E-52
Cisco Intrusion Prevention System Appliance Hardware Installation Guide for IPS 7.1
OL-24002-01
Appendix E Troubleshooting
Troubleshooting the Appliance
Step 5 Make sure the correct alarms are being generated.
sensor# show events alert
evAlert: eventId=1047575239898467370 severity=medium
originator:
hostId: sj_4250_40
appName: sensorApp
appInstanceId: 1004
signature: sigId=20000 sigName=STRING.TCP subSigId=0 version=Unknown
addr: locality=OUT 172.16.171.19
port: 32771
victim:
addr: locality=OUT 172.16.171.13 port: 23
actions:
tcpResetSent: true
Step 6 Make sure the switch is allowing incoming TCP reset packet from the sensor. Refer to your switch
documentation for more information.
Step 7 Make sure the resets are being sent.
root# ./tcpdump -i eth0 src host 172.16.171.19
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: listening on eth0
13:58:03.823929 172.16.171.19.32770 > 172.16.171.13.telnet: R 79:79(0) ack 62 win 0
13:58:03.823930 172.16.171.19.32770 > 172.16.171.13.telnet: R 80:80(0) ack 62 win 0
13:58:03.823930 172.16.171.19.32770 > 172.16.171.13.telnet: R 80:80(0) ack 62 win 0
13:58:03.823930 172.16.171.19.32770 > 172.16.171.13.telnet: R 80:80(0) ack 62 win 0
Software Upgrades
This section helps in troubleshooting software upgrades. It contains the following topics:
• Upgrading and Analysis Engine, page E-52
• Which Updates to Apply and Their Prerequisites, page E-53
• Issues With Automatic Update, page E-53
• Updating a Sensor with the Update Stored on the Sensor, page E-54
Upgrading and Analysis Engine
When you upgrade an IPS sensor, you may receive an error that the Analysis Engine is not running:
Password: ********
Warning: Executing this command will apply a major version upgrade to the application
partition. The system may be rebooted to complete the upgrade.
Continue with upgrade?: yes
Error: AnalysisEngine is not running. Please reset box and attempt upgrade again.
If you receive this error, you must get the Analysis Engine running before trying to upgrade again. This
error is often caused by a defect in the currently running version. Try rebooting the sensor, and after
reboot, run the setup command and remove the interfaces from the virtual sensor vs0. When it is not
monitoring traffic, Analysis Engine usually stays up and running. You can upgrade at this time. After the
upgrade, add the interfaces back to the virtual sensor vs0 using the setup command.
Comments to this Manuals