC Fri Oct 26 2012
 
   
Recovery Partition Version 1.1 - 6.2(5)E4
 
   
Host Certificate Valid from: 04-Jan-2012 to 04-Jan-2014
 
   
sensor#
 
   

Step 7 Copy your license key from a sensor to a server to keep a backup copy of the license.

sensor# copy license-key scp://user@10.89.147.3://tftpboot/dev.lic 
Password: *******
sensor#
 
   

For More Information

For the procedure for adding remote hosts to the SSH known hosts list, for the CLI refer to Adding Hosts to the SSH Known Hosts List, for the IDM refer to Defining Known Host Keys, and for the IME refer to Defining Known Host Keys.

For the procedure for adding trusted hosts, for the CLI refer to Adding TLS Trusted Hosts, for the IDM refer to Configuring Trusted Hosts, and for the IME refer to Adding Trusted Hosts.

Installing or Upgrading the IME and Migrating Data Into the IME

This section describes how to install and upgrade the IME, and how to migrate data from IEV or a previous version of the IME.


Note You can use IME 6.2 or 7.0 to monitor 6.2(5)E4 sensors.


Cisco IEV, Cisco IOS IPS, and CSM

If you have a version of Cisco IPS Event Viewer installed, the Install wizard prompts you to remove it before installing the IME.

IME event monitoring is also supported in IOS-IPS versions that support the Cisco IPS 5.x/6.x signature format. We recommend IOS-IPS 12.4(15)T4 if you intend to use the IME to monitor an IOS IPS device. Some of the new IME functionality including health monitoring is not supported.


Caution Do not install the IME on top of existing installations of CSM. You must uninstall CSM before installing the IME. Do not install CSM on top of existing installations of the IME.

Installation Notes and Caveats

Observe the following when installing or upgrading the IME:

You can install the IME over all versions of the IME but not over IEV. All alert database and user settings are preserved.

The IME detects previous versions of IEV and prompts you to manually remove the older version before installing the IME or to install the IME on another system. The installation program then stops.

Make sure you close any open instances of the IME before upgrading to a new version of the IME.

Disable any anti-virus or host-based intrusion detection software before beginning the installation, and close any open applications. The installer spawns a command shell application that may trigger your host-based detection software, which causes the installation to fail.

You must be administrator to install the IME.

The IME coexists with other instances of the MySQL database. If you have a MySQL database installed on your system, you do NOT have to uninstall it before installing the IME.

Installing or Upgrading the IME

To install the IME, follow these steps:


Step 1 From the Download Software site on Cisco.com, download the IME executable file to your computer, or start the IDM in a browser window, and under Cisco IPS Manager Express, click download to install the IME executable file. IME-.exe is an example of what the IME executable file might look like.

Step 2 Double-click the executable file. The Cisco IPS Manager Express - InstallShield Wizard appears. You receive a warning if you have a previous version of Cisco IPS Event Viewer installed. Acknowledge the warning, and exit installation. Remove the older version of IEV, and then continue IME installation.

Step 3 Click Next to start IME installation.

Step 4 Accept the license agreement and click Next.

Step 5 Click Next to choose the destination folder, click Install to install IME, and then click Finish to exit the wizard. The Cisco IME and Cisco IME Demo icons are now on your desktop.


Note The first time you start the IME, you are prompted to set up a password.



Migrating IEV Data

To migrate IEV 5.x events to the IME, you must exit the installation and manually export the old events by using the IEV 5.x export function to move the data to local files. After installing the IME, you can import these files to the new IME system.


Note The IME does not support import and migration functions for IEV 4.x.


To export event data from IEV 5.x to a local file:


Step 1 From IEV 5.x, choose File > Database Administration > Export Database Tables.

Step 2 Enter the file name and select the table(s).

Step 3 Click OK. The events in the selected table(s) are exported to the specified local file.


Importing IEV Event Data In to the IME

To import event data in to the IME, follow these steps:


Step 1 From the IME, choose File > Import.

Step 2 Select the file exported from IEV 5.x and click Open. The contents of the selected file are imported in to the IME.


For More Information

For more information about Cisco IME, refer to Cisco Intrusion Prevention System Manager Express Configuration Guide for IPS 6.2 or Cisco Intrusion Prevention System Manager Express Configuration Guide for IPS 7.0.

Restrictions and Limitations

The following restrictions and limitations apply to Cisco IPS 6.2(5)E4 software and the products that run 6.2(5)E4:

For IPS 5.0 and later, you can no longer remove the cisco account. You can disable it using the no password cisco command, but you cannot remove it. To use the no password cisco command, there must be another administrator account on the sensor. Removing the cisco account through the service account is not supported. If you remove the cisco account through the service account, the sensor most likely will not boot up, so to recover the sensor you must reinstall the sensor system image.

The AIP SSC-5 does not support virtualization, unretiring default retired signatures, creating custom signatures, adding signatures, cloning signatures, or anomaly detection.

The AIP SSC-5 can take up to 20 minutes to come online when it reboots after the installation of a new system image. You must let the process complete before you can make configuration changes to the AIP SSC-5. If you try to modify and save configuration changes before the process is complete, you receive an error message.

Anomaly detection does not support IPv6 traffic; only IPv4 traffic is directed to the anomaly detection processor.

ICMP signature engines do not support ICMPv6, they are IPv4-specific, for example, the Traffic ICMP signature engine. ICMPv6 is covered by the Atomic IP Advanced signature engine.

Rate limiting and blocking are not supported for IPv6 traffic. If a signature is configured with a block or rate limit event action and is triggered by IPv6 traffic, an alert is generated but the action is not carried out.

IPv6 does not support the following event actions: Request Block Host, Request Block Connection, or Request Rate Limit.

CSM and MARS do not support IPv6.

With ASA 8.2(1), the AIP SSC-5 supports IPv6 features.

Cisco access routers only support one IDS/IPS per router.

On IPS sensors with multiple processors (for example, the IPS 4260 and IPS 4270-20), packets may be captured out of order in the IP logs and by the packet command. Because the packets are not processed using a single processor, the packets can become out of sync when received from multiple processors.

When deploying an IPS sensor monitoring two sides of a network device that does TCP sequence number randomization, we recommend using a virtual senor for each side of the device.

After you upgrade any IPS software on your sensor, you must restart the IDM to see the latest software features.

The IDM does not support any non-English characters, such as the German umlaut or any other special language characters. If you enter such characters as a part of an object name through IDM, they are turned into something unrecognizable and you will not be able to delete or edit the resulting object through IDM or the CLI.

This is true for any string that is used by CLI as an identifier, for example, names of time periods, inspect maps, server and URL lists, and interfaces.

When the SensorApp is reconfigured, there is a short period when the SensorApp cannot respond to any queries. Wait a few minutes after reconfiguration is complete before querying the SensorApp for additional information.

The IDM and IME launch MySDN from the last browser window you opened, which is the default setting for Windows. To change this default behavior, in Internet Explorer, choose Tools > Internet Options, and then click the Advanced tab. Scroll down and uncheck the Reuse windows for launching shortcuts check box.

Recovering the Password

For most IPS platforms, you can now recover the password on the sensor rather than using the service account or reimaging the sensor. This section describes how to recover the password. It contains the following topics:

Password Recovery for the AIP SSC-5

Disabling Password Recovery

Verifying the State of Password Recovery

Troubleshooting Password Recovery

Password Recovery for the AIP SSC-5

You can reset the password to the default (cisco) for the AIP SSC-5 using the CLI or the ASDM. Resetting the password causes it to reboot. IPS services are not available during a reboot.


Note To reset the password, you must have ASA 8.2(1) or later.


Use the hw-module module slot_number password-reset command to reset the password to the default cisco. If the module in the specified slot has an IPS version that does not support password recovery, the following error message is displayed:

ERROR: the module in slot <n> does not support password recovery.

Resetting the Password Using the CLI

To reset the password on the AIP SSC-5, follow these steps:


Step 1 Reset the password for module 1.

asa# hw-module module 1 password-reset
Reset the password on module in slot 1? [confirm]
 
   

Step 2 Press Enter to confirm.

Password-Reset issued for slot 1.
 
   

Step 3 Verify the status of the module. Once the status reads Up, you can session to the AIP SSC-5.

asa# show module 1
Mod Card Type                                    Model              Serial No. 
--- -------------------------------------------- ------------------ -----------
  1 ASA 5500 Series Security Services Card-5     ASA-SSC-AIP-5      JAF1243BMDR
 
   
Mod MAC Address Range                 Hw Version   Fw Version   Sw Version     
--- --------------------------------- ------------ ------------ ---------------
  1 0021.1bfe.5108 to 0021.1bfe.5108  1.0          1.0(15)7     6.2(4)E4
 
   
Mod SSC Application Name           Status           SSC Application Version
--- ------------------------------ ---------------- --------------------------
  1 IPS                            Up               6.2(4)E4
 
   
Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
  1 Up                 Up 
 
   
 
   

Step 4 Session to the AIP SSC-5.

asa# session 1
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.
 
   

Step 5 Enter the default username (cisco) and password (cisco) at the login prompt.

login: cisco 
Password: cisco
 
   
You are required to change your password immediately (password aged) 
Changing password for cisco. 
(current) password: cisco
 
   

Step 6 Enter your new password twice.

New password: new password
Retype new password: new password
 
   
***NOTICE*** 
This product contains cryptographic features and is subject to United States and local 
country laws governing import, export, transfer and use. Delivery of Cisco cryptographic 
products does not imply third-party authority to import, export, distribute or use 
encryption. Importers, exporters, distributors and users are responsible for compliance 
with U.S. and local country laws. By using this product you agree to comply with 
applicable laws and regulations. If you are unable to comply with U.S. and local laws, 
return this product immediately. 
 
   
A summary of U.S. laws governing Cisco cryptographic products may be found at: 
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html 
 
   
If you require further assistance please contact us by sending email to export@cisco.com. 
 
   
***LICENSE NOTICE*** 
There is no license key installed on this IPS platform. The system will continue to 
operate with the currently installed signature set. A valid license must be obtained in 
order to apply signature updates. Please go to http://www.cisco.com/go/license to obtain a 
new license or install a license. 
aip_ssc-5#
 
   

Using the ASDM

To reset the password in the ASDM, follow these steps:


Step 1 From the ASDM menu bar, choose Tools > IPS Password Reset.


Note This option does not appear in the menu if there is no IPS present.


Step 2 In the IPS Password Reset confirmation dialog box, click OK to reset the password to the default (cisco). A dialog box displays the success or failure of the password reset. If the reset fails, make sure you have the correct ASA and IPS software versions.

Step 3 Click Close to close the dialog box. The sensor reboots.


Disabling Password Recovery


Caution If you try to recover the password on a sensor on which password recovery is disabled, the process proceeds with no errors or warnings; however, the password is not reset. If you cannot log in to the sensor because you have forgotten the password, and password recovery is set to disabled, you must reimage your sensor.

Password recovery is enabled by default. You can disable password recovery through the CLI or IDM.

Disabling Password Recovery Using the CLI

To disable password recovery in the CLI, follow these steps:


Step 1 Log in to the CLI using an account with administrator privileges.

Step 2 Enter global configuration mode.

sensor# configure terminal
 
   

Step 3 Enter host mode.

sensor(config)# service host
 
   

Step 4 Disable password recovery.

sensor(config-hos)# password-recovery disallowed
 
   

Disabling Password Recovery Using IDM

To disable password recovery in IDM, follow these steps:


Step 1 Log in to the CLI using an account with administrator privileges.

Step 2 Choose Configuration > Sensor Setup > Network. The Network pane appears.

Step 3 To disable password recovery, uncheck the Allow Password Recovery check box.


For More Information

If you are not certain about whether password recovery is enabled or disabled, see Verifying the State of Password Recovery.

For more information on reimaging sensors, refer to Upgrading, Downgrading, and Installing System Images.

Verifying the State of Password Recovery

Use the show settings | include password command to verify whether password recovery is enabled. To verify whether password recovery is enabled, follow these steps:


Step 1 Log in to the CLI.

Step 2 Enter service host submode.

sensor# configure terminal
sensor (config)# service host
sensor (config-hos)# 
 
   

Step 3 Verify the state of password recovery by using the include keyword to show settings in a filtered output.

sensor(config-hos)# show settings | include password
   password-recovery: allowed <defaulted>
sensor(config-hos)#
 
   

Troubleshooting Password Recovery

To troubleshoot password recovery, pay attention to the following:

You cannot determine whether password recovery has been disabled in the sensor configuration from the ROMMON prompt, GRUB menu, switch CLI, or router CLI. If password recovery is attempted, it always appears to succeed. If it has been disabled, the password is not reset to cisco. The only option is to reimage the sensor.

You can disable password recovery in the host configuration.

To check the state of password recovery, use the show settings | include password command.

For More Information

For more information on reimaging sensors, refer to Upgrading, Downgrading, and Installing System Images.

For the procedure for disabling password recovery, see Disabling Password Recovery.

For the procedure for verifying the state of password recovery, see Verifying the State of Password Recovery.

Caveats

This section describes the Bug Toolkit, lists the resolved caveats, and contains the following topics:

Bug Toolkit

Resolved Caveats

Unresolved Caveats

Bug Toolkit

For the most complete and up-to-date list of caveats, use the Bug Toolkit to refer to the caveat release note. You can use the Bug Toolkit to search for known bugs based on software version, feature set, and keywords. The resulting matrix shows when each bug was integrated, or fixed if applicable. It also lets you save the results of a search in Bug Groups, and also create persistent Alert Agents that can feed those groups with new defect alerts.


Note You must be logged in to Cisco.com to access the Bug Toolkit.


If you are a registered Cisco.com user, you can view the Bug Toolkit at this URL:

http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs

To become a registered cisco.com user, go to this URL:

http://tools.cisco.com/RPF/register/register.do

Resolved Caveats

The following known issues have been resolved in the Cisco IPS 6.2(5)E4:

CSCte50759— sensorApp aborts during signature update

CSCtl03702— sensorApp aborts in SignatureProcessor processWithLocks

CSCtw45701— SSC-AIP-5 sometime has invalid MAC(00:00:00:00:00:00) after booting up

CSCtx35168— upgrade to S615 can trigger out of memory killer on SSC-5

CSCty05171— sensorApp failure in StreamDispatchProcessor after signature update

CSCuc34812— sensorApp abort following upgrade to S669/S670

CSCts58648— Old SMB engine should not be allowed to run

CSCtt18382 —ENH: IDS Web Server Should Not Break Comm With RFC 5746 Clients

CSCty11200 —health monitor update thread fails during configuration change

CSCtz05641— www.cisco.com IP address change in Auto update URL configuration

CSCtf19088 —Processing Load Percentage CLI output is inaccurate

Unresolved Caveats

The following relevant issue is not resolved in IPS 6.2(5)E4:

CSCuc71696—Auto Update Server IP Not Changed on Upgrade if Configured via IDM/IME

Related Documentation

For more information on Cisco IPS, refer to the following documentation found at this URL:

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/tsd_products_support_series_home.html

Documentation Roadmap for Cisco Intrusion Prevention System 6.2

Cisco Intrusion Prevention System Device Manager Configuration Guide for IPS 6.2

Cisco Intrusion Prevention System Manager Express Configuration Guide for IPS 6.2

Cisco Intrusion Prevention System Command Reference for IPS 6.2

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 6.2

Cisco Intrusion Prevention System Appliances and Modules Installation Guide for IPS 6.2

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.