
Table Of Contents

Troubleshooting and FAQs

General Troubleshooting

Restoring Program Settings

Device Connection Problems

Problems with OPACLs

Problems with OPSigs

Problems with the Web Console

Problems with the Cisco ICS Master Service

Problems with Adding Devices

Problems with Viewing Reports

Device Configuration Troubleshooting Tips

Multiple Device Addition Messages

Malware Tester Utility Messages

Frequently Asked Questions

Outbreak Management Tasks

Downloading and Deploying

Logs

Reports

Database

Damage Cleanup Services


Troubleshooting and FAQs


This appendix provides solutions to problems you might encounter when using Cisco ICS and answers frequently asked questions. It contains the following sections:

General Troubleshooting

Device Configuration Troubleshooting Tips

Multiple Device Addition Messages

Malware Tester Utility Messages

Frequently Asked Questions

General Troubleshooting

This section provides solutions to general problems you might encounter. For specific problems related to configuring devices, see Device Configuration Troubleshooting Tips.

This section contains the following topics:

Restoring Program Settings

Device Connection Problems

Problems with OPACLs

Problems with OPSigs

Problems with the Web Console

Problems with the Cisco ICS Master Service

Problems with Adding Devices

Problems with Viewing Reports

Restoring Program Settings

If you are experiencing problems with your Cisco ICS installation and want to reinstall, or if you want to revert to a previous configuration, you can save a copy of the Cisco ICS database and the important configuration files and use them to roll back your Cisco ICS program.

To restore program settings, follow these steps:


Step 1 From the web console, back up the Cisco ICS server database to a location outside the Cisco ICS program directory. For more information, see Backing Up the Database, page 9-12.


Caution Do not back up the database with any other tool or software.

Table D-1 shows the files and folders you must manually back up.

Table D-1 Program Files and Folders to Back Up

ofcscan.ini
Path: Program Files\Cisco Systems\CICS\PCCSRV
Description: Global configuration settings

CSV folder and verconn.log
Path: Program Files\Cisco Systems\CICS\PCCSRV\Log
Description: Outbreak logs for viewing details related to a specific outbreak management task, and the verify connection log

ActiveAlertPolicy.xml
Path: Program Files\Cisco Systems\CICS\PCCSRV\Web\TmOpp
Description: Outbreak management task settings

CiscoAgent.ini, DCS.ini, and Ofcserver.ini
Path: Program Files\Cisco Systems\CICS\PCCSRV\Private
Description: Global configuration settings

Backup Database
Path: Copy all files in the backup DB folder to Program Files\Cisco Systems\CICS\PCCSRV\HTTPDB
Description: The Cisco ICS database


Step 2 Uninstall Cisco ICS.

For the procedure, see Uninstalling Cisco ICS, page 2-5.

Step 3 Perform a fresh install.

For the procedure, see Installing Cisco ICS, page 2-2.

Step 4 After installation is complete, stop the Cisco ICS service on the target computer:

a. In the Windows Start menu, choose Settings > Control Panel > Administrative Tools > Services.

b. Stop Cisco ICS Master Service.

Step 5 With the backups you created previously, overwrite the Cisco ICS database and the relevant files and folders in the PCCSRV folder.

Step 6 Restart Cisco ICS Master Service.


Device Connection Problems

Table D-2 provides solutions to potential network connection problems between Cisco ICS and devices.

Table D-2 Device Connection Problems

Problem: Verify Connection from the Device List window is unsuccessful.

Potential solution: Verify the following on the Cisco ICS server:
- The device communication settings are correct.
- The Cisco ICS server can access the network.
- The device certificate is imported and is not untrusted. For the procedure, see Importing Untrusted Device Certificates, page 9-7.

Verify the following on the device:
- The device is online and operational.
- No ACL is preventing communications.

Verify the following on the network:
- A firewall is not preventing communications between the Cisco ICS server and the device.

The default verify connection timeout is 22 seconds. You cannot modify this value from the web console.

Cisco ICS verifies the connection using the protocol you selected in the communication settings (switches and routers use HTTP or HTTPS; IPS devices use Telnet or SSH).


Problems with OPACLs

Table D-3 provides solutions to problems with OPACLs.

Table D-3 Problems with OPACLs

Problem: Cisco ICS is unable to deploy an OPACL.

Potential solution: Verify the following:
- The OPACL is not empty. To view the OPACL, choose Outbreak Management > Outbreak Management Summary | View/Edit Outbreak Policy from the menu. For more information, see Modifying Outbreak Management Task Options, page 6-12. If it is empty, connect to the device through a Telnet, console, or aux connection and enter at least one valid ACL command in the OPACL.
- No undefined ACL is already applied to the interface or VLAN to which you are trying to apply the OPACL. Connect to the device through a Telnet, console, or aux connection and view the existing ACLs.
- The certificate for the device to which you are deploying the OPACL is imported. For more information, see Importing Untrusted Device Certificates, page 9-7.

Problem: The OPACL Status column in the device list does not have a green check mark even though the latest OPACL is deployed.

Potential solution: Verify the following:
- The deployment event was logged in the Event log. If the result was unsuccessful, the log displays the reason.
- All required interfaces were already added through the web console. For the procedures, see Configuring Switches, page 4-12, and Configuring Routers, page 4-14.
- The OPACL is not empty. To view the OPACL, choose Outbreak Management > Outbreak Management Summary | View/Edit Outbreak Policy from the menu. For more information, see Modifying Outbreak Management Task Options, page 6-12. If it is empty, connect to the device through a Telnet, console, or aux connection and enter at least one valid ACL command in the OPACL.


Problems with OPSigs

Table D-4 provides solutions to problems with OPSigs.

Table D-4 Problems with OPSigs

Problem: OPSig deployment is not successful.

Potential solution: Verify the following on your IPS devices:
- The IPS account is not locked.
- The IPS service is running.
- The certificate for the IPS device to which you are deploying the OPSig is imported. For the procedure, see Importing Untrusted Device Certificates, page 9-7.

Problem: Registered Cisco IOS IPS devices cannot receive OPSig files.

Potential solution: IOS IPS devices use the Trend Micro public key to verify the OPSig. Trend Micro may have issued a new public key that has not yet been deployed to registered IOS IPS devices.

Cisco ICS automatically deploys the latest public key to IOS IPS devices. If deployment is not successful, manually deploy the public key as follows:

1. Get the public key from the Cisco folder on your computer or from the Cisco website: open the PublicKey.txt file located in C:\Program Files\Cisco Systems\CICS\PCCSRV\Private\OPSig, or go to http://www.cisco.com/cgi-bin/tablebuild.pl/ics and type the user name and password you specified when you registered your product.

2. Connect to the Cisco IOS IPS device through a Telnet, console, or aux connection.

3. Enter the following commands and text:

    configure terminal
    crypto key pubkey-chain rsa
    named-key realm-trend.pub
    key-string
    (paste the public key here)
    quit
    end


Problems with the Web Console

Table D-5 provides solutions to problems with the web console.

Table D-5 Problems with the Web Console

Problem: The root account password is lost or forgotten.

Potential solution: Cisco ICS provides a password recovery utility. To run the password recovery utility, do the following:

1. Open a command prompt on the Cisco ICS server and go to the following folder: Program Files\Cisco Systems\CICS\PCCSRV\Admin\Utility\PasswordRecovery\.

2. Enter PasswordRecovery.exe to start the utility. A confirmation message appears.

3. Enter Y or y to continue. The utility resets the web console password to the following: Cisco123

4. Log in to the web console using the root account username and the reset password.

5. Change the root account password using Cisco123 as the old password. For the procedure, see Managing Administrator Accounts, page 9-5.

Problem: ActiveX warnings or errors keep appearing when you access the web console.

Potential solution: If you are accessing the web console from a computer running Windows 2003 Server, the default setting blocks ActiveX components. Modify the settings to allow ActiveX components and cookies.

Problem: The login window appears with only the Password field. The Username field is missing.

Problem: The web console does not display any windows.

Potential solution (for either of the two problems above): The web server service or Cisco ICS Master Service is not running. From the Windows Start menu, choose Settings > Control Panel > Administrative Tools > Services. Restart the web server service (IIS or Apache) and Cisco ICS Master Service.

Problem: The web console does not load the next page after I click certain buttons or links, such as Save or Delete.

Potential solution: Verify that your web browser allows pop-up messages to appear. Cisco ICS often uses pop-ups to prompt you to perform additional actions. See your Internet Explorer help for instructions on allowing pop-ups.

Problem: The web console cannot be accessed.

Potential solution: If a Cisco ICS administrator is logged in to the web console and the computer on which the web server is located loses power, the IIS virtual or default website might not restart automatically. To restart the virtual or default website, do the following:

1. Open a command prompt and enter mmc. The Microsoft Management Console opens.

2. Restart OfficeScan, which is the name of the website.

3. Verify that Cisco ICS Master Service is running.


Problems with the Cisco ICS Master Service

Table D-6 provides solutions to problems with the Cisco ICS Master Service.

Table D-6 Problems with the Cisco ICS Master Service

Problem: Cisco ICS Master Service unexpectedly stopped.

Potential solution: The Cisco ICS service could unexpectedly stop for any of the following reasons:
- Web server shutdown: Access the services running on the Cisco ICS server and verify that the web server (Apache or IIS) service is running.
- Database corruption: If you have a recent backup of the necessary Cisco ICS folders and files, you can restore your program settings. For the procedures, see Backing Up the Database, page 9-12, and Restoring Program Settings.


Problems with Adding Devices

Table D-7 provides solutions to problems with adding devices.

Table D-7 Problems with Adding Devices

Problem: Devices appear offline in the device list.

Potential solution: A communication or authentication error might have occurred. For more information, see Device Configuration Troubleshooting Tips.

Problem: Not all devices appear on the device list.

Potential solution: Click Refresh to update the device list. If you are using the tool for adding multiple devices, verify that the device information file is correct. For the procedure, see Adding Multiple Devices, page 4-5.


Problems with Viewing Reports

Table D-8 provides solutions to problems with viewing reports.

Table D-8 Problems with Viewing Reports

Problem: Reports do not open properly.

Potential solution: Verify that Adobe Acrobat or Acrobat Reader is installed and functioning properly.

If the HTTP error 404 (file not found) appears in your browser when you open a report, do the following:

1. From the Internet Explorer main menu, choose Tools > Internet Options.

2. Click the Advanced tab.

3. Under Security, uncheck Do not save encrypted pages to disk.


Device Configuration Troubleshooting Tips

Table D-9 shows the errors that generate entries in the event log.

Table D-9 Device Configuration Troubleshooting Tips

Communication Errors

Cause: The incorrect IP address was entered when the device was added.

Troubleshooting tip:

1. Choose Devices > Device List.

2. Click the device.

3. Click Configure.

4. Modify the IP address.

Cause: The device is unreachable because of a network connectivity problem.

Troubleshooting tip: Make sure Cisco ICS can communicate with the device.

Cause: The device certificate has not been imported into Cisco ICS.

Troubleshooting tip: If you selected SSH as the communication protocol for a switch or router, or HTTPS for an IPS device, you must import the device's certificate. When you add a device, a certificate import window appears after you click Save & Configure for a router or switch, or Save & Verify for an IPS device.

If you did not import the certificate when you added the device, choose Global Settings > Device Certificates and import the certificate. You must also reimport a device certificate if you generate a new certificate on the device or reimage the device operating system. For the procedure, see Importing Untrusted Device Certificates, page 9-7.

Cause: One of the following:
- The selected communication type is not enabled on the device.
- SSH (switches and routers only) is configured with an empty username.
- The port number is incorrect.

Troubleshooting tip: Enable and completely configure the communication type on the device (SSH and/or Telnet for switches and routers, and HTTP and/or HTTPS for IPS and Cisco IOS IPS devices). Also verify or modify the device communications port. Save the config file.

To verify or modify the selected method of communication saved on the Cisco ICS server, do the following:

1. Choose Devices > Device List.

2. Click the device.

3. Click Configure.

4. Verify or change the selection in the Communication list and the Port list.

Authentication Errors

Cause: The username or password is incorrect.

Troubleshooting tip: Verify that the login credentials in the device configuration file are correct. Also verify that the username has level 15 or root view privilege (for switches and routers) or administrator access (for IPS and Cisco IOS IPS devices).

To verify or modify the login credentials saved on the Cisco ICS server, access the web console and do the following:

1. Choose Devices > Device List.

2. Click the device.

3. Click Configure.

4. Verify or change the username or password.

Cause: Cisco ICS cannot add the device.

Troubleshooting tip: If you are adding a standard Cisco router without a Cisco IOS IPS image, you must select the Cisco router device type. Verify that you selected the correct device type.

If you are adding an IPS device, verify that the account is not locked and that the IPS service is running.


Multiple Device Addition Messages

The tool for adding multiple devices displays a series of messages on the command line interface. Any of the messages in Table D-10 can appear. If the message states a problem, try to implement the recommended solution before calling support. For the procedure, see Adding Multiple Devices, page 4-5.

Table D-10 Multiple Device Addition Messages

Message: Reading configuration file [{$file_name}]...
Description: The ICS tool is obtaining information from the configuration file BatchAddDev.ini, which contains the Cisco ICS server IP address, and the port number and type of protocol (HTTP or HTTPS) used to access the web console.

Message: Reading device information file [{$file_name}]...
Description: The tool is obtaining information from the device information file you created.

Message: Unable to connect to Cisco ICS. The configuration file parameters are incorrect.
Solution: Verify that the IP address, port number, and SSL value in BatchAddDev.ini are correct. Modify the file if necessary.

Message: Loading device information...
Description: The tool is reading information about the devices.

Message: Loading license information...
Description: The tool is reading information about the available licenses.

Message: {$device_numbers} devices are already registered with Cisco ICS.
Description: The number of devices currently on the device list. To verify that this number is correct, see Using the Device List Window, page 4-3.

Message: {$license_numbers} ACL licenses and {$license_numbers} IPS licenses are available.
Description: The available licenses. To verify the number of available licenses, see Viewing License Information, page 9-11.

Message: No licenses available.
Solution: You do not have enough licenses available to add the devices in the device information file. Verify the number of licenses you have on the License Summary window by choosing Global Settings > Licenses.

Message: Added device [{$Device_name}].
Description: Cisco ICS added the specified device.

Message: Tried to add device [{$Device_name}]. Response: [{$Response}].
Description: The following are the possible responses:
- Successful.
- Unable to connect to the Cisco ICS database.
- Not enough licenses are available to add this device.
- The device information is incorrect.
- Communication error.
- Authentication error.
- The IPS device does not authorize addition to Cisco ICS.
- The IPS device is not available or not configured.
- Cisco ICS is unable to add the device. The device type you selected might be incorrect. If adding a standard Cisco router without an IOS IPS image, you must select the Cisco router device type.
- Cisco ICS is unable to add the device. Check if the device is a real Cisco IPS device/Cisco IOS IPS.
- Unsuccessful.

If Cisco ICS cannot add the device, verify the following:
- Enough valid device licenses are available.
- The devices are online and working properly.
- The Cisco ICS server can connect to the devices you are trying to add.
- The username and password credentials for each device are correct and belong to an account with administrative privileges.

For more information, see Device Configuration Troubleshooting Tips.

Message: Unable to add device [{$Device_name}]. Reason: [{$Reason}].
Description: Any of the following information for the device is invalid:
- Protocol type
- License number
- Logical name
- IP address format
- Port
- Username
- Password
- ACL setting
- Product type
- OPACL direction
- Protocol type for importing public key
- Port range for importing public key

Modify the appropriate field in the device information file. For the valid information to specify, see Table D-11.

Message: Skipping the interface [{$Device_name}].
Solution: Verify that the interface name is correct using the show interface command.

Message: Tried to add interface [{$Interface_name}: {$Interface_Direction}]. Response: [{$Response}].
or
Message: Tried to add VLAN [{$VLAN_ID}]. Response: [{Response}].
Description: The following are the possible responses:
- Successful.
- Unable to use Pre-ACL.
- Unable to find this interface or VLAN.
- Unable to get interface or VLAN information.
- Unable to set the interface or VLAN.
- The Pre-ACL commands are invalid. Modify the Pre-ACL information.
- Unable to get interface direction.
- Invalid interface direction.
- An unknown error occurred.

If Cisco ICS cannot add the interface or VLAN or use the Pre-ACL, verify the following:
- The device, interface, and VLAN details are correct.
- The devices are online and working properly.
- The Cisco ICS server can connect to the devices you are trying to add.
- The Pre-ACL commands are valid.

For more information, see Device Configuration Troubleshooting Tips.

Message: Unable to add interface [{$Interface_name}:{$Interface_Direction}]. Reason: [{$Reason}].
Description: Any of the following information for the interface is invalid:
- Protocol type
- License number
- Logical name
- IP address format
- Port
- Username
- Password
- ACL setting
- Product type
- OPACL direction
- Protocol type for importing public key
- Port range for importing public key

Modify the appropriate field in the device information file. For the valid information to specify, see Table D-11.

Message: Processing complete.
Description: The tool finished trying to add the devices.

Message: The certificate for this device has not been imported into the Cisco ICS trusted root. You must import the certificate on the Global Settings Device Certificates window and run the add multiple device tool again.
Solution: If you are adding a router or switch and you selected SSL for the communication protocol, or if you are adding an IPS device and you selected HTTPS, you must import the device certificate. For more information, see Managing Certificates, page 9-6.

Message: HTTP error, status code: [{$HTTP_error_code}]
or
Message: HTTP error, status: [{$HTTP_error_description}]
Description: An HTTP error of the specified type occurred. The error code or error description is automatically generated.

Message: Level [{$value}] licenses are insufficient.
Solution: You do not have enough licenses available to add the devices in the device information file. Verify that you have the correct number of licenses on the License Summary window by choosing Global Settings > Licenses from the menu.

Message: Unable to open configuration file [{$file_name}].
Solution: Verify that BatchAddDev.ini is a valid file and is not locked by another process.

Message: Unable to open device information file [{$file_name}].
Solution: Verify that the device information file you created is a valid file and is not locked by another process.

Message: Cisco ICS is not able to add this device. Another device with the same information already exists.
Solution: Modify the device information so that it is not the same as an existing device.


A device or interface cannot be added for the reasons listed in Table D-11.

Table D-11 Reasons a Device or Interface Cannot Be Added

Reason: Invalid protocol type [{$Invalid_parameter_value}].
Information to specify: SSH or TELNET for switches and routers; HTTP or HTTPS for IPS devices.

Reason: Invalid license number.
Information to specify: 1 for an ACL license; 2 for an IPS license.

Reason: Invalid logical name [{$Invalid_parameter_value}]. Enter a logical name from 1 to 31 characters. It cannot contain / \ [ ] " : ; | < > + = , ? ' * !
Information to specify: Between 1 and 31 characters for the logical name. The following characters are not allowed: / \ [ ] " : ; | < > + = , ? ' * !

Reason: Invalid IP address format [{$Invalid_parameter_value}].
Information to specify: A valid IP address.

Reason: Invalid port [{$Invalid_parameter_value}].
Information to specify: A port number between 1 and 65535.

Reason: Invalid username [{$Invalid_parameter_value}].
Information to specify: A valid username.

Reason: Invalid password [{$Invalid_parameter_value}].
Information to specify: The correct password for the username.

Reason: Invalid ACL setting: [{$Invalid_parameter_value}].
Information to specify: PHYS to apply the OPACL to physical interfaces (routers must use this option); VLAN to apply the OPACL to VLANs. Cisco ICS ignores this field if the device is an IPS appliance or an IOS IPS device.

Reason: Invalid product type: [{$Invalid_parameter_value}].
Information to specify: SWT for Switch; RTR for Router; IPS for IPS appliance or Cisco IOS IPS device.

Reason: Invalid OPACL direction: [{$Invalid_parameter_value}].
Information to specify: IN or OUT.

Reason: Invalid protocol type for importing public key [{$Invalid_parameter_value}].
Information to specify: SSH or TELNET.

Reason: Invalid port range for importing public key [{$Invalid_parameter_value}].
Information to specify: A port number between 1 and 65535.


Note If you add multiple switches and routers that have different virtual terminal (VTY) connection username and password requirements, the tool might not add some or all devices. You should add devices that require a username and password in one batch and devices that do not require a username and password in another batch. Mixing the two types of devices can cause a CGI timeout or connection failure error message to appear.
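The following Python pre-checks device-information records against the Table D-11 rules before the batch tool is run, so that a malformed file is caught locally instead of surfacing as "Unable to add device ... Reason:" lines. It is an added example, not code from the Cisco ICS product or its batch tool; the field names, the dict layout, the license-to-device-type mapping and the treatment of optional fields are assumptions, because the page does not show the file's layout.

```python
"""Offline pre-check of device-information records against the Table D-11 rules.
Field names and the dict layout are assumptions: the page lists only the values
each field may hold, not the layout of the device information file."""
import ipaddress

# Accepted values per Table D-11.
SWITCH_ROUTER_PROTOCOLS = {"SSH", "TELNET"}
IPS_PROTOCOLS = {"HTTP", "HTTPS"}
LICENSE_ACL, LICENSE_IPS = "1", "2"
PRODUCT_TYPES = {"SWT", "RTR", "IPS"}
ACL_SETTINGS = {"PHYS", "VLAN"}
OPACL_DIRECTIONS = {"IN", "OUT"}
FORBIDDEN_NAME_CHARS = set('/\\[]":;|<>+=,?\'*!')


def _valid_port(value):
    """A port is a decimal number between 1 and 65535."""
    return value.isdigit() and 1 <= int(value) <= 65535


def validate_device(rec):
    """Return the Table D-11 reasons for one record (empty list if it passes).
    Messages mirror the tool's wording so they compare with its own output."""
    reasons = []
    product = rec.get("product_type", "")
    if product not in PRODUCT_TYPES:
        reasons.append(f"Invalid product type: [{product}].")
    # Switches and routers are reached over SSH/Telnet, IPS devices over HTTP/HTTPS.
    proto = rec.get("protocol_type", "")
    allowed = IPS_PROTOCOLS if product == "IPS" else SWITCH_ROUTER_PROTOCOLS
    if proto not in allowed:
        reasons.append(f"Invalid protocol type [{proto}].")
    # Assumption: an ACL license (1) goes with switches and routers, an IPS
    # license (2) with IPS appliances and IOS IPS devices.
    wanted = LICENSE_IPS if product == "IPS" else LICENSE_ACL
    if rec.get("license_number", "") != wanted:
        reasons.append("Invalid license number.")
    name = rec.get("logical_name", "")
    if not 1 <= len(name) <= 31 or FORBIDDEN_NAME_CHARS & set(name):
        reasons.append(f"Invalid logical name [{name}].")
    ip = rec.get("ip_address", "")
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        reasons.append(f"Invalid IP address format [{ip}].")
    port = rec.get("port", "")
    if not _valid_port(port):
        reasons.append(f"Invalid port [{port}].")
    # An empty SSH username is listed under communication errors in Table D-9.
    user = rec.get("username", "")
    if not user.strip():
        reasons.append(f"Invalid username [{user}].")
    # Only the device can confirm the password; require one to be present and
    # do not echo it into the message.
    if not rec.get("password"):
        reasons.append("Invalid password [].")
    # Ignored for IPS appliances and IOS IPS devices; routers must use PHYS.
    acl = rec.get("acl_setting", "")
    if product != "IPS":
        if acl not in ACL_SETTINGS or (product == "RTR" and acl != "PHYS"):
            reasons.append(f"Invalid ACL setting: [{acl}].")
    # Assumption: the remaining fields are checked only when supplied, since the
    # page does not say which device types require them.
    direction = rec.get("opacl_direction", "")
    if direction and direction not in OPACL_DIRECTIONS:
        reasons.append(f"Invalid OPACL direction: [{direction}].")
    key_proto = rec.get("pubkey_protocol", "")
    if key_proto and key_proto not in SWITCH_ROUTER_PROTOCOLS:
        reasons.append(f"Invalid protocol type for importing public key [{key_proto}].")
    key_port = rec.get("pubkey_port", "")
    if key_port and not _valid_port(key_port):
        reasons.append(f"Invalid port range for importing public key [{key_port}].")
    return reasons


# Constructed sample records (documentation-range addresses, placeholder secrets).
GOOD_ROUTER = {"product_type": "RTR", "protocol_type": "SSH", "license_number": "1",
               "logical_name": "edge-rtr-01", "ip_address": "192.0.2.10", "port": "22",
               "username": "icsadmin", "password": "placeholder", "acl_setting": "PHYS",
               "opacl_direction": "IN", "pubkey_protocol": "SSH", "pubkey_port": "22"}
BAD_ROUTER = dict(GOOD_ROUTER, logical_name="edge rtr:01", ip_address="192.0.2.300",
                  port="70000", acl_setting="VLAN")
GOOD_IPS = {"product_type": "IPS", "protocol_type": "HTTPS", "license_number": "2",
            "logical_name": "ips-sensor-1", "ip_address": "192.0.2.20", "port": "443",
            "username": "cisco", "password": "placeholder"}

if __name__ == "__main__":
    for label, rec in (("router", GOOD_ROUTER), ("bad router", BAD_ROUTER), ("ips", GOOD_IPS)):
        print(label, validate_device(rec) or "OK")
```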


Malware Tester Utility Messages

Table D-12 shows the messages the Malware Tester utility might display on the command line console. For more information, see Testing OPACL and OPSig Matching, page 3-8. The messages are Windows Sockets error codes; check the MSDN network for details.

Table D-12 Malware Tester Utility Messages

Message (on the host serving as the victim): Unable to receive attack packet. err = {variable}
Description: A Windows error code that means that the host serving as the victim did not receive the virus packet from the Malware Tester utility.
Solution: Try to run the Malware Tester utility again. If the problem persists, make sure that no network problems exist between the two hosts.

Message (on the host serving as the victim): Received attack packet.
Description: The host serving as the victim received the virus packet from the host serving as the attacker.

Message (on the host serving as the attacker): Unable to send attack packet. err = {variable}
Description: A Windows error code that means that the host serving as the attacker did not send the virus packet from the Malware Tester utility.
Solution: Try to run the Malware Tester utility again. If the problem persists, make sure that no network problems exist between the two hosts.

Message (on the host serving as the attacker): Sent attack packet.
Description: The host serving as the attacker sent the virus packet to the host serving as the victim.


Frequently Asked Questions

This section lists answers to frequently asked questions you might have about Cisco ICS. It contains the following topics:

Outbreak Management Tasks

Downloading and Deploying

Logs

Reports

Database

Damage Cleanup Services

Outbreak Management Tasks

Q. When should I create a manual task?

A. We recommend that you create tasks manually if you are concerned that an existing threat poses a risk to your network. Cisco ICS offers protection from a variety of known threats detected by Trend Micro TrendLabs. The advantage of creating a task manually is that you can guard against a threat that was already in circulation before you enabled automatic tasks.

If you enabled automatic tasks immediately after installing Cisco ICS and you are confident that no threats exist on your network, you do not need to create a manual task.

We recommend that you enable Cisco ICS to automatically create tasks and keep this option enabled. Cisco ICS can deploy outbreak management tasks for newly discovered red and yellow alerts after it downloads the tasks from Trend Micro. The advantage of enabling automatic tasks is that it relieves you of creating tasks manually. You must enable scheduled download for Cisco ICS to periodically poll the update source for new tasks.

Q. When I download an automatic outbreak management task, what am I downloading?

A. The outbreak management task is an XML file that contains OPACLs that address all known threats. When Cisco ICS creates an automatic task for yellow or red alerts or when you manually create a task, Cisco ICS uses this file to create the OPACL necessary to prevent a specific threat from spreading.

Q. What's the difference between stopping a task and stopping the OPACL associated with the task?

A. When you stop a task, the associated OPACL and Pre-ACL also stop automatically and the task disappears from the list of tasks on the web console. If you stop a task, you cannot access the task watch list that Cisco ICS created for that task to monitor potentially infected hosts.

When you stop an OPACL, the task that uses the OPACL keeps running. Only the OPACL and Pre-ACL stop. If you stop the OPACL, you can continue to monitor hosts on the watch list as long as the task is active.

The advantage of stopping a task or its OPACL is that the network can regain use of the traffic and ports the OPACL is blocking. You should stop tasks and OPACLs only when you are sure that the threat that a task and the OPACL are addressing no longer poses a risk to the network.

Downloading and Deploying

Q. Do the default scheduled download and automatic deployment settings provide adequate protection?

A. Yes. The default settings keep your outbreak prevention up to date. By default, Cisco ICS polls the update source every 5 minutes for outbreak management tasks and twice daily for OPSig files and DCS components. Cisco ICS deploys all components under these circumstances:

After you download an updated component.

After you add a new device.

If the status of any device changes to online.

Q. When should I download and deploy components manually?

A. If you are concerned that a threat might put your network at risk, you can download and deploy all components manually instead of waiting for the next scheduled download or the next event to trigger an automatic deployment. You can also create a manual outbreak management task to deploy an OPACL.

We recommend, however, that you always keep scheduled download and automatic deployment enabled to allow Cisco ICS to do the job for you.

Logs

Q. Where does Cisco ICS save the debug log for report generation? When would I need this file?

A. The debug log is at the following location:

\Program Files\Cisco Systems\CICS\PCCSRV\Report\TMreportEx.log

If Cisco ICS is unable to generate logs, Cisco Technical Support might ask you to access this file.

Q. Can I still view Damage Cleanup logs even if I unregistered the DCS servers from the Cisco ICS console?

A. No. You will not be able to query Damage Cleanup logs from the web console if no DCS servers are registered with Cisco ICS.

Reports

Q. Where does Cisco ICS save reports?

A. Reports are at the following location:

\Program Files\Cisco Systems\CICS\PCCSRV\Download\Reports\<ReportID>\

Q. How do I know if a report is generated or still in progress?

A. Open Windows Task Manager and verify that TMreportEX.exe is still running.

Database

Q. What information is in the Cisco ICS database?

A. The database contains configuration information about managed devices and contains all logs.

Q. Why should I back up the Cisco ICS database?

A. If you have a backup of the database, you can restore Cisco ICS settings if required. If you want to reinstall Cisco ICS, or if you need to reinstall because of database corruption, you will be able to use the backup so that you won't lose any settings.

Damage Cleanup Services

Q. Some Damage Cleanup Services features, such as Damage Cleanup logs, are not appearing on the web console. Where are they?

A. You must register Cisco ICS to at least one DCS server for DCS features to appear on the web console.



Posted: Fri Apr 7 09:31:21 PDT 2006