Release Notes for Management Center for IDS Sensors 2.0 and Monitoring Center for Security 2.0 on Windows and Solaris
These release notes are for use with Management Center for IDS Sensors 2.0.1 (IDS MC) and Monitoring Center for Security 2.0.1 (Security Monitor) on Windows 2000 or Solaris. The supported Windows version is Windows 2000, Service Pack 4; the supported Solaris version is 2.8.
These release notes provide:
• Additional Information Online
• Obtaining Technical Assistance
• Obtaining Additional Publications and Information
Important Notes
The following information is important to you as a user of IDS MC 2.0 or Security Monitor 2.0:
•Cisco Host Intrusion Detection System is no longer supported. This functionality is replaced by Cisco Security Agent.
•Use VMS Common Services 2.2, Service Pack 2, with IDS MC 2.0 and Security Monitor 2.0.
•Before installing VMS 2.2, you may want to upgrade your sensors to IDS 4.1(1). For more information, refer to CSCeb33006.
•Use static IP addresses for the host or hosts where IDS MC and Security Monitor are installed, because DHCP is not supported for IDS MC or Security Monitor.
•Do not use download accelerator programs such as DAP, because they are not supported.
•You cannot use SSH keys in IDS MC if you want to use a sensor as a master blocking sensor.
•If the idsmdc.log file is growing too large with unwanted data, you can reset its size to 0 (zero) by backing up the database. Then, you can delete the backup file. (The idsmdc.log file is in the same directory as idsmdc.db, the directory that was specified for the database at installation.) Also, you can use IdsDbCompact to reduce the size of the database.
•We strongly recommend that you avoid connecting to the database directly, because doing so can cause performance reductions and unexpected system behavior.
•Do not run SQL queries against the database.
•Event Viewer in Security Monitor 2.0 and later supports blocking when you are using sensors that are operating with IDS 4.x software.
•If you do not specify the -f"filename" option when using the IdsImportIdiom command line utility, the program reads "standard input" for data. As a result, the program waits forever for input; it will not time out or return, and you must abort it. Although this is not a defect, you need to be aware of this behavior to avoid misunderstanding when you use this command line utility.
Caution If IDS_ReportScheduler (a CiscoWorks2000 process), CiscoWorks2000, or Windows 2000 is stopped, any scheduled report that is running at the time is interrupted and its content is lost. In IDS MC 1.2, Security Monitor 1.2, and later versions of both, the Audit Log Report contains an entry noting the interruption and the lost content. This caution is particularly important if reports are scheduled to be generated repeatedly.
•You can forward syslog messages on the basis of IP address/hostname and port. The IP address/hostname is a required field whose default value is localhost. If a DNS name is entered, it must resolve to an IP address at data entry time. If at any time during syslog forwarding a DNS name cannot be resolved to an IP address, an appropriate error message is logged to the Audit Log.
•When firewall reports are generated, performance may be degraded if both WINS and DNS are configured on Windows 2000 servers, because resolving an IP address to a hostname can take a long time when the address does not exist in DNS or WINS. Security Monitor automatically disables any further DNS lookup activity for a particular report instance if the cumulative time spent on lookups for that report exceeds 10 minutes. Another way to improve performance is to reconfigure your report generation filters to select a smaller subset of syslog messages for inclusion in the report.
•When firewall reports are generated, no correlation is done for sessions that involve more than one connection (such as FTP and RTSP). Each connection in a session appears independently in the report. If the port numbers used by connections do not map to standard port numbers, they will be categorized as Unknown TCP or UDP service.
•An upgrade installation note applies if you use Cisco Secure Access Control Server and upgrade IDS MC 1.2.3 to IDS MC 2.0. Refer to "Post-Upgrade Installation Note for IDS MC 2.0 and Security Monitor 2.0" in the User Guide for Management Center for IDS Sensors 2.0 or to the same information in Installation Notes.
•If an online help page displays blank in your browser view, refresh the browser.
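The 10-minute lookup cutoff for firewall reports described above, as an added example that is not code from the release notes or from Security Monitor itself: a per-report resolver wrapper that stops doing reverse lookups once their cumulative time passes the budget, driven by a constructed in-memory DNS stand-in so it runs offline. The class and function names, the sample addresses and the simulated delays are assumptions.

```python
import socket
import time
from typing import Callable, Dict, List, Optional

# The release notes state that Security Monitor disables further DNS lookups for a
# report instance once cumulative lookup time exceeds 10 minutes.
LOOKUP_BUDGET_SECONDS = 10 * 60


def _system_reverse_lookup(ip: str) -> str:
    """Real reverse lookup (PTR) through the OS resolver; raises OSError on failure."""
    return socket.gethostbyaddr(ip)[0]


class BudgetedResolver:
    """Reverse-resolves addresses for one report under a cumulative time budget.

    Assumed class name, not Security Monitor's own API. The resolver and the clock
    are injectable so the cutoff logic can be exercised offline without real DNS.
    """

    def __init__(self, budget_seconds: float = LOOKUP_BUDGET_SECONDS,
                 resolve_fn: Callable[[str], str] = _system_reverse_lookup,
                 clock_fn: Callable[[], float] = time.monotonic) -> None:
        self.budget = budget_seconds
        self._resolve = resolve_fn
        self._clock = clock_fn
        self.spent = 0.0            # cumulative seconds spent inside lookups
        self.disabled = False       # set once the budget has been exceeded
        self.cache: Dict[str, Optional[str]] = {}   # negative answers are cached too
        self.audit: List[str] = []  # what the report would write to its audit log

    def lookup(self, ip: str) -> Optional[str]:
        """Return the hostname for ip, or None if unknown or lookups are disabled."""
        if ip in self.cache:        # answers already obtained stay usable after cutoff
            return self.cache[ip]
        if self.disabled:
            return None
        started = self._clock()
        try:
            name = self._resolve(ip)
        except OSError:             # socket.herror and socket.gaierror derive from OSError
            name = None
        self.spent += self._clock() - started
        self.cache[ip] = name
        if self.spent > self.budget:
            self.disabled = True
            self.audit.append("DNS lookups disabled for this report: cumulative lookup "
                              f"time {self.spent:.1f}s exceeds budget of {self.budget:.0f}s")
        return name


def render_address(resolver: BudgetedResolver, ip: str) -> str:
    """Format an address as 'ip (hostname)' when a name is known, else the bare ip."""
    name = resolver.lookup(ip)
    return f"{ip} ({name})" if name else ip


class FakeDns:
    """Constructed stand-in for DNS/WINS: known addresses answer quickly, unknown ones
    burn miss_delay simulated seconds, the slow path the release notes warn about."""

    def __init__(self, names: Dict[str, str], miss_delay: float) -> None:
        self.names = names
        self.miss_delay = miss_delay
        self.now = 0.0      # simulated monotonic clock
        self.calls = 0      # number of lookups actually attempted

    def clock(self) -> float:
        return self.now

    def resolve(self, ip: str) -> str:
        self.calls += 1
        if ip in self.names:
            self.now += 0.05
            return self.names[ip]
        self.now += self.miss_delay
        raise socket.herror(1, "Unknown host")


def demo() -> dict:
    """Run a constructed list of firewall-report source addresses through the resolver."""
    dns = FakeDns({"10.0.0.5": "pix-outside.example.test",
                   "10.0.0.6": "ids-sensor1.example.test"},
                  miss_delay=250.0)   # each unresolvable address costs ~4 simulated minutes
    resolver = BudgetedResolver(resolve_fn=dns.resolve, clock_fn=dns.clock)
    # Constructed source addresses taken from syslog messages selected for the report.
    sources = ["10.0.0.5", "192.0.2.10", "192.0.2.11", "192.0.2.12", "10.0.0.6"]
    rows = [render_address(resolver, ip) for ip in sources]
    # Three misses push cumulative time past 600s, so the last address is never looked up.
    return {"rows": rows, "disabled": resolver.disabled,
            "lookups_attempted": dns.calls, "audit": resolver.audit}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```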
New Features
IDS MC 2.0 contains the following new features:
•On the Devices tab, a page that shows the current inventory of devices and sensor software versions.
•A Progress Viewer, which shows real-time status information for all background tasks. In addition to its full tabular representation, the Progress Viewer is represented by one of three different icons, one of which is available on every page of the IDS MC.
•Support for IOS IPS devices, which are certain Cisco IOS routers operating with certain IOS images.
•The ability to configure and tune signatures at the group level.
•A Signature Wizard for creating custom signatures.
•The ability to push (instead of pull) signature updates to a sensor, a feature that is important because of certain firewall policies.
•The ability to add sensors in a batch-wise fashion using a .csv file or an .xml file.
•A Path Bar, which has a Generate and Deploy icon, a Quick Save icon, and a Quick undo icon.
•In the Status Bar, active navigation links for the names of parent groups.
•The ability to use Cisco Secure Access Control Server at the device level.
•A new pruning algorithm (accompanied by the discontinuation of command-line utilities that do pruning and the discontinuation of pruning scripts).
•The ability to download signature updates automatically.
•The ability to schedule the download of signature update files and manage pending downloads.
•Improved and expanded reporting.
•Event management using RDEP v2 (SDEE).
•Improved security in the Secure Shell, achieved by upgrading from PuTTY 0.53b to PuTTY 0.55.
•The ability to use an NTP server.
Security Monitor 2.0 contains the following new features:
•Improved and expanded reporting.
•A new pruning algorithm (accompanied by the discontinuation of command-line utilities that do pruning and the discontinuation of pruning scripts).
•A file management feature that simplifies the task of managing the size of certain files, such as log files, that can grow to problematic sizes if not managed properly.
•The ability to conduct tiered monitoring, in which a Security Monitor server can receive network IDS events from other Security Monitor servers.
•The use of the Object Selector (previously used only in IDS MC) in some areas of the GUI.
•An improved method of console notification, in which a fully integrated page on the Monitor tab displays console notifications for the logged-in user, who is notified by a new icon.
•An icon bar in the path bar.
•In Event Viewer, the ability to display IpLog files for sensors operating with IDS sensor software 4.1(2) and later.
•Also in Event Viewer, the ability to view the capture packet.
•The ability to download signature updates automatically.
•The ability to schedule the download of signature update files and manage pending downloads.
•Event management using RDEP v2 (SDEE).
•Improved security in the Secure Shell, achieved by upgrading from PuTTY 0.53b to PuTTY 0.55.
Product Documentation
Note We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.
Table 1 describes the product documentation that is available.
Table 1 Product Documentation
Document Title / Available Formats
Release Notes for Management Center for IDS Sensors 2.0 and Monitoring Center for Security 2.0 on Windows and Solaris
• On Cisco.com at this URL: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/mgt_ids/idsmc20/chmrn20.htm
Using Management Center for IDS Sensors 2.0
• On Cisco.com at this URL: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/mgt_ids/idsmc20/ug/index.htm
• Printed document available by order (part number DOC-7816093=).¹
Using Monitoring Center for Security 2.0
• On Cisco.com at this URL: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/mon_sec/secmon20/ug/index.htm
• Printed document available by order (part number DOC-7816092=).¹
Supported Devices and Software Versions for Management Center for IDS Sensors 2.0
• On Cisco.com at this URL: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/mgt_ids/idsmc20/mcsdt20.htm
Supported Devices and Software Versions for Monitoring Center for Security 2.0
• On Cisco.com at this URL: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/mon_sec/secmon20/smsdt20.htm
Context-sensitive online help
• Select an option from the navigation tree, then click Help.
• Click the Help button in the dialog box.
¹ See Obtaining Documentation.
Related Documentation
Note We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.
Table 2 describes the additional documentation that is available.
Table 2 Related Documentation
Document Title / Available Formats
Quick Start Guide for VPN/Security Management Solution 2.2
This document describes the basic tasks involved in preparing and configuring network devices using Management Centers.
• On Cisco.com at http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_b/vpnman/vms_2_2/brvms22.htm
• Printed document available by order (part number DOC-7815636=).¹
Readme for CiscoWorks VMS 2.2 Update 1
• On Cisco.com at http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_b/vpnman/vms_2_2/vmsrm.htm
Installation and Setup Guide for CiscoWorks Common Services 2.2 (Includes CiscoView 5.5) on Windows
This document describes installing and setting up CiscoWorks Common Services 2.2 (includes CiscoView 5.5) on Windows.
• On Cisco.com at http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_d/comser22/ig_wincv/index.htm
• Printed document available by order (part number DOC-7815430=).¹
Installation and Setup Guide for CiscoWorks Common Services 2.2 (Includes CiscoView 5.5) on Solaris
This document describes installing and setting up CiscoWorks Common Services 2.2 (includes CiscoView 5.5) on Solaris.
• On Cisco.com at http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_d/comser22/ig_solcv/index.htm
• Printed document available by order (part number DOC-7815431=).¹
¹ See Obtaining Documentation.
Additional Information Online
You can download signature updates for IDS MC and Security Monitor by logging in to Cisco.com at http://www.cisco.com/cgi-bin/tablebuild.pl/mgmt-ctr-ids.
Installation Notes
This section contains information on installing, upgrading, and uninstalling IDS MC and Security Monitor 2.0, as well as defining the client requirements. The following topics are detailed:
• Installing, Upgrading, and Uninstalling IDS MC and Security Monitor on Windows
• Installing, Upgrading, and Uninstalling IDS MC and Security Monitor on Solaris
Installing, Upgrading, and Uninstalling IDS MC and Security Monitor on Windows
This section describes how to install, upgrade, and uninstall Management Center for IDS Sensors (IDS MC) and Monitoring Center for Security (Security Monitor) on Windows. It contains the following sections:
• Downloading IDS MC 2.0 and Security Monitor 2.0 for Windows from Cisco.com
• Installing IDS MC 2.0 and Security Monitor 2.0
• Upgrading Existing Installations
• Uninstalling IDS MC and Security Monitor
System Requirements
IDS MC and Security Monitor are components of the VPN/Security Management Solution (VMS). CiscoWorks Common Services 2.2 is required for IDS MC and Security Monitor to work. CiscoWorks Common Services 2.2 provides the CiscoWorks Server base components and software developed to support IDS MC and Security Monitor, including the necessary software libraries and packages. For more information, see Installation and Setup Guide for CiscoWorks Common Services 2.2 (Includes CiscoView) on Windows.
Note For information about all bundle features and their requirements, see the Quick Start Guide for the VPN/Security Management Solution 2.2.
You can install IDS MC and Security Monitor on Windows 2000 and Solaris. Table 0-3 shows VMS bundle server requirements for Windows 2000 systems.
Note IDS MC and Security Monitor have been tested with the listed platforms, browsers, and service packs. If you install IDS MC and Security Monitor concurrently with software other than what is listed, IDS MC and Security Monitor might not function properly.
Additionally, you should not install any VMS products on a Windows server that is running any of the following services:
•Primary domain controller
•Backup domain controller
•Terminal Server
System Preparation
After you have verified that your system meets the requirements outlined in System Requirements, you can prepare your system for installation. Before you install or upgrade IDS MC and Security Monitor, make sure that the following components and patches have been installed:
•CiscoWorks Common Services 2.2 is installed as described in Installation and Setup Guide for CiscoWorks Common Services 2.2 (Includes CiscoView) on Windows.
•CiscoWorks VMS 2.2 Update 1 is installed as described in the Readme for CiscoWorks VMS 2.2 Update 1. CiscoWorks VMS 2.2 Update 1 and associated readme are available for download and installation at http://www.cisco.com/cgi-bin/tablebuild.pl/vms-3des.
Note You should periodically check the VMS downloads site at http://www.cisco.com/kobayashi/sw-center/cw2000/vms-planner.shtml for additional patches and updates that affect IDS MC, Security Monitor, or CiscoWorks Server.
If you have questions about which major or minor updates you are eligible to download and you have a service contract, check the Cisco Product Upgrade tool at www.cisco.com/upgrade for help.
•The OpenSSL 0.9.7d security patch for CiscoWorks Common Services 2.2 (Includes CiscoView) on Windows is installed as described in the ReadMe for OpenSSL 0.9.7d security patch for CiscoWorks Common Services 2.2 (Includes CiscoView) on Windows. The OpenSSL 0.9.7d security patch and associated readme are available for download and installation at http://www.cisco.com/cgi-bin/tablebuild.pl/cd-one-3des.
Additional Security Measures
The least secure component of a system defines how secure the system is. Before installing your server software, you should take some basic steps to secure the target server and operating system:
•Install the operating system on its own partition. Installing the operating system on one partition, and your software and data on another, protects your data and applications from viruses and attempted security breaches.
•Use strong passwords. A strong password has at least eight characters and contains numbers, letters (both uppercase and lowercase), and symbols. You can edit the Local Security Policy to configure Windows 2000 to require strong passwords.
•Avoid creating network shares. If you must create a network share, secure the shared resources with strong passwords. However, network shares are strongly discouraged, and you should disable NETBIOS completely.
•Disable unnecessary accounts. Remove the default Guest account. Make sure that all remaining accounts are protected with strong passwords and require a password to log in.
•Secure the Registry. Disable or limit remote access to the Registry.
•Apply all hotfixes and security patches. Visit the Microsoft website regularly and apply the most recent security patches. Use the Windows Update feature regularly to ensure that the most recent critical updates are installed on the server.
•Disable unused and unneeded services. At a minimum, Windows requires the following services to run: DNS Client, Event Log, Plug & Play, Protected Storage, and Security Accounts Manager. Check your software documentation for any additional Windows services required by your software.
Caution Do not install Microsoft Internet Information Server (IIS).
•Disable all network protocols except Internet Protocol (TCP/IP). Other protocols can be used to gain access to your server. Limiting the network protocols used limits the access points to your server. If you are not using network shares on the server, disable NETBIOS.
•Monitor the security of your system regularly. Log and review system activity. Use security tools, such as the Microsoft Security Configuration Tool Set (MSCTS) and Fport, to periodically review the security configuration of your system. You can obtain MSCTS from the Microsoft website.
•Limit physical access to your server. If your server contains removable media drives, set the server to boot from the hard drive first. Your data can be compromised if someone boots your server from a floppy disk. You can typically set the boot order in the system BIOS. Make sure you protect the BIOS with a strong password.
•Do not install remote access or administration tools on the server. These tools provide a point of entry to your server and are considered a security risk.
•Run a virus scanning application on the server. Virus scanning software can prevent trojan horse applications from infecting your server. Update the virus signatures regularly.
Downloading IDS MC 2.0 and Security Monitor 2.0 for Windows from Cisco.com
To download IDS MC 2.0 and Security Monitor 2.0 for Windows from Cisco.com, follow these steps:
Step 1 Create a temporary directory to which you want to download the software.
Step 2 Log in to Cisco.com.
Step 3 Go to the Software Download page for Management Center for IDS Sensors and Monitoring Center for Security, located at: http://www.cisco.com/cgi-bin/tablebuild.pl/mgmt-ctr-ids-app.
Step 4 Click fcs-IDSMDC-v2.0-win-K9.exe and proceed with the download.
Installing IDS MC 2.0 and Security Monitor 2.0
This section describes how to install IDS MC 2.0 and Security Monitor 2.0. You can install either IDS MC or Security Monitor, or you can install both. If you are upgrading from a previous version, see Upgrading Existing Installations.
Note For optimal performance, we recommend that you install IDS MC and Security Monitor on separate servers.
Before you begin
•Verify that your system meets the minimum requirements as defined in System Requirements.
•Verify that CiscoWorks Common Services 2.2, and all necessary patches have been installed as described in System Preparation.
•Download the installation application from Cisco.com as described in Downloading IDS MC 2.0 and Security Monitor 2.0 for Windows from Cisco.com.
To install IDS MC and/or Security Monitor, follow these steps:
Step 1 Log in as the local administrator on the system on which CiscoWorks Common Services is installed.
Step 2 Start the installer, and then click Yes to begin the installation.
The Welcome page appears.
Step 3 Click Next to begin the installation.
The Software License Agreement page appears.
Step 4 To accept the terms of the license agreement, click Yes.
Note If you do not accept the terms of the license agreement, click No. The install wizard closes.
Step 5 Do one of the following:
•To install both IDS MC and Security Monitor, select the Typical installation radio button. Then, click Next.
•To install IDS MC only:
–Select the Custom installation radio button. Then, click Next.
–Select the IDS MC only radio button. Then, click Next.
•To install Security Monitor only:
–Select the Custom installation radio button. Then, click Next.
–Select the Security Monitor only radio button. Then, click Next.
The System Requirements page appears.
Step 6 Verify that your system meets the minimum disk space and memory requirements. Then, click Next.
The Select Database Location page appears.
Step 7 By default, the database will be created in the directory where CiscoWorks Common Services is installed. To specify a different directory for the IDS database, enter a directory path in the Database File Location field. Then, click Next.
The Select Database Password page appears.
Step 8 Enter the database password in the Password field. Then, to confirm the password, reenter it in the Confirm Password field. Then, click Next.
If you are installing Security Monitor, the Select CiscoWorks Syslog Port page appears. If you are installing only IDS MC, the Summary page appears, and you should skip to Step 11.
Step 9 Specify which UDP port CiscoWorks uses. The value can be between 1 and 65535. By default, CiscoWorks uses UDP port 52514. We recommend that you use the default port value. Then, click Next.
The Configure Communication Properties page appears.
Step 10 To submit the communication properties for this host, type a unique Host ID, Organization ID, IP Address, Host Name, and Organization Name into the appropriate fields. The Host ID and Organization ID can contain only uppercase and lowercase letters, numerals 0 through 9, minus signs (-), and underscores (_). Then, click Next.
The properties are used to establish communication between this host and the IDS postoffice device. The Summary page appears.
Step 11 Review your installation settings. Then, click Next.
The selected applications are installed. After installation, the Restart page appears.
Step 12 Select Yes, I want to restart my computer now and click Finish to restart the computer. Or, select No, I will restart my computer later and click Finish to restart the computer at a later time.
Note You must restart the computer before you use IDS MC or Security Monitor.
Upgrading Existing Installations
If you have an earlier version of IDS MC or Security Monitor installed on your server, you should review the information in Table 0-4 to determine how to upgrade to version 2.0.
Before you begin
•Verify that CiscoWorks VMS 2.2 Update 1 and all other necessary patches have been installed as described in System Preparation.
•Download the installation application from Cisco.com as described in Downloading IDS MC 2.0 and Security Monitor 2.0 for Windows from Cisco.com.
Table 0-4 Recommended Upgrade Sequence
If the following product is already installed... / And you want to... / You should upgrade in the following order...
Already installed: IDS MC 1.2.3
You want to: upgrade to IDS MC 2.0, or upgrade to IDS MC 2.0 and install Security Monitor 2.0
Upgrade order:
1. Upgrade to IDS MC 2.0 and, optionally, install Security Monitor 2.0 by following the steps listed in Upgrading to IDS MC 2.0 and Security Monitor 2.0.
2. If you are using Cisco Secure Access Control Server (ACS) to define user accounts, follow the steps outlined in Post-Upgrade Installation Note for IDS MC 2.0 and Security Monitor 2.0, to re-register the components.
Already installed: Security Monitor 1.2.3
You want to: upgrade to Security Monitor 2.0, or upgrade to Security Monitor 2.0 and install IDS MC 2.0
Upgrade order:
1. Upgrade to Security Monitor 2.0 and, optionally, install IDS MC 2.0 by following the steps listed in Upgrading to IDS MC 2.0 and Security Monitor 2.0.
2. If you are using Cisco Secure Access Control Server (ACS) to define user accounts, follow the steps outlined in Post-Upgrade Installation Note for IDS MC 2.0 and Security Monitor 2.0, to re-register the components.
Already installed: IDS MC 1.2.3 and Security Monitor 1.2.3
You want to: upgrade to IDS MC 2.0 and Security Monitor 2.0
Note If both components are installed on the same server, you cannot upgrade one component without upgrading the other.
Upgrade order:
1. Upgrade to IDS MC 2.0 and Security Monitor 2.0 by following the steps listed in Upgrading to IDS MC 2.0 and Security Monitor 2.0.
2. If you are using Cisco Secure Access Control Server (ACS) to define user accounts, follow the steps outlined in Post-Upgrade Installation Note for IDS MC 2.0 and Security Monitor 2.0, to re-register the components.
Already installed: IDS MC prior to version 1.2.3
You want to: upgrade to IDS MC 2.0, or upgrade to IDS MC 2.0 and install Security Monitor 2.0
Upgrade order:
1. Upgrade to IDS MC 1.2.3 by following the steps listed in Upgrading to IDS MC 1.2.3 and Security Monitor 1.2.3.
Note You do not need to install Security Monitor 1.2.3. If you want to install Security Monitor on a server that is already running IDS MC, wait and install it using the 2.0 installer.
2. Upgrade to IDS MC 2.0 and, optionally, install Security Monitor 2.0 by following the steps listed in Upgrading to IDS MC 2.0 and Security Monitor 2.0.
3. If you are using Cisco Secure Access Control Server (ACS) to define user accounts, follow the steps outlined in Post-Upgrade Installation Note for IDS MC 2.0 and Security Monitor 2.0, to re-register the components.
Already installed: Security Monitor prior to version 1.2.3
You want to: upgrade to Security Monitor 2.0, or upgrade to Security Monitor 2.0 and install IDS MC 2.0
Upgrade order:
1. Upgrade to Security Monitor 1.2.3 by following the steps listed in Upgrading to IDS MC 1.2.3 and Security Monitor 1.2.3.
Note You do not need to install IDS MC 1.2.3. If you want to install IDS MC on a server that is already running Security Monitor, wait and install it using the 2.0 installer.
2. Upgrade to Security Monitor 2.0 and, optionally, install IDS MC 2.0 by following the steps listed in Upgrading to IDS MC 2.0 and Security Monitor 2.0.
3. If you are using Cisco Secure Access Control Server (ACS) to define user accounts, follow the steps outlined in Post-Upgrade Installation Note for IDS MC 2.0 and Security Monitor 2.0, to re-register the components.
Already installed: IDS MC prior to version 1.2.3 and Security Monitor prior to version 1.2.3
You want to: upgrade to IDS MC 2.0 and Security Monitor 2.0
Note If both components are installed on the same server, you cannot upgrade one component without upgrading the other.
Upgrade order:
1. Upgrade to IDS MC 1.2.3 and Security Monitor 1.2.3 by following the steps listed in Upgrading to IDS MC 1.2.3 and Security Monitor 1.2.3.
2. Upgrade to IDS MC 2.0 and Security Monitor 2.0 by following the steps listed in Upgrading to IDS MC 2.0 and Security Monitor 2.0.
3. If you are using Cisco Secure Access Control Server (ACS) to define user accounts, follow the steps outlined in Post-Upgrade Installation Note for IDS MC 2.0 and Security Monitor 2.0, to re-register the components.
Upgrading to IDS MC 1.2.3 and Security Monitor 1.2.3
This section describes how to upgrade to IDS MC 1.2.3 and Security Monitor 1.2.3. If you are running a version of IDS MC or Security Monitor prior to version 1.2.3, you must first upgrade to 1.2.3 before you can upgrade to version 2.0.
If IDS MC and Security Monitor are installed on the same server, you must upgrade both. If only one component (IDS MC or Security Monitor) is currently installed on the server, and you want to install the other component on the same server, you should wait and install it using the 2.0 installer.
To upgrade to IDS MC 1.2.3 and/or Security Monitor 1.2.3, follow these steps:
Step 1 Log in as the local administrator on the system on which CiscoWorks Common Services is installed.
Step 2 To download version 1.2.3, perform steps a through c; otherwise, skip to Step 3:
a. Log in to Cisco.com.
b. Go to the Software Download page for Management Center for IDS Sensors and Monitoring Center for Security, located at: http://www.cisco.com/cgi-bin/tablebuild.pl/mgmt-ctr-ids-app.
c. Click fcs-IDSMC-V1.2.3-w2k-k9.exe and proceed with the download.
Step 3 Start the installer, and then click Yes to begin the installation.
The Welcome page appears.
Step 4 Click Next to begin the installation.
The Software License Agreement page appears.
Step 5 To accept the terms of the license agreement, click Yes.
Note If you do not accept the terms of the license agreement, click No. The install wizard closes.
Step 6 Do one of the following:
•To upgrade Security Monitor and IDS MC, select the Typical installation radio button. Then, click Next.
•To upgrade IDS MC:
–Select the Custom installation radio button, and then click Next.
–Select the IDS MC only radio button, and then click Next.
•To upgrade Security Monitor:
–Select the Custom installation radio button, and then click Next.
–Select the Security Monitor only radio button, and then click Next.
The System Requirements page appears.
Step 7 Verify that your system meets the minimum disk space and memory requirements. Then, click Next.
The Summary page appears.
Step 8 Verify the selected components. Then, click Next.
The applications are upgraded, and then the Setup Complete page appears.
Step 9 Click Finish to complete the upgrade.
Upgrading to IDS MC 2.0 and Security Monitor 2.0
This section describes how to upgrade to IDS MC 2.0 and Security Monitor 2.0. If IDS MC and Security Monitor are installed on the same server, you must upgrade both. If only one component is currently installed on the server, you can optionally install the current version of the other component on the same server during the upgrade process.
To upgrade IDS MC, Security Monitor, or both, or to upgrade one component while installing the other, follow these steps:
Step 1 Log in as the local administrator on the system on which CiscoWorks Common Services is installed.
Step 2 Start the installer, and then click Yes to begin the installation. For instructions on downloading the installer, see Downloading IDS MC 2.0 and Security Monitor 2.0 for Windows from Cisco.com.
The Welcome page appears.
Step 3 Click Next to begin the installation.
The Software License Agreement page appears.
Step 4 To accept the terms of the license agreement, click Yes.
Note If you do not accept the terms of the license agreement, click No. The install wizard closes.
Step 5 Do one of the following:
•To upgrade IDS MC and Security Monitor, to upgrade IDS MC and install Security Monitor, or to upgrade Security Monitor and install IDS MC, select the Typical installation radio button. Then, click Next.
•To upgrade IDS MC without installing Security Monitor:
–Select the Custom Installation radio button. Then, click Next.
–Select the IDS MC only(upgrade) radio button. Then, click Next.
•To upgrade Security Monitor without installing IDS MC:
–Select the Custom installation radio button. Then, click Next.
–Select the Security Monitor only(upgrade) radio button. Then, click Next.
The System Requirements page appears.
Step 6 Verify that your system meets the minimum disk space and memory requirements. Then, click Next.
If you are installing Security Monitor (not upgrading), the Select CiscoWorks Syslog Port page appears. If you are not installing Security Monitor, the Summary page appears, and you should skip to Step 9.
Step 7 Specify which UDP port CiscoWorks uses. The value can be between 1 and 65535. By default, CiscoWorks uses UDP port 52514. We recommend that you use the default port value. Then, click Next.
The Configure Communication Properties page appears.
Step 8 To submit the communication properties for this host, type a unique Host ID, Organization ID, IP Address, Host Name, and Organization Name into the appropriate fields. The Host ID and Organization ID can contain only uppercase and lowercase letters, numerals 0 through 9, minus signs (-), and underscores (_). Then, click Next.
The properties are used to establish communication between this host and the IDS postoffice device. The Summary page appears.
Step 9 Verify the selected components. Then, click Next.
You are prompted to save the existing IDS MC/Security Monitor database.
Step 10 To save the existing IDS MC/Security Monitor database, click Yes. To erase the existing data and start with a new database, click No.
The applications are upgraded, and then the Setup Complete page appears.
Step 11 Click Finish to complete the upgrade.
Post-Upgrade Installation Note for IDS MC 2.0 and Security Monitor 2.0
This post-upgrade installation note applies when both of the following conditions are met:
1. You are upgrading IDS MC 1.2.3 to IDS MC 2.0 or you are upgrading Security Monitor 1.2.3 to Security Monitor 2.0.
Note This condition does not apply if you are performing a new (also called "clean") installation rather than an upgrade installation.
2. You are using Cisco Secure Access Control Server (ACS) to define user accounts.
To ensure a proper upgrade installation after installing IDS MC 2.0 or Security Monitor 2.0, follow these steps:
Step 1 If you upgraded IDS MC, select and delete the Help Desk command set for IDS MC from the Shared Profile Components page of ACS.
Step 2 If you installed Security Monitor, select and delete the Help Desk command set for Security Monitor from the Shared Profile Components page of ACS.
Step 3 If you installed IDS MC, register IDS MC on the CiscoWorks server at VPN/Security Management Solution > Administration > Configuration > AAA Server.
Step 4 If you installed Security Monitor, register Security Monitor on the CiscoWorks server at VPN/Security Management Solution > Administration > Configuration > AAA Server.
Uninstalling IDS MC and Security Monitor
This section describes how to uninstall IDS MC and Security Monitor. You can uninstall either IDS MC or Security Monitor, or you can uninstall both.
To uninstall IDS MC and/or Security Monitor, follow these steps:
Step 1 Select Start > Programs > CiscoWorks > Uninstall CiscoWorks.
The Uninstallation page appears.
Step 2 Select which components to uninstall.
a. To uninstall IDS MC, select the IDS Management Center check box and deselect all the other check boxes. Then, click Next.
b. To uninstall Security Monitor, select the Security Monitor check box and deselect all the other check boxes. Then, click Next.
c. To uninstall both IDS MC and Security Monitor, select the IDS Management Center and Security Monitor check boxes and deselect all remaining check boxes. Then, click Next.
Note If you are uninstalling earlier versions of IDS MC and Security Monitor, you might also need to select the IDS MC/Security Monitor Common Framework check box. However, you should not select this check box if you are uninstalling one component (IDS MC or Security Monitor) but are leaving the other component installed.
The IDS MC/Security Monitor Common Framework component is not listed in the uninstaller for IDS MC 2.0 and Security Monitor 2.0.
A page displays the components that you have selected to delete.
Step 3 Verify the components selected for deletion. Then, click Next.
Messages display the progress of the uninstallation. Then, an information message states that uninstallation is complete.
Step 4 Click OK.
Uninstallation is complete.
Installing, Upgrading, and Uninstalling IDS MC and Security Monitor on Solaris
This chapter describes how to install, upgrade, and uninstall IDS MC and Security Monitor on the Sun Solaris operating system. It contains the following sections:
• System Parameter Tuning on Solaris
• Downloading IDS MC 2.0 and Security Monitor 2.0 for Solaris from Cisco.com
• Installing IDS MC 2.0 and Security Monitor 2.0
• Upgrading Existing Installations
• Uninstalling IDS MC and Security Monitor
System Requirements
IDS MC and Security Monitor are components of the VPN/Security Management Solution (VMS). CiscoWorks Common Services 2.2 is required for IDS MC and Security Monitor to work. CiscoWorks Common Services 2.2 provides the CiscoWorks Server base components and software developed to support IDS MC and Security Monitor, including the necessary software libraries and packages. For more information, see Installation and Setup Guide for CiscoWorks Common Services 2.2 (Includes CiscoView 5.5) on Solaris.
Note For information about all bundle features and their requirements, see the Quick Start Guide for the VPN/Security Management Solution 2.2.
You can install IDS MC and Security Monitor on Windows 2000 and Solaris. Table 0-5 shows the server requirements for Solaris systems.
Note IDS MC and Security Monitor have been tested with the listed platforms, browsers, and service packs. If you install IDS MC and Security Monitor concurrently with software other than what is listed, IDS MC and Security Monitor might not function properly.
Table 0-5 Server Requirements for Solaris
System Component / Requirement
System Hardware
•Sun UltraSPARC 60 MP with 440 MHz or faster processor.
•Sun UltraSPARC III (Sun Blade 2000 Workstation or Sun Fire 280R Workgroup Server) (1).
•Color monitor with at least 800x600 resolution and a video card capable of 16-bit colors.
•CD-ROM drive.
•100BaseT or faster (100 Mbps or faster) network connection.
•Single and multiple CPU machines.
System Software
•Sun Solaris 2.8 with these patches:
–109742 has been replaced by 108528-13
–109322 has been replaced by 108827-15
–109279 has been replaced by 108528-13
–108991 has been replaced by 108827-15
Note CiscoWorks Common Services 2.2 supports only the US-English and Japanese versions of the Solaris operating system. It does not support any other language version. Set the default locale to US-English for the US-English version and to Japanese for the Japanese version.
Memory
1 GB minimum memory.
Virtual Memory
2 GB virtual memory (2).
Hard Drive Space
12 GB minimum available disk drive space.
Note The actual amount of hard drive space required depends upon the number of CiscoWorks Common Services client applications you are installing and the number of devices you are managing with the client applications.
(1) Solaris SPARC station or Sun Ultra 10 is the minimum hardware requirement.
(2) Virtual Memory should be twice the Main Memory size.
To verify the amount of available disk space in each of the specified partitions and directories, enter:
# df -k directory
where directory is the partition or directory for which you want to check the available disk space.
Note The Solaris patches required by IDS MC and Security Monitor are the same as those required by CiscoWorks Common Services 2.2 for Solaris. For more information on the required Solaris patches, see Installation and Setup Guide for CiscoWorks Common Services (Includes CiscoView) on Solaris.
System Preparation
After you have verified that your system meets the requirements outlined in System Requirements, you can prepare your system for installation. Before you install or upgrade IDS MC and Security Monitor, make sure that the following components and patches have been installed:
•CiscoWorks Common Services 2.2 is installed as described in Installation and Setup Guide for CiscoWorks Common Services 2.2 (Includes CiscoView) on Solaris.
•CiscoWorks VMS 2.2 Update 1 is installed as described in the Readme for CiscoWorks VMS 2.2 Update 1. CiscoWorks VMS 2.2 Update 1 and associated readme are available for download and installation at http://www.cisco.com/cgi-bin/tablebuild.pl/vms-3des.
Note You should periodically check the VMS downloads site at http://www.cisco.com/kobayashi/sw-center/cw2000/vms-planner.shtml for additional patches and updates that affect IDS MC, Security Monitor, or CiscoWorks Server.
If you have questions about which major or minor updates you are eligible to download and you have a service contract, check the Cisco Product Upgrade tool at www.cisco.com/upgrade for help.
•The OpenSSL 0.9.7d security patch for CiscoWorks Common Services 2.2 (Includes CiscoView) on Solaris is installed as described in the ReadMe for OpenSSL 0.9.7d security patch for CiscoWorks Common Services 2.2 (Includes CiscoView) on Solaris. The OpenSSL 0.9.7d security patch and associated readme are available for download and installation at http://www.cisco.com/cgi-bin/tablebuild.pl/cd-one-3des.
•All required Solaris patches have been installed. The Solaris patches required by IDS MC and Security Monitor are the same as those required by CiscoWorks Common Services 2.2 for Solaris. For more information on the required Solaris patches, see Installation and Setup Guide for CiscoWorks Common Services (Includes CiscoView) on Solaris.
Additional Security Measures
The least secure component of a system defines how secure the system is. Before installing your server software, you should take some basic steps to secure the target server and operating system.
This section contains important information that you should read before you begin installation:
•CiscoWorks applications are installed in the following default directory:
–/opt/CSCOpx
If you select another directory during installation, the application is installed in that directory.
•If you select an installation directory different from the default, the /opt/CSCOpx directory is created as a link to the directory you selected. If you remove the link after installation, the component might malfunction.
•If errors occur during installation, check the installation log file /var/tmp/ciscoinstall.log.
•You can press Ctrl-C at any time to end the installation. However, any changes to your system (for example, installation of new files or changes to system files) will not be undone.
Caution We do not recommend ending the installation using Ctrl-C. If you do so, you must manually clean up the installation directories.
•If you want to use secure access between the client browser and the management server, you can enable or disable SSL from the CiscoWorks desktop.
If SSL is enabled:
–The URL begins with https instead of http to indicate a secure connection.
–The port number succeeding the server name is 1742 instead of 1741.
You cannot enable SSL on the CiscoWorks Server if there is an application that is not SSL-compliant installed on the server.
Note We recommend that you have SSL enabled during installation unless you are using other CiscoWorks components that do not support SSL. For help with SSL, consult the User Guide for CiscoWorks Common Services 2.2 at http://www.cisco.com/en/US/partner/products/sw/cscowork/ps3996/products_user_guide_chapter09186a008017b754.html.
•Make sure that you disable DHCP or assign a permanent, static lease for all CiscoWorks Servers and AutoUpdate Servers. The Dynamic Host Configuration Protocol (DHCP) enables hosts to receive dynamically assigned IP addresses. Because these addresses are not permanently assigned to the hosts, a CiscoWorks Server or AutoUpdate Server that uses one can change address and become unreachable at the address other components were configured with; for that reason we recommend disabling DHCP or using a permanent, static lease on those servers.
•Network inconsistencies might cause installation errors if you are installing from a remote mount point.
System Parameter Tuning on Solaris
During installation, IDS MC sets the following system parameters in the /etc/system file on Solaris:
set shmsys:shminfo_shmmax=4294967295
set shmsys:shminfo_shmmin=1
set shmsys:shminfo_shmmni=100
set shmsys:shminfo_shmseg=10
set semsys:seminfo_semmsl=160
set semsys:seminfo_semopm=100
set semsys:seminfo_semvmx=32767
set semsys:seminfo_semaem=16384
set semsys:seminfo_semmap=66
set semsys:seminfo_semume=20
set semsys:seminfo_semmns=510
set semsys:seminfo_semmni=170
set semsys:seminfo_semmnu=120
set rlim_fd_cur=120
If you are running other applications that use these parameters, you must increment them according to application documentation. If you change these parameters, you must reboot the system for the changes to take effect.
You can find general information about tuning the system parameters on the Sun Microsystems website:
http://docs.sun.com/db/doc/806-7009
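As an added example (not Cisco's code and not part of the original release notes), the following POSIX sh script performs two of the preflight checks described in this chapter before the installer is run: it compares the free space under the installation directory with the 12 GB minimum from Table 0-5 (using df -k, as the requirements section suggests), and it checks an /etc/system file against the parameters the installer sets, reporting any that are missing or lower than the installer's values. The script name, the function names and the constructed sample file are assumptions made for illustration.

```shell
#!/bin/sh
# preflight.sh: added example, not Cisco's installer code.
# Assumes POSIX sh, awk and "df -k"; the parameter values below are the
# ones the release notes say the installer writes to /etc/system.

# Required /etc/system settings (name=minimum), from the release notes.
REQUIRED_PARAMS='
shmsys:shminfo_shmmax=4294967295
shmsys:shminfo_shmmin=1
shmsys:shminfo_shmmni=100
shmsys:shminfo_shmseg=10
semsys:seminfo_semmsl=160
semsys:seminfo_semopm=100
semsys:seminfo_semvmx=32767
semsys:seminfo_semaem=16384
semsys:seminfo_semmap=66
semsys:seminfo_semume=20
semsys:seminfo_semmns=510
semsys:seminfo_semmni=170
semsys:seminfo_semmnu=120
rlim_fd_cur=120
'

# Minimum free disk space from Table 0-5: 12 GB, in KB because df -k reports KB.
MIN_DISK_KB=12582912

# current_value FILE PARAM: print the value from the last "set PARAM=VALUE"
# line in FILE (a later line overrides an earlier one, as the kernel applies
# them in order); prints nothing when PARAM is not set. Lines starting with
# "*" are /etc/system comments and are skipped because their first field is not "set".
current_value() {
    awk -v p="$2" '
        $1 == "set" {
            split($2, kv, "=")
            if (kv[1] == p) { val = kv[2] }
        }
        END { if (val != "") print val }' "$1"
}

# check_system_params FILE: compare every required parameter with FILE.
# Prints one "MISSING" or "LOW" line per problem and returns the problem
# count, so 0 means FILE already satisfies the installer's settings.
check_system_params() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file"; return 1; }
    problems=0
    for entry in $REQUIRED_PARAMS; do
        name=${entry%%=*}
        need=${entry#*=}
        have=$(current_value "$file" "$name")
        if [ -z "$have" ]; then
            echo "MISSING $name (need $need)"
            problems=$((problems + 1))
        elif [ "$have" -lt "$need" ]; then
            echo "LOW $name=$have (need $need)"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# avail_kb DIR: kilobytes available on the filesystem holding DIR, taken from
# the last line of "df -k DIR"; the third-from-last field is "avail" whether
# or not a long device name has wrapped the output onto two lines.
avail_kb() {
    df -k "$1" | awk 'END { print $(NF-2) }'
}

# check_disk_space DIR: returns 0 when DIR has at least MIN_DISK_KB available.
check_disk_space() {
    avail=$(avail_kb "$1")
    if [ "$avail" -lt "$MIN_DISK_KB" ]; then
        echo "LOW disk: $avail KB available under $1, need $MIN_DISK_KB KB"
        return 1
    fi
    echo "OK disk: $avail KB available under $1"
}

# write_sample_system FILE: writes a constructed /etc/system fragment (not a
# real host's file) in which semmns is too low and rlim_fd_cur is absent.
write_sample_system() {
    cat > "$1" <<'EOF'
* constructed sample: semmns is below the installer value, rlim_fd_cur is absent
set shmsys:shminfo_shmmax=4294967295
set shmsys:shminfo_shmmin=1
set shmsys:shminfo_shmmni=100
set shmsys:shminfo_shmseg=10
set semsys:seminfo_semmsl=160
set semsys:seminfo_semopm=100
set semsys:seminfo_semvmx=32767
set semsys:seminfo_semaem=16384
set semsys:seminfo_semmap=66
set semsys:seminfo_semume=20
set semsys:seminfo_semmns=256
set semsys:seminfo_semmni=170
set semsys:seminfo_semmnu=120
EOF
}

# preflight [SYSTEM_FILE] [INSTALL_DIR]: run both checks; 0 only if both pass.
preflight() {
    check_system_params "${1:-/etc/system}"; params_rc=$?
    check_disk_space "${2:-/opt}"; disk_rc=$?
    [ "$params_rc" -eq 0 ] && [ "$disk_rc" -eq 0 ]
}

# Usage on the target host: sh preflight.sh /etc/system /opt
if [ $# -gt 0 ]; then
    preflight "$@"
fi
```

A non-zero exit from check_system_params before the install tells you the installer will modify /etc/system and a reboot will be needed; running it again after the install (against the real /etc/system) confirms that other applications' larger values were kept rather than lowered.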
Downloading IDS MC 2.0 and Security Monitor 2.0 for Solaris from Cisco.com
To download IDS MC 2.0 and Security Monitor 2.0 for Solaris from Cisco.com, follow these steps:
Step 1 Create a temporary directory to which you want to download the software.
Step 2 Log in to Cisco.com.
Step 3 Go to the Software Download page for Management Center for IDS Sensors and Monitoring Center for Security, located at: http://www.cisco.com/cgi-bin/tablebuild.pl/mgmt-ctr-ids-app.
Step 4 Click fcs-IDSMDC-v2.0-sol-K9.zip and proceed to download the software to the temporary directory you created in Step 1.
Step 5 After downloading the file, unzip the files into the temporary directory that you created:
# cd tempdir
# unzip fcs-IDSMDC-v2.0-sol-K9.zip
where tempdir is the location where you downloaded the installation software.
Installing IDS MC 2.0 and Security Monitor 2.0
This section describes how to install IDS MC 2.0 and Security Monitor 2.0. You can install either IDS MC or Security Monitor, or you can install both. If you are upgrading from a previous version, see Upgrading Existing Installations.
Note For optimal performance, we recommend that you install IDS MC and Security Monitor on separate servers.
Before you begin
•Verify that your system meets the minimum requirements as defined in System Requirements.
•Verify that you have root privileges on the server.
•Verify that CiscoWorks Common Services 2.2, and all necessary patches have been installed as described in System Preparation.
•Download the installation application from Cisco.com as described in Downloading IDS MC 2.0 and Security Monitor 2.0 for Solaris from Cisco.com.
To install IDS MC and/or Security Monitor, follow these steps:
Step 1 Log in as root on the Solaris server.
Step 2 To run the installation program, enter:
# cd tempdir
# ./setup.sh
where tempdir is the location where you extracted the installation files.
The following message appears:
Press Enter to read/browse the following license agreement:
Step 3 Press Enter to read the license agreement.
The following message appears at the end of the license agreement:
You must accept this License agreement for the installation to proceed.
If you enter N/n, the installation will exit. Do you accept all the terms of the preceding License Agreement? (y/n) [y]
Step 4 To accept the terms of the license agreement and proceed with the installation, enter y.
Note If you do not accept the terms of the license agreement, enter n to stop the installation.
The following options appear:
(1) IDS Management Center
(2) Security Monitor
(3) All of the Above (IDS Management Center + Security Monitor)
Step 5 Select one of the items using its number or enter q to quit.
Step 6 If you selected (1) IDS Management Center or (3) All of the Above (IDS Management Center + Security Monitor), enter the following details:
•Database password
•Database location
•Host IP address
Step 7 If you selected (2) Security Monitor or (3) All of the Above (IDS Management Center + Security Monitor), enter the following postoffice setting information:
•Host ID
•Host name
•Organization ID
•Organization name
•Host IP address
If you selected (3) All of the Above (IDS Management Center + Security Monitor), you should enter the Host IP address twice—once for setting the IP address of the host system and again when entering postoffice settings.
The installation proceeds.
During installation, a warning message appears if the /etc/system file is modified for tuning system parameters. You should reboot the system for the changes to the /etc/system file to take effect. If you do not reboot the system, IDS MC and Security Monitor may not work as expected.
You should enable and configure the syslogd service for IDS_Receiver to receive syslog events from remote hosts.
After the installation is completed, Daemon Manager starts.
Note Error messages or warning messages appear if the required and recommended Solaris patches are not present on your system. Before running Security Monitor and IDS MC, download and install the most recent recommended patches from http://www.sunsolve.sun.com.
If errors occurred during installation, check the installation log file: /var/tmp/ciscoinstall.log. Each installation appends to this file.
Upgrading Existing Installations
If you have an earlier version of IDS MC or Security Monitor installed on your server, you should review the information in Table 0-6 to determine how to upgrade to version 2.0.
Before you begin
•Verify that CiscoWorks VMS 2.2 Update 1 and all other necessary patches have been installed as described in System Preparation.
•Download the installation application from Cisco.com as described in Downloading IDS MC 2.0 and Security Monitor 2.0 for Solaris from Cisco.com.
Table 0-6 Recommended Upgrade Sequence
Columns: If the following product is already installed... / And you want to... / You should upgrade in the following order...
Already installed: IDS MC 1.2.3
You want to: upgrade to IDS MC 2.0, or upgrade to IDS MC 2.0 and install Security Monitor 2.0
Upgrade order:
1. Upgrade to IDS MC 2.0 and, optionally, install Security Monitor 2.0 by following the steps listed in Upgrading to IDS MC 2.0 and Security Monitor 2.0.
2. If you are using Cisco Secure Access Control Server (ACS) to define user accounts, follow the steps outlined in Post-Upgrade Installation Note for IDS MC 2.0 and Security Monitor 2.0, to re-register the components.
Already installed: Security Monitor 1.2.3
You want to: upgrade to Security Monitor 2.0, or upgrade to Security Monitor 2.0 and install IDS MC 2.0
Upgrade order:
1. Upgrade to Security Monitor 2.0 and, optionally, install IDS MC 2.0 by following the steps listed in Upgrading to IDS MC 2.0 and Security Monitor 2.0.
2. If you are using Cisco Secure Access Control Server (ACS) to define user accounts, follow the steps outlined in Post-Upgrade Installation Note for IDS MC 2.0 and Security Monitor 2.0, to re-register the components.
Already installed: IDS MC 1.2.3 and Security Monitor 1.2.3
You want to: upgrade to IDS MC 2.0 and Security Monitor 2.0
Note If both components are installed on the same server, you cannot upgrade one component without upgrading the other.
Upgrade order:
1. Upgrade to IDS MC 2.0 and Security Monitor 2.0 by following the steps listed in Upgrading to IDS MC 2.0 and Security Monitor 2.0.
2. If you are using Cisco Secure Access Control Server (ACS) to define user accounts, follow the steps outlined in Post-Upgrade Installation Note for IDS MC 2.0 and Security Monitor 2.0, to re-register the components.
Already installed: IDS MC prior to version 1.2.3
You want to: upgrade to IDS MC 2.0, or upgrade to IDS MC 2.0 and install Security Monitor 2.0
Upgrade order:
1. Upgrade to IDS MC 1.2.3 by following the steps listed in Upgrading to IDS MC 1.2.3 and Security Monitor 1.2.3.
Note You do not need to install Security Monitor 1.2.3. If you want to install Security Monitor on a server that is already running IDS MC, wait and install it using the 2.0 installer.
2. Upgrade to IDS MC 2.0 and, optionally, install Security Monitor 2.0 by following the steps listed in Upgrading to IDS MC 2.0 and Security Monitor 2.0.
3. If you are using Cisco Secure Access Control Server (ACS) to define user accounts, follow the steps outlined in Post-Upgrade Installation Note for IDS MC 2.0 and Security Monitor 2.0, to re-register the components.
Already installed: Security Monitor prior to version 1.2.3
You want to: upgrade to Security Monitor 2.0, or upgrade to Security Monitor 2.0 and install IDS MC 2.0
Upgrade order:
1. Upgrade to Security Monitor 1.2.3 by following the steps listed in Upgrading to IDS MC 1.2.3 and Security Monitor 1.2.3.
Note You do not need to install IDS MC 1.2.3. If you want to install IDS MC on a server that is already running Security Monitor, wait and install it using the 2.0 installer.
2. Upgrade to Security Monitor 2.0 and, optionally, install IDS MC 2.0 by following the steps listed in Upgrading to IDS MC 2.0 and Security Monitor 2.0.
3. If you are using Cisco Secure Access Control Server (ACS) to define user accounts, follow the steps outlined in Post-Upgrade Installation Note for IDS MC 2.0 and Security Monitor 2.0, to re-register the components.
Already installed: IDS MC prior to version 1.2.3 and Security Monitor prior to version 1.2.3
You want to: upgrade to IDS MC 2.0 and Security Monitor 2.0
Note If both components are installed on the same server, you cannot upgrade one component without upgrading the other.
Upgrade order:
1. Upgrade to IDS MC 1.2.3 and Security Monitor 1.2.3 by following the steps listed in Upgrading to IDS MC 1.2.3 and Security Monitor 1.2.3.
2. Upgrade to IDS MC 2.0 and Security Monitor 2.0 by following the steps listed in Upgrading to IDS MC 2.0 and Security Monitor 2.0.
3. If you are using Cisco Secure Access Control Server (ACS) to define user accounts, follow the steps outlined in Post-Upgrade Installation Note for IDS MC 2.0 and Security Monitor 2.0, to re-register the components.
Upgrading to IDS MC 1.2.3 and Security Monitor 1.2.3
This section describes how to upgrade to IDS MC 1.2.3 and Security Monitor 1.2.3. If you are running a version of IDS MC or Security Monitor prior to version 1.2.3, you must first upgrade to 1.2.3 before you can upgrade to version 2.0.
If IDS MC and Security Monitor are installed on the same server, you must upgrade both. If only one component (IDS MC or Security Monitor) is currently installed on the server, and you want to install the other component on the same server, you should wait and install it using the 2.0 installer.
To upgrade to IDS MC 1.2.3 and/or Security Monitor 1.2.3, follow these steps:
Step 1 Log in as root.
Step 2 To download IDS MC 1.2.3 and Security Monitor 1.2.3 for Solaris from Cisco.com, perform steps a through e; otherwise, skip to Step 3:
a. Create a temporary directory to which you want to download the software.
b. Log in to Cisco.com.
c. Go to the Software Download page for Management Center for IDS Sensors and Monitoring Center for Security, located at: http://www.cisco.com/cgi-bin/tablebuild.pl/mgmt-ctr-ids-app.
d. Click fcs-IDSMDC-v1.2.3-sol-K9.zip and proceed to download the software to the temporary directory you created in Step a.
e. After downloading the file, unzip the files into the temporary directory that you created:
# cd tempdir
# unzip fcs-IDSMDC-v1.2.3-sol-K9.zip
where tempdir is the location where you downloaded the installation software.
Step 3 To run the installation program, enter:
# cd tempdir
# ./setup.sh
where tempdir is the location where you extracted the installation files.
The following message appears:
Press Enter to read/browse the following license agreement:
Step 4 Press Enter to read the license agreement.
The following message appears at the end of the license agreement:
You must accept this License agreement for the installation to proceed.
If you enter N/n, the installation will exit. Do you accept all the terms of the preceding License Agreement? (y/n) [y]
Step 5 To accept the terms of the license agreement and proceed with the installation, enter y.
Note If you do not accept the terms of the license agreement, enter n to stop the installation.
One of the following applies, depending on which components are currently installed on your server:
•If both IDS MC and Security Monitor are installed on your server, the installation application automatically upgrades both components. Skip to Step 7.
•If only IDS MC is installed on your server, the following message appears:
(1) IDS Management Center
(2) Both IDS Management Center and Security Monitor
•If only Security Monitor is installed on your server, the following message appears:
(1) Security Monitor
(2) Both IDS Management Center and Security Monitor
Step 6 Enter 1 to upgrade the component that is installed on the server.
Note If only one component (IDS MC or Security Monitor) is currently installed on the server, and you want to install the other component on the same server, you should wait and install it using the 2.0 installer.
Step 7 If you are upgrading Security Monitor, you might need to enter the following postoffice setting information:
•Host ID
•Host name
•Organization ID
•Organization name
•Host IP address
Upgrade proceeds and the installation is completed.
During upgrade, a warning message is displayed if the /etc/system file is modified for tuning system parameters. You should reboot the system for the changes to the /etc/system file to take effect. If you do not reboot the system, IDS MC and Security Monitor may not work as expected.
You should enable and configure the syslogd service for IDS_Receiver to receive syslog events from remote hosts.
After the installation is completed, Daemon Manager starts.
Note Error messages or warning messages appear if the required and recommended Solaris patches are not present on your system. Before running Security Monitor and IDS MC, download and install the most recent recommended patches from http://www.sunsolve.sun.com.
If errors occurred during installation, check the installation log file: /var/tmp/ciscoinstall.log. Each installation appends to this file.
Upgrading to IDS MC 2.0 and Security Monitor 2.0
This section describes how to upgrade to IDS MC 2.0 and Security Monitor 2.0. If IDS MC and Security Monitor are installed on the same server, you must upgrade both. If only one component is currently installed on the server, you can optionally install the current version of the other component on the same server during the upgrade process.
To upgrade IDS MC, Security Monitor, or both from version 1.2.3 to 2.0, or to upgrade one component while installing the other, follow these steps:
Step 1 Log in as root.
Step 2 To run the installation program, enter:
# cd tempdir
# ./setup.sh
where tempdir is the location where you extracted the installation files.
The following message appears:
Press Enter to read/browse the following license agreement:
Step 3 Press Enter to read the license agreement.
The following message appears at the end of the license agreement:
You must accept this License agreement for the installation to proceed.
If you enter N/n, the installation will exit. Do you accept all the terms of the preceding License Agreement? (y/n) [y]
Step 4 To accept the terms of the license agreement and proceed with the installation, enter y.
Note If you do not accept the terms of the license agreement, enter n to stop the installation.
One of the following applies, depending on which components are currently installed on your server:
•If both IDS MC and Security Monitor are installed on your server, the installation application automatically upgrades both components. Skip to Step 8.
•If only IDS MC is installed on your server, the following message appears:
(1) IDS Management Center
(2) Both IDS Management Center and Security Monitor
•If only Security Monitor is installed on your server, the following message appears:
(1) Security Monitor
(2) Both IDS Management Center and Security Monitor
Step 5 Enter 1 to upgrade the component that is installed on the server or enter 2 to upgrade the component and to install the other component.
Note If only one component (IDS MC or Security Monitor) is currently installed on the server, and you want to install the other component on the same server, you should wait and install it using the 2.0 installer.
Step 6 If you are installing IDS Management Center while upgrading Security Monitor, enter the following details:
•Database password
•Database location
•Host IP address
Step 7 If you are installing Security Monitor while upgrading IDS MC, enter the following postoffice setting information:
•Host ID
•Host name
•Organization ID
•Organization name
•Host IP address
The installation proceeds.
Step 8 Verify that the upgrade was successful and reboot the system if required.
During installation, a warning message appears if the /etc/system file is modified for tuning system parameters. You should reboot the system for the changes to the /etc/system file to take effect. If you do not reboot the system, IDS MC and Security Monitor may not work as expected.
You should enable and configure the syslogd service for IDS_Receiver to receive syslog events from remote hosts.
After the installation is completed, Daemon Manager starts.
Note Error messages or warning messages appear if the required and recommended Solaris patches are not present on your system. Before running Security Monitor and IDS MC, download and install the most recent recommended patches from http://www.sunsolve.sun.com.
If errors occurred during installation, check the installation log file: /var/tmp/ciscoinstall.log. Each installation appends to this file.
Post-Upgrade Installation Note for IDS MC 2.0 and Security Monitor 2.0
This post-upgrade installation note applies when both of the following conditions are met:
1. You are upgrading IDS MC 1.2.3 to IDS MC 2.0 or you are upgrading Security Monitor 1.2.3 to Security Monitor 2.0.
Note This condition does not apply if you are performing a new (also called "clean") installation rather than an upgrade installation.
2. You are using Cisco Secure Access Control Server (ACS) to define user accounts.
To ensure a proper upgrade installation after installing IDS MC 2.0 or Security Monitor 2.0, follow these steps:
Step 1 If you upgraded IDS MC, select and delete the Help Desk command set for IDS MC from the Shared Profile Components page of ACS.
Step 2 If you installed Security Monitor, select and delete the Help Desk command set for Security Monitor from the Shared Profile Components page of ACS.
Step 3 If you installed IDS MC, register IDS MC on the CiscoWorks server at VPN/Security Management Solution > Administration > Configuration > AAA Server.
Step 4 If you installed Security Monitor, register Security Monitor on the CiscoWorks server at VPN/Security Management Solution > Administration > Configuration > AAA Server.
Uninstalling IDS MC and Security Monitor
This section describes how to uninstall IDS MC and Security Monitor on Solaris. You can uninstall either IDS MC or Security Monitor, or you can uninstall both. Use the uninstall script to remove IDS MC and Security Monitor files and settings.
Caution You must use the uninstall script to remove the product. If you try to remove IDS MC or Security Monitor or any of their components manually, you may damage your system.
To uninstall IDS MC and/or Security Monitor, follow these steps:
Step 1 As root, enter the following commands to start the uninstall script:
# cd /
# /opt/CSCOpx/bin/uninstall.sh
/opt/CSCOpx is the default installation directory. If you specified a different directory when you installed CiscoWorks Common Services, use that directory.
A list of components similar to the following appears:
1) IDS Management Center
2) CiscoWorks Common Services
3) IDS MC/Security Monitor Common Framework
4) Security Monitor
5) All of the above
Enter the number corresponding to the uninstall option you require or press q to quit. You can select more than one component; if you do, use commas to separate the numbers corresponding to the components.
The uninstall script lets you confirm whether you want to uninstall each selected component.
Step 2 Enter y to confirm the uninstallation of the selected component or components.
Note The /etc directory contains all system file changes. The uninstall messages are written to the /var/tmp/ciscouninstall.log file.
After uninstallation is complete, the following message appears:
All files were deleted successfully.
Client System Requirements
You can access all product features from a client that fulfills the hardware, software, and browser requirements. Table 0-7 shows client hardware and software requirements.
Known and Resolved Problems
Table 8 describes problems known to exist in this release of IDS MC; Table 9 describes problems resolved since the last release of IDS MC.
Table 10 describes problems known to exist in this release of Security Monitor; Table 11 describes problems resolved since the last release of Security Monitor.
Note To obtain more information about known problems, access the Cisco Software Bug Toolkit at http://www.cisco.com/cgi-bin/Support/Bugtool/home.pl. (You will be prompted to log in to Cisco.com.)
Table 8 Known Problems in Management Center for IDS Sensors, Release 2.0
Bug ID Summary ExplanationCSCeb16875
Integration with IDS MC does not work when HTTPS is on
By default in v.3.1, ACS can accept both HTTP and HTTPS connections for administration. The VMS MCs can only register with ACS using HTTP. In v.3.1 this is not a problem. In v.3.2, however, ACS will only accept HTTPS by default to ensure a higher security status by default. This will cause IDS MC registration to fail if no further action is taken.
When registering a VMS IDS MC with ACS v.3.2, turn on HTTP communications prior to registering the IDS MC. After the IDS MC is registered, turn off HTTP acceptance. The proper fix is to have the VMS MC communicate with ACS using HTTPS during registration.
CSCeb30898
Transport Layer Security (TLS) does not check if signing keys are authorized for signing
Refer to Explanation of CSCeb30898.
CSCin03858
Install: Temporary directory not cleared after install is over
After installing IDS MC/Security Monitor, temporary installation files are left on the machine.
To fix, check the directory that the TEMP environment variable is set to. Remove any temporary files/directories that are not needed.
CSCeb21533
IP address not discovered right when multi NIC present on server
When installing IDS MC or Security Monitor on a computer with multiple network interface cards (NICs), the install program does not let the user select which NIC address to use. The install program uses the "first" NIC found.
To work around this problem:
1. Stop the CiscoWorks Daemon manager.
2. Edit the following file, found in the installation directory: \CSCOpx\MDC\etc\ids\xml\SystemConfig.xml.
Find the HostIP line and change the IP address to the correct one.
3. If IDS MC is installed, copy the edited file to <install dir>\CSCOpx\MDC\Tomcat\vms\ids-config\web-inf\classes\com\cisco\nm\mdc\ids\common\SystemConfig.xml.
If Security Monitor is installed, copy the edited file to <install dir>\CSCOpx\MDC\Tomcat\vms\ids-monitor\webinf\classes\com\cisco\nm\mdc\ids\common\SystemConfig.xml.
4. Restart the CiscoWorks Daemon Manager.
If IDS MC is installed and you've configured any 3.x sensors, you must update the IP address of the Remote Host (Configuration > Settings > Communications > Remote Hosts) for each sensor, then generate and deploy the updates.
If IDS MC is installed and you've configured any 4.x sensors, you must update the IP address of the Allowed Host (Configuration > Settings > Communications > Allowed Hosts) for each sensor, then generate and deploy the updates.
If Security Monitor is installed, you must update the IP address of the Server Postoffice Settings (Admin > System Configuration > PostOffice Settings > Server IP Address).
CSCin43277
Unable to register idscom with ACS for Solaris
During registration of IDS MC and Security Monitor with ACS, the registration screen will also display the Common Framework for IDS MC & Security Monitor package (idscom). This package should not be registered with ACS. If you select idscom to be registered with ACS, you will see an error message and the idscom package will not register with ACS.
To work around this problem, do not select the idscom package for registration with ACS.
CSCsa05905
Check for sufficient disk space before starting database compact
The database compact utility does not check for sufficient disk space prior to compacting the database. If sufficient disk space is not available, the database compact utility stops when it runs out of space and leaves the database in a corrupt state.
This issue is seen on both Solaris and Windows.
To work around this problem, verify that there is adequate disk space before compacting the database.
Determining how much free disk space is required when compacting the database cannot be done with certainty, but a good approximation can be achieved by planning for twice the space occupied by the database prior to compaction.
CSCsa17075
Netscape browser crashes frequently
Netscape occasionally fails while using the Object Selector and other Java components in IDS MC. For example, failure might occur when you select a device in the Object Selector or click the Object Selector handle.
To avoid this problem, use Internet Explorer. If you cannot use Internet Explorer, restarting Netscape is likely to work around this problem.
CSCsa17101
IDS MC allows duplicate IP addresses
It is possible to enter the same IP address and netmask for certain configuration settings in IDS MC, such as the Never Block Addresses setting. IDS MC does not report this as an error and ignores the duplicate IP address and netmask entry.
IDS MC handles this condition without error, so no workaround is needed.
CSCsa22185
Deploy fails for IOSIPS when all signatures selected
If you deploy all signatures for an IOS IPS device that was added using the default settings or imported into IDS MC without built-in signatures loaded in the device, the deployment will fail because IDS MC sends all the signatures to the device and the device doesn't have sufficient memory to handle the signatures.
To work around this issue, select a reduced set of signatures to be deployed and then deploy.
If an IOS IPS device is added with default settings or imported into IDS MC without built-in signatures loaded in the device, IDS MC adds all default signatures (as understood by IDS MC). If the user has added the device with default settings, a reduced set of signatures must be deployed to the sensor for deployment to be successful.
To enable and load built-in signatures in the device:
a) Execute "ip ips sdf built-in" command in the device.
b) Create an IPS rule and apply the rule over an interface.
This will cause the device built-in signatures to be enabled and loaded in the device.
CSCsa25297
Error while accessing the Signature page for IDSM 3.x device
IDS MC will not be able to edit IDSM signatures if the user chooses the link "IDS 3.x" from the content area. This problem applies to IDSM devices, not to IDSM2 devices.
This occurs when the following conditions are met:
1. Add any IDSM device to IDS MC.
2. From the TOC, select Configuration > Settings > Signatures.
3. Click on the link 'IDS 3.x' in the content area (Not the 'IDS 3.x' link in the TOC item).
To work around this issue, use the "IDS 3.x" link from the TOC area to edit the IDSM signatures.
CSCsa33357
Install/Upgrade preserves 1.2.3 database rules in 2.0
Upon upgrade from version 1.2.x to 2.0 of IDS MC/Security Monitor, any user written database pruning scripts may not be deleted. The install/upgrade program does not know if the database rule scripts are pruning related or not and only deletes scripts that start with "Prune" in the name. Database pruning has changed in version 2.0 and does not require pruning scripts.
This issue occurs when upgrading between version 1.2.x and 2.0 on either the Windows or Solaris platform.
To work around this issue, delete any custom pruning scripts that you have defined after upgrading to Security Monitor 2.0.
The following default pruning scripts shipped with versions 1.2.x:
•PruneByAge.pl
•PruneByDate.pl
•PruneBySeverity.pl
•PruneDefault.pl
•PruneMarkedForDeletion.pl
•PruneSpecifyCmdLine.pl
During the 2.0 upgrade, these default scripts are deleted. In 2.0, a maximum number of events are retained. Once this value is reached, as new records are added, the oldest records are deleted. This algorithm reduces the system impact of pruning.
If you have defined custom pruning scripts, you must manually delete the scripts as they are no longer valid in this release. The upgrade program attempts to delete any script that contains the word "Prune" in the name.
CSCsa33394
Link status severity not deployed properly
Link Status severity for IDS 3.x sensors does not deploy to the Sensor
Changes made to LinkStatus Severity are not deployed to the Sensor. This value appears as "Info" while reimporting the Sensor.
There is no work around. You cannot manage Link Status Severity using IDS MC.
CSCsa34160
Batch Add should handle the special characters in the XML file
If the element or attribute values used in the input XML file for Multiple device add contains reserved XML characters, such as '&', '<' and '>', the IDS MC fails to parse the input file correctly and the Multiple device add operation fails.
To work around this issue, ensure the XML input file is well formed. Reserved XML characters can be represented using entity references. For example:
Symbol = Entity
less than = &lt;
greater than = &gt;
ampersand = &amp;
apostrophe = &apos;
quotation mark = &quot;
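As an added example (not from the release notes or the IDS MC product), the Go program below builds a batch-add style input file two ways and parses both with a strict XML parser: the hand-concatenated file, which fails on the reserved characters listed above, and the one serialised by encoding/xml, which escapes them as entity references. The devices/device element and attribute names are assumptions, not the IDS MC schema, and the device entries are constructed.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
)

// Device is one entry of a hypothetical batch-add input file. The element and
// attribute names are assumptions for this example, not the IDS MC schema.
type Device struct {
	XMLName     xml.Name `xml:"device"`
	Name        string   `xml:"name,attr"`
	IP          string   `xml:"ip"`
	Description string   `xml:"description"`
}

// BatchAdd is the document root wrapping the device list.
type BatchAdd struct {
	XMLName xml.Name `xml:"devices"`
	Devices []Device `xml:"device"`
}

// sampleDevices returns constructed entries whose free-text fields contain
// the reserved characters the release note lists.
func sampleDevices() []Device {
	return []Device{
		{Name: "sensor1", IP: "10.0.0.1", Description: "R&D lab <primary>"},
		{Name: "sensor2", IP: "10.0.0.2", Description: `DMZ "edge" sensor, owner's desk`},
	}
}

// naiveFile builds the file by string concatenation, writing field values
// through unchanged; this is the malformed input the bug report describes.
func naiveFile(devices []Device) []byte {
	var b bytes.Buffer
	b.WriteString("<devices>\n")
	for _, d := range devices {
		fmt.Fprintf(&b, "  <device name=\"%s\"><ip>%s</ip><description>%s</description></device>\n",
			d.Name, d.IP, d.Description)
	}
	b.WriteString("</devices>\n")
	return b.Bytes()
}

// escapedFile lets encoding/xml serialise the same data; it replaces reserved
// characters in text and attribute values with entity references.
func escapedFile(devices []Device) ([]byte, error) {
	return xml.MarshalIndent(BatchAdd{Devices: devices}, "", "  ")
}

// escapeValue is the single-value equivalent for files assembled by hand.
func escapeValue(s string) string {
	var b bytes.Buffer
	xml.EscapeText(&b, []byte(s)) // writes &lt; &gt; &amp; &#34; &#39;; cannot fail on a bytes.Buffer
	return b.String()
}

// parseFile stands in for the importer: a strict parse of the whole document.
func parseFile(data []byte) (*BatchAdd, error) {
	var doc BatchAdd
	if err := xml.Unmarshal(data, &doc); err != nil {
		return nil, err
	}
	return &doc, nil
}

func main() {
	devices := sampleDevices()
	_, err := parseFile(naiveFile(devices))
	fmt.Println("unescaped file:", err)
	data, err := escapedFile(devices)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s\n", data)
	doc, err := parseFile(data)
	if err != nil {
		panic(err)
	}
	fmt.Println("escaped file round-trips", len(doc.Devices), "devices; first description:", doc.Devices[0].Description)
}
```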
CSCsa34330
Group level Custom sigs should not be allowed to delete at device level
If you create a Custom signature at a group/global level and then select a sensor and navigate to the list of custom signatures, the custom signature that was created is visible in the list. If you then select the custom signature and delete it, it appears to be deleted. However, you should not be able to delete a custom signature created at a different level.
To work around this issue, navigate away from the page and then return to it to see that the custom signature is still in the list as it was not deleted.
CSCsa34740
IOS IPS devices could not be managed using SSH keys
IDS MC uses Secure Shell (SSH) for communication with the IOS IPS device to manage the IOS IPS configurations. The current release supports SSH communications only via username/password based authentication. Using SSH keys for the SSH communication between IDS MC and IOS IPS device is not supported in the current release.
To work around this issue, use the SSH username and password for SSH communication between an IOS IPS device and IDS MC.
CSCsa34760
Upgrade from 1.2.3 -> 2.0 fails, when lower version of 3.x sensor is added
IDS MC does not launch after you upgrade from IDS MC 1.2.3 to IDS MC 2.0.
For information on valid upgrade paths, refer to Installation Notes.
To work around this issue, ensure that all the sensors that you are configuring or monitoring are running the most recent versions of 3.0 or 4.0 before you upgrade to IDS MC 2.0 and Security Monitor 2.0.
CSCsa35394
Movement of devices permitted between sbgroups without regard to ACS Network Device Groups
Sensors cannot be moved between subgroups when ACS is used: the device-level authorization credentials do not follow the sensor when it is moved to another group.
This occurs when the CiscoWorks desktop is integrated with CiscoSecure ACS (TACACS+) and IDS MC is registered in the VMS AAA server configuration.
To work around this issue, edit the sensor permissions in ACS after moving the sensor to another group.
CSCsa36365
IOSIPS: Traversing to Reassembly page creates pending changes
Traversing to Reassembly page creates pending changes in the following scenarios:
1. Import a device without configuring virtual-reassembly for all the available interfaces. In this case, the Reassembly page will try to populate the screen with default reassembly settings for all the available interfaces.
2. Import a device without configuring virtual-reassembly for some of the interfaces. In this case, the Reassembly page will try to populate the screen with default reassembly settings for those interfaces that are not configured with reassembly options.
3. Add a default device, select Query Interface on the IOS IPS Rules screen and then select the IOS Reassembly page. Now, the Reassembly page will try to populate the screen with default reassembly settings for all the interfaces that are obtained from the devices.
To work around this issue, configure any imported IOS IPS device with the virtual-reassembly for all of its available interfaces. In this configuration, pending changes will not be created when you traverse to IOS IPS Reassembly Options page.
CSCsa37054
ConfigDiff runs again if clicked on icon bar buttons.
When you click an icon button, the system tries to retain the previously accessed navigational screen after completing the icon button's action. For example, if you click the Save button after you launch "Compare Current Configuration with any other configuration," the system tries to retain the previously accessed navigational screen (in this case "Compare Current Configuration with any other configuration" link).
No work around exists for this issue.
CSCsa39512
Error message when sensor busy should be to try again.
While deploying a configuration, the user encounters the following message:
"Error while pushing files to the sensor java.lang.Exception: An exception occurred during deploy, detail=An error occurred while trying to get the configuration file AnalysisEngine from the sensor. err=(RDEP Error, msg = Command not valid or not supported)"
This issue occurs when you deploy two times to the same sensor without allowing enough time to elapse between deployments.
You can avoid this state by waiting several minutes between deployments to the same sensor.
CSCsa39957
Cannot Import an IOS-IPS Router with Existing Certificate
When, after reinstalling VMS, you attempt to import an IOS-IPS router into IDS MC, an error message stating that the "certificate already exists on this device" is displayed and the import fails because of an I/O write error.
The device's TLS certificate does not match the certificate used by the IDS MC server. This state can occur when VMS is uninstalled and then reinstalled, and the user attempts to re-import an IOS-IPS router that was previously managed using a certificate. The reinstalled IDS MC server cannot import the device until the expired certificate is manually removed. You can remove the expired certificates from the CLI of the router.
Two workarounds exist:
1. Remove the existing certificate on the IOS IPS device and then re-import the device into IDS MC.
2. Add this device to IDS MC as a default device, and then update the device's crypto configuration using the new TLS certificate from Admin > Update IOS IPS Crypto Configuration and then re-import the device.
CSCsa14057
Disabled signatures have inconsistency in severity
If you import the configuration for an IDS 3.x sensor (appliance or module), "Device Name" is shown in the Prop Source field for disabled signatures. This prevents settings for the signatures from being inherited from a parent group unless those settings are set as Mandatory. As a side effect, the Config Diff tool shows differences for the disabled signatures of IDS 3.x sensors.
To work around this problem, manually add IDS 3.x sensors using default settings instead of importing the sensor.
CSCsa24462
Unable to override the ACL signature settings at subgroup/device level
Overriding the ACL, String, TCP Connection, and UDP Connection signature settings is not reflected after the changes are applied.
Even after overriding the settings, the signature page shows only the values configured at the group level.
It seems the Global level is set to mandatory and the mandatory setting cannot be cleared.
This issue is only a problem with 3.x sensors not 4.x sensors.
To work around this issue, create the Custom, ACL, TCP, UDP, String signatures at the device level to avoid the issues from creating these type of signatures for 3.x sensors at the Global level.
CSCsa31395
Pending changes not preserved after upgrade from 1.2.3 to 2.0
Pending changes are not preserved after upgrading from IDS MC 1.2.3 to IDS MC 2.0.
To work around this issue, save all changes and back up system before upgrading.
CSCsa39734
License updated - IDS MC permits import fails to deploy or sigupdate
IDS MC fails to import and deploy devices after updating the system with a valid license file.
To work around this issue, stop and start the daemons after updating the license. Open a command window and enter the following commands:
pdcmd -K
pdcmd -S
Proceed to import and deploy devices as was done before license expiration.
CSCdx09624
Uninstall should cleanup
When IDS MC or Security Monitor is uninstalled, a directory, and possibly some files, are not removed.
To work around this issue, after uninstalling IDS MC or Security Monitor, change directory to the directory pointed to by the TEMP environment variable. Then delete the subdirectory deploy and any files in the subdirectory.
CSCdy68738
IDS Processes not releasing Semaphores
The IDS MC processes do not release semaphores and shared memory when the Daemon Manager is stopped. This may cause problems when the IDS MC processes are restarted.
To work around this issue, you can remove the stray semaphores and shared memory by executing the cleanup routine (/opt/CSCOpx/MDC/bin/ids/rsema.sh) after stopping the daemons. Optionally, you can download and install a patch (cmf2.2-sol-CSCin437221.tar.Z) that executes the cleanup routine when the Daemon Manager is stopped.
CSCin28793
IDS MC does not recognize IDS3.x when sensor prompt changed.
The IDS MC does not recognize IDS3.x when the sensor prompt is changed.
When the IDS 3.x sensor prompt does not contain the "greater than" symbol (>), IDS MC cannot recognize the sensor type. IDS MC appears to search for the "greater than" symbol when it opens a telnet connection to the sensor. If the symbol is found, it assumes the sensor is IDS 3.x; if not, it tries to execute other commands applicable to IDS 4.x and IDSM. Because IDS 3.x reports an error for these commands, Import/Deploy aborts.
There is no work around.
CSCin32177
Import fails to bring filter if it contains SystemVariables on it
Import fails to bring filter if it contains System Variables on it.
There is no work around.
CSCin35233
Max Entries should be taken care in IDS MC
The maximum entries of PIX devices allowed at the 4.x sensor is 10. When the user adds more than 10 PIX devices at the IDS MC and deploys, the deployment fails with the error message:
sensor6.OrganizationName - CliMap.set caught: CLI Error: "pix-devices ip-address X.X.X.Y Error: Array contains max entries, could not add new entry
To work around this issue, do not enter more than 10 devices.
CSCin05675
Install: Temp environment variable not read properly.
After installing IDS MC/Security Monitor, temporary installation files are left on the machine.
If the TEMP environment variable is not in the DOS 8.3 file name format, the temp directory is incorrectly created.
To fix, check whether the TEMP environment variable is in DOS 8.3 file name format. If not, check at each directory level for leftover directories and files.
If the TEMP environment variable is c:\1\2\3, check c:\1 for leftover files, then c:\1\2, then c:\1\2\3.
CSCin21186
NSDB notes have to be preserved after reinstall
The Network Security Database (NSDB) notes files are not preserved after reinstall. The notes files should be preserved in reinstall.
CSCin34497
Problems with the filtering on the sensorname for Reports
When selecting a device for a Config Import Report via the report filter, records for other devices may be included in the report body along with the selected device.
In order to see the problem, the selected device name must be a substring of the name of another device which is managed by the application.
There are no known workarounds.
When generating a report, each record's text is searched for a match on the device name selected via the report filter. When one device name happens to be a substring of another device in the system, a positive match will occur when records for the other device are encountered.
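The defect above is a substring-match bug. As an added example, not code from the product, the Go program below runs a substring filter and an exact-match filter over a few constructed report rows and lists which device names collide, so an administrator can tell in advance which reports are affected; the row layout is hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// record is one row of a hypothetical Config Import report: the device the
// row belongs to and its free-text body. The rows below are constructed.
type record struct {
	Device string
	Text   string
}

var sampleRecords = []record{
	{"sensor1", "Config import from sensor1 completed"},
	{"sensor10", "Config import from sensor10 completed"},
	{"sensor1-backup", "Config import from sensor1-backup failed"},
	{"edge", "Config import from edge completed"},
}

// filterBySubstring reproduces the defect: a row is selected whenever the
// chosen device name occurs anywhere in its text.
func filterBySubstring(recs []record, device string) []record {
	var out []record
	for _, r := range recs {
		if strings.Contains(r.Text, device) {
			out = append(out, r)
		}
	}
	return out
}

// filterExact selects on the device field itself, so only that device's rows appear.
func filterExact(recs []record, device string) []record {
	var out []record
	for _, r := range recs {
		if r.Device == device {
			out = append(out, r)
		}
	}
	return out
}

// collidingNames lists, for each managed device name, the other names that
// contain it as a substring: exactly the reports an administrator should
// expect to include foreign rows while the defect is present.
func collidingNames(names []string) map[string][]string {
	out := make(map[string][]string, len(names))
	for _, a := range names {
		for _, b := range names {
			if a != b && strings.Contains(b, a) {
				out[a] = append(out[a], b)
			}
		}
	}
	return out
}

func main() {
	fmt.Println("substring filter:", len(filterBySubstring(sampleRecords, "sensor1")), "rows")
	fmt.Println("exact filter:    ", len(filterExact(sampleRecords, "sensor1")), "rows")
	names := []string{"sensor1", "sensor10", "sensor1-backup", "edge"}
	for name, hits := range collidingNames(names) {
		fmt.Printf("reports for %q will also include rows for %v\n", name, hits)
	}
}
```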
CSCin47088
Tomcat Consumes System Resources After Database Restore
After restoring a backed-up database and restarting the daemons, Tomcat may consume the system resources. This problem is not as bad in later versions of IDS MC.
CSCin24622
Notification not sent when deploying more than 200 sensors
Notification not sent when deploying more than 200 sensors. When deployment to 300 sensors was done, notification was received, but the notification did not contain the deploy details of all the 300 sensors. It contained the details of only 136 sensors. The last line of the notification is incomplete and shows 'success'.
CSCdy10799
When clicking on the IDS MC link it spawns multiple windows
This problem occurs when using Common Services with the appropriate IDS MC with PIX MC, AUS, and Router MC with Internet Explorer version 6.0.
When clicking on the IDS MC link, one is able to spawn multiple browser windows. Multiple windows can easily cause a conflict of trying to synchronize multiple changes in multiple windows.
CSCin14528
Multiple PuTTY Secure Copy clients (PSCP) existence problem
If I have an older version of PSCP on the machine on which IDS MC is installed and it is in the PATH, IDS MC uses that PSCP instead of the PSCP installed by IDS MC. This causes the IDS MC import/deploy to fail. IDS MC should use the PSCP and Plink installed by IDS MC.
CSCsa41023
Admin user is not allowed to delete jobs.
When deleting deploy job(s), user may get an error message stating "null"; the deploy job(s) are not deleted.
If the user deletes a sensor before deleting a deploy job that the sensor was a part of, the user will not be able to delete the deploy job.
To work around this problem, the user must delete any deploy jobs that the sensor is a part of before deleting the sensor.
CSCeb06855
Cannot back out a signature update
If a bad signature update is installed it cannot be backed out. This problem has only appeared once, and was caused by two packages of the same name being placed on CCO. The first package was in error, and a replacement with the same name was placed on CCO and this caused confusion and problems.
The procedures have been changed so that a package can't be placed on CCO with the same name so this should remove the confusion.
To fix this problem, update the sensor(s) with the next signature update package available. Since the package was in error, this package is usually available within a day or so to correct the previous bad package. Once this new update is applied the problem should no longer exist. Even though the bad package is still installed within the IDS MC if there are no sensors at that version this doesn't present any problems for the IDS MC.
CSCsa34579
Protocol param value is not set for FLOOD.NET engine signatures (IDS3x)
When tuning a 3.x FLOOD.NET signature engine at either the global/group/sensor level the required Protocol parameter does not have a default value.
This defect only affects 3.x signatures w/ the FLOOD.NET engine.
To work around this problem, select one or more Protocol values from the provided list when tuning a 3.x FLOOD.NET signature engine prior to saving your tunings to avoid getting an error that the required Protocol parameter must have a value specified.
CSCsa41932
Upgraded IDS MC does not load signatures of 3.x devices
This occurs when upgrading from IDS MC 1.2.3 to IDS MC 2.0 with IDS 3.x sensors configured in it.
The sensors have no signatures after the upgrade.
This only occurs if you are using old versions of the signature updates.
To work around this problem, make sure you are running the latest signature update for IDS 3.x before upgrading.
CSCdz11633
Change in computer name and/or IP address needs re-install
A change in computer name after installing all MC related applications forces a reboot; after the restart, all other applications work fine except for IDS MC and Security Monitor.
CSCin21355
INSTALL: uninstalling application should remove data from database
Data from a previous installation may appear when either IDS MC or Security Monitor are reinstalled on the server.
When IDS MC and Security Monitor are installed on the same server, they share a common database. When only one of the two applications is uninstalled, the data for that application remains in the database. This causes data that may have been entered in a previous installation to appear in the application when it is reinstalled.
To work around this problem, delete all device configuration information from the application before uninstalling the application.
CSCin45548
Import/Deploy using keys will not work for IDSM3.0(5)
IDS MC will not be able to communicate with IDSM using keys with versions less than 3.0(6). Users need to move to IDSM service pack version IDSM3.0(6) if they want the IDS MC to manage IDSM using keys.
CSCin50426
IDS MC cannot manage IDSM3.x using keys.
Public key communication with IDSM3.0(6)S42 will not work if the user changes the password of the IDSM after adding the IDS MC's public key.
CSCsa27120
NSDB not updated when signature version is imported from sensor
IDS MC allows you to import a 4.x sensor even without applying a corresponding signature update to IDS MC. However, Network Security Database (NSDB) files are not updated in this case.
NSDB is updated only when the corresponding signature update is installed on the IDS MC side.
To work around this problem, install the corresponding signature update at IDS MC to fix the problem.
CSCsa39786
Approver not allowed to approve configuration
If the "Enable manual configuration file change approval" option on the Admin page is enabled and a configuration is generated thereafter, a user with Approver privilege is not able to approve the configuration.
To work around this issue, use an account with Admin privilege, which is able to approve the configuration.
If a user with Approver privilege tries to approve the configuration, the operation fails with the following error message:
"You do not have deploy privileges for sensor <sensor-name>"
CSCsa42422
If restore fails, IDS MC/Security Monitor can become unusable
If database restore of IDS MC or Security Monitor fails for any reason, they become unusable.
The restore failure may be due to an invalid database file, insufficient permissions on the database file, and so on. Sometimes, when restore fails, the database that existed before the restore is not copied back to the database directory, rendering IDS MC/Security Monitor unusable.
To work around this issue, follow these steps:
1. Stop the CiscoWorks Daemon Manager.
2. If idsmdc.db.tmp & idsmdc.log.tmp files are present in database directory, replace the existing idsmdc.db & idsmdc.log files with these tmp files.
3. Restart the CiscoWorks Daemon Manager.
CSCsa43336
IDSMC/SecMon become unusable, if restore fails after password change
IDS MC and Security Monitor become unusable if database restore fails after password change.
This problem occurs when the following conditions are met:
1. Assume the backed-up database has the password Passwd1.
2. Assume the current database has the password Passwd2.
3. Attempt a database restore when the backed-up database is corrupt.
4. CiscoWorks reports that the restore operation failed and that the current database files can be found as .tmp files in the database directory.
5. Restoring the .tmp files to their original names does not work, because IDS MC tries to connect to the database using Passwd1 instead of the new password Passwd2.
There is no workaround.
CSCsa42793
Blocking Devices getting carried at Global on 1.2.3 to 2.0 Upgrade
After upgrading to IDS MC 2.0, the Blocking Devices for a device in IDS MC show the source as Global or another Group and you cannot edit or delete the blocking device shown with source as Group Name.
This problem occurs when IDS MC 1.2.3 with a Blocking Device configured at the Group level is upgraded to 2.0. The blocking device configured at the Group level is inherited by all devices in that group.
Since configuring Blocking Devices is not supported at the group level from IDS MC 2.0, the ones showing any group as parent cannot be edited or deleted.
If Blocking Device was configured at Global group during 1.2.3, there is no workaround. Otherwise, to work around this issue, move all devices under such group to a new group. The group that has Blocking Device configuration should be deleted from IDS MC.
CSCsa21972
Install should check whether TFTP is enabled in vms server
Import of an IOSIPS device fails.
During installation of IDS MC, the installer does not check whether a TFTP server is enabled on the server.
If the import of an IOS IPS device fails, verify whether the TFTP server is running. If it is not running, start it manually and re-import the device.
CSCsa43631
Custom Signature - Name not getting deployed
Custom signature name is removed after reimport.
This problem occurs when the following conditions are met:
•A custom signature is created with a given signature name.
•The sensor is removed from the IDS MC and re-imported.
•The custom signature is imported but has the name of the Signature Micro Engine.
No workaround exists.
CSCeg43075
Database upgrade on Solaris does not upgrade evError messages
After upgrading from either IDSMC 1.2.3 or Security Monitor 1.2.3 to version 2.0 of either product, the evError messages in the 1.2.3 audit log are not visible in the 2.0 database. The following parse errors appear in the upgrade log:
Updating evError messages.
could not find open parenthese
Could not find: evError
could not find open parenthese
The evError messages are temporal messages from network IDS devices that reflect current conditions on the device at the time that the message is generated.
This problem occurs when upgrading any installation of IDSMC version 1.2.3 and/or Security Monitor version 1.2.3 (from the VMS 2.2 bundle) to version 2.0 of the same components.
No workaround exists. The result of this problem is that historical logs are lost and the parse error messages are recorded. This problem does not hinder future system operation after the upgrade; the system itself operates correctly.
Explanation of CSCeb30898
An attacker can create a Transport Layer Security (TLS) host certificate and sign it with a certificate that is not authorized for signing if the attacker is in possession of the certificate and its associated private key.
Conditions:
The victim is running IDS sensor software 4.1(1). The fix for a connectivity problem, CSCeb30820, exposed this vulnerability. It was decided that the vulnerability's severity is low enough that the connectivity issue was of greater importance.
Workaround:
None.
Further problem description:
The IDS software TLS client processes X.509 certificates without checking if the certificate is authorized for signing. This was not an issue until CSCeb30820 changed the maxCertificateChainDepth to 2. (In IDS software versions 4.0[1] and 4.0[2], it had been 1.)
Suppose a sensor "S" trusts a TLS server "A". An attacker is able to compromise "A" and gain access to its certificate and private key. The attacker creates a new certificate "V" that is signed by "A". Now the attacker sets up an attack server, and configures it to return the certificate chain ("V", "A").
Finally, the attacker tricks "S" into visiting "V". "S" connects to "V" without complaint, because "V" is signed by "A", and "S" trusts "A".
The IDS sensor ships with no predefined trusted root CAs, so there is no single certificate "A" that an attacker can exploit. This attack will therefore require that the attacker be able to compromise "A" and trick "S".
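To make the chain-validation gap concrete, here is an added Go example (not Cisco's code) that builds the actors above with generated keys: "A" is a self-signed, non-CA TLS server certificate that the sensor trusts directly, and "V" is signed with A's key. The signature-only check models what the page describes for 4.1(1) and accepts the chain (V, A); the stricter check rejects it because A carries neither basicConstraints cA=TRUE nor keyCertSign authority.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type actor struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCert issues a certificate for cn: self-signed when parent is nil, else signed with parent's key (CA or not).
func newCert(serial int64, cn string, isCA bool, parent *actor) (*actor, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, // extension present; cA asserted only for CAs
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &actor{cert: cert, key: key}, nil
}

// buildScenario constructs the page's actors: "A", a plain self-signed TLS server certificate
// that sensor "S" trusts directly, and "V", which the attacker signed with A's stolen key.
func buildScenario() (a, v *actor, err error) {
	if a, err = newCert(1, "A (trusted TLS server)", false, nil); err != nil {
		return nil, nil, err
	}
	if v, err = newCert(2, "V (attacker host)", false, a); err != nil {
		return nil, nil, err
	}
	return a, v, nil
}

// validateChain walks a peer-supplied chain (leaf first) up to the trust anchor.
// requireCA=false checks signatures only, the 4.1(1) behaviour the page describes, so
// (V, A) passes; requireCA=true also demands basicConstraints cA=TRUE and, when keyUsage
// is present, keyCertSign on every signer (RFC 5280, sections 4.2.1.3 and 4.2.1.9).
func validateChain(chain []*x509.Certificate, anchor *x509.Certificate, requireCA bool) error {
	for i, c := range chain {
		if c.Equal(anchor) {
			return nil // reached a certificate S trusts explicitly
		}
		if i+1 == len(chain) {
			return fmt.Errorf("%q does not chain to the trust anchor", c.Subject.CommonName)
		}
		signer := chain[i+1]
		// CheckSignature verifies with the signer's key only; unlike CheckSignatureFrom it ignores CA constraints.
		if err := signer.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature); err != nil {
			return fmt.Errorf("bad signature on %q: %w", c.Subject.CommonName, err)
		}
		if requireCA && (!signer.BasicConstraintsValid || !signer.IsCA) {
			return fmt.Errorf("%q is not a CA, so it may not sign %q", signer.Subject.CommonName, c.Subject.CommonName)
		}
		if requireCA && signer.KeyUsage != 0 && signer.KeyUsage&x509.KeyUsageCertSign == 0 {
			return fmt.Errorf("%q lacks keyCertSign, so it may not sign %q", signer.Subject.CommonName, c.Subject.CommonName)
		}
	}
	return fmt.Errorf("empty certificate chain")
}

func main() {
	a, v, err := buildScenario()
	if err != nil {
		panic(err)
	}
	forged := []*x509.Certificate{v.cert, a.cert} // the chain the attack server returns
	fmt.Println("signature-only check:   ", validateChain(forged, a.cert, false))
	fmt.Println("authorized-signer check:", validateChain(forged, a.cert, true))
}
```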
Table 10 Known Problems in Monitoring Center for Security, Release 2.0
Bug ID Summary Explanation
CSCin62556
Rollback the database/Not allow the user to abort
If you abort the compact utility by pressing Ctrl+Break, the database might become corrupted.
This problem is seen in both Solaris and Windows.
To work around this problem, look for a backed-up copy of the database (named idsmdc.db.orig) in the location <install-dir>\MDC\Sybase\Db\IDS and retrieve it using these steps:
Stop the daemon manager.
1. Rename idsmdc.db and idsmdc.log in <install-dir>\MDC\Sybase\Db\IDS to idsmdc.db.old and idsmdc.log.old.
2. Copy idsmdc.db.orig to <install-dir>\MDC\Sybase\Db\IDS\idsmdc.db.
3. Copy idsmdc.log.orig to <install-dir>\MDC\Sybase\Db\IDS\idsmdc.log.
4. Start the daemon manager.
CSCsa05905
Check for sufficient disk space before starting database compact
The database compact utility does not check for sufficient disk space prior to compacting the database. If sufficient disk space is not available, the database compact utility stops when it runs out of space and leaves the database in a corrupt state.
This issue is seen on both Solaris and Windows.
To work around this problem, verify that there is adequate disk space before compacting the database.
Determining how much free disk space is required when compacting the database cannot be done with certainty, but a good approximation can be achieved by planning for twice the space occupied by the database prior to compaction.
CSCsa29827
Event Viewer problems due to Java Plug-in Cache
Accessing two different versions of the Event Viewer may cause one of them to fail to load because of residual applet information in the Java cache. The window of the Event Viewer that fails contains a red 'X' in the upper left-hand corner.
The problem is that the Java cache still contains older Event Viewer applet information.
To resolve the problem, clear out the Java cache and try to launch the Event Viewer again.
CSCsa31384
Redundant reports seen in Security Monitor UI after Upgrade from 1.2.3 to 2.0
After upgrading IDS MC/Security Monitor from version 1.2.x to 2.0, some MC specific reports that were run before the upgrade may now show up in the completed page of both IDS MC and Security Monitor. The user should be able to manually delete any reports he or she no longer wants.
To work around this problem, delete any completed report in Security Monitor that you no longer want.
CSCsa34441
Pruning-idsalarms with -z option has problems
If IdsAlarms is run with both the -f"filename" and -z options, an empty file named filename is created.
This happens whenever IdsAlarms is run with the -f"filename" and -z options together.
To work around this problem, delete the empty file.
CSCsa37419
Can not view IP log for forwarded events
When the user selects one or more events in Event Viewer and then runs the "View IP Log" menu function, a message is displayed that says "Viewing IP logs of forwarded events is not supported at this time."
This happens only when the user is attempting to run the "View IP Log" menu function from events that were forwarded from another Security Monitor (as opposed to directly from the sensor).
To work around this problem, go to the Security Monitor that is directly connected to the sensor, and run the "View IP Log" menu function there. The "View IP Log" feature is only supported on the Security Monitor that communicates directly with the sensor.
CSCsa38538
Core Dump generated by IDS pruning daemon.
A core dump file is found even though the system appears to be running fine. The core dump file is located in the directory /opt/CSCOpx/objects/dmgt.
The core dump file is created when the Daemon Manager shuts down. This occurs because the Daemon Manager does not wait for the Daemon to complete shutdown and continues shutting down items on which the Daemon depends.
You can ignore this core file.
CSCsa38560
Analyzer doesn't support CSAMC alarms
Event Rules cannot trigger on CSAMC events
A CSAMC device cannot be selected as an originating device in the trigger conditions of an Event Rule
There is no work around. Only NIDS events are analyzed for triggering event rule notifications.
CSCsa39150
Reports:Date/Time filter is not working properly
In Security Monitor, Network IDS Events appear to occur in the future or appear to have arrived in the past relative to when the network events actually occurred.
If time is not synchronized among sensors and the Security Monitor server, security events may appear to arrive in either the future or in the past.
To work around this problem, deploy the NTP time service or synchronize the network time by other means.
CSCsa39301
Eviewer:ALL column set consumes too much memory
The EvsServer.exe process consumes a lot of system memory.
This problem can occur when a user views a large number of events while the 'All' Column Set option is selected.
To work around this problem, do not select the 'All' Column Set option when viewing a large number of events. How many events count as large depends on the amount of RAM in the computer; more RAM raises the limit.
CSCsa39603
GUI accepts Database Rules with no trigger conditions.
Database Rules may be created without trigger conditions. No error message is displayed if the user creates a database rule without any trigger conditions.
There is no work around for this condition. Database rules that have no trigger conditions will never trigger. Any rule created without a trigger condition
CSCsa40296
Error while running graphical reports if Date/Time filter is disabled
A graph-based report fails to generate. This type of report can fail to generate when a report description is created using a report template that generates a graph and the Time/Date attribute filter is left disabled. The report description is then used to generate a report.
To work around this problem, you must specify a time range value when defining a graph-based report. Do not leave the Time/Date attribute filter disabled when creating a Report Definition for a graph-based report template.
CSCsa08415
Unable to edit the Add Note
In Security Monitor 2.0, you cannot edit a note associated with events. You can only create, view, and delete notes.
There is no work around.
CSCed47098
NSDB names not updated with Signature packages
Security Monitor consumes both the Network Security Database (NSDB) and the signature packages as data and does not resolve conflicts.
There is no work around.
CSCin16654
Event rule clause was not validated properly.
The only characters that users should add to the filter box are parentheses if clause grouping is unclear. Adding additional text or modifying the filter may cause unexpected behavior.
There is no work around.
CSCin41741
Socket error after restarting EvsServer
Stopping the EvsServer by using pdterm and restarting it immediately causes the EventViewer to not function correctly and generates a "Socket communication error".
When the EvsServer is terminated using pdterm, EvsServer tears down the connection, which leaves the Tomcat applet client's socket in the TIME_WAIT state. Solaris does not release the port number until tcp_time_wait_interval, 240000 ms (4 minutes), expires.
To work around this problem, wait for 5 minutes before restarting the daemon after stopping the EvsServer.
CSCsa34404
Pruning should validate Absolute Location for archiving
If you enter a relative path on the Prune Archive Location page (Admin -> System Configuration -> Prune Archive Location), the directory is created relative to the directory from which the Servlet Engine was started:
Windows: $NMSROOT/MDC/tomcat
Solaris: $NMSROOT/objects/dmgt
This happens whenever a relative path is entered on the Prune Archive Location page.
To work around this problem, enter a full, non-relative path to specify where the directory is created. The pruning utility will use the specified directory if it exists or create it if it can be created. You must be sure to enter only valid directory locations.
CSCsa34956
Security Monitor imports non-authorized devices from IDS MC (not defined in CS ACS)
Security Monitor does not implement role based access per device. There is no grouping/partitioning support using ACS Network Device Groups in Security Monitor and all sensors/devices will be imported from IDS MC into Security Monitor.
To work around this problem, delete the device configurations you do not want to monitor in Security Monitor after you import device configurations from IDS MC. You must manually handle grouping/partitioning your devices on each Security Monitor server.
Or, you can manually add each sensor/device configuration into Security Monitor instead of importing the configurations from IDS MC.
CSCsa36400
IP Log Archive Location should require full path
On the Admin > System Configuration > IP Log Archive Location page, you can enter relative path for the IP log archive location. If you use a relative path, it is unclear where the directory ends up being created.
To work around this problem, enter a fully specified path name in the IP Log Archive Location.
CSCsa37251
Pulling events from Security Monitor to Security Monitor should be in a single direction
Security Monitor does not force events to flow in only one direction between Security Monitor servers.
To work around this problem, take care when configuring the Security Monitor event server so that events cannot flow in a circle; that is, there must be no return path by which events sent from one server come back to that server.
CSCsa37490
Connection status was 'Connected TLS' even after stopping the Receiver
Connection status for RDEP/SDEE device or Cisco Security Agent Management Center (CSAMC) server does not update.
The IDS_Receiver daemon is stopped or no longer running. The connection status shown is the last known state, not the current state.
There is no work around. The connection status messages for devices that use pull protocols (RDEP/SDEE or CSAMC) are only updated when the receiver is running. If the IDS_Receiver process is not running, the status displayed may be incorrect.
CSCsa37605
Revoking permissions doesn't work
User attempting to log into Security Monitor sees the following error message: "You are not authorized for the screen..."
Role associated with user account does not have View permission.
To use the Security Monitor effectively, users must log in using an account with at least view capability.
CSCsa38733
After signature update, got error on viewing details
The user sees a database error message when that user selects the Pending Jobs page for Signature Updates, then selects a job, and then clicks Show Details.
This error occurs when a job is running while the page is initially displaying, but the job finishes before the user selects that job and clicks Show Details.
To work around this problem, refresh the Pending Jobs page before selecting Show Details to ensure that completed jobs do not appear in the table.
CSCsa07021
Database backup/restore across machines is not supported
A backup copy of the database from one particular server cannot be restored to a different server.
There is no work around. Separate backups must be made for each VPN/Security Management Solution server.
CSCea44060
Security Monitor cannot properly validate certificate for NATed sensors
Internally, code in the receiver does not supply all of the needed parameters to the TLS connection API to fully validate a certificate from a sensor in a NATed environment. This results in TLS warnings being generated for these connections.
CSCea93893
Time zone starts showing BST from 30 Mar03 instead of GMT
Reports generated with releases 1.1 and 1.2 display Greenwich Mean Time (GMT). Since then, all reports display British Summer Time (BST).
CSCeb13553
Apache errors if Security Monitor CSAMC device created w/o CSAMC
This defect is caused when a CSAMC device is added to the monitored device table before it has been installed. The work around is to install the CSAMC software before placing the device in the table. If the device has already been added, delete it and then install the CSAMC software and re-add it to the table.
CSCin45873
Event Viewer not able to parse source address for FragDBLimitExd in FWSM
Event Viewer cannot extract the source address from the following syslog message from the Firewall Service Module:
209003: Fragment database limit of 0 exceeded: src = 10.77.201.92, dest = 172.20.107.92, proto = icmp, id = 11788
Source address is shown as n/a in the Security Monitor Event Viewer if you open the following event type:
PIX Fragment DB Limit Exceeded.
This problem occurs for every instance of the FragDbLimitExd syslog message
There is no workaround.
CSCin46479
IDSImportArchivedData waits forever when trying to import alerts
The utility IdsImportArchivedData waits forever when trying to import alert data.
This problem occurs when some combination of daemons and utilities running leaves a database lock on the table storing the alert data. This lock prevents the data from being imported.
To work around this problem, refer to Workaround for CSCin46479.
CSCin47050
Event Rule doesn't trigger for NATed CSAMC if Originating Device selected
If a NATed address must be used to contact a CSAMC device, do not reference that device as the "Originating Device" in a clause of the event rule filter. Instead, use "Originating Device Address" and specify the local address (not the NATed address) of the CSAMC device.
The originating device in this context refers to the CS Agent residing on the same box as the CSAMC. Messages sent to Security Monitor through the CSAMC that did not come from the CS Agent on that box will not trigger the rule.
CSCsa40760
Upstream Security Monitor can not pull 500 events/sec.
In version 2.0, upstream (concentrating) Security Monitor(s) may appear to extract events more slowly than the user typically experiences for a given installation.
Though the upstream Security Monitor rate appears slow, the actual problem is that the downstream Security Monitor is too busy to simultaneously collect events at the given rate and serve them upstream.
Problem occurs in topologies using tiered Security Monitor installations where the leaf node security monitors are handling a high event flow.
If the (busy) leaf node Security Monitor is not using the throttle feature then the situation may be aggravated.
CSCsa40488
SM2.0:(SOL) EV takes some time to load the events (minimum 2 minutes)
The Event Viewer takes a very long time to load or update the events. When the event database contains a large number of events, measured in millions, there is noticeable degradation in the loading and updating of events in the Event Viewer.
To work around this problem, you must decrease the maximum number of events in the database. You can reduce the number of events in your database by launching Security Monitor, selecting Admin->Data Management->Database->Pruning Configuration, and reducing the maximum numbers associated with each event type. Deleting events from the system will not necessarily relieve the symptoms because the system will only prune the number of events back to the maximum number.
CSCsa14182
Database rules are not ignoring Trailing Spaces
When leading or trailing spaces are entered in input fields, the user may receive validation errors on those input fields.
To avoid validation errors caused by leading/trailing spaces, try entering input values without leading or trailing spaces.
CSCsa39950
Most of the daemons are not running after system reboot
When a Solaris system with VMS is rebooted, the VMS application is not started correctly.
In the daemons log file (/var/adm/CSCOpx/log/daemons.log), various applications log errors indicating database connection error. In addition, you are unable to access the VMS GUI.
This issue occurs when a Solaris system with a VMS install is rebooted or does not shutdown cleanly for some reason.
To work around this problem, manually stop and restart the VMS application using the following commands.
/etc/init.d/dmgtd stop
/etc/init.d/dmgtd start
This will clean up the problem caused by a reboot or bad shutdown and cause the daemons to come back up properly.
CSCsa41933
Unable to export/email the graphical report while generating the reports
Cannot export and email the graphical report.
You cannot export or email the graphical reports ('IDS Attacker Summary' or 'IDS Victim Summary') by selecting 'Run with options' while creating the report definition that is then used to generate the report.
To work around this issue, email the already generated Graphical reports by using the 'Email' button in 'Reports-->Completed' page. You can export the graphical reports by pressing the 'Export to' icon while viewing the report.
CSCsa40359
SDEE interaction with Security Monitor on event buffer rollover
The Security Monitor may stop reporting alerts from a Cisco IOS IPS device. This symptom is observed when the event buffer rolls over, that is, the event buffer goes beyond the configured number of maximum SDEE events.
To work around this issue, view the events via syslog or view the SDEE event buffer via the router console or a web browser.
CSCsa12013
Event Rules ${Query} keyword is incompatible with IdsAlarms in scripts
The IdsAlarms utility generates an error when these incompatibilities are encountered. The user output is either empty or otherwise undefined.
The ${Query} keyword is passed when Event Rules trigger into scripts so that the script can access the set of events that triggered the rule, and further parse the data in these events so that it can be passed to the user, usually in an email message.
The Event Rules subsystem (Analyzer) builds the appropriate query based on the (logical) view that it uses to access the database. However, the IdsAlarms utility used in the scripts to extract the event set uses the physical table structure to generate its output.
Because the two subsystems are using different views of the data, they are incompatible in certain instances.
This condition arises when the Event Rule uses a data field which is tied to a column that is accessed differently by the Analyzer and IdsAlarms.
No workaround exists.
CSCed19051
RDEP collector does not store last received data timestamp in DB
Any IDS sensor events recorded on the sensors while the IDS Security Monitor receiver process is not running are not retrieved from the sensor. If the receiver was running but was stopped (or failed), there will be a gap in the alarm data generated by the sensor.
Upon restart of the receiver, there is no option to query the sensors and retrieve alarms from the past.
This problem manifests itself in the Security Monitor audit log report, where messages indicating the successful start of the receiver process will indicate that event reception has been initiated. Any events generated on the sensor(s) prior to that time are not retrieved.
If the receiver process is stopped and restarted, then no events will be collected during the time that the receiver was not running.
No workaround exists.
CSCsa43618
SM SDEE Server failed to serve events to all clients when server is busy
When a Remote Security Monitor is under attack for a sustained period of time, it is possible for some events to be dropped before they are served upstream to another Security Monitor.
The situation occurs when the Remote Security Monitor device has received events at a relatively high sustained rate for a long period of time and it is very busy, possibly serving to more than one upstream Security Monitor.
To work around this problem, avoid the situation where a single Security Monitor is serving to more than one upstream SecMon. Also when serving events upstream, devices should be tuned to reduce the sustained flow of events to the serving Security Monitor.
CSCsa43623
SecMon Xvfb Server not running after CMF SP3 install
Using graphical reports in Security Monitor displays an error similar to the following:
Error: 500
Location: /ids-monitor/reportsCompleted.do
Internal Servlet Error:
java.lang.InternalError: Can't connect to X11 window server using ':0.0' as the value of the DISPLAY variable.
at sun.awt.X11GraphicsEnvironment.initDisplay(Native Method)
.... at com.cisco.nm.mdc.ids.reports.ui.ReportAction.handleViewReportForm(ReportAction.java:1408)
This problem occurs because the Xvfb server is not functioning properly after Common Services Service Pack 3 is installed on top of an existing IDS Management Center/Security Monitor installation.
To work around this issue, manually unregister and re-register the daemon as follows:
1. /etc/init.d/dmgtd stop
2. /opt/CSCOpx/bin/perl /opt/CSCOpx//MDC/bin/ids/setupXvfb.pl -unregister 3270
3. /opt/CSCOpx/bin/perl /opt/CSCOpx//MDC/bin/ids/setupXvfb.pl -register 3270
4. /etc/init.d/dmgtd start
CSCef45313
IDS_DbAdminAnalyzer.log file grows out of control
The IDS_DbAdminAnalyzer.log file is not bounded in size. Therefore, it can grow excessively large and consume a large amount of disk space.
This problem manifests itself as a very large file or a disk full error during any disk access.
IDS MC and/or Security Monitor running for an extended time can exhibit this condition. How soon it matters depends on the size of the hard drive.
To work around this issue, follow these steps:
1. Stop all Cisco VMS processes.
2. Delete the IDS_DbAdminAnalyzer.log file
3. Restart all Cisco VMS processes.
Alternatively, you can place this workaround in a cron or other job scheduler.
CSCeg43075
Database upgrade on Solaris does not upgrade evError messages
After upgrading from either IDSMC 1.2.3 or Security Monitor 1.2.3 to version 2.0 of either product, the evError messages in the 1.2.3 audit log are not visible in the 2.0 database. The following parse errors appear in the upgrade log:
Updating evError messages.
could not find open parenthese
Could not find: evError
could not find open parenthese
The evError messages are temporal messages from network IDS devices that reflect current conditions on the device at the time that the message is generated.
This problem occurs when upgrading any installation of IDSMC version 1.2.3 and/or Security Monitor version 1.2.3 (from the VMS 2.2 bundle) to version 2.0 of the same components.
No workaround exists. The result of this problem is that historical logs are lost and the parse error messages are recorded. This problem does not hinder future system operation after the upgrade; the system itself operates correctly.
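As an added example (not part of these release notes), the following script addresses the CSCsa37251 caveat in Table 10: it takes the planned Security Monitor forwarding links and reports any return path before the event server is configured. The monitor names are made up and the line format is an assumption; the check itself is a plain depth-first search written in awk, so it runs on the Solaris host or anywhere with a POSIX awk.

```sh
#!/bin/sh
# Added example (not from the Cisco release notes): before wiring Security Monitor
# servers together, check the planned event-forwarding links for a return path.
# Each input line is "<serving monitor> <upstream monitor>" (the names below are
# constructed); exit status is 1 if any monitor could receive its own events back.
find_event_loops() {
  awk '
    # one link per line; adj[x] is the space-separated list of monitors x serves
    NF >= 2 { adj[$1] = adj[$1] " " $2; nodes[$1] = 1; nodes[$2] = 1 }

    # depth-first search from "from" for "target"; seen[] marks visited monitors
    # so a loop that does not pass through "target" cannot recurse forever
    function reaches(from, target,    n, hops, i) {
      n = split(adj[from], hops, " ")
      for (i = 1; i <= n; i++) {
        if (hops[i] == target) return 1
        if (!(hops[i] in seen)) {
          seen[hops[i]] = 1
          if (reaches(hops[i], target)) return 1
        }
      }
      return 0
    }

    END {
      loops = 0
      for (s in nodes) {
        split("", seen)            # reset the visited set for each starting monitor
        if (reaches(s, s)) {
          print "return path: events sent from " s " can flow back to " s
          loops++
        }
      }
      exit (loops > 0)
    }'
}

# Constructed topology: two branch monitors feed a hub, the hub feeds a central
# monitor, and a mistaken link sends central back to branch1.
if [ "${1:-}" = demo ]; then
  printf 'branch1 hub\nbranch2 hub\nhub central\ncentral branch1\n' | find_event_loops
fi
```

Feed the function the links you intend to configure, one per line, and keep the result at exit status 0 before enabling any of them; a non-zero status names each monitor whose events could come back to it.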
Workaround for CSCin46479
This workaround applies to CSCin46479, "IDSImportArchivedData waits forever when trying to import alerts."
When this problem occurs, all systems that could possibly access the alert data must be shut down.
The following daemon subsystems must be shut down:
•IDS_Receiver
•IDS_ReportScheduler
•IDS_Analyzer
•IDS_EvsServer
Daemon subsystems can be shut down through the GUI or through the command line.
To stop the daemon subsystems through the GUI, follow these steps:
Step 1 Log in to CiscoWorks.
Step 2 Select the Server Configuration drawer.
Step 3 Select Administration > Process Management > Stop Process.
Step 4 Select each process and click Finish.
To stop the daemon subsystems through the Command Line, enter the following at the command prompt:
•pdterm IDS_Receiver
•pdterm IDS_ReportScheduler
•pdterm IDS_Analyzer
•pdterm IDS_EvsServer
The following utilities must not be run at the same time as IdsImportArchivedData:
•IdsAlarms
•IdsPruning
•IdsImportIdiom
•IdsImportNrLog
After completing the data import, you can restart the daemons from either the GUI or the command line:
To restart the daemon subsystems from the GUI, follow these steps:
Step 1 Log in to CiscoWorks.
Step 2 Select the Server Configuration drawer.
Step 3 Select Administration > Process Management > Start Process.
Step 4 Select each process and click Finish.
To restart the daemon subsystems from the Command Line, enter each of the following at the command prompt:
•pdexec IDS_Receiver
•pdexec IDS_ReportScheduler
•pdexec IDS_Analyzer
•pdexec IDS_EvsServer
Note If this workaround does not work for you, stop and restart your CiscoWorks system and then try the workaround again.
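As an added example (not part of these release notes), this script performs the workaround above end to end: it refuses to start if one of the listed utilities is running, stops the four daemons with pdterm, runs IdsImportArchivedData, and restarts the daemons with pdexec whether or not the import succeeded. Arguments are passed to IdsImportArchivedData unchanged, because its options are not described on this page; the ps invocation and the assumption that pdterm and pdexec are on the PATH are mine.

```sh
#!/bin/sh
# Added example (not from the Cisco release notes): script the CSCin46479 workaround
# so that IdsImportArchivedData only runs after the four daemons are stopped and none
# of the conflicting utilities is active, and so that the daemons come back even if
# the import fails. Assumes pdterm/pdexec are on PATH and a POSIX ps.
set -eu

DAEMONS="IDS_Receiver IDS_ReportScheduler IDS_Analyzer IDS_EvsServer"
UTILITIES="IdsAlarms IdsPruning IdsImportIdiom IdsImportNrLog"

# One command name per line for every process on the host.
running_commands() { ps -e -o comm= ; }

# Fail if any utility that must not run alongside the import is still active.
utilities_idle() {
  running=$(running_commands)
  for u in $UTILITIES; do
    if printf '%s\n' "$running" | grep -qx "$u"; then
      echo "$u is running; wait for it to finish before importing" >&2
      return 1
    fi
  done
  return 0
}

stop_daemons()  { for d in $DAEMONS; do pdterm "$d"; done; }
start_daemons() { for d in $DAEMONS; do pdexec "$d"; done; }

# Arguments are handed to IdsImportArchivedData unchanged (its options are not
# described in the release notes).
import_archived_data() {
  utilities_idle || return 1
  stop_daemons
  rc=0
  IdsImportArchivedData "$@" || rc=$?   # runs with the table's other users stopped
  start_daemons                         # always bring the daemons back
  return $rc
}

if [ "${1:-}" = run ]; then
  shift
  import_archived_data "$@"
fi
```

Run it as run followed by the arguments you would otherwise give IdsImportArchivedData. If the import still hangs, the Note above applies: stop and restart CiscoWorks and run the script again.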
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation at this URL:
http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL:
You can access international Cisco websites at this URL:
http://www.cisco.com/public/countries_languages.shtml
Ordering Documentation
You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:
•Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Ordering tool:
http://www.cisco.com/en/US/partner/ordering/index.shtml
•Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 1 800 553-NETS (6387).
Documentation Feedback
You can send comments about technical documentation to bug-doc@cisco.com.
You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
Obtaining Technical Assistance
For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, Cisco Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical Support Website on Cisco.com features extensive online support resources. In addition, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not hold a valid Cisco service contract, contact your reseller.
Cisco Technical Support Website
The Cisco Technical Support Website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, 365 days a year, at this URL:
http://www.cisco.com/techsupport
Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:
http://tools.cisco.com/RPF/register/register.do
Note Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting a web or phone request for service. You can access the CPI tool from the Cisco Technical Support Website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by product ID or model name; by tree view; or for certain products, by copying and pasting show command output. Search results show an illustration of your product with the serial number label location highlighted. Locate the serial number label on your product and record the information before placing a service call.
Submitting a Service Request
Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco TAC engineer. The TAC Service Request Tool is located at this URL:
http://www.cisco.com/techsupport/servicerequest
For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
To open a service request by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447
For a complete list of Cisco TAC contacts, go to this URL:
http://www.cisco.com/techsupport/contacts
Definitions of Service Request Severity
To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.
Severity 1 (S1)—Your network is "down," or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.
Severity 3 (S3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.
Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
•Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL:
http://www.cisco.com/go/marketplace/
•The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:
http://cisco.com/univercd/cc/td/doc/pcat/
•Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL:
•Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can access Packet magazine at this URL:
•iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions. You can access iQ Magazine at this URL:
http://www.cisco.com/go/iqmagazine
•Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:
•World-class networking training is available from Cisco. You can view current offerings at this URL:
http://www.cisco.com/en/US/learning/index.html
This document is to be used in conjunction with the documents listed in the "Product Documentation" section.
Copyright © 2004 Cisco Systems, Inc.
All rights reserved.
Posted: Tue Jan 25 14:10:32 PST 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.