Release Notes for Management Center for IDS Sensors 1.1 and Monitoring Center for Security 1.1
These release notes are for use with Management Center for IDS Sensors 1.1 (IDS MC) and Monitoring Center for Security 1.1 (Security Monitor).
IDS MC manages configurations for up to 300 Cisco Intrusion Detection System Sensors. You use a series of web-based screens to manage all aspects of sensor configuration. You can manage individual sensors, and you can manage groups of sensors having a common configuration. The sensor configuration data resides in a database.
Security Monitor is a separate but closely related product that provides event collection, viewing, and reporting capability for network devices. Security Monitor uses a series of web-based screens that have the same look and feel as those used by IDS MC.
These release notes contain the following information:
Support for IDS 4.0 software, including RDEP and IDIOM.
Https export of sensors with an XML format.
Logical grouping of signatures and more usable signature tuning.
A new daemon (IDS_EvsServer) for Event Viewer.
IDS 3.x to 4.x configuration upgrade.
IDS MC and Security Monitor available for both Windows-based and Solaris-based servers.
IDS MC 1.1 and Security Monitor 1.1 Documentation
Note We sometimes update the printed and electronic documentation after original
publication. Therefore, you should also review the documentation on Cisco.com
for any updates.
Table 1 describes the product documentation that is available.
Table 1 Product Documentation
Document Title
Available Formats
Release Notes for Management Center for IDS Sensors 1.1 and Monitoring Center for Security 1.1
Printed document that was included with the product.
On Cisco.com:
a. Log in to Cisco.com.
b. Select Products & Services > Network Management CiscoWorks > CiscoWorks Management Center for IDS Sensors > Technical Documentation > Release Notes.
Installing Management Center for IDS Sensors 1.1 and Monitoring Center for Security 1.1
PDF on the product CD-ROM.
On Cisco.com:
a. Log in to Cisco.com.
b. Select Products & Services > Network Management CiscoWorks > CiscoWorks Management Center for IDS Sensors > Technical Documentation > Installation Guides Books.
Using Management Center for IDS Sensors 1.1
PDF on the product CD-ROM.
On Cisco.com:
a. Log in to Cisco.com.
b. Select Products & Services > Network Management CiscoWorks > CiscoWorks Management Center for IDS Sensors > Technical Documentation > User Guide Books.
Using Monitoring Center for Security 1.1
PDF on the product CD-ROM.
On Cisco.com:
a. Log in to Cisco.com.
b. Select Products & Services > Network Management CiscoWorks > CiscoWorks Monitoring Center for Security > Technical Documentation > User Guide Books.
Supported Devices and Software Versions for Management Center for IDS Sensors 1.1
1. Log in to Cisco.com.
2. Select Products & Services > Network Management CiscoWorks > CiscoWorks Management Center for IDS Sensors > Technical Documentation > Device Support Tables.
Supported Devices and Software Versions for Monitoring Center for Security 1.1
1. Log in to Cisco.com.
2. Select Products & Services > Network Management CiscoWorks > CiscoWorks Monitoring Center for Security > Technical Documentation > Device Support Tables.
Context-sensitive online help
Select an option from the navigation tree, then click Help.
As a user of IDS MC 1.1 or Security Monitor 1.1, you should be aware of the following:
Use static IP addresses for the host or hosts where IDS MC and Security Monitor are installed, because DHCP is not supported for either IDS MC or Security Monitor.
Do not use download accelerator programs such as DAP, because they are not supported.
You cannot use SSH keys in IDS MC 1.1 if you intend to use a sensor as a master blocking sensor.
If you see that the idsmdc.log file is growing too large with unwanted data, you can reset its size to 0 by backing up the database. Then, you can delete the backup file. (The idsmdc.log file is in the same directory as idsmdc.db, the directory that was specified for the database at installation.)
You may see the following dialog under very rare circumstances:
CiscoWorks2000 Setup
An error occurred during the move data process: -106
Component: idsmdc_m
File Group: idsmdc_m
File: eventRules2.jsp
If you see this, uninstall IDS MC and Security Monitor and re-install them, because an unrecoverable installation error has occurred.
We strongly recommend that you avoid attempting to connect to the database directly, because doing so can cause performance reductions and unexpected system behavior.
If you do not specify the -f"filename" option when using the IdsImportIdiom.exe command line utility, the program reads "standard input" for data. As a result, the program waits forever for input; it will not time out or return, and you must abort it. Although this is not a defect, you need to be aware of this behavior to avoid misunderstanding when you use this command line utility.
Notes for IDS MC and Security Monitor for Solaris
IDS MC and Security Monitor for Solaris provide the same web-based interface as the Window-based version. However, there are a few differences in the way that syslog settings and SSH keys are administered in the Solaris version. The documentation that shipped with the product does not reflect these differences. This section contains additions or changes to the documentation that shipped with the product. It includes the information for the Solaris version of the products. Refer to the following topics for more information:
Security Monitor uses the syslog daemon, syslogd, on Solaris to collect syslog messages. These messages are then recorded in a syslog message file. Security Monitor then reads the events from the message file.
You cannot use Security Monitor for Solaris to change the syslog listening port number (port 514) or to forward syslog messages. However, you can change the syslog message file used by syslogd and Security Monitor, and you can manage the size of the message file by manually pruning the syslog messages from the file.
Note The Solaris syslog daemon can forward syslog messages to remote hosts. To learn
how to forward syslog messages on a Solaris server, refer to your Solaris syslogd
documentation. You cannot change the syslog listening port on the supported
Solaris servers.
You cannot configure these settings through the web interface. You must use the command-line utility RxSyslogConf to manage your syslog settings. Refer to the following topics to learn more about using RxSyslogConf to manage your syslog message file:
You can use the RxSyslogConf utility to change the syslog message file used by syslogd and Security Monitor. By default, syslog messages are saved to and read from the /var/log/syslog_receiver.log file. You use a different file at a different location, such as another drive, if you need to free some drive space.
When you change the syslog message file, you are actually pointing syslogd and Security Monitor to a different file (and creating that file if it does not already exist). The old syslog message file remains, and contains the syslog data previously received.
Note When you change the syslog message file, syslog services are temporarily
disabled.
To change the syslog message file, follow these steps:
Step 1 Open a command prompt on the server.
Step 2 Log in as root.
Step 3 Enter RxSyslogConf -c</path/filename>, where </path/filename> is the full path and filename of the new message file. There is no space between the -c and the path and filename. For example:
RxSyslogConf -c/my_logs/syslogs/my_syslogs.log
When the command has finished, the message "syslog service starting appears". All incoming syslog messages are stored in and read from the new message file.
Pruning the Syslog Message File
Security Monitor automatically prunes your syslog message file whenever it reaches 16 MB. However, you may need to manually prune the file to temporarily free some disk space.
Note When you prune the syslog message file, syslog services are temporarily disabled.
To manually prune the syslog log file, follow these steps:
Step 1 Open a command prompt on the server.
Step 2 Log in as root.
Step 3 Enter RxSyslogConf -p.
When the command has finished, the message "syslog service starting" appears. All syslog messages are removed from the message file.
About the RxSyslogConf Utility
The RxSyslogConf utility is used to manipulate the syslog message file. You can use the utility to change the syslog message file used by syslogd and Security Monitor, or you can use it to manually remove all syslog messages from the file. This utility is located in the /opt/CSCOpx/MDC/bin/ids/ directory.
You need root permissions to run the RxSyslogConf utility.
Command Syntax
RxSyslogConf [-c</path/filename>] [-p]
Command Options
-c</path/filename>
Changes the file used by syslogd to store incoming syslog messages. Running this command also configures Security Monitor to retrieve syslog messages from the new log file. When you change the syslog message file, the old syslog message file remains in the original location.
You must include the full path and filename when using this option.
Note Do not put a space between the -c switch and the path
-p
Prunes the syslog log file. Pruning refers to removing the syslog messages from the log file. Any messages that have not been retrieved by Security Monitor are read into the Security Monitor database before they are removed from the log file.
Examples
To change the syslog message file to my_syslogs.log located in the /my_logs/syslogs/ directory, enter the following command:
RxSyslogConf -c/my_logs/syslogs/my_syslogs.log
To change the name of the log file in the previous example to my_new_syslogs.log, enter the following command:
Secure Shell (SSH) is a protocol for secure remote login and other secure network services over an insecure network. For more information about SSH, see Designing Network Security by Merike Kaeo (Indianapolis: Cisco Press, 1999).
NoteIDS MC and Security Monitor make SSH available
because of the importance of being able to transmit login information (including
passwords) in an encrypted form.
The Secure Shell Working Group (SECSH) of the Internet Engineering Task Force (IETF) has the goal of updating and standardizing SSH. More information is available at http://www.ietf.org/html.charters/secsh-charter.html .
IDS MC, and Security Monitor for some features, supports SSH for secure remote login to a sensor. Neither IDS MC nor Security Monitor manages SSH keys, however. The sensor software provides the SSH server, and IDS MC and Security Monitor provide support for an SSH Windows client—PuTTY—and an SSH Solaris client—OpenSSH.
Version 1.0 of IDS MC and Security Monitor for Windows 2000 uses PuTTY 0.51. Version 1.1 of IDS MC and Security Monitor for Windows 2000 uses a customized version of PuTTY 0.53b. IDS MC and Security Monitor 1.1 for Solaris (the first Solaris version) use OpenSSH.
When using IDS MC or Security Monitor (any version) for Windows 2000, you should not install PuTTY, because the IDS MC and Security Monitor installation program installs a customized version of PuTTY for you. When using IDS MC or Security Monitor (any version) for Solaris, you do not need to download or install OpenSSH, because the installation program installs OpenSSH for you.
Sensor appliances running IDS software 3.x and later, and IDSMs running IDS software 3.1(1) and later, have a /usr/nr/.ssh directory. You must create the authorized_keys file (if it does not already exist) and then place that authorized_keys file in the /usr/nr/.ssh directory. Finally, you must place your public key in the authorized_keys file.
To use SSH keys in IDS MC or Security Monitor, follow these steps:
Step 1 To use SSH keys in IDS MC or Security Monitor for Windows 2000, follow these steps:
b. Copy the public key to the sensor's ~.ssh/authorized_keys file.
c. Save the private key. We recommend the name sensorname.key for the private key and we use it in this example.
Caution Guard your private key carefully because of its importance to the security of your network, and back it up to a secure location.
Step 2 Create a session for the sensor and perform the following steps:
a. At a command line prompt, enter putty.
b. Enter the hostname when prompted.
c. Click Protocol SSH.
d. Select System > Saved Sessions.
e. Select sensorname.key (the name of the saved session in this example) from the list box.
f. Click Load.
Your saved settings appear in the configuration panel.
g. Click Connection.
h. Enter the auto-login username: netrangr.
i. Click session.
j. Click SSH.
k. Enter the private key file for authentication: sensorname.key.
l. Enter save.
m. Enter cancel.
n. Enter putty@host name.
You will be prompted for the passphrase that you generated in Step 1a.
Step 3 To use SSH keys in IDS MC or Security Monitor for Solaris, follow these steps:
a. When using a sensor appliance, execute the script ~CSCOpx/MDC/bin/ids/secure_comm. This script is for managing the SSH key pair. Use it for generating, listing, and deleting an SSH key pair.
b. Copy the public key to the sensor's ~.ssh/authorized_keys file.
Table 2 describes problems known to exist in this release of IDS MC; Table 3 describes problems resolved since the last release of IDS MC.
Table 2 Known Problems in IDS MC 1.1
Bug ID
Summary
Explanation
CSCdz43202
Signature update through IDSMC stop sensor from working
Symptom:
After a signature update or service pack the sensor no longer responds via the Postoffice.
Cause:
The signature update package, or service pack, did not properly clear some of the cache files from the previous version of the sensor software. This has only been reported, at this time, for 3.1(3)S35. When the sensor starts with incorrect caches files the behavior is unpredictable.
Solution:
Log into the sensor and perform an nrstop.
Then remove the cache files with the command rm /usr/nr/tmp/cache*
Then restart the sensor with nrstart. After the nrstart has completed the cache files will be regenerated and the sensor will operate normally.
CSCin25060
Import does not import password of Blocking details
Because of a limitation in the IDS 4.0 Command Line Interface, it does not show passwords; therefore IDS MC 1.1 cannot import the password of a blocking device when using IDS 4.x.
CSCin33838
NAC will fail if MBS sensor is added using passphrase in to MC
In IDS MC 1.1, you cannot use SSH keys if you intend to use a sensor as a master blocking sensor.
CSCin33262
IDS MC/Sec Mon is not usable for the following Install sequence
Reinstalling or upgrading IDS MC 1.1 or Security Monitor 1.1 or both does not register all the daemons with the daemon manager; only the new daemon (IDS_EvsServer) is added to the daemon manager, and the remaining daemons are not registered.
To work around this problem, follow these steps:
1. Back up the IDS MC 1.0/Security Monitor 1.0 database.
2. Uninstall IDS MC 1.0 and Security Monitor 1.0 before upgrading to CMF 2.2.
3. Upgrade to CMF 2.2.
4. Install IDS MC 1.1 and Security Monitor 1.1 over CMF 2.2.
5. Restore the 1.0 database that was backed up in Step 1.
CSCin33631
MC should not accept Sensors fingerprint changes
Changes in the SSH fingerprint of a sensor will not be rejected by IDS MC 1.1. To avoid the potential for a man-the-middle attack, users must generate and inspect the Audit Log Report.
CSCin14460
ACS Integration issues with IDS MDC
Symptom:
When the user changes the login model from ACS to internal, or from internal to ACS the pages displayed says that there is a authorization error.
Condition:
This only occurs when changing the system configuration for the AAA services.
Workaround:
After changing the AAA services configuration, restart the CMF Dameon Manager.
CSCin34465
Deploy fails ungracefully for 3.x for unchecked OverwriteConflict
A misleading error message (which does not convey the root cause of the error) may be seen as a result of performing the following steps:
1. Import a 3.x sensor.
2. In a session to that sensor, change a .conf file.
3. Generate and deploy the configuration to the sensor imported in Step 1. While submitting the deployment, uncheck the "Overwrite conflicting sensor(s) configuration?" check box.
The Audit Log Report will contain information such as the following, which does not convey the root cause of the error:
2003-02-25 12:21:33 IST 0.0.0.0 Shared service processes Sensor Config File Deploy error sensor13.cisco: Error deploying configuration files to the sensor - null
2003-02-25 12:21:29 IST 0.0.0.0 Shared service processes Sensor Config File Deploy information sensor13.cisco: Deploying config files started at Feb 25, 2003 12:21:29 PM
2003-02-25 12:21:27 IST 0.0.0.0 Shared service processes Config File Generate information sensor13.cisco: Successfully generated configuration files for the sensor.
CSCin07808
Default config should match with sensor config.
When adding sensors with different versions, there are some differences in the default values. The explanation for this behavior is that The default values are not provided with each signature update, so only defaults in the most general sense are known.
CSCin08619
MDC Install without reboot for previous uninstall causes problems
When installing IDS MC/Security Monitor, the installer may report an error that a service is marked for deletion and installation can not continue.
This can occur if IDS MC/Security Monitor is uninstalled and then re-installed without rebooting the machine.
If this occurs, abort installation, reboot the machine and install IDS MC/Security Monitor again.
CSCin37507
Upgrading from 1.0 to 1.1 does not preserve signature updates
Signature updates done in IDS MC 1.0 are not preserved when upgrading to IDS MC 1.1. To work around this problem, users can upgrade to IDS MC 1.1 to manage sensors of signature versions that are not supported by default in 1.1.
CSCin37410
MC fails to import when the webserver is busy
[not available]
CSCin29571
Import using SSH keys:SensorName should be mandated & not username
[not available]
CSCdz11633
Change in computer name and/or ip address needs re-install
[not available]
CSCin32177
Import fails to bring filter if it contains SystemVariables on it
[not available]
CSCin37870
Enabling or disabling of signatures does not work properly
If the user "Enables" all signatures, user can not revert back to previous configuration of signatures even if changes are not saved. This will also happen when "Disabling" all the signatures.There is no workaround for this.
CSCin34733
Deploy fails as GUI does not validate range for Internal Networks
[not available]
CSCin38476
MC blocks succeeding deploys while deploying to a busy sensor
During deployment, performance can be degraded if some sensors are busy because IDS MC waits for the busy sensors.
The deployment job will not be completed if the sensor has an error or if any of the sensor applications is not responding, and it will block succeeding deployment jobs to the sensors.
To work around this problem, stop and start IDS_DeployDaemon by using the following procedure:
CiscoWorks2000 --> Server Configuration
--> Administration
--> Process Management
--> Stop Process
--> stop [in right-hand pane]
--> Process [radio button]
--> Process Name
--> IDS_DeployDaemon [in dropdown list]
CiscoWorks2000 --> Server Configuration
--> Administration
--> Process Management
--> Start Process
--> start [in right-hand pane]
--> Process [radio button]
--> Process Name
--> IDS_DeployDaemon [in dropdown list]
CSCin38428
MC reports deploy status as error when a sensor is deployed wit
When any changes to the Webserver service is done to an IDS4.x and deployed to the sensor MC might report that deploy failed and it could not deploy the config to the sensor during the specified watchdog timeout. Deploy would have completed properly but MC will not be able to confirm whether the sensor has properly started after rebooting. Users may need to check manually whether the changes have been pushed to the sensor in this case.
CSCin37983
Multiple Destination entries in filters not taken care during dep
Problem Description:
While configuring filters using IDS MC, if the user specifies "Internal" or "External" and then append more IP addresses in the Destination Address portion of the filter, the appended IP Addresses may not get written in the sensor configuration.
Workaround:
Split the Destination Address portion so that "Internal" or "External" stays alone in one filter and the rest in a different filter.
CSCea21657
Import: Failure to import inconsistently
Import sensor will sometimes fail with the following error message:
"The General signatures appear to have an error and can't be loaded. Check the signature settings on the sensor for an error and reimport the sensor."
The workaround for this problem is to import the sensor again. The sensor will import successfully the second time.
CSCin38402
Import fails inconsistently when service.mssql custom sigs exist
[not available]
CSCin45978
MC:Deploy fails after doing spupdate from 4.0(1)S37 to 4.0(2)S42
Deploy may fail on a 4.0 sensor after a service pack and signature update. This problem only occurs if you use custom signature tunings.
If you receive a deploy error after updating the IDS MC server and sensor, check the IDS Deployment report. If you see the following warnings, apply the workaround:
**** Audit(enabled): Warning: sensor - IDS MC signature mismatch:
followed by several:
% Invalid input detected at '^' marker"
Workaround/Solution:
Delete the sensor from IDS MC. Re-import the Sensor and then deploy the configuration.
Table 3 Resolved Problems in IDS MC 1.1
Bug ID
Summary
Additional Information
CSCin14392
SigUpdate should verify the sensor version before updating the sensor
You are no longer required to ensure that IDS MC has the correct version for the sensor. You are no longer required to synchronize the versions from the General Properties configuration page by pressing the Query Sensor button.
CSCdy13762
SYS: Guest user should not see sensor config files
You are no longer required to prevent the Guest account from viewing sensor configuration files by editing the file:
IDS does not report backup/restore failure when it is failing
You are no longer required to ensure that the database is running before issuing a backup/restore command. You are no longer required to check the backup archive directory for the IDS MC after the backup is completed to ensure that the directory is not empty.
CSCin16061
SigUpdate: The configured root password is displayed in clear text
You are no longer required to update sensors outside of IDS MC to prevent the display of root passwords in clear text in the Password Table.
CSCin14258
Not able to create Event rules in one scenario
This problem occurred when the user created an Event Rule that specified an originating device by name and then deleted that device from the device table, causing an error to be displayed when the user tried to view or edit the Event Rules table; the Event Rules table could not be accessed.
This problem appeared only if the user tried to access the table after the rule had been specified. If the rule was in place, it continued to notify.
You are no longer required to add the device back into the device table; you can edit or delete the rule before deleting the device.
CSCin16073
SigUpdate is not accepting the password after cancel button is used
You are no longer required to close and reopen the browser window and then re-apply the update when applying a signature update to two more more appliance sensors.
CSCin07415
Status of configuration shown as Orphaned when deployment fails
Status of configuration has been changed from 'Orphaned' to 'Error' when deployment fails.
CSCdx96153
SYS: Fail to edit sensor in SM when it is deleted from MC
This problem occurred with IDS MC and Security Monitor being installed on the same server. When the user imported a sensor into IDS MC and then imported that same sensor from IDS MC into Security Monitor, the user was not able to edit the sensor using Security Monitor.
Even if the user deleted the sensor from IDS MC and then tried to edit the sensor from Security Monitor, the user was not able to edit the sensor using Security Monitor because the flag that indicated that the sensor must be edited by IDS MC was not cleared when the sensor was deleted from IDS MC.
You are no longer required to delete the sensor from both IDS MC and Security Monitor and then add the sensor back into Security in order to be able to edit the sensor using Security Monitor.
Known and Resolved Problems in Security Monitor 1.1
Table 4 describes problems known to exist in this release of Security Monitor; Table 5 describes problems resolved since the last release of Security Monitor.
Table 4 Known Problems in Security Monitor 1.1
Bug ID
Summary
Explanation
CSCin38443
Legacy parameters are not available by using legacyIf.pl
There is an error in the script LegacyIf.pl.
To correct the error, perform the following steps:
1. Locate LegacyIf.pl in the directory <installdir>\CSCOpx\MDC\etc\ids\scripts.
2. Edit the file LegacyIf.pl
3. Change line 78 to add "-on" to force output in NrLog format:
After this change, LegacyIf.pl will operate correctly.
Note NrLog format is only valid for version 3.x Sensors (postoffice). No data from 4.x (RDEP) Sensors will be output with this script.
CSCea50683
Event Rule doesn't trigger if device natted and Orig Dev selected
Referencing "Originating Device" in an Event Rule filter clause does not work if the specified device is Natted.
If a monitored device has a NAT address, the user should use "Originating Device Address" in the filer clause specifying sensor's the NAT address.
CSCin33967
Report generation reduces the database insertion rate of receiver
Symptom: Performance becomes sluggish when under heavy data rate, combined with heavy usage and high event counts in the database.
Usage Note: System performance is a function of user load, the event count in the database, the complexity of active rules, hardware capabilities, the event flow into the database, etc. Running reports over the entire database can, depending on system hardware capabilities, slow down the system. In this case, we suggest restricting the filter for the report to narrow the set of events included in the report. All of these relationships are a function of processor speed, RAM, and file I/O performance.
CSCin34497
Problems with the filtering on the sensorname for Reports
When selecting a device for a Config Import Report via the report filter, records for other devices may be included in the report body along with the selected device.
In order to see the problem, the selected device name must be a substring of the name of another device which is managed by the application.
There are no known workarounds.
When generating a report, each record's text is searched for a match on the device name selected via the report filter. When one device name happens to be a substring of another device in the system, a positive match will occur when records for the other device are encountered.
Table 5 Resolved Problems in Security Monitor 1.1
Bug ID
Summary
Additional Information
CSCdx90677
Tomcat service crashes during heavy use of the event viewer
For Security Monitor 1.1, the event viewer server is no longer a DLL running under tomcat. Instead, the event viewer server is a service that communicates with the servlet through a socket connection. As a result, it is now nearly impossible for an event viewer server bug of any kind to cause problems for tomcat. Now, if a fatal error occurs with the event viewer server, then tomcat will be unaffected and the user will have to restart the event viewer server.
CSCdy26688
Cannot launch the CiscoWorks2000 desktop after installing netForensics
This problem occurred when users installed the CiscoWorks2000 Server and netForensics on the same host. To work around this problem, Install CiscoWorks Common Services first, and then install netForensics.
CSCdy46094
Receiver allocates large amount of RAM/VRAM in some circumstances
Enhancements have been made to the Receiver.
Known and Resolved Problems in IDS MC 1.1 and Security Monitor 1.1 for Solaris
Table 6 describes problems known to exist in the IDS MC and Security Monitor for Solaris.
Table 6 Known Problems in IDS MC 1.1 and Security Monitor 1.1 for Solaris
Bug ID
Summary
Explanation
CSCdy68378
IDS Processes not releasing Semaphores
The IDS MC processes do not release semaphores and shared memory when the Daemon Manager is stopped. This may cause problems when the IDS MC processes are restarted.
Workaround/Solution:
The stray semaphores and shared memory can be removed by executing the cleanup routine (/opt/CSCOpx/MDC/bin/ids/rsema.sh) after stopping the daemons.
Optionally, you can download and install a patch (cmf2.2-sol-CSCin437221.tar.Z) that executes the cleanup routine when Daemon Manager is stopped.
CSCin42265
IDS_EvsServer doesn't start after a restart from browser.
When you install a CiscoView package, the installer restarts the server. After the server restart, IDS_EvsServer does not restart.
Workaround/Solution:
After installing a CiscoView package, manually restart the server using the following commands:
/etc/init.d/dmgtd stop
/opt/CSCOpx/MDC/bin/ids/rsema.sh
/etc/init.d/dmgtd start
CSCin44573
Solaris Restore DB after password change fails
During backup and restore of the MC database if the users change the database password after backup then restore will fail. Users will not be able to connect to the database after restore.
Workaround/Solution:
Change the database password to the older password using the Database credentials before restoring the database if the database password was changed after backup.
CSCin44704
IDS MC & Sec Mon: Broken help links on Glossary
Clicking on the Glossary link in the online help table of contents results in a page not found error.
Workaround/Solution:
For glossary information, refer to the Cisco Press book Internetworking Terms and Acronyms. This book is available (at no charge) on Cisco.com at the following URL:
Database location prompted during install of IDS MC and Security Monitor does not validate if special characters are entered.
Workaround/Solution:
Make sure you provide a correct directory name with no special characters when prompted.
CSCin45548
Import/Deploy using keys will not work for IDSM3.0(5)
IDS MC will not be able to communicate with IDSM using keys with versions less than 3.0(6). Users need to move to IDSM service pack version IDSM3.0(6) if they want the IDS MC to manage IDSM using keys.
CSCin19533
Daemons.log getting increased in size by db exceptions
The size of the daemons.log file increases unbounded when one or both of the following conditions occur:
The free space in /opt partition becomes very low
The licence expires that will end up crashing /var file system
When either of these conditions occur, the daemons throw exceptions to the daemons.log file. This results in quick increase in size of daemons.log file; within 10 minutes the size can increase to more than 600 MB.
Workaround/Solution:
Verify that you have a valid license file. If you are using a 90-day evaluation license, make sure you upgrade the license before the 90-day evaluation period expires.
Make sure /opt partition does not run out of free disk space.
CSCin42998
Signatures not getting loaded in sunfire boxes
Sometimes the signatures are not listed after installing IDS MC and Security Monitor on sunfire machines.
Workaround/Solution:
Uninstall IDS MC, Security Monitor, and CiscoWorks Common Services and then reinstall.
CSCin39129
Help contents for Syslog settings page need changes
The online help for the Syslog Settings page does not reflect the Security Monitor for Solaris Syslog Settings page.
Workaround/Solution:
Refer to Release Notes for Management Center for IDS Sensors 1.1 and Monitoring Center for Security 1.1 on Cisco.com for updated information about the Syslog Settings page in Security Monitor 1.1 for Solaris.
Help page have to be updates for SSH key usage in Solaris.
The online help does not contain information using SSH keys on Solaris.
Workaround/Solution:
Refer to Release Notes for Management Center for IDS Sensors 1.1 and Monitoring Center for Security 1.1 on Cisco.com for updated information about using SSH keys with IDS MC 1.1 and Security Monitor 1.1 for Solaris.
PostOffice: Changing the PostOffice Settings gives error in UI
Changing the PostOffice settings using the Security Monitor page Admin -> System Configuration -> PostOffice Settings causes the following error:
Local Postoffice settings could not be saved - LocalPostoffice.write could not write local postoffice config files - com.cisco.nm.mdc.ids.common.exceptions.MdcException: Could not restart the local postoffice! LocalPostoffice.restart (nrexec of NRPostOfficeD) returned: Error timeout waiting to register with postoffice LocalPostoffice.restart (CSCOpx/Postoffice/bin/nrget 10000 hostID orgID 1 VersionOfApplication) returned: Error timeout waiting to register with postoffice
This message indicates that the NRPostOfficeD and IDS_Receiver daemons could not be restarted.
Workaround/Solution:
Restart the daemons manually using the following commands:
pdexec NRPostOfficeD
pdexec IDS_Receiver
After running the commands, the application will function normally with the new postoffice settings.
CSCin21355
INSTALL: uninstalling application should remove data from db
Data from a previous installation may appear when either IDS MC or Security Monitor are reinstalled on the server.
When IDS MC and Security Monitor are installed on the same server, they share a common database. When only one of the two applications are uninstalled, the data for that application remains in the database. This causes data that may have been entered in a previous installation to appear in the application when it is reinstalled.
Workaround/Solution:
Before uninstalling the application, delete all device configuration information from the application.
CSCin41741
Socket error after restarting EvsServer.
Stopping the EvsServer using pdterm and restarting it immediately causes the EventViewer to not function correctly and throws a "Socket communication error".
When the EvsServer is terminated using pdterm, EvsServer tears down the connection and makes the Tomcat Applet client to go to TIME_WAIT state. The Solaris OS will not release the port number until tcp_time_wait_interval, 240000ms (4min), expires.
Workaround/Solution:
After stopping the EvsServer, wait for 5 minutes before restarting the daemon.
CSCin39970
Unable to launch event viewer, generate reports when temp dir full
Report Scheduler will fail to generate report if the temp directory is not having enough space. Since report scheduler will store the report in the temporary location before moving into the database if enough space is not there then report will not be created.
Workaround/Solution:
Clean the temporary directory "/var/tmp" or "/tmp".
CSCin45934
Install says sunfire as not a recommended model
While installing IDS MDC, the following warning message might appear on a sunfire machine:
WARNING: Not a recommended computer model. Please refer to the
WARNING: prerequisites chapter of the install guide.
Workaround/Solution:
None. This message does not cause any harm and can be safely ignored. The install will proceed normally.
Obtaining Documentation
Cisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation on the World Wide Web at this URL:
Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which may have shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription.
Registered Cisco.com users can order the Documentation CD-ROM (product number DOC-CONDOCCD=) through the online Subscription Store:
Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, U.S.A.) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).
Documentation Feedback
You can submit comments electronically on Cisco.com. On the Cisco Documentation home page, click Feedback at the top of the page.
You can email your comments to bug-doc@cisco.com.
You can submit your comments by mail by using the response card behind the front cover of your document or by writing to the following address:
Cisco Systems Attn: Customer Document Ordering 170 West Tasman Drive San Jose, CA 95134-9883
We appreciate your comments.
Obtaining Technical Assistance
Cisco provides Cisco.com, which includes the Cisco Technical Assistance Center (TAC) Website, as a starting point for all technical assistance. Customers and partners can obtain online documentation, troubleshooting tips, and sample configurations from the Cisco TAC website. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC website, including TAC tools and utilities.
Cisco.com
Cisco.com offers a suite of interactive, networked services that let you access Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world.
Cisco.com provides a broad range of features and services to help you with these tasks:
Streamline business processes and improve productivity
Resolve technical issues with online support
Download and test software packages
Order Cisco learning materials and merchandise
Register for online skill assessment, training, and certification programs
To obtain customized information and service, you can self-register on Cisco.com at this URL:
The Cisco TAC is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two levels of support are available: the Cisco TAC website and the Cisco TAC Escalation Center. The avenue of support that you choose depends on the priority of the problem and the conditions stated in service contracts, when applicable.
We categorize Cisco TAC inquiries according to urgency:
Priority level 4 (P4)—You need information or assistance concerning Cisco product capabilities, product installation, or basic product configuration.
Priority level 3 (P3)—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.
Priority level 2 (P2)—Your production network is severely degraded, affecting significant aspects of business operations. No workaround is available.
Priority level 1 (P1)—Your production network is down, and a critical impact to business operations will occur if service is not restored quickly. No workaround is available.
Cisco TAC Website
You can use the Cisco TAC website to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC website, go to this URL:
All customers, partners, and resellers who have a valid Cisco service contract have complete access to the technical support resources on the Cisco TAC website. Some services on the Cisco TAC website require a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to this URL to register:
If you are a Cisco.com registered user, and you cannot resolve your technical issues by using the Cisco TAC website, you can open a case online at this URL:
If you have Internet access, we recommend that you open P3 and P4 cases through the Cisco TAC website so that you can describe the situation in your own words and attach any necessary files.
Cisco TAC Escalation Center
The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues. These classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer automatically opens a case.
To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to this URL:
Before calling, please check with your network operations center to determine the level of Cisco support services to which your company is entitled: for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). When you call the center, please have available your service agreement number and your product serial number.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
The Cisco Product Catalog describes the networking products offered by Cisco Systems as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:
Cisco Press publishes a wide range of networking publications. Cisco suggests these titles for new and experienced users: Internetworking Terms and Acronyms Dictionary, Internetworking Technology Handbook, Internetworking Troubleshooting Guide, and the Internetworking Design Guide. For current Cisco Press titles and other information, go to Cisco Press online at this URL:
Packet magazine is the Cisco monthly periodical that provides industry professionals with the latest information about the field of networking. You can access Packet magazine at this URL:
iQ Magazine is the Cisco monthly periodical that provides business leaders and decision makers with the latest information about the networking industry. You can access iQ Magazine at this URL:
Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in the design, development, and operation of public and private internets and intranets. You can access the Internet Protocol Journal at this URL:
