- Preface
- Introducing the CLI Configuration Guide
- Logging In to the Sensor
- Initializing the Sensor
- Setting Up the Sensor
- Configuring Interfaces
- Configuring Virtual Sensors
- Defining Signatures
- Configuring Event Action Rules
- Configuring Anomaly Detection
- Configuring Global Correlation
- Configuring External Product Interfaces
- Configuring IP Logging
- Displaying and Capturing Live Traffic on an Interface
- Configuring Attack Response Controller for Blocking and Rate Limiting
- Configuring SNMP
- Working With Configuration Files
- Administrative Tasks for the Sensor
- Configuring the ASA 5500-X IPS SSP
- Configuring the ASA 5585-X IPS SSP
- Obtaining Software
- Upgrading, Downgrading, and Installing System Images
- System Architecture
- Signature Engines
- Troubleshooting
- CLI Error Messages
- Glossary
- Index
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
- Updated:
- February 26, 2014
Chapter: Troubleshooting
- Cisco Bug Search Tool
- Preventive Maintenance
- Disaster Recovery
- Password Recovery
- Time Sources and the Sensor
- Advantages and Restrictions of Virtualization
- Supported MIBs
- Troubleshooting Global Correlation
- When to Disable Anomaly Detection
- Analysis Engine Not Responding
- Troubleshooting RADIUS Authentication
- Troubleshooting External Product Interfaces
- Troubleshooting the Appliance
- Troubleshooting Loose Connections
- The Analysis Engine is Busy
- Communication Problems
- The SensorApp and Alerting
- Blocking
- Troubleshooting Blocking
- Verifying the ARC is Running
- Verifying ARC Connections are Active
- Device Access Issues
- Verifying the Interfaces and Directions on the Network Device
- Enabling SSH Connections to the Network Device
- Blocking Not Occurring for a Signature
- Verifying the Master Blocking Sensor Configuration
- Logging
- TCP Reset Not Occurring for a Signature
- Software Upgrades
Troubleshooting
This appendix contains troubleshooting tips and procedures for sensors and software. It contains the following sections:
- Disaster Recovery
- Password Recovery
- Time Sources and the Sensor
- Advantages and Restrictions of Virtualization
- Supported MIBs
- Troubleshooting Global Correlation
- When to Disable Anomaly Detection
- Analysis Engine Not Responding
- Troubleshooting RADIUS Authentication
- Troubleshooting External Product Interfaces
- Troubleshooting the Appliance
- Troubleshooting the IDM
- Troubleshooting the IME
- Troubleshooting the ASA 5500-X IPS SSP
- Troubleshooting the ASA 5585-X IPS SSP
Cisco Bug Search Tool
The Cisco Bug Search Tool (BST), the online successor to Bug Toolkit, is designed to improve our customers’ effectiveness in network risk management and device troubleshooting.
BST allows partners and customers to search for software bugs based on product, release, and keyword, and aggregates key data such as bug details, product, and version. The service has provision to filter bugs based on credentials to provide external and internal bug views for the search input.
Check out Bug Search Tools & Resources on Cisco.com. For more details on the tool overview and FAQs, check out the help page, located at this URL:
http://www.cisco.com/web/applicat/cbsshelp/help.html
.
Preventive Maintenance
This section describes how to perform preventive maintenance for your sensor, and contains the following topics:
• Understanding Preventive Maintenance
• Backing Up and Restoring the Configuration File Using a Remote Server
Understanding Preventive Maintenance
The following actions will help you maintain your sensor:
• Back up a good configuration. If your current configuration becomes unusable, you can replace it with the backup version.
- Save your backup configuration to a remote system.
- Always back up your configuration before you do a manual upgrade. If you have auto upgrades configured, make sure you do periodic backups.
- Create a service account. A service account is needed for special debug situations directed by TAC.
Caution You should carefully consider whether you want to create a service account. The service account provides shell access to the system, which makes the system vulnerable. Analyze your situation to decide if you want a service account existing on the system.
• For the procedure for backing up a configuration file, see Creating and Using a Backup Configuration File.
- For the procedure for using a remote server to copy and restore the a configuration file, see Backing Up and Restoring the Configuration File Using a Remote Server.
- For more information about the service account, see Creating the Service Account.
Creating and Using a Backup Configuration File
To protect your configuration, you can back up the current configuration and then display it to confirm that is the configuration you want to save. If you need to restore this configuration, you can merge the backup configuration file with the current configuration or overwrite the current configuration file with the backup configuration file.
To back up your current configuration, follow these steps:
Log in to the CLI using an account with administrator privileges.
Step 2 Save the current configuration. The current configuration is saved in a backup file.
Step 3 Display the backup configuration file. The backup configuration file is displayed.
Step 4 You can either merge the backup configuration with the current configuration, or you can overwrite the current configuration:
Backing Up and Restoring the Configuration File Using a Remote Server
Note We recommend copying the current configuration file to a remote server before upgrading.
Use the copy [ /erase ] source_url destination_url keyword command to copy the configuration file to a remote server. You can then restore the current configuration from the remote server. You are prompted to back up the current configuration first.
The following parameters apply:
• /erase —Erases the destination file before copying.
This keyword only applies to the current-config; the backup-config is always overwritten. If this keyword is specified for destination current-config, the source configuration is applied to the system default configuration. If it is not specified for the destination current-config, the source configuration is merged with the current-config.
- source_url —The location of the source file to be copied. It can be a URL or keyword.
- destination_url —The location of the destination file to be copied. It can be a URL or a keyword.
• current-config —The current running configuration. The configuration becomes persistent as the commands are entered.
The exact format of the source and destination URLs varies according to the file. Here are the valid types:
– ftp:—Source or destination URL for an FTP network server. The syntax for this prefix is:
ftp://[[username@]location][/relativeDirectory]/filename
ftp://[[username@]location][//absoluteDirectory]/filename
Note You are prompted for a password.
– scp:—Source or destination URL for the SCP network server. The syntax for this prefix is:
scp://[[username@]location][/relativeDirectory]/filename
scp://[[username@]location][//absoluteDirectory]/filename
Note You are prompted for a password. You must add the remote host to the SSH known hosts list.
– http:—Source URL for the web server. The syntax for this prefix is:
http://[[username@]location][/directory]/filename
Note The directory specification should be an absolute path to the desired file.
– https:—Source URL for the web server. The syntax for this prefix is:
https://[[username@]location][/directory]/filename
Note The directory specification should be an absolute path to the desired file. The remote host must be a TLS trusted host.
Caution Copying a configuration file from another sensor may result in errors if the sensing interfaces and virtual sensors are not configured the same.
Backing Up the Current Configuration to a Remote Server
To back up your current configuration to a remote server, follow these steps:
Log in to the CLI using an account with administrator privileges.
Enter yes to copy the current configuration to a backup configuration.
Restoring the Current Configuration From a Backup File
To restore your current configuration from a backup file, follow these steps:
Log in to the CLI using an account with administrator privileges.
Enter yes to copy the current configuration to a backup configuration.
Would you like to replace existing network settings (host-ipaddress/netmask/gateway/access-list) on sensor before proceeding? [no]:
Step 4 Enter
no
to retain the currently configured hostname, IP address, subnet mask, management interface, and access list. We recommend you retain this information to preserve access to your sensor after the rest of the configuration has been restored.
For a list of supported HTTP/HTTPS servers, see Supported FTP and HTTP/HTTPS Servers.
Creating the Service Account
You can create a service account for TAC to use during troubleshooting. Although more than one user can have access to the sensor, only one user can have service privileges on a sensor. The service account is for support purposes only.
The root user password is synchronized to the service account password when the service account is created. To gain root access you must log in with the service account and switch to user root with the su - root command.
Caution Do not make modifications to the sensor through the service account except under the direction of TAC. If you use the service account to configure the sensor, your configuration is not supported by TAC. Adding services to the operating system through the service account affects proper performance and functioning of the other IPS services. TAC does not support a sensor on which additional services have been added.
Caution You should carefully consider whether you want to create a service account. The service account provides shell access to the system, which makes the system vulnerable. However, you can use the service account to create a password if the administrator password is lost. Analyze your situation to decide if you want a service account existing on the system.
Note For IPS 5.0 and later, you can no longer remove the cisco account. You can disable it using the no password cisco command, but you cannot remove it. To use the no password cisco command, there must be another administrator account on the sensor. Removing the cisco account through the service account is not supported. If you remove the cisco account through the service account, the sensor most likely will not boot up, so to recover the sensor you must reinstall the sensor system image.
To create the service account, follow these steps:
Log in to the CLI using an account with administrator privileges.
Step 2 Enter configuration mode.
Step 3 Specify the parameters for the service account. The username follows the pattern ^[A-Za-z0-9()+:,_/-]+$, which means the username must start with a letter or number, and can include any letter A to Z (capital or small), any number 0 to 9, - and _, and can contain 1 to 64 characters.
Step 4 Specify a password when prompted. A valid password is 8 to 32 characters long. All characters except space are allowed. If a service account already exists for this sensor, the following error is displayed and no service account is created.
Step 5 Exit configuration mode.
When you use the service account to log in to the CLI, you receive this warning.
UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. This account is intended to be used for support and troubleshooting purposes only. Unauthorized modifications are not supported and will require this device to be reimaged to guarantee proper operation.
Disaster Recovery
Follow these recommendations so that you are ready in case of a disaster:
• If you are using the CLI, IDM, or IME for configuration, copy the current configuration from the sensor to an FTP or SCP server any time a change has been made.
- You should note the specific software version for that configuration. You can apply the copied configuration only to a sensor of the same version.
- You also need the list of user IDs that have been used on that sensor. The list of user IDs and passwords are not saved in the configuration.
When a disaster happens and you need to recover the sensor, try the following:
2.
Log in to the sensor with the default user ID and password—
cisco
.
Note You are prompted to change the cisco password.
4. Upgrade the sensor to the IPS software version it had when the configuration was last saved and copied.
Warning Trying to copy the saved configuration without getting the sensor back to the same IPS software version it had before the disaster can cause configuration errors.
5. Copy the last saved configuration to the sensor.
6. Update clients to use the new key and certificate of the sensor. Reimaging changes the sensor SSH keys and HTTPS certificate, so you must add the hosts back to the SSN known hosts list.
• For the procedure for backing up a configuration file, see Creating and Using a Backup Configuration File.
- For the procedure for obtaining a list of the current users on the sensor, see Showing User Status.
- For the procedures for reimage a sensor, see Chapter21, “Upgrading, Downgrading, and Installing System Images”
- For the procedure for using the setup command to initialize the sensor, see Chapter3, “Initializing the Sensor”
- For more information on obtaining IPS software and how to install it, see Obtaining Cisco IPS Software.
- For the procedure for using a remote server to copy and restore the a configuration file, see Backing Up and Restoring the Configuration File Using a Remote Server.
• For the procedure for adding hosts to the SSH known hosts list, see Adding Hosts to the SSH Known Hosts List.
- For the procedure for adding users, see Adding and Removing Users.
Password Recovery
For most IPS platforms, you can now recover the password on the sensor rather than using the service account or reimaging the sensor. This section describes how to recover the password for the various IPS platforms. It contains the following topics:
• Understanding Password Recovery
- Recovering the Password for the Appliance
- Recovering the Password for the ASA 5500-X IPS SSP
- Recovering the Password for the ASA 5585-X IPS SSP
- Disabling Password Recovery
• Verifying the State of Password Recovery
Understanding Password Recovery
Note Administrators may need to disable the password recovery feature for security reasons.
Password recovery implementations vary according to IPS platform requirements. Password recovery is implemented only for the cisco administrative account and is enabled by default. The IPS administrator can then recover user passwords for other accounts using the CLI. The cisco user password reverts to cisco and must be changed after the next login.
Table C-1 lists the password recovery methods according to platform.
Recovering the Password for the Appliance
This section describes the two ways to recover the password for appliances. It contains the following topics:
Using the GRUB Menu
Note You must have a terminal server or direct serial connection to the appliance to use the GRUB menu to recover the password.
For the IPS 4345, IPS 4360, IPS 4510, IPS 4520, IPS 4520-XL appliances, the password recovery is found in the GRUB menu, which appears during bootup. When the GRUB menu appears, press any key to pause the boot process.
To recover the password on appliances, follow these steps:
Reboot the appliance to see the GRUB menu.
Step 2 Press any key to pause the boot process.
Step 3 Choose
2: Cisco IPS Clear Password (cisco)
. The password is reset to
cisco
. Log in to the CLI with username
cisco
and password
cisco
. You can then change the password.
Using ROMMON
For the IPS 4345, IPS 4360, IPS 4510, IPS 4520, IPS 4520-XL, you can use the ROMMON to recover the password. To access the ROMMON CLI, reboot the sensor from a terminal server or direct connection and interrupt the boot process.
Note After recovering the password, you must reset the confreg to 0, otherwise, when you try to upgrade the sensor, the upgrade fails because when the sensor reboots, it goes to password recovery (confreg 0x7) rather than to the upgrade option.
To recover the password using the ROMMON CLI, follow these steps:
Reboot the appliance.
Step 2 To interrupt the boot process, press
ESC
or
Control-R
(terminal server) or send a
BREAK
command (direct connection). The boot code either pauses for 10 seconds or displays something similar to one of the following:
Step 3 Enter the following commands to reset the password:
Step 4 Enter the following command to reset the confreg value to 0:
Recovering the Password for the ASA 5500-X IPS SSP
You can reset the password to the default ( cisco ) for the ASA 5500-X IPS SSP using the CLI or the ASDM. Resetting the password causes it to reboot. IPS services are not available during a reboot.
Note To reset the password, you must have ASA 8.6.1 or later.
Use the sw-module module ips password-reset command to reset the password to the default cisco . If the module in the specified slot has an IPS version that does not support password recovery, the following error message is displayed:
To reset the password on the ASA 5500-X IPS SSP, follow these steps:
Step 1 Log into the adaptive security appliance and enter the following command:
Step 2 Press
Enter
to confirm.
Step 3 Verify the status of the module. Once the status reads
Up
, you can session to the ASA 5500-X IPS SSP.
Step 4 Session to the ASA 5500-X IPS SSP.
Step 5 Enter the default username (
cisco)
and password (
cisco)
at the login prompt.
Step 6 Enter your new password twice.
This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
There is no license key installed on this IPS platform. The system will continue to operate with the currently installed signature set. A valid license must be obtained in order to apply signature updates. Please go to http://www.cisco.com/go/license to obtain a new license or install a license.
To reset the password in the ASDM, follow these steps:
Step 1 From the ASDM menu bar, choose
Tools > IPS Password Reset
.
Note This option does not appear in the menu if there is no IPS present.
Step 2 In the IPS Password Reset confirmation dialog box, click
OK
to reset the password to the default (
cisco
). A dialog box displays the success or failure of the password reset. If the reset fails, make sure you have the correct ASA and IPS software versions.
Step 3 Click
Close
to close the dialog box. The sensor reboots.
Recovering the Password for the ASA 5585-X IPS SSP
Note To reset the password, you must have ASA 8.2.(4.4) or later or ASA 8.4.2 or later. The ASA 5585-X IPS SSP is not supported in ASA 8.3(x).
You can reset the password to the default ( cisco ) for the ASA 5585-X IPS SSP using the CLI or the ASDM. Resetting the password causes it to reboot. IPS services are not available during a reboot.
Use the hw-module module slot_number password-reset command to reset the password to the default cisco . If the module in the specified slot has an IPS version that does not support password recovery, the following error message is displayed:
To reset the password on the ASA 5585-X IPS SSP, follow these steps:
Step 1 Log into the adaptive security appliance and enter the following command:
Step 2 Press
Enter
to confirm.
Step 3 Verify the status of the module. Once the status reads
Up
, you can session to the ASA 5585-X IPS SSP.
Step 4 Session to the ASA 5585-X IPS SSP.
Step 5 Enter the default username (
cisco)
and password (
cisco)
at the login prompt.
Step 6 Enter your new password twice.
This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
There is no license key installed on this IPS platform. The system will continue to operate with the currently installed signature set. A valid license must be obtained in order to apply signature updates. Please go to http://www.cisco.com/go/license to obtain a new license or install a license.
To reset the password in the ASDM, follow these steps:
Step 1 From the ASDM menu bar, choose
Tools > IPS Password Reset
.
Note This option does not appear in the menu if there is no IPS present.
Step 2 In the IPS Password Reset confirmation dialog box, click
OK
to reset the password to the default (
cisco
). A dialog box displays the success or failure of the password reset. If the reset fails, make sure you have the correct ASA and IPS software versions.
Step 3 Click
Close
to close the dialog box. The sensor reboots.
Disabling Password Recovery
Caution If you try to recover the password on a sensor on which password recovery is disabled, the process proceeds with no errors or warnings; however, the password is not reset. If you cannot log in to the sensor because you have forgotten the password, and password recovery is set to disabled, you must reimage your sensor.
Password recovery is enabled by default. You can disable password recovery through the CLI, IDM, or IME.
Disabling Password Recovery Using the CLI
To disable password recovery in the CLI, follow these steps:
Log in to the CLI using an account with administrator privileges.
Step 2 Enter global configuration mode.
Step 4 Disable password recovery.
Disabling Password Recovery Using the IDM or IME
To disable password recovery in the IDM or IME, follow these steps:
Log in to the IDM or IME using an account with administrator privileges.
Step 2 Choose
Configuration >
sensor_name
> Sensor Setup > Network
.
Step 3 To disable password recovery, uncheck the
Allow Password Recovery
check box.
Verifying the State of Password Recovery
Use the show settings | include password command to verify whether password recovery is enabled.
To verify whether password recovery is enabled, follow these steps:
Log in to the CLI.
Step 2 Enter service host submode.
Step 3 Verify the state of password recovery by using the
include
keyword to show settings in a filtered output.
Troubleshooting Password Recovery
When you troubleshoot password recovery, pay attention to the following:
- You cannot determine whether password recovery has been disabled in the sensor configuration from the ROMMON prompt, GRUB menu, switch CLI, or router CLI. If you attempt password recovery, it always appears to succeed. If it has been disabled, the password is not reset to cisco . The only option is to reimage the sensor.
- You can disable password recovery in the host configuration. For the platforms that use external mechanisms, such as ROMMON, although you can run commands to clear the password, if password recovery is disabled in the IPS, the IPS detects that password recovery is not allowed and rejects the external request.
- To check the state of password recovery, use the show settings | include password command.
Time Sources and the Sensor
This section describes how to maintain accurate time on the sensor, and contains the following topics:
• Verifying the Sensor is Synchronized with the NTP Server
Time Sources and the Sensor
Note We recommend that you use an NTP server to regulate time on your sensor. You can use authenticated or unauthenticated NTP. For authenticated NTP, you must obtain the NTP server IP address, NTP server key ID, and the key value from the NTP server. You can set up NTP during initialization or you can configure NTP through the CLI, IDM, IME, or ASDM.
The sensor requires a reliable time source. All events (alerts) must have the correct UTC and local time stamp, otherwise, you cannot correctly analyze the logs after an attack. When you initialize the sensor, you set up the time zones and summertime settings. This section provides a summary of the various ways to set the time on sensors.
- Use the clock set command to set the time. This is the default.
- Configure the appliance to get its time from an NTP time synchronization source.
Note The currently supported Cisco IPS appliances are the IPS 4345, IPS 4360, IPS 4510, IPS 4520, and IPS 4520-XL.
• The ASA 5500-X IPS SSP and ASA 5585-X IPS SSP automatically synchronize their clocks with the clock in the adaptive security appliance in which they are installed. This is the default.
- Configure them to get their time from an NTP time synchronization source, such as a Cisco router other than the parent router.
For the procedure for configuring NTP, see Configuring NTP .
Synchronizing IPS Clocks with Parent Device Clocks
The ASA IPS modules (ASA 5500-X IPS SSP and ASA 5585-X IPS SSP) synchronize their clocks to the parent chassis clock (adaptive security appliance) each time the IPS boots up and any time the parent chassis clock is set. The IPS clock and parent chassis clock tend to drift apart over time. The difference can be as much as several seconds per day. To avoid this problem, make sure that both the IPS clock and the parent clock are synchronized to an external NTP server. If only the IPS clock or only the parent chassis clock is synchronized to an NTP server, the time drift occurs.
Verifying the Sensor is Synchronized with the NTP Server
In IPS, you cannot apply an incorrect NTP configuration, such as an invalid NTP key value or ID, to the sensor. If you try to apply an incorrect configuration, you receive an error message. To verify the NTP configuration, use the show statistics host command to gather sensor statistics. The NTP statistics section provides NTP statistics including feedback on sensor synchronization with the NTP server.
To verify the NTP configuration, follow these steps:
Log in to the sensor.
Step 2 Generate the host statistics.
Step 3 Generate the hosts statistics again after a few minutes.
Step 4 If the status continues to read
Not Synchronized
, check with the NTP server administrator to make sure the NTP server is configured correctly.
Correcting Time on the Sensor
If you set the time incorrectly, your stored events will have the incorrect time because they are stamped with the time the event was created. The Event Store time stamp is always based on UTC time. If during the original sensor setup, you set the time incorrectly by specifying 8:00 p.m. rather than 8:00 a.m., when you do correct the error, the corrected time will be set backwards. New events might have times older than old events.
For example, if during the initial setup, you configure the sensor as central time with daylight saving time enabled and the local time is 8:04 p.m., the time is displayed as 20:04:37 CDT and has an offset from UTC of -5 hours (01:04:37 UTC, the next day). A week later at 9:00 a.m., you discover the error: the clock shows 21:00:23 CDT. You then change the time to 9:00 a.m. and now the clock shows 09:01:33 CDT. Because the offset from UTC has not changed, it requires that the UTC time now be 14:01:33 UTC, which creates the time stamp problem.
To ensure the integrity of the time stamp on the event records, you must clear the event archive of the older events by using the clear events command.
Note You cannot remove individual events.
For the procedure for clearing events, see Clearing Events.
Advantages and Restrictions of Virtualization
To avoid configuration problems on your sensor, make sure you understand the advantages and restrictions of virtualization on your sensor.
Virtualization has the following advantages:
- You can apply different configurations to different sets of traffic.
- You can monitor two networks with overlapping IP spaces with one sensor.
- You can monitor both inside and outside of a firewall or NAT device.
Virtualization has the following restrictions:
- You must assign both sides of asymmetric traffic to the same virtual sensor.
- Using VACL capture or SPAN (promiscuous monitoring) is inconsistent with regard to VLAN tagging, which causes problems with VLAN groups.
– When using Cisco IOS software, a VACL capture port or a SPAN target does not always receive tagged packets even if it is configured for trunking.
– When using the MSFC, fast path switching of learned routes changes the behavior of VACL captures and SPAN.
Virtualization has the following traffic capture requirements:
Supported MIBs
To avoid problems with configuring SNMP, be aware of the MIBs that are supported on the sensor.
The following private MIBs are supported on the sensor:
The CISCO-CIDS-MIB has been updated to include SNMP health data.
You can obtain these private Cisco MIBs under the heading SNMP v2 MIBs at this URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
Note MIB II is available on the sensor, but we do not support it. We know that some elements are not correct (for example, the packet counts from the IF MIB on the sensing interfaces). While you can use elements from MIB II, we do not guarantee that they all provide correct information. We fully support the other listed MIBs and their output is correct.
Note CISCO-PROCESS-MIB is available on the sensor, but we do not support it. We know that some elements are not available. While you can use elements from CISCO-PROCESS-MIB, we do not guarantee that they all provide correct information. We fully support the other listed MIBs and their output is correct.
Troubleshooting Global Correlation
Make sure you observe the following when configuring global correlation:
• Because global correlation updates occur through the sensor management interface, firewalls must allow port 443/80 traffic.
- You must have an HTTP proxy server or a DNS server configured to allow global correlation features to function.
- If you have an HTTP proxy server configured, the proxy must allow port 443/80 traffic from IPS systems.
- You must have a valid IPS license to allow global correlation features to function.
- Global correlation features only contain external IP addresses, so if you position a sensor in an internal lab, you may never receive global correlation information.
- Make sure your sensor supports the global correlation features.
- Make sure your IPS version supports the global correlation features.
For detailed information about global correlation, see Chapter10, “Configuring Global Correlation”
When to Disable Anomaly Detection
If you have anomaly detection enabled and you have your sensor configured to see only one direction of traffic, you should disable anomaly detection. Otherwise, you will receive many alerts, because anomaly detection sees asymmetric traffic as having incomplete connections, that is, like worm scanners, and fires alerts.
To disable anomaly detection, follow these steps:
Log in to the CLI using an account with administrator privileges.
Step 2 Enter analysis engine submode.
Step 3 Enter the virtual sensor name that contains the anomaly detection policy you want to disable.
Step 4 Disable anomaly detection operational mode.
Step 5 Exit analysis engine submode.
Step 6 Press
Enter
to apply your changes or enter
no
to discard them.
To learn more about Worms, see Understanding Worms.
Analysis Engine Not Responding
Error Message Output from show statistics analysis-engineError: getAnalysisEngineStatistics : ct-sensorApp.424 not responding, please check system processes - The connect to the specified Io::ClientPipe failed. Error Message Output from show statistics anomaly-detection
Error: getAnomalyDetectionStatistics : ct-sensorApp.424 not responding, please check system processes - The connect to the specified Io::ClientPipe failed. Error Message Output from show statistics denied-attackers
Error: getDeniedAttackersStatistics : ct-sensorApp.424 not responding, please check system processes - The connect to the specified Io::ClientPipe failed.
Possible Cause These error messages appear when you run the show tech support command and the Analysis Engine is not running.
Recommended Action Verify the Analysis Engine is running and monitor it to see if the issue is resolved.
To verify the Analysis Engine is running and to monitor the issue, follow these steps:
Log in to the sensor.
Step 2 Verify that the Analysis Engine is not running, Check to see if the Analysis Engine reads
Not Running
.
Step 3 Enter
show tech-support
and save the output.
Step 5 Enter
show version
after the sensor has stabilized to see if the issue is resolved.
Step 6 If the Analysis Engine still reads
Not Running
, contact TAC with the original
show tech support
command output.
Troubleshooting RADIUS Authentication
Symptom Attempt limit configured on the IPS sensor may not be enforced for a RADIUS user.
Conditions Applicable for RADIUS users only. The RADIUS user must have logged in to the sensor at least once after RADIUS authentication is enabled or after the sensor is reset or rebooted.
Workaround Log in to the sensor with the correct credentials and from that time on the attempt limit is enforced for that RADIUS user.
For detailed information about RADIUS authentication, see Configuring Authentication and User Parameters.
Troubleshooting External Product Interfaces
This section lists issues that can occur with external product interfaces and provides troubleshooting tips. For more information on external product interfaces, see Chapter11, “Configuring External Product Interfaces” This section contains the following topics:
• External Product Interfaces Issues
External Product Interfaces Issues
When the external product interface receives host posture and quarantine events, the following issues can arise:
– If the number of records exceeds 10,000, subsequent records are dropped.
– If the 10,000 limit is reached and then it drops to below 9900, new records are no longer dropped.
- Hosts can change an IP address or appear to use another host IP address, for example, because of DHCP lease expiration or movement in a wireless network. In the case of an IP address conflict, the sensor presumes the most recent host posture event to be the most accurate.
- A network can include overlapping IP address ranges in different VLANs, but host postures do not include VLAN ID information. You can configure the sensor to ignore specified address ranges.
- A host can be unreachable from the CSA MC because it is behind a firewall. You can exclude unreachable hosts.
- The CSA MC event server allows up to ten open subscriptions by default. You can change this value. You must have an administrative account and password to open subscriptions.
- CSA data is not virtualized; it is treated globally by the sensor.
- Host posture OS and IP addresses are integrated into passive OS fingerprinting storage. You can view them as imported OS profiles.
- You cannot see the quarantined hosts.
- The sensor must recognize each CSA MC host X.509 certificate. You must add them as a trusted host.
- You can configure a maximum of two external product devices.
• For more information on working with OS maps and identifications, see Adding, Editing, Deleting, and Moving Configured OS Maps and Displaying and Clearing OS Identifications.
- For the procedure for adding trusted hosts, see Adding TLS Trusted Hosts.
External Product Interfaces Troubleshooting Tips
To troubleshoot external product interfaces, check the following:
- Make sure the interface is active by checking the output from the show statistics external-product-interface command in the CLI, or choose Monitoring > Sensor Monitoring > Support Information > Statistics in the IDM and check the Interface state line in the response, or choose Configuration > sensor_name > Sensor Monitoring > Support Information > Statistics in the IME, and check the Interface state line in the response.
- Make sure you have added the CSA MC IP address to the trusted hosts. If you forgot to add it, add it, wait a few minutes and then check again.
- Confirm subscription login information by opening and closing a subscription on the CSA MC using the browser.
- Check the Event Store for the CSA MC subscription errors.
• For the procedure for adding trusted hosts, see Adding TLS Trusted Hosts .
- For the procedure for displaying events, see Displaying Events.
Troubleshooting the Appliance
This section contains information to troubleshoot the appliance. It contains the following topics:
• Troubleshooting Loose Connections
• TCP Reset Not Occurring for a Signature
Tip Before troubleshooting the appliance, check the Caveats section of the Readme for the software version you have installed on your sensor to see if you are dealing with a known issue.
Troubleshooting Loose Connections
Perform the following actions to troubleshoot loose connections on sensors:
• Make sure all power cords are securely connected.
- Make sure all cables are properly aligned and securely connected for all external and internal components.
- Remove and check all data and power cables for damage. Make sure no cables have bent pins or damaged connectors.
- Make sure each device is properly seated.
- If a device has latches, make sure they are completely closed and locked.
• Check any interlock or interconnect indicators that indicate a component is not connected properly.
The Analysis Engine is Busy
After you reimage a sensor, the Analysis Engine is busy rebuilding Regex tables and does not respond to new configurations. You can check whether the Analysis Engine is busy by using the show statistics virtual-sensor command. You receive the following error message if the Analysis Engine is busy:
Error: getVirtualSensorStatistics : Analysis Engine is busy rebuilding regex tables. This may take a while.
When the Analysis Engine is busy rebuilding Regex tables, you receive an error message if you try to update a configuration, for example, enabling or retiring a signature:
Error: editConfigDeltaSignatureDefinition : Analysis Engine is busy rebuilding regex tables. This may take a while.
If you try to get the virtual sensor statistics immediately after you boot a sensor, you receive an error message. Although the sensor has rebuilt the cache files, the virtual sensor is not finished initializing.
When you receive the errors that the Analysis Engine is busy, wait a while before trying to make configuration changes. Use the show statistics virtual-sensor command to find out when the Analysis Engine is available again.
Communication Problems
This section helps you troubleshoot communication problems with the 4200 series sensor. It contains the following topics:
Cannot Access the Sensor CLI Through Telnet or SSH
If you cannot access the sensor CLI through Telnet (if you already have it enabled) or SSH, follow these steps:
Log in to the sensor CLI through a console, terminal, or module session.
Step 2 Make sure that the sensor management interface is enabled. The management interface is the interface in the list with the status line
Media Type = TX
. If the Link Status is
Down
, go to Step 3. If the Link Status is
Up
, go to Step 5.
Step 3 Make sure the sensor IP address is unique. If the management interface detects that another device on the network has the same IP address, it does not come up.
Step 4 Make sure the management port is connected to an active network connection. If the management port is not connected to an active network connection, the management interface does not come up.
Step 5 Make sure the IP address of the workstation that is trying to connect to the sensor is permitted in the sensor access list. If the workstation network address is permitted in the sensor access list, go to Step 6.
Step 6 Add a permit entry for the workstation network address, save the configuration, and try to connect again.
Step 7 Make sure the network configuration allows the workstation to connect to the sensor. If the sensor is protected behind a firewall and the workstation is in front of the firewall, make sure the firewall is configured to allow the workstation to access the sensor. Or if the workstation is behind a firewall that is performing network address translation on the workstation IP address, and the sensor is in front of the firewall, make sure that the sensor access list contains a permit entry for the workstation translated address.
• For the procedure for enabling and disabling Telnet on the sensor, see Enabling and Disabling Telnet.
- For the various ways to open a CLI session directly on the sensor, see Chapter2, “Logging In to the Sensor”
• For the procedure for changing the IP address, see Changing the IP Address, Netmask, and Gateway.
- For the procedure for changing the access list, see Correcting a Misconfigured Access List.
Correcting a Misconfigured Access List
To correct a misconfigured access list, follow these steps:
Log in to the CLI.
Step 2 View your configuration to see the access list.
Step 3 Verify that the client IP address is listed in the allowed networks. If it is not, add it.
Duplicate IP Address Shuts Interface Down
If you have two newly imaged sensors with the same IP address that come up on the same network at the same time, the interface shuts down. Linux prevents the command and control interface from activating if it detects an address conflict with another host.
To verify that the sensor in question does not have an IP address conflict with another host on the network, follow these steps:
Log in to the CLI.
Step 2 Determine whether the interface is up. If the output says the command and control interface link status is down, there is a hardware issue or an IP address conflict.
Step 3 Make sure the sensor cabling is correct.
Step 4 Make sure the IP address is correct.
• To make sure the sensor cabling is correct, refer to the chapter for your sensor in Cisco Intrusion Prevention System Appliances and Modules Installation Guide for IPS 7.2 .
- For the procedure for making sure the IP address is correct, see Changing Network Settings.
The SensorApp and Alerting
This section helps you troubleshoot issues with the SensorApp and alerting. It contains the following topics:
The SensorApp is Not Running
The sensing process, SensorApp, should always be running. If it is not, you do not receive any alerts. The SensorApp is part of the Analysis Engine, so you must make sure the Analysis Engine is running.
To make sure the Analysis Engine is running, follow these steps:
Log in to the CLI.
Step 2 Determine the status of the Analysis Engine service and whether you have the latest software updates.
Step 3 If the Analysis Engine is not running, look for any errors connected to it.
Note The date and time of the last restart is listed. In this example, the last restart was on 2-19-2004 at 7:34.
Step 4 If you do not have the latest software updates, download them from Cisco.com. Read the Readme that accompanies the software upgrade for any known DDTS for the SensorApp or the Analysis Engine.
Step 5 If the Analysis Engine is still not running, enter
show tech-support
and save the output.
Step 7 Enter
show version
after the sensor has stabilized to see if the issue is resolved.
Step 8 If the Analysis Engine still reads
Not Running
, contact TAC with the original
show tech support
command output.
• For more information on IPS system architecture, see ChapterA, “System Architecture”
- For the procedure for obtaining the latest Cisco IPS software, see Obtaining Cisco IPS Software.
Physical Connectivity, SPAN, or VACL Port Issue
If the sensor is not connected properly, you do not receive any alerts.
To make sure the sensor is connected properly, follow these steps:
Log in to the CLI.
Step 2 Make sure the interfaces are up and that the packet count is increasing.
Step 3 If the Link Status is down, make sure the sensing port is connected properly:
- Make sure the sensing port is connected properly on the appliance.
- Make sure the sensing port is connected to the correct SPAN or VACL capture port on IDSM2.
Step 4 Verify the interface configuration:
- Make sure you have the interfaces configured properly.
- Verify the SPAN and VACL capture port configuration on the Cisco switch.
Refer to your switch documentation for the procedure.
Step 5 Verify again that the interfaces are up and that the packet count is increasing.
• For the procedure for properly installing the sensing interface on your sensor, refer to the chapter on your appliance in Cisco Intrusion Prevention System Appliances and Modules Installation Guide for IPS 7.2 .
- For the procedures for configuring interfaces on your sensor, see Chapter5, “Configuring Interfaces”
Unable to See Alerts
If you are not seeing alerts, try the following:
• Make sure the signature is enabled
- Make sure the signature is not retired
- Make sure that you have Produce Alert configured as an action
Note If you choose Produce Alert, but come back later and add another event action and do not add Produce Alert to the new configuration, alerts are not sent to the Event Store. Every time you configure a signature, the new configuration overwrites the old one, so make sure you have configured all the event actions you want for each signature.
• Make sure that alerts are being generated
To make sure you can see alerts, follow these steps:
Log in to the CLI.
Step 2 Make sure the signature is enabled.
Step 3 Make sure you have Produce Alert configured.
Step 4 Make sure the sensor is seeing packets.
Sensor Not Seeing Packets
If the sensor is not seeing any packets on the network, you could have the interfaces set up incorrectly.
If the sensor is not seeing packets, follow these steps:
Log in to the CLI.
Step 2 Make sure the interfaces are up and receiving packets.
Step 3 If the interfaces are not up, do the following:
Step 4 Check to see that the interface is up and receiving packets.
For the procedure for installing the sensor properly, refer to your sensor chapter in Cisco Intrusion Prevention System Appliances and Modules Installation Guide for IPS 7.2 .
Cleaning Up a Corrupted SensorApp Configuration
If the SensorApp configuration has become corrupted and the SensorApp cannot run, you must delete it entirely and restart the SensorApp.
To delete the SensorApp configuration, follow these steps:
Log in to the service account.
Step 3 Stop the IPS applications.
Step 4 Replace the virtual sensor file.
cp /usr/cids/idsRoot/etc/defVirtualSensorConfig.xml /usr/cids/idsRoot/etc/VS-Config/virtualSensor.xml
Step 5 Remove the cache files.
Step 6 Exit the service account.
Step 7 Log in to the sensor CLI.
Step 8 Start the IPS services.
Step 9 Log in to an account with administrator privileges.
To learn more about IPS system architecture, see Appendix A, “System Architecture.”
Blocking
This section provides troubleshooting help for blocking and the ARC service. It contains the following topics.
Troubleshooting Blocking
After you have configured the ARC, you can verify if it is running properly by using the show version command. To verify that the ARC is connecting to the network devices, use the show statistics network-access command.
Note The ARC was formerly known as Network Access Controller. Although the name has been changed since IPS 5.1, it still appears in IDM, IME, and the CLI as Network Access Controller, nac, and network-access.
To troubleshoot the ARC, follow these steps:
1. Verify that the ARC is running.
2. Verify that the ARC is connecting to the network devices.
3. Verify that the Event Action is set to Block Host for specific signatures.
4. Verify that the master blocking sensor is properly configured.
• For the procedure to verify that the ARC is running, see Verifying the ARC is Running.
- For the procedure to verify that the ARC is connecting, see Verifying ARC Connections are Active.
- For the procedure to verify that the Event Action is set to Block Host, see Blocking Not Occurring for a Signature.
• For the procedure to verify that the master blocking sensor is properly configured, see Verifying the Master Blocking Sensor Configuration.
- For a discussion of ARC architecture, see Attack Response Controller.
Verifying the ARC is Running
To verify that the ARC is running, use the show version command. If the MainApp is not running, the ARC cannot run. The ARC is part of the MainApp.
To verify that the ARC is running, follow these steps:
Log in to the CLI.
Step 2 Verify that the MainApp is running.
Step 3 If the MainApp displays
Not Running
, the ARC has failed. Contact TAC.
To learn more about IPS system architecture, see Appendix A, “System Architecture.”
Verifying ARC Connections are Active
If the State is not
Active
in the ARC statistics, there is a problem.
To verify that the State is Active in the statistics, follow these steps:
Log in to the CLI.
Step 2 Verify that the ARC is connecting. Check the State section of the output to verify that all devices are connecting.
Step 3 If the ARC is not connecting, look for recurring errors.
Step 4 Make sure you have the latest software updates.
Note If you do not have the latest software updates, download them from Cisco.com. Read the Readme that accompanies the software upgrade for any known DDTS for the ARC.
Step 5 Make sure the configuration settings for each device are correct (the username, password, and IP address).
Step 6 Make sure the interface and directions for each network device are correct.
Step 7 If the network device is using SSH-3DES, make sure that you have enabled SSH connections to the device.
Step 8 Verify that each interface and direction on each controlled device is correct.
• For the procedure for obtaining the latest Cisco IPS software, see Obtaining Cisco IPS Software.
- For more information about configuring devices, see Device Access Issues.
• For the procedure for verifying the interfaces and directions for each network device, see Verifying the Interfaces and Directions on the Network Device.
- For the procedure for enabling SSH, see Enabling SSH Connections to the Network Device.
Device Access Issues
The ARC may not be able to access the devices it is managing. Make sure the you have the correct IP address and username and password for the managed devices and the correct interface and direction configured.
Note SSH devices must support SSH 1.5. The sensor does not support SSH 2.0.
To troubleshoot device access issues, follow these steps:
Step 2 Verify the IP address for the managed devices.
Step 3 Manually connect to the device to make sure you have used the correct username, password, and enable password, and to ensure that the device is reachable from the sensor:
a. Log in to the service account.
b. Telnet or SSH to the network device to verify the configuration.
c. Make sure you can reach the device.
d. Verify the username and password.
Step 4 Verify that each interface and direction on each network device is correct.
For the procedure for verifying the interfaces and directions for each network device, see Verifying the Interfaces and Directions on the Network Device.
Verifying the Interfaces and Directions on the Network Device
To verify that each interface and direction on each controlled device is correct, you can send a manual block to a bogus host and then check to see if deny entries exist for the blocked addresses in the ACL of the router.
Note To perform a manual block using IDM, choose Configuration > Sensor Management > Time-Based Actions > Host Blocks. To perform a manual block using IME, choose Configuration > sensor_name > Sensor Management > Time-Based Actions > Host Blocks.
To initiate a manual block to a bogus host, follow these steps:
Step 1 Enter ARC general submode.
Step 2 Start the manual block of the bogus host IP address.
Step 4 Press
Enter
to apply the changes or type
no
to discard them.
Step 5 Telnet to the router and verify that a deny entry for the blocked address exists in the router ACL. Refer to the router documentation for the procedure.
Step 6 Remove the manual block by repeating Steps 1 through 4 except in Step 2 place
no
in front of the command.
Enabling SSH Connections to the Network Device
If you are using SSH-3DES as the communication protocol for the network device, you must make sure you have enabled it on the device.
To enable SSH-3DES connections to the network device, follow these steps:
Step 2 Enter configuration mode.
Step 4 Type
yes
when prompted to accept the device.
Blocking Not Occurring for a Signature
If blocking is not occurring for a specific signature, check that the event action is set to block the host.
To make sure blocking is occurring for a specific signature, follow these steps:
Step 2 Enter signature definition submode.
Step 3 Make sure the event action is set to block the host.
Note If you want to receive alerts, you must always add produce-alert any time you configure the event actions.
Step 4 Exit signature definition submode.
Step 5 Press
Enter
to apply the changes or type
no
to discard them.
Verifying the Master Blocking Sensor Configuration
To verify that a master blocking sensor is set up properly or to troubleshoot a master blocking sensor that is not set up properly, you can use the show statistics network-access command. Make sure that the forwarding sensor is set up as TLS trusted host if the remote master blocking sensor is using TLS for web access.
To verify a master blocking sensor configuration, follow these steps:
Step 2 View the ARC statistics and verify that the master blocking sensor entries are in the statistics.
Step 3 If the master blocking sensor does not show up in the statistics, you need to add it.
Step 4 Initiate a manual block to a bogus host IP address to make sure the master blocking sensor is initiating blocks.
Step 5 Exit network access general submode.
Step 6 Press
Enter
to apply the changes or type
no
to discard them.
Step 7 Verify that the block shows up in the ARC statistics.
Step 8 Log in to the CLI of the master blocking sensor host, and using the
show statistics network-access
command, verify that the block also shows up in the master blocking sensor ARC statistics.
Step 9 If the remote master blocking sensor is using TLS for web access, make sure the forwarding sensor is configured as a TLS host.
For the procedure to configure the sensor to be a master blocking sensor, see Configuring the Sensor to be a Master Blocking Sensor.
Logging
TAC may suggest that you turn on debug logging for troubleshooting purposes. Logger controls what log messages are generated by each application by controlling the logging severity for different logging zones. By default, debug logging is not turned on. If you enable individual zone control, each zone uses the level of logging that it is configured for. Otherwise, the same logging level is used for all zones. This section contains the following topics:
Enabling Debug Logging
Caution Enabling debug logging seriously affects performance and should only be done when instructed by TAC.
To enable debug logging, follow these steps:
Step 1 Log in to the service account.
Step 2 Edit the log.conf file to increase the size of the log to accommodate the additional log statements.
Step 3 Change
fileMaxSizeInK=500
to
fileMaxSizeInK=5000
.
Step 4 Locate the zone and CID section of the file and set the severity to debug.
Step 5 Save the file, exit the vi editor, and exit the service account.
Step 6 Log in to the CLI as administrator.
Step 7 Enter master control submode.
Step 8 Enable debug logging for all zones.
Step 9 Turn on individual zone control.
Step 10 Exit master zone control.
Step 12 Change the severity level (debug, timing, warning, or error) for a particular zone.
Step 13 Turn on debugging for a particular zone.
Step 14 Exit the logger submode.
Step 15 Press
Enter
to apply changes or type
no
to discard them:
For a list of what each zone name refers to, see Zone Names.
Zone Names
Table C-2 lists the debug logger zone names:
To learn more about the IPS Logger service, see Logger.
Directing cidLog Messages to SysLog
It might be useful to direct cidLog messages to syslog.
To direct cidLog messages to syslog, follow these steps:
Go to the idsRoot/etc/log.conf file.
Step 2 Make the following changes:
Comment out the
enabled=true
because
enabled=false
is the default.
b. Set [drain/main]
type=syslog
The following example shows the logging configuration file:
The syslog output is sent to the syslog facility local6 with the following correspondence to syslog message priorities:
Note Make sure that your /etc/syslog.conf has that facility enabled at the proper priority.
TCP Reset Not Occurring for a Signature
Note There is only one sensing interface on the ASA IPS modules (ASA 5500-X IPS SSP and ASA 5585-X IPS SSP), so you cannot designate an alternate TCP reset interface.
If you do not have the event action set to reset, the TCP reset does not occur for a specific signature.
Note TCP Resets are not supported over MPLS links or the following tunnels: GRE, IPv4 in IPv4, IPv6 in IPv4, or IPv4 in IPv6.
To troubleshoot a reset not occurring for a specific signature, follow these steps:
Log in to the CLI.
Step 2 Make sure the event action is set to TCP reset.
Step 3 Exit signature definition submode.
Step 4 Press
Enter
to apply the changes or type
no
to discard them.
Step 5 Make sure the correct alarms are being generated.
Step 6 Make sure the switch is allowing incoming TCP reset packet from the sensor. Refer to your switch documentation for more information.
Step 7 Make sure the resets are being sent.
Software Upgrades
This section helps in troubleshooting software upgrades. It contains the following topics:
Upgrading Error
When you upgrade an IPS sensor , you may receive an error that the Analysis Engine is not running:
Warning: Executing this command will apply a major version upgrade to the application partition. The system may be rebooted to complete the upgrade.If you receive this error, you must get the Analysis Engine running before trying to upgrade again. This error is often caused by a defect in the currently running version. Try rebooting the sensor, and after reboot, run the setup command and remove the interfaces from the virtual sensor vs0. When it is not monitoring traffic, Analysis Engine usually stays up and running. You can upgrade at this time. After the upgrade, add the interfaces back to the virtual sensor vs0 using the setup command.
Or you can use the system image file to reimage the sensor directly to the version you want. You can reimage a sensor and avoid the error because the reimage process does not check to see if the Analysis Engine is running.
• For more information on running the setup command, see Chapter3, “Initializing the Sensor”
- For more information on reimaging your sensor, see Chapter21, “Upgrading, Downgrading, and Installing System Images”
Which Updates to Apply and Their Prerequisites
You must have the correct service pack and minor and major version of the software. If you are having trouble with applying new software, make sure that you are applying the proper updates with the proper prerequisites:
• Signature updates require the minimum version and engine version listed in the filename.
- Engine updates require the major or minor version in the engine update filename. Service packs require the correct minor version.
• Minor versions require the correct major version.
To understand how to interpret the IPS software filenames, see IPS Software Versioning.
Issues With Automatic Update
The following list provides suggestions for troubleshooting automatic updates:
– Create a service account.
Su
to root and run TCPDUMP on the command and control interface to capture packets between the sensor and the FTP server.
– Use the upgrade command to manually upgrade the sensor.
– Look at the TCPDUMP output for errors coming back from the FTP server.
• Make sure the sensor is in the correct directory. The directory must be specified correctly. This has caused issues with Windows FTP servers. Sometimes an extra “/” or even two “/” are needed in front of the directory name. To verify this, use the same FTP commands you see in the TCPDUMP output through your own FTP connection.
- You must use the Windows FTP server setup option to emulate UNIX file structure and not MS-DOS file structure.
- If you are using SCP, make sure you have added the SSH host key to the known hosts list.
Try the manual upgrade command before attempting the automatic update. If it works with the upgrade command and does not work with the automatic update, try the following:
• Determine which IPS software version your sensor has.
- Make sure the passwords are configured for automatic update. Make sure they match the same passwords used for manual update.
• Make sure that the filenames in the FTP server are exactly what you see on Downloads on Cisco.com. This includes capitalization. Some Windows FTP servers allow access to the file with the incorrect capitalization but the sensor ultimately rejects the file because the name has changed.
- If necessary, run TCPDUMP on automatic update. You can compare the successful manual update with the unsuccessful automatic update and troubleshoot from there.
• For the procedure for creating the service account, see Creating the Service Account.
- For the procedure for reimaging your sensor, see Chapter21, “Upgrading, Downgrading, and Installing System Images”
• For the procedure for adding hosts to the SSH known hosts list, see Adding Hosts to the SSH Known Hosts List.
- For the procedure for determining the software version, see Displaying Version Information.
Updating a Sensor with the Update Stored on the Sensor
You can store the update package in the /var directory on the sensor and update the sensor from there if you need to.
To update the sensor with an update stored on the sensor, follow these steps:
Log in to the service account.
Step 2 Obtain the update package file from Cisco.com.
Step 3 FTP or SCP the update file to the sensor /usr/cids/idsRoot/var directory.
Step 4 Set the file permissions:.
Step 5 Exit the service account.
Step 6 Log in to the sensor using an account with administrator privileges.
Step 7 Store the sensor host key.
For the procedure for obtaining Cisco IPS software, see Obtaining Cisco IPS Software.
Troubleshooting the IDM
Note These procedures also apply to the IPS section of the ASDM.
Note After you upgrade any IPS software on your sensor, you must restart the IDM to see the latest software features.
This section contains troubleshooting procedures for the IDM. It contains the following topics:
• Cannot Launch the IDM - Loading Java Applet Failed
• The IDM, Remote Manager, or Sensing Interfaces Cannot Access Sensor
Cannot Launch the IDM - Loading Java Applet Failed
Symptom The browser displays
Loading Cisco IDM. Please wait ...
At the bottom left corner of the window,
Loading Java Applet Failed
is displayed.
Possible Cause This condition can occur if multiple Java Plug-ins are installed on the machine on which you are launching the IDM.
Recommended Action Clear the Java cache and remove temp files and clear history in the browser you are using. The result is that neither of these plug-ins will be used by default and each applet should use the correct plug-in.
To clear the cache, follow these steps:
Step 1 Close all browser windows.
Step 2 If you have Java Plug-in 1.3.
x
installed:
a. Click
Start
>
Settings
>
Control Panel
>
Java Plug-in 1.3.x
.
c. Under Java Runtime Environment, select
JRE 1.3.x
from the drop-down menu.
Step 3 If you have Java Plug-in 1.4.
x
installed:
a. Click
Start
>
Settings
>
Control Panel
>
Java Plug-in 1.4.x
.
c. Under Java Runtime Environment, select
JRE 1.3.x
from the drop-down menu.
f. Deselect all browser check boxes.
Step 4 Delete the temp files and clear the history in the browser.
Cannot Launch the IDM-The Analysis Engine Busy
Error Message Error connecting to sensor. Failed to load sensor-errNotAvailable-Analysis Engine is busy. Exiting IDM.Possible Cause This condition can occur if the Analysis Engine in the sensor is busy getting ready to perform a task and so does not respond to the IDM.
Recommended Action Wait for a while and try again to connect.
The IDM, Remote Manager, or Sensing Interfaces Cannot Access Sensor
If the IDM, a remote manager, or sensing interfaces cannot access the sensor, but you can access the sensor CLI using SSH or Telnet (if enabled), follow these steps:
Make sure the network configuration allows access to the web server port that is configured on the sensor:
Step 2 If network devices, such as routers, switches, or firewalls, are between the sensor and the workstation, make sure these devices are configured to allow the workstation to access the sensor web server port. All remote management communication is performed by the sensor web server.
• For the procedure for enabling and disabling Telnet on the sensor, see Enabling and Disabling Telnet.
- For the procedure for configuring the web server, see Changing Web Server Settings.
Signatures Not Producing Alerts
Caution You cannot add other actions each time you configure the event actions. You are actually replacing the list of event actions every time you configure it, so make sure you choose Produce Alert every time you configure event actions.
If you are not seeing any alerts when signatures are firing, make sure that you have configured Produce Alert as an event action. For example, if you choose Produce Alert, but later add another event action and do not add Produce Alert to the new configuration, alerts are not sent to the Event Store. To make sure you are getting alerts, check the statistics for the virtual sensor and the Event Store.
- For more information about event actions, see Event Actions.
- For the procedure for configuring event actions, see Assigning Actions to Signatures.
- For the procedure for obtaining statistics about the virtual sensor and Event Store, see Displaying Statistics.
Troubleshooting the IME
This section describes troubleshooting tools for the IME, and contains the following sections:
• Time Synchronization on IME and the Sensor
Time Synchronization on IME and the Sensor
Symptom The IME displays
No Data Available
on the Events dashboard. A historical query does not return any events; however, events are coming in to the IME and they appear in the real-time event viewer.
Possible Cause The time is not synchronized between the sensor and the IME local server. The IME dashboards use a time relative to the IME local time. If these times are not synchronized, the query does not return any results. When you add a sensor to the IME, it checks for the time synchronization and warns you to correct it if is in wrong. The IME also displays a clock warning in Home > Devices > Device List to warn you about problems with synchronization.
Recommended Action Change the time settings on the sensor or the IME local server. In most cases, the time change is required for the sensor because it is configured with the incorrect or default time.
• For more information on time and the sensor, see Time Sources and the Sensor.
- For the procedure for changing the time on the sensor, see Correcting Time on the Sensor.
Not Supported Error Message
Symptom The IME displays
Not Supported
in the device list table and in some gadgets, and no data is included.
Possible Cause Click Details to see an explanation for this message. The IME needs IPS 6.1 or later to obtain certain information. The IME still operates with event monitoring and reporting for IPS 5.0 and later and specific IOS IPS versions, but some functions, such as health information and integrated configuration, are not available.
Troubleshooting the ASA 5500-X IPS SSP
Tip Before troubleshooting the ASA 5500-X IPS SSP, check the Caveats section of the Readme for the software version installed on your sensor to see if you are dealing with a known issue.
This section contains troubleshooting information specific to the ASA 5500-X IPS SSP, and contains the following topics:
- Health and Status Information
- Failover Scenarios
- The ASA 5500-X IPS SSP and the Normalizer Engine
- The ASA 5500-X IPS SSP and Memory Usage
- The ASA 5500-X IPS SSP and Jumbo Packets
- IPS Reloading Messages
Health and Status Information
To see the general health of the ASA 5500-X IPS SSP, use the show module ips details command.
The output shows that the ASA 5500-X IPS SSP is up. If the status reads
Down
, you can reset it using the
sw-module module 1 reset
command.
If you have problems with reimaging the ASA 5500-X IPS SSP, use the debug module-boot command to see the output as it boots. Make sure you have the correct IP address for the TFTP server and you have the correct file on the TFTP server. Then use the sw-module module ips recover command again to reimage the module.
Failover Scenarios
The following failover scenarios apply to the ASA 5500-X series in the event of configuration changes, signature/signature engine updates, service packs, and SensorApp crashes on the ASA 5500-X IPS SSP.
- If the ASA is configured in fail-open mode for the ASA 5500-X IPS SSP, and the ASA 5500-X IPS SSP experiences a configuration change or signature/signature engine update, traffic is passed through the ASA without being inspected.
- If the ASA is configured in fail-open mode for the ASA 5500-X IPS SSP, and the ASA 5500-X IPS SSP experiences a SensorApp crash or a service pack upgrade, traffic is passed through the ASA without being inspected.
- If the ASA is configured in fail-close mode for the ASA 5500-X IPS SSP, and the ASA 5500-X IPS SSP experiences a configuration change or a signature/signature engine update, traffic is stopped from passing through the ASA.
- If the ASA is configured in fail-close mode for the ASA 5500-X IPS SSP, and the ASA 5500-X IPS SSP experiences a SensorApp crash or a service pack upgrade, traffic is stopped from passing through the ASA.
- If the ASAs are configured in fail-open mode and if the ASA 5500-X IPS SSP on the active ASA experiences a configuration change or a signature/signature engine update, traffic is still passed through the active ASA without being inspected. Failover is not triggered.
- If the ASAs are configured in fail-open mode, and if the ASA 5500-X IPS SSP on the active ASA experiences a SensorApp crash or a service pack upgrade, failover is triggered and traffic passes through the ASA 5500-X IPS SSP that was previously the standby ASA 5500-X IPS SSP.
- If the ASAs are configured in fail-close mode, and if the ASA 5500-X IPS SSP on the active ASA experiences a configuration change or a signature/signature engine update, traffic is stopped from passing through the active ASA. No failover is triggered.
- If the ASAs are configured in fail-close mode, and if the ASA 5500-X IPS SSP on the active ASA experiences a SensorApp crash or a service pack upgrade, failover is triggered and traffic passes through the ASA 5500-X IPS SSP that was previously the standby for the ASA 5500-X IPS SSP.
The ASA 5500-X IPS SSP and the Normalizer Engine
The majority of the features in the Normalizer engine are not used on the ASA 5500-X IPS SSP, because the ASA itself handles the normalization. Packets on the ASA IPS modules go through a special path in the Normalizer that only reassembles fragments and puts packets in the right order for the TCP stream. The Normalizer does not do any of the normalization that is done on an inline IPS appliance, because that causes problems in the way the ASA handles the packets.
The following Normalizer engine signatures are not supported:
The ASA 5500-X IPS SSP and Memory Usage
For the ASA 5500-X IPS SSP, the memory usage is 93%. The default health thresholds for the sensor are 80% for yellow and 91% for red, so the sensor health will be shown as red on these platforms even for normal operating conditions. You can tune the threshold percentage for memory usage so that it reads more accurately for these platforms by configuring the memory-usage-policy option in the sensor health metrics.
Note Make sure you have the memory-usage-policy option in the sensor health metrics enabled.
Table C-3 lists the yellow-threshold and the red-threshold health values.
The ASA 5500-X IPS SSP and Jumbo Packets
The jumbo packet count in the
show interface
command output from the lines
Total Jumbo Packets Received
and
Total Jumbo Packets Transmitted
for ASA IPS modules may be larger than expected due to some packets that were almost jumbo size on the wire being counted as jumbo size by the IPS. This miscount is a result of header bytes added to the packet by the ASA before the packet is transmitted to the IPS. For IPv4, 58 bytes of header data are added. For IPv6, 78 bytes of header data are added. The ASA removes the added IPS header before the packet leaves the ASA.
IPS Reloading Messages
The following messages generated during some IPS signature and global correlation updates for IPS 7.1 and later on the ASA 5500-X IPS SSP can cause confusion since the IPS is not reloading:
These messages are generated during some, but not all, of the global correlation updates that are attempted every five minutes. This is expected behavior. There is a global correlation check every five minutes, but there may not be an update available, thus the message appears every hour or so. When a global correlation update actually takes place, a message is sent from the IPS to the ASA indicating that a configuration change is taking place.
Troubleshooting the ASA 5585-X IPS SSP
Tip Before troubleshooting the ASA 5585-X IPS SSP, check the Caveats section of the Readme for the software version installed on your sensor to see if you are dealing with a known issue.
This section contains troubleshooting information specific to the ASA 5585-X IPS SSP, and contains the following topics:
- Health and Status Information
- Failover Scenarios
- Traffic Flow Stopped on IPS Switchports
- The ASA 5585-X IPS SSP and the Normalizer Engine
- The ASA 5585-X IPS SSP and Jumbo Packets
- IPS Reloading Messages
Health and Status Information
To see the general health of the ASA 5585-X IPS SSP, use the show module 1 details command.
The output shows that the ASA 5585-X IPS SSP is up. If the status reads
Down
, you can reset it using the
hw-module module 1 reset
command.
If you have problems with reimaging the ASA 5585-X IPS SSP, use the debug module-boot command to see the output as it boots. Make sure you have the correct IP address for the TFTP server and you have the correct file on the TFTP server. Then use the hw-module module 1 recover command again to reimage the module.
The module in slot 1 will be recovered. This may erase all configuration and all data on that device and attempt to download a new image for it.
Slot-1 176> tftp IPS-SSP_10-K9-sys-1.1-a-7.2-1.img@192.0.2.15 via 192.0.2.254
Failover Scenarios
The following failover scenarios apply to the ASA 5585-X in the event of configuration changes, signature/signature engine updates, service packs, and SensorApp crashes on the ASA 5585-X IPS SSP.
Single ASA 5585-X in Fail-Open Mode
- If the ASA is configured in fail-open mode for the ASA 5585-X IPS SSP, and the ASA 5585-X IPS SSP experiences a configuration change or signature/signature engine update, traffic is passed through the ASA without being inspected.
- If the ASA is configured in fail-open mode for the ASA 5585-X IPS SSP, and the ASA 5585-X IPS SSP experiences a SensorApp crash or a service pack upgrade, traffic is passed through the ASA without being inspected.
Single ASA 5585-X in Fail-Close Mode
- If the ASA is configured in fail-close mode for the ASA 5585-X IPS SSP, and the ASA 5585-X IPS SSP experiences a configuration change or a signature/signature engine update, traffic is stopped from passing through the ASA.
- If the ASA is configured in fail-close mode for the ASA 5585-X IPS SSP, and the ASA 5585-X IPS SSP experiences a SensorApp crash or a service pack upgrade, traffic is stopped from passing through the ASA.
Two ASA 5585-Xs in Fail-Open Mode
- If the ASAs are configured in fail-open mode and if the ASA 5585-X IPS SSP on the active ASA experiences a configuration change or a signature/signature engine update, traffic is still passed through the active ASA without being inspected. Failover is not triggered.
- If the ASAs are configured in fail-open mode, and if the ASA 5585-X IPS SSP on the active ASA experiences a SensorApp crash or a service pack upgrade, failover is triggered and traffic passes through the ASA 5585-X IPS SSP that was previously the standby ASA 5585-X IPS SSP.
Two ASA 5585-Xs in Fail-Close Mode
- If the ASAs are configured in fail-close mode, and if the ASA 5585-X IPS SSP on the active ASA experiences a configuration change or a signature/signature engine update, traffic is stopped from passing through the active ASA. No failover is triggered.
- If the ASAs are configured in fail-close mode, and if the ASA 5585-X IPS SSP on the active ASA experiences a SensorApp crash or a service pack upgrade, failover is triggered and traffic passes through the ASA 5585-X IPS SSP that was previously the standby for the ASA 5585-X IPS SSP.
Traffic Flow Stopped on IPS Switchports
Problem Traffic on any port located on the ASA 5585-X IPS SSP (1/x) no longer passes through the adaptive security appliance when the ASA 5585-X IPS SSP is reset or shut down. This affects all traffic through these ports regardless of whether or not the traffic would have been monitored by the IPS. The link on the ports will link down when the ASA 5585-X IPS SSP is reset or shut down.
Possible Cause Using the ports located on the ASA 5585-X IPS SSP (1/x), and resetting or shutting it down via any mechanism.
Solution Use the ports on the adaptive security appliance (0/x) instead because those ports do not lose their link when the ASA 5585-X IPS SSP is reset or shut down.
The ASA 5585-X IPS SSP and the Normalizer Engine
The majority of the features in the Normalizer engine are not used on the ASA 5585-X IPS SSP, because the ASA itself handles the normalization. Packets on the ASA IPS modules go through a special path in the Normalizer that only reassembles fragments and puts packets in the right order for the TCP stream. The Normalizer does not do any of the normalization that is done on an inline IPS appliance, because that causes problems in the way the ASA handles the packets.
The following Normalizer engine signatures are not supported:
The ASA 5585-X IPS SSP and Jumbo Packets
The jumbo packet count in the
show interface
command output from the lines
Total Jumbo Packets Received
and
Total Jumbo Packets Transmitted
for ASA IPS modules may be larger than expected due to some packets that were almost jumbo size on the wire being counted as jumbo size by the IPS. This miscount is a result of header bytes added to the packet by the ASA before the packet is transmitted to the IPS. For IPv4, 58 bytes of header data are added. For IPv6, 78 bytes of header data are added. The ASA removes the added IPS header before the packet leaves the ASA.
IPS Reloading Messages
The following messages generated during some IPS signature and global correlation updates for IPS 7.1 and later on the ASA 5585-X IPS SSP can cause confusion since the IPS is not reloading:
These messages are generated during some, but not all, of the global correlation updates that are attempted every five minutes. This is expected behavior. There is a global correlation check every five minutes, but there may not be an update available, thus the message appears every hour or so. When a global correlation update actually takes place, a message is sent from the IPS to the ASA indicating that a configuration change is taking place.
Gathering Information
You can use the following CLI commands and scripts to gather information and diagnose the state of the sensor when problems occur. You can use the show tech-support command to gather all the information of the sensor, or you can use the other individual commands listed in this section for specific information. This section contains the following topics:
• Health and Network Security Information
- Tech Support Information
- Version Information
- Statistics Information
- Interfaces Information
- Events Information
Health and Network Security Information
Caution When the sensor is first starting, it is normal for certain health metric statuses to be red until the sensor is fully up and running.
Note The ASA 5500-X IPS SSP and the ASA 5585-X IPS SSP do not support bypass mode. The adaptive security appliance will either fail open, fail close, or fail over depending on the configuration of the adaptive security appliance and the type of activity being done on the IPS.
Use the show health command in privileged EXEC mode to display the overall health status information of the sensor. The health status categories are rated by red and green with red being critical.
To display the overall health status of the sensor, follow these steps:
Log in to the CLI.
Step 2 Show the health and security status of the sensor.
Tech Support Information
This section describes the show tech-support command, and contains the following topics:
Understanding the show tech-support Command
Note The /var/log/messages file is now persistent across reboots and the information is displayed in the output of the show tech-support command.
The show tech-support command captures all status and configuration information on the sensor and includes the current configuration, version information, and cidDump information. The output can be large, over 1 MB. You can transfer the output to a remote system. For the procedure for copying the output to a remote system, see Displaying Tech Support Information.
Note Always run the show tech-support command before contacting TAC.
Displaying Tech Support Information
Note The show tech-support command now displays historical interface data for each interface for the past 72 hours.
Use the show tech-support [ page ] [ destination-url destination_url ] command to display system information on the screen or have it sent to a specific URL. You can use the information as a troubleshooting tool with the TAC.
The following parameters are optional:
• page —Displays the output, one page of information at a time. Press Enter to display the next line of output or use the spacebar to display the next page of information.
- destination-url —Indicates the information should be formatted as HTML and sent to the destination that follows this command. If you use this keyword, the output is not displayed on the screen.
- destination_url —Indicates the information should be formatted as HTML.The URL specifies where the information should be sent. If you do not use this keyword, the information is displayed on the screen.
- You can specify the following destination types:
–
ftp:
—Destination URL for FTP network server. The syntax for this prefix is:
ftp://[[username@location]/relativeDirectory]/filename
or
ftp://[[username@location]//absoluteDirectory]/filename
–
scp:
—Destination URL for the SCP network server. The syntax for this prefix is:
scp://[[username@]location]/relativeDirectory]/filename
or
scp://[[username@]location]//absoluteDirectory]/filename
The /var/log/messages file has the latest logs. A new softlink called varlog has been created under the /usr/cids/idsRoot/log folder that points to the /var/log/messages file. Old logs are stored in varlog.1 and varlog.2 files. The maximum size of these varlog files is 200 KB. Once they cross the size limit the content is rotated. The content of varlog, varlog.1, and varlog.2 is displayed in the output of the show tech-support command.
Displaying Tech Support Information
To display tech support information, follow these steps:
Log in to the CLI using an account with administrator privileges.
Step 2 View the output on the screen. The system information appears on the screen, one page at a time. Press the spacebar to view the next page or press
Ctrl-C
to return to the prompt
Step 3 To send the output (in HTML format) to a file:
a. Enter the following command, followed by a valid destination. The
password:
prompt appears.
To send the tech support output to the file
/absolute/reports/sensor1Report.html
:
b. Enter the password for this user account. The
Generating report:
message is displayed.
Tech Support Command Output
The following is an example of the show tech-support command output:
Note This output example shows the first part of the command and lists the information for the interfaces, authentication, and the Analysis Engine.
Version Information
The show version command is useful for obtaining sensor information. This section describes the show version command, and contains the following topics:
Understanding the show version Command
The show version command shows the basic sensor information and can indicate where a failure is occurring. It gives the following information:
• Which applications are running
Note To get the same information from IDM, choose Monitoring > Sensor Monitoring > Support Information > Diagnostics Report. To get the same information from IME, choose Configuration > sensor_name > Sensor Monitoring > Support Information > Diagnostics Report.
Displaying Version Information
Use the show version command to display version information for all installed operating system packages, signature packages, and IPS processes running on the system. To view the configuration for the entire system, use the more current-config command.
Note The CLI output is an example of what your configuration may look like. It will not match exactly due to the optional setup choices, sensor model, and IPS version you have installed.
Note For the IPS 4500 series sensors, the show version command output contains an extra application called the SwitchApp.
To display the version and configuration, follow these steps:
Log in to the CLI.
Step 2 View version information.
Note If the —-MORE-— prompt is displayed, press the spacebar to see more information or Ctrl-C to cancel the output and get back to the CLI prompt.
Step 3 View configuration information.
Note You can use the more current-config or show configuration commands.
Statistics Information
The show statistics command is useful for examining the state of the sensor services. This section describes the show statistics command, and contains the following topics:
Understanding the show statistics Command
The show statistics command provides a snapshot of the state of the sensor services. The following services provide statistics:
- Authentication
- Denied Attackers
- Event Server
- Event Store
- Host
- Logger
- Attack Response (formerly known as Network Access)
- Notification
- SDEE Server
- Transaction Server
- Transaction Source
- Virtual Sensor
- Web Server
Note To get the same information from IDM, choose Monitoring > Sensor Monitoring > Support Information > Statistics. To get the same information from IME, choose Configuration > sensor_name > Sensor Monitoring > Support Information >Statistics.
Displaying Statistics
Use the show statistics [analysis-engine | anomaly-detection | authentication | denied-attackers | event-server | event-store | external-product-interface | global-correlation | host | logger | network-access | notification | os-identification | sdee-server | transaction-server | virtual-sensor | web-server ] [ clear ] command to display statistics for each sensor application.
Use the show statistics { anomaly-detection | denied-attackers | os-identification | virtual-sensor } [ name | clear ] command to display statistics for these components for all virtual sensors. If you provide the virtual sensor name, the statistics for that virtual sensor only are displayed.
Note The clear option is not available for the analysis engine, anomaly detection, host, network access, or OS identification applications.
For the IPS 4510 and IPS 4520, at the end of the command output, there are extra details for the Ethernet controller statistics, such as the total number of packets received at the Ethernet controller, the total number of packets dropped at the Ethernet controller under high load conditions, and the total packets transmitted including the customer traffic packets and the internal keepalive packet count.
Note The Ethernet controller statistics are polled at an interval of 5 seconds from the hardware side. The keepalives are sent or updated at an interval of 10 ms. Because of this, there may be a disparity in the actual count reflected in the total packets transmitted. At times, it is even possible that the total packets transmitted may be less that the keepalive packets transmitted.
To display statistics for the sensor, follow these steps:
Log in to the CLI.
Step 2 Display the statistics for the Analysis Engine.
Step 3 Display the statistics for anomaly detection.
Step 4 Display the statistics for authentication.
Step 5 Display the statistics for the denied attackers in the system.
Step 6 Display the statistics for the Event Server.
Step 7 Display the statistics for the Event Store.
Step 8 Display the statistics for global correlation.
Step 9 Display the statistics for the host.
Note: CPU Usage statistics are not a good indication of the sensor processin load. The Inspection Load Percentage in the output of 'show inspection-load' should be used instead.
Step 10 Display the statistics for the logging application.
Step 11 Display the statistics for the ARC.
Step 12 Display the statistics for the notification application.
Step 13 Display the statistics for OS identification.
Step 14 Display the statistics for the SDEE server.
Step 15 Display the statistics for the transaction server.
Step 16 Display the statistics for a virtual sensor.
Step 17 Display the statistics for the web server.
Step 18 Clear the statistics for an application, for example, the logging application. The statistics are retrieved and cleared.
Step 19 Verify that the statistics have been cleared. The statistics now all begin from 0.
Interfaces Information
The show interfaces command is useful for gathering information on the sensing and command and control interfaces. This section describes the show interfaces command, and contains the following topics:
Understanding the show interfaces Command
You can learn the following information from the show interfaces command:
• Whether the interface is up or down
• Whether or not packets are being dropped by SensorApp
The show interfaces command displays statistics for all system interfaces. Or you can use the individual commands to display statistics for the command and control interface ( show interfaces command_control_interface_name ), the sensing interface ( show interfaces interface_name ).
Displaying Interface Traffic History
Use the show interfaces-history [ traffic-by-hour | traffic-by-minute ] command in EXEC mode to display historical interfaces statistics for all system interfaces. The historical information for each interface is maintained for three days with 60 seconds granularity. Use the show interfaces-history {FastEthernet | GigabitEthernet | Management | PortChannel} [traffic-by-hour | traffic-by-minute ] command to display statistics for specific interfaces.
Note You must have health monitoring enabled to support the historic interface function.
Each record has the following details:
- Total packets received
- Total bytes received
- FIFO overruns
- Receive errors
- Received Mbps
- Missed packet percentage
- Average load
- Peak load
Note Historical data for each interface for the past 72 hours is also included in the show tech-support command.
The following parameters apply:
• traffic-by-hour —Displays interface traffic history by the hour.
- traffic-by-minute —Displays interface traffic history by the minute.
- past —Displays historical interface traffic information.
- HH:MM —Specifies the amount of time to go back in the past to begin the traffic display. The range for HH is 0 to 72. The range for MM is 0 to 59. The minimum value is 00:01 and the maximum value is 72:00.
- FastEthernet —Displays statistics for FastEthernet interfaces.
- GigabitEthernet —Displays statistics for GigabitEthernet interfaces.
- Management —Displays statistics for Management interfaces.
Note Only platforms with external ports marked Management support this keyword.
Displaying Historical Interface Statistics
To display interface traffic history, follow these steps:
Log in to the CLI.
Step 2 Display the interface traffic history by the hour.
Step 3 Display the interface traffic history by the minute.
Step 4 Display the interface traffic history for a specific interface.
Events Information
You can use the show events command to view the alerts generated by SensorApp and errors generated by an application. This section describes the show events command, and contains the following topics:
Sensor Events
There are five types of events:
• evAlert—Intrusion detection alerts
• evLogTransaction—Record of control transactions processed by each sensor application
Events remain in the Event Store until they are overwritten by newer events.
Understanding the show events Command
Note The Event Store has a fixed size of 30 MB for all platforms.
The show events command is useful for troubleshooting event capture issues in which you are not seeing events in Event Viewer or Security Monitor. You can use the show events command to determine which events are being generated on the sensor to make sure events are being generated and that the fault lies with the monitoring side.
You can clear all events from Event Store by using the clear events command.
Displaying Events
Note The Event Store has a fixed size of 30 MB for all platforms.
Note Events are displayed as a live feed. To cancel the request, press Ctrl-C.
Use the show events [{ alert [informational] [low] [medium] [high] [ include-traits traits ] [ exclude-traits traits ] [ min-threat-rating min-rr ] [ max-threat-rating max-rr ] | error [warning] [error] [fatal] | NAC | status }] [ hh:mm:ss [ month day [ year ]] | past hh:mm:ss ] command to display events from Event Store. Events are displayed beginning at the start time. If you do not specify a start time, events are displayed beginning at the current time. If you do not specify an event type, all events are displayed.
The following parameters apply:
• alert —Displays alerts. Provides notification of some suspicious activity that may indicate an attack is in process or has been attempted. Alert events are generated by the Analysis Engine whenever a signature is triggered by network activity. If no level is selected (informational, low, medium, or high), all alert events are displayed.
- include-traits —Displays alerts that have the specified traits.
- exclude-traits —Does not display alerts that have the specified traits.
- traits —Specifies the trait bit position in decimal (0 to 15).
- min-threat-rating —Displays events with a threat rating above or equal to this value. The default is 0. The valid range is 0 to 100.
- max-threat-rating—Displays events with a threat rating below or equal to this value. The default is 100. The valid range is 0 to 100.
- error —Displays error events. Error events are generated by services when error conditions are encountered. If no level is selected (warning, error, or fatal), all error events are displayed.
- NAC —Displays the ARC (block) requests.
Note The ARC is formerly known as NAC. This name change has not been completely implemented throughout the IDM, the IME, and the CLI.
- status —Displays status events.
- past —Displays events starting in the past for the specified hours, minutes, and seconds.
- hh:mm:ss —Specifies the hours, minutes, and seconds in the past to begin the display.
Note The show events command continues to display events until a specified event is available. To exit, press Ctrl-C.
To display events from the Event Store, follow these steps:
Log in to the CLI.
Step 2 Display all events starting now. The feed continues showing all events until you press
Ctrl-C
.
Step 3 Display the block requests beginning at 10:00 a.m. on February 9, 2011.
Step 4 Display errors with the warning level starting at 10:00 a.m. on February 9, 2011.
Step 5 Display alerts from the past 45 seconds.
Step 6 Display events that began 30 seconds in the past.
Clearing Events
Use the clear events command to clear the Event Store.
To clear events from the Event Store, follow these steps:
Log in to the CLI using an account with administrator privileges.
Step 3 Enter
yes
to clear the events.
cidDump Script
If you do not have access to the IDM, the IME, or the CLI, you can run the underlying script cidDump from the service account by logging in as root and running /usr/cids/idsRoot/bin/cidDump. The path of the cidDump file is /usr/cids/idsRoot/htdocs/private/cidDump.html. cidDump is a script that captures a large amount of information including the IPS processes list, log files, OS information, directory listings, package information, and configuration files.
To run the cidDump script, follow these steps:
Log in to the sensor service account.
Step 2
Su
to
root
using the service account password.
Step 3 Enter the following command.
Step 4 Enter the following command to compress the resulting /usr/cids/idsRoot/log/cidDump.html file.
Step 5 Send the resulting HTML file to TAC or the IPS developers in case of a problem.
For the procedure for putting a file on the Cisco FTP site, see Uploading and Accessing Files on the Cisco FTP Site.
Uploading and Accessing Files on the Cisco FTP Site
You can upload large files, for example, cidDump.html, the show tech-support command output, and cores, to the ftp-sj server.
To upload and access files on the Cisco FTP site, follow these steps:
Log in to ftp-sj.cisco.com as anonymous.
Step 2 Change to the /incoming directory.
Step 3 Use the
put
command to upload the files. Make sure to use the binary transfer type.
Step 4 To access uploaded files, log in to an ECS-supported host.
Step 5 Change to the /auto/ftp/incoming directory.
Feedback