Cisco Systems, Inc.
Cisco Intrusion Prevention System
IPS 7.1(7)E4 SERVICE PACK

Copyright (C) 2013 Cisco Systems, Inc. All rights reserved.
Printed in the USA.

Cisco, Cisco Systems, and the Cisco Systems logo are registered trademarks of Cisco Systems, Inc. in the U.S. and certain other countries. All other trademarks mentioned in this document are the property of their registered owners.

========================================================================
Table Of Contents
========================================================================

SERVICE PACK NOTE
7.1(7)E4 SERVICE PACK UPDATE INSTRUCTIONS AND DETAILS
- MINIMUM REQUIREMENTS
- FILE LIST
- SUPPORTED PLATFORMS
- INSTALLATION USING THE CLI
- INSTALLATION CAVEATS
- RESOLVED ISSUES IN 7.1(7)E4
- RELEVANT ISSUES NOT RESOLVED
- NEW FEATURES
- RESTRICTIONS
- CSM CAVEATS -- CSM 4.2 SP1 and CSM 4.3
- CSM UPDATE INSTRUCTIONS -- CSM 4.3 SP1

========================================================================

SERVICE PACK NOTE

WARNING: CISCO.COM IP ADDRESS CHANGE IN AUTO UPDATE CONFIGURATION

The 7.1(7)E4 service pack changes the default value of Cisco server IP address from 198.133.219.25 to 72.163.4.161 in the Auto Update URL configuration. Firewall rules may need to be updated to allow sensor connectivity to this new IP Address if Cisco.com Auto Updates have been configured on your sensor.

This service pack is being used as a release vehicle to repair critical IPS sensor issues that have been seen by customers after the 7.1(6) release timeframe. This service pack contains the S691 signature level, but preserves any more recent signature levels installed on your sensor.

This service pack deprecates the use of licenses for "Version 6.0.x or earlier". Customers are requested to obtain new licenses for "Version 6.1 or later" from http://www.cisco.com/go/license and apply them on running sensors before upgrading to the 7.1(7)E4 service pack.
Please refer to the INSTALLATION CAVEATS section below.

========================================================================

7.1(7)E4 SERVICE PACK UPDATE INSTRUCTIONS AND DETAILS

NOTE: You must have a valid maintenance contract per sensor to receive and use software upgrades including signature updates from Cisco.com.

MINIMUM REQUIREMENTS

To install the IPS-SSP_10-K9-7.1-7-E4.pkg, IPS-SSP_20-K9-7.1-7-E4.pkg, IPS-SSP_40-K9-7.1-7-E4.pkg, or IPS-SSP_60-K9-7.1-7-E4 service pack version upgrade file on SSP platforms, you must be running IPS version 7.1(1)E4 or later on your sensor.

To install the IPS-4270_20-K9-7.1-7.pkg, IPS-4240-K9-7.1-7-E4.pkg, IPS-4255-K9-7.1-7-E4.pkg, IPS-4260-K9-7.1-7-E4.pkg service pack version upgrade file on 42xx platforms, you must be running IPS version 6.0(6) or later on your sensor.

To install the IPS-SSP_5512-K9-7.1-7-E4.pkg, IPS-SSP_5515-K9-7.1-7-E4.pkg, IPS-SSP_5525-K9-7.1-7-E4.pkg, IPS-SSP_5545-K9-7.1-7-E4.pkg, IPS-SSP_5555-K9-7.1-7-E4.pkg, IPS-4345-K9-7.1-7-E4.pkg, IPS-4360-K9-7.1-7-E4.pkg service pack version upgrade file on 5500-x platforms, you must be running IPS version 7.1(3)E4 or later on your sensor.

To install the IPS-SSM_10-K9-7.1-7-E4.pkg, IPS-SSM_20-K9-7.1-7-E4.pkg, or IPS-SSM_40-K9-7.1-7-E4.pkg service pack version upgrade file on SSM platforms, you must be running IPS version 6.0(6) or later on your sensor.

To install the IPS-4510-K9-7.1-5.14-E4.pkg or IPS-4520-K9-7.1-5.14-E4.pkg service pack version upgrade file on 45XX platforms, you must be running IPS version 7.1(4)E4 or later on your sensor.

To see what version the sensor is currently running, log in to the CLI and execute the 'show version' command.
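A pre-upgrade check over the MINIMUM REQUIREMENTS rules and the license deprecation from the SERVICE PACK NOTE, added here as an example (it is not Cisco code). The platform family labels, the version-tuple ordering, the license input format and the sensor names are assumptions of this example.

```python
import re

# Minimum running version per platform family, from MINIMUM REQUIREMENTS.
# The family labels are names chosen for this example.
MIN_VERSION = {
    "5585-X SSP": "7.1(1)E4",  # SSP_10 / SSP_20 / SSP_40 / SSP_60
    "42xx": "6.0(6)",
    "5500-X": "7.1(3)E4",      # SSP_5512..SSP_5555, IPS 4345, IPS 4360
    "SSM": "6.0(6)",
    "45xx": "7.1(4)E4",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)(?:p(\d+))?\)(?:E(\d+))?$")


def parse_version(text):
    """'7.1(3)E4' -> (7, 1, 3, 0, 4): major, minor, service pack, patch,
    engine. Missing patch or engine counts as 0 (assumed ordering)."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised IPS version string: {text!r}")
    return tuple(int(part) if part else 0 for part in match.groups())


def preflight(family, running, license_for):
    """Return the reasons the 7.1(7)E4 upgrade is blocked (empty list:
    no blocker found). license_for is the 'major.minor' the license was
    generated for, e.g. '6.0' (assumed input format)."""
    if family not in MIN_VERSION:
        return [f"unknown platform family {family!r}"]
    problems = []
    minimum = MIN_VERSION[family]
    if parse_version(running) < parse_version(minimum):
        problems.append(f"running {running}, need {minimum} or later")
    major, minor = (int(n) for n in license_for.split(".")[:2])
    if (major, minor) < (6, 1):
        problems.append("license is for 6.0.x or earlier; install a 6.1-or-later license")
    return problems


# Constructed inventory: (sensor name, family, running version, license).
INVENTORY = [
    ("edge-ips-1", "5500-X", "7.1(2)E4", "6.1"),
    ("core-ips-1", "42xx", "6.0(6)E4", "6.0"),
    ("dc-ips-1", "45xx", "7.1(4)E4", "7.1"),
]

if __name__ == "__main__":
    for name, family, running, license_for in INVENTORY:
        issues = preflight(family, running, license_for)
        print(name, "OK" if not issues else "; ".join(issues))
```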
For detailed instructions on installing the service pack upgrade file, refer to "Upgrading, Downgrading, and Installing System Images," in Cisco Intrusion Prevention System CLI Configuration Guide for IPS 7.1 available at this URL:

http://www.cisco.com/en/US/docs/security/ips/7.1/configuration/guide/cli/cliguide71.html

FILE LIST

The following files are included as part of this release:

Readme
- IPS-7-1-7-E4_ReadeMe.txt

Service Pack Upgrade Files
- IPS-4240-K9-7.1-7-E4.pkg
- IPS-4255-K9-7.1-7-E4.pkg
- IPS-4260-K9-7.1-7-E4.pkg
- IPS-4270_20-K9-7.1-7-E4.pkg
- IPS-4345-K9-7.1-7-E4.pkg
- IPS-4360-K9-7.1-7-E4.pkg
- IPS-4510-K9-7.1-7-E4.pkg
- IPS-4520-K9-7.1-7-E4.pkg
- IPS-SSM_10-K9-7.1-7-E4.pkg
- IPS-SSM_20-K9-7.1-7-E4.pkg
- IPS-SSM_40-K9-7.1-7-E4.pkg
- IPS-SSP_5512-K9-7.1-7-E4.pkg
- IPS-SSP_5515-K9-7.1-7-E4.pkg
- IPS-SSP_5525-K9-7.1-7-E4.pkg
- IPS-SSP_5545-K9-7.1-7-E4.pkg
- IPS-SSP_5555-K9-7.1-7-E4.pkg
- IPS-SSP_10-K9-7.1-7-E4.pkg
- IPS-SSP_20-K9-7.1-7-E4.pkg
- IPS-SSP_40-K9-7.1-7-E4.pkg
- IPS-SSP_60-K9-7.1-7-E4.pkg

System Image Files
- IPS-4240-K9-sys-1.1-a-7.1-7-E4.img
- IPS-4255-K9-sys-1.1-a-7.1-7-E4.img
- IPS-4260-K9-sys-1.1-a-7.1-7-E4.img
- IPS-4270_20-K9-sys-1.1-a-7.1-7-E4.img
- IPS-4345-K9-sys-1.1-a-7.1-7-E4.img
- IPS-4360-K9-sys-1.1-a-7.1-7-E4.img
- IPS-4510-K9-sys-1.1-a-7.1-7-E4.img
- IPS-4520-K9-sys-1.1-a-7.1-7-E4.img
- IPS-SSM_10-K9-sys-1.1-a-7.1-7-E4.img
- IPS-SSM_20-K9-sys-1.1-a-7.1-7-E4.img
- IPS-SSM_40-K9-sys-1.1-a-7.1-7-E4.img
- IPS-SSP_5512-K9-sys-1.1-a-7.1-7-E4.aip
- IPS-SSP_5515-K9-sys-1.1-a-7.1-7-E4.aip
- IPS-SSP_5525-K9-sys-1.1-a-7.1-7-E4.aip
- IPS-SSP_5545-K9-sys-1.1-a-7.1-7-E4.aip
- IPS-SSP_5555-K9-sys-1.1-a-7.1-7-E4.aip
- IPS-SSP_10-K9-sys-1.1-a-7.1-7-E4.img
- IPS-SSP_20-K9-sys-1.1-a-7.1-7-E4.img
- IPS-SSP_40-K9-sys-1.1-a-7.1-7-E4.img
- IPS-SSP_60-K9-sys-1.1-a-7.1-7-E4.img

Recovery Image Files
- IPS-4240-K9-r-1.1-a-7.1-7-E4.pkg
- IPS-4255-K9-r-1.1-a-7.1-7-E4.pkg
- IPS-4260-K9-r-1.1-a-7.1-7-E4.pkg
- IPS-4270_20-K9-r-1.1-a-7.1-7-E4.pkg
- IPS-4345-K9-r-1.1-a-7.1-7-E4.pkg
- IPS-4360-K9-r-1.1-a-7.1-7-E4.pkg
- IPS-4510-K9-r-1.1-a-7.1-7-E4.pkg
- IPS-4520-K9-r-1.1-a-7.1-7-E4.pkg
- IPS-SSM_10-K9-r-1.1-a-7.1-7-E4.pkg
- IPS-SSM_20-K9-r-1.1-a-7.1-7-E4.pkg
- IPS-SSM_40-K9-r-1.1-a-7.1-7-E4.pkg
- IPS-SSP_5512-K9-r-1.1-a-7.1-7-E4.pkg
- IPS-SSP_5515-K9-r-1.1-a-7.1-7-E4.pkg
- IPS-SSP_5525-K9-r-1.1-a-7.1-7-E4.pkg
- IPS-SSP_5545-K9-r-1.1-a-7.1-7-E4.pkg
- IPS-SSP_5555-K9-r-1.1-a-7.1-7-E4.pkg
- IPS-SSP_10-K9-r-1.1-a-7.1-7-E4.pkg
- IPS-SSP_20-K9-r-1.1-a-7.1-7-E4.pkg
- IPS-SSP_40-K9-r-1.1-a-7.1-7-E4.pkg
- IPS-SSP_60-K9-r-1.1-a-7.1-7-E4.pkg

CSM Upgrade Package
- IPS-CSM-K9-7.1-7-E4.zip

SUPPORTED PLATFORMS

Cisco IPS 7.1(7)E4 is supported on the following platforms:

- IPS 4240
- IPS 4255
- IPS 4260
- IPS 4270-20
- IPS 4345
- IPS 4345-DC
- IPS 4360
- IPS 4510
- IPS 4520
- ASA 5500 AIP SSM-10
- ASA 5500 AIP SSM-20
- ASA 5500 AIP SSM-40
- ASA 5512-X IPS SSP
- ASA 5515-X IPS SSP
- ASA 5525-X IPS SSP
- ASA 5545-X IPS SSP
- ASA 5555-X IPS SSP
- ASA 5585-X IPS SSP-10
- ASA 5585-X IPS SSP-20
- ASA 5585-X IPS SSP-40
- ASA 5585-X IPS SSP-60

INSTALLATION USING THE CLI

NOTE: You must be logged on to Cisco.com using an account with cryptographic privileges to access the download site, and you must have a SMARTnet maintenance contract number to request software upgrades from Cisco.com.

NOTE: This service pack requires an automatic reboot of the sensor to apply the changes. Inline network traffic will be disrupted during the reboot.

WARNING: CISCO.COM IP ADDRESS CHANGE IN AUTO UPDATE CONFIGURATION

The 7.1(7)E4 service pack changes the default value of Cisco server IP address from 198.133.219.25 to 72.163.4.161 in the Auto Update URL configuration. Firewall rules may need to be updated to allow sensor connectivity to this new IP Address if Cisco.com Auto Updates have been configured on your sensor.
To install the 7.1(7)E4 service pack using the CLI, follow these steps. (The steps use SSP_10 as an illustration; other platforms can be installed by downloading the correct package and following the steps below for that package.)

1. Download the file IPS-SSP_10-K9-7.1-7-E4.pkg to a local server.
   Note: The SSP IPS devices require their own platform-specific package as listed above.

2. Log in to the CLI using an account with administrator privileges.

3. Type the following command to enter configuration mode:

     configure terminal

4. Type the following command to upgrade the sensor:

     sensor(config)# upgrade [URL]/IPS-SSP_10-K9-7.1-7-E4.pkg

   where the [URL] is a uniform resource locator pointing to where the package is located. For example, to retrieve the update via SCP, type the following:

     sensor(config)# upgrade scp://@/// IPS-SSP_10-K9-7.1-7-E4.pkg

   The available transport methods are SCP, FTP, HTTP, or HTTPS.

5. Enter the appropriate password when prompted.

6. To complete the upgrade, type yes when prompted.

7. The sensor reboots to finish applying the changes.

To determine whether the 7.1(7)E4 service pack has successfully been installed on a sensor, log in to the CLI and type 'show version' at the command prompt. The sensor will report the version as 7.1(7)E4, and the Upgrade History should include IPS-SSP_10-K9-7.1-7-E4.pkg.

INSTALLATION CAVEATS

The 7.1(7)E4 service pack cannot be uninstalled. You must re-image the sensor using a system image file, which causes all configuration settings to be lost.

The install behavior of this service pack is that all executables, libraries, and so forth are replaced but user configuration is preserved. The reason for this upgrade behavior change is that this service pack contains changes to libraries and drivers.

An upgrade to 7.1(7)E4 Service Pack is not allowed if its sensor license was generated for 6.0.x versions and earlier.
The upgrade fails and the following message is displayed:

  "Error: execUpgradeSoftware : This license is a IPS version 6.0 or earlier license which is not compatible with platforms running 7.1.X IPS Versions. Please install a IPS version 6.1 or later license type. Refer to 7.1.X IPS version README or IPS documents for the details of generating a new license."

To obtain a new license for IPS, follow these steps:

1. Log in to Cisco.com.
2. Go to http://www.cisco.com/go/license.
3. Under Licenses Not Requiring a PAK, click Demo and Evaluation licenses.
4. Under Security Products/Cisco Services for IPS service license (Version 6.1 and later), click All IPS Hardware Platforms.
5. Fill in the required fields. Your license key will be sent to the email address you specified.
6. You must have the correct IPS device serial number and product identifier (PID) because the license key only functions on the device with that number.

RESOLVED ISSUES IN 7.1(7)E4

The following known issues have been resolved in the 7.1(7)E4 release. Release notes can be viewed in Bug Navigator at the following URL:

http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl

Identifier  Headline
----------  -------------------------------------------------------------
CSCuc86174  IPS: FreeBuffers Leak on SSM Processing Flagged Packets
CSCub41016  IPS: TCP Normalizer Streams Stuck in 'Closing' State
CSCud41702  IPS: After IPS config change, a false failover occurs with the ASA
CSCuc74630  sensorApp process hangs due to job failure in Regex Hardware
CSCud12824  kernel panic/errors and reboots ( promiscous mode, bypass mode on )
CSCuc98879  FlexLM license can cause mainApp and sensorApp failures
CSCud29486  Timer Task locks causing IPS auto-update process to stop updating.
CSCud36621  IPS: FreeBuffers Leak Can Result in Packet Drops
CSCuc29807  Out of space 7.1.x upgrade failures

RELEVANT ISSUES NOT RESOLVED

NOTE: 5512-X, 5515-X, 5525-X, 5545-X, and 5555-X IPS customers that inspect fragmented traffic may be affected by the known issue, CSCue51272. This issue results in the ASA "show module" output showing the IPS "Data Plane Status" as "Down". This issue was originally identified by the known issue, CSCuc74630, because the symptoms are similar. The CSCuc74630 issue is resolved in 7.1(7); however, CSCue51272 is not. The current plan is to resolve CSCue51272 in a follow-on patch, 7.1(7p1), and eventually in 7.1(8).

Identifier  Headline
----------  -------------------------------------------------------------
CSCue51272  sensorApp unresponsive due to sharedMemoryDriver issue
CSCty24588  missed packet percentage parameter is missing from Po0 interface in 55xx
CSCtz32230  CLI cores on defaulting network-participation followed by "ex" on exit
CSCty92038  GC not assigning score for alerts/denying packets from malicious IPs
CSCtz47509  LSI soft error observed during coverage testing
CSCua32785  Sig. Downgrade from S649 to S648, retains Signature configs
CSCua34716  Network participation Connection Interval value is not fixed as configed
CSCtz03162  "downgrade" command gives incorrect version in warning and status event
CSCtz03202  show stats GC does not clear connection history and updates time
CSCtz03391  unable to login to radius user account with empty user role
CSCua40354  "show statistics global" does not show warning when UNLICENSED
CSCub67122  Interface link state remains down in by pass mode ON on changing state
CSCub57756  Signature 1204 and 1208 firing with invalid info for Fragmented Traffic
CSCto10843  User account is getting locked earlier than specified attemptLimit
CSCtx37482  IdsEventStore/W "subscription lost data" warnings should be throttled
CSCue28892  IPS 5500-X responds to polling SNMP interface PortChannel0/0 with 0 data
CSCub87577  IDS: /var/log/wtmp File Can Exhaust All Available /var Free Space
CSCty41356  IpDualNode non-zero refcount message is generated once a day
CSCte95674  IDS: 'show statistics virtual-sensor' output MemoryMaxHighUsed incorrect
CSCtz94888  Sensor regex errors are summarized too often
CSCuc51463  HTTP-advanced-decoding causes sensorApp to fail for deflate encoding
CSCuc99007  IDS: Summarize/throttle sensorApp/E errUnacceptableValue aic-web-ports
CSCtz15712  collectStatistics failed errors need to be summarized
CSCud27892  4260 and SSM40 performance issues with long flows
CSCud32612  IPS drops IPv6 packets with flowlabel set due to sig 1250/0
CSCud82085  sensorApp fails due to excessive and continuous IP Logging.
CSCtz38411  Single-flow on SSP can peg CPU and drop or slow traffic
CSCua73931  SSP promiscuous interface receive errors with low load
CSCuc79006  IPS: Multi String engine delays SMB2 packets
CSCue39065  IPS Signature 31939/1 false positives
CSCue07353  Error while delete/disable sig under high load due to poor custom sig
CSCue23658  sensorApp memory exhaustion at high load over extended period of time
CSCue27784  CT fails while running max concurrent connection test for long duration
CSCue35157  sensorApp core while tuning string-tcp-xl sig--UTF8 option set to "yes"
CSCue42792  Stale nodes in the database even after timer expiries
CSCue39065  IPS Signature 31939/1 false positives

NEW FEATURES

No new features are added as part of the 7.1(7)E4 service pack release.

RESTRICTIONS

Applying any Signature template will erase all of the existing Customer tunings associated with the targeted Signature Definition File.

The IPS 4240, IPS 4255, IPS 4260, ASA 5500 AIP SSM, ASA 5512-X IPS SSP, and ASA 5515-X IPS SSP do not support signature threat profiles (signature templates).

Enabling HTTP advanced decoding can have a significantly negative performance and memory impact on the sensor.

----------------------------------------------------------------------------------------------

CSM CAVEATS -- CSM 4.2 SP1 and CSM 4.3
--------------------------------------

CSM 4.2 SP1
-----------

1. CSM 4.2 SP1 cannot manage the following devices running the 7.1(7)E4 software.

- IPS 4240
- IPS 4255
- IPS 4260
- IPS 4345
- IPS 4345-DC
- IPS 4360
- IPS 4510
- IPS 4520
- ASA 5500 AIP SSM-10
- ASA 5500 AIP SSM-20
- ASA 5500 AIP SSM-40
- ASA 5512-X IPS SSP
- ASA 5515-X IPS SSP
- ASA 5525-X IPS SSP
- ASA 5545-X IPS SSP
- ASA 5555-X IPS SSP

Support for the above platforms will be available in "CSM 4.3 SP1".

CAUTION: Do not attempt upgrade of the above to 7.1(7)E4 using CSM 4.2 SP1.

2. CSM 4.2 SP1 will be able to manage the following IPS platforms running 7.1(7)E4 IPS image.
- IPS 4270-20
- ASA 5585-X IPS SSP-10
- ASA 5585-X IPS SSP-20
- ASA 5585-X IPS SSP-40
- ASA 5585-X IPS SSP-60

CSM 4.3
-------

1. CSM 4.3 cannot currently manage the following devices running the 7.1(7)E4 software.

- IPS 4240
- IPS 4255
- IPS 4260
- ASA 5500 AIP SSM-10
- ASA 5500 AIP SSM-20
- ASA 5500 AIP SSM-40

Support for the above platforms is available in "CSM 4.3 SP1".

CAUTION: Do not attempt upgrade of the above to 7.1(7)E4 using CSM 4.3.

2. CSM 4.3 will be able to manage the following IPS platforms running 7.1(7)E4 IPS image.

- IPS 4270-20
- IPS 4345
- IPS 4345-DC
- IPS 4360
- IPS 4510
- IPS 4520
- ASA 5585-X IPS SSP-10
- ASA 5585-X IPS SSP-20
- ASA 5585-X IPS SSP-40
- ASA 5585-X IPS SSP-60
- ASA 5512-X IPS SSP
- ASA 5515-X IPS SSP
- ASA 5525-X IPS SSP
- ASA 5545-X IPS SSP
- ASA 5555-X IPS SSP

To upgrade the platforms mentioned in point (2) to 7.1(7)E4, the following CSM Package should be downloaded:

- IPS-CSM-K9-7.1-7-E4.zip

CSM UPDATE INSTRUCTIONS -- CSM 4.3 SP1
--------------------------------------

CSM 4.3 SP1 will add support for managing and upgrading of the following IPS platforms:

- IPS 4240
- IPS 4255
- IPS 4260
- ASA 5500 AIP SSM-10
- ASA 5500 AIP SSM-20
- ASA 5500 AIP SSM-40

CSM 4.3 SP1 will add 7.1(7)E4 Upgrade support for the following IPS platforms:

- IPS 4270-20
- IPS 4345
- IPS 4345-DC
- IPS 4360
- IPS 4510
- IPS 4520
- ASA 5585-X IPS SSP-10
- ASA 5585-X IPS SSP-20
- ASA 5585-X IPS SSP-40
- ASA 5585-X IPS SSP-60
- ASA 5512-X IPS SSP
- ASA 5515-X IPS SSP
- ASA 5525-X IPS SSP
- ASA 5545-X IPS SSP
- ASA 5555-X IPS SSP

It is recommended that customers upgrade to CSM 4.3 SP1 (Service Pack 1) to manage IPS 7.1(7)E4.

To apply the 7.1(7)E4 service pack to sensor(s) using CSM 4.3 SP1 or later, follow these steps:

1. Download the service pack ZIP file, IPS-CSM-K9-7.1-7-E4.zip, to the /MDC/ips/updates directory.
2. Launch IPS Update Wizard from Tools-->Apply IPS Update.
3. Select Sensor Updates from the drop down menu, and then select the IPS-CSM-K9-7.1-7-E4.zip file.
4. Click Next.
5. Select the device(s) to apply the service pack, then click Finish.
6. Create a deployment job and deploy to sensor(s) using Deployment Manager. Deployment Manager can be launched from Tools-->Deployment Manager.
7. Click Deploy in the popup and follow the instructions.

=========================================================================