Common Problems and Resolutions


As mentioned before, this chapter does not detail the troubleshooting of IDS/IPS functionality or the features of the NM-CIDS. Chapter 14, "Troubleshooting Cisco Intrusion Prevention System," explains the configuration and troubleshooting aspects on the Appliance and other platforms, so IDS/IPS software-related troubleshooting is not repeated in this section. Instead, this section focuses on the troubleshooting aspects that are unique to the NM-CIDS. They are outlined as follows:

  • Hardware issues

  • NM-CIDS Console access issues

  • Communication issues with NM-CIDS command and control port

  • Issues with not receiving traffic from the router using the sniffing port

  • Managing NM-CIDS from IOS router

  • Software installation and upgrade issues

Hardware Issues

After you insert the NM-CIDS into one of the slots on the router, first be sure that the router recognizes the NM-CIDS. Execute show running-config | include IDS, show interfaces | include IDS, or show ip interface brief | include IDS, as shown in Example 16-1, to identify the interface name; the interface name tells you the slot number where the NM-CIDS is inserted on the router.

Example 16-1. Identifying the Slot Number Where NM-CIDS Is Seated

3725-ids#show running-config | include IDS
! This is the Fast Ethernet interface on the router side for IDS.
interface IDS-Sensor1/0
! The following can be used to find out the status of the interface.
3725-ids#show interfaces | include IDS
IDS-Sensor1/0 is up, line protocol is up
! If you want to find out additional details like the IP address, use the following
! command.
3725-ids#show ip interface brief | include IDS
IDS-Sensor1/0              1.1.1.1         YES TFTP   up                      up
3725-ids#

Example 16-1 shows that the interface name is IDS-Sensor1/0, which indicates that the NM-CIDS is inserted into slot 1 on the router. Now that you know the slot number of the NM-CIDS, execute the show diag slot_number command, as shown in Example 16-2, to obtain detailed information about the NM-CIDS.

Example 16-2. show diag output for NM-CIDS on the Router

3725-ids#show diag 1
3725 Backplane EEPROM:
        PCB Serial Number        : JAE073617MX
        Processor type           : 61
        Top Assy. Part Number    : 800-16147-02
        Board Revision           : C0
        Fab Part Number          : 28-4226-06
        Deviation Number         : 65535-65535
        Manufacturing Test Data  : FF FF FF FF FF FF FF FF
        RMA Number               : 255-255-255-255
        RMA Test History         : FF
        RMA History              : FF
        Chassis Serial Number    : JMX0742L3AQ
        Chassis MAC Address      : 0007.b35b.ef40
        MAC Address block size   : 48
        Field Diagnostics Data   : FF FF FF FF FF FF FF FF
        Hardware Revision        : 0.1
        Number of Slots          : 2
        EEPROM format version 4
        EEPROM contents (hex):
          0x00: 04 FF C1 8B 4A 41 45 30 37 33 36 31 37 4D 58 09
          0x10: 61 40 02 59 C0 46 03 20 00 3F 13 02 42 43 30 85
          0x20: 1C 10 82 06 80 FF FF FF FF C4 08 FF FF FF FF FF
          0x30: FF FF FF 81 FF FF FF FF 03 FF 04 FF C2 8B 4A 4D
          0x40: 58 30 37 34 32 4C 33 41 51 C3 06 00 07 B3 5B EF
          0x50: 40 43 00 30 C5 08 FF FF FF FF FF FF FF FF 41 00
          0x60: 01 01 02 FF FF FF FF FF FF FF FF FF FF FF FF FF
          0x70: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
Slot 1:
! The following line shows the line card type and the number of ports available.
        IDS Sensor Port adapter, 1 port
! The system has identified the NM-CIDS module port adapter.
        Port adapter is analyzed
! Elapsed time since insertion. If unknown, you can ignore it.
        Port adapter insertion time unknown
        EEPROM contents at hardware discovery:
! Hardware version number of the NM-CIDS.
        Hardware Revision        : 1.0
        Top Assy. Part Number    : 800-23372-01
        Board Revision           : A0
        Deviation Number         : 0-0
        Fab Version              : 02
! Serial number of the printed circuit board.
        PCB Serial Number        : FOC071617YB
        RMA Test History         : 00
! Return material authorization number, which is an administrative number assigned
! if the NM-CIDS needs to be returned for repair.
        RMA Number               : 0-0-0-0
! Counter that indicates how many times the NM-CIDS has been returned and repaired.
        RMA History              : 00
! Part number of the NM-CIDS.
        Fab Part Number          : 28-5683-02
        Manufacturing Test Data  : 00 00 00 00 00 00 00 00
        Field Diagnostics Data   : 00 00 00 00 00 00 00 00
        Product (FRU) Number     : NM-CIDS
        EEPROM format version 4
        EEPROM contents (hex):
          0x00: 04 FF 40 04 25 41 01 00 C0 46 03 20 00 5B 4C 01
          0x10: 42 41 30 80 00 00 00 00 02 02 C1 8B 46 4F 43 30
          0x20: 37 31 36 31 37 59 42 03 00 81 00 00 00 00 04 00
          0x30: 85 1C 16 33 02 C4 08 00 00 00 00 00 00 00 00 C5
          0x40: 08 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF
          0x50: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
          0x60: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
          0x70: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
        20GB IDE Disc Daughter Card
        Hardware Revision        : 1.0
        Top Assy. Part Number    : 800-20520-01
! Revision number (signifying a minor revision) of the NM-CIDS.
        Board Revision           : A0
! Revision number (signifying a minor deviation) of the NM-CIDS.
        Deviation Number         : 0-0
        Fab Version              : 01
        PCB Serial Number        : FOC07160HNW
        RMA Test History         : 00
        RMA Number               : 0-0-0-0
        RMA History              : 00
        Fab Part Number          : 28-5685-01
        Manufacturing Test Data  : 00 00 00 00 00 00 00 00
        Field Diagnostics Data   : 00 00 00 00 00 00 00 00
! Version number of the EEPROM format.
        EEPROM format version 4
! Dump of the EEPROM programmed data.
        EEPROM contents (hex):
          0x00: 04 FF 40 03 83 41 01 00 C0 46 03 20 00 50 28 01
          0x10: 42 41 30 80 00 00 00 00 02 01 C1 8B 46 4F 43 30
          0x20: 37 31 36 30 48 4E 57 03 00 81 00 00 00 00 04 00
          0x30: 85 1C 16 35 01 C4 08 00 00 00 00 00 00 00 00 C5
          0x40: 08 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF
          0x50: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
          0x60: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
          0x70: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
3725-ids#

You can also use show controllers IDS-Sensor 1/0 to obtain more detail about the interface.

If the output in Example 16-1 shows that the NM-CIDS interface is not recognized, work through the following steps to troubleshoot the issue:

Step 1.

Be sure that you are running the supported hardware and software on the router for the NM-CIDS. Refer to the "Installing NM-CIDS" document for the corresponding IPS version to identify the supported hardware and software versions. For example, to determine the hardware and software requirements for IPS 5.0, refer to the following link: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids11/hwguide/hwnmcids.htm

Step 2.

Reseat the NM-CIDS into a different slot on the router to be sure that the initial slot was not faulty.

Step 3.

Check the status light of the NM-CIDS and be sure the appropriate light is lit. Refer to Table 16-2 for details.

Step 4.

If reseating does not help, collect the output of the show tech-support and show logging commands, and look for error or other messages related to the NM-CIDS to troubleshoot further.

Step 5.

If all efforts fail to uncover the problem, the NM-CIDS probably has a hardware (HW) failure. If so, contact the Cisco Support center for a hardware replacement.

NM-CIDS Console Access Issues

Unlike the IDS/IPS Appliances, the NM-CIDS does not have a dedicated console port. Therefore, for the initial configuration, you must session into the NM-CIDS from the router where it is seated. Before you can session into the NM-CIDS, you must assign an IP address to the IDS-Sensor interface, which is discussed in the next section.

Assigning IP Address to the IDS-Sensor Interface on the Router

Before you can assign an IP address, you need to identify the IDS-Sensor interface on the router. When assigning an IP address to the IDS-Sensor interface, do not assign a routable IP address directly. It is strongly recommended to create a loopback interface with a non-routable IP address and assign the loopback interface IP to the IDS-Sensor interface, to protect the sniffing interface of the NM-CIDS from attack.

Work through the steps that follow to assign the IP address to NM-CIDS:

Step 1.

Find out which IDS-Sensor interface is visible to the router as shown in Example 16-1. This interface is used for sniffing packets for NM-CIDS. Without assigning an IP address to this interface, you cannot session into the NM-CIDS from the router.

Step 2.

Create a loopback interface and assign an IP address as shown in Example 16-3.

Example 16-3. Creating a Loopback Interface on the Router

3725-ids#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
3725-ids(config)#interface loopback 0
3725-ids(config-if)#ip address 1.1.1.1 255.255.255.0
3725-ids(config-if)#no shutdown
3725-ids(config-if)#

Step 3.

Assign an unnumbered loopback interface (the loopback interface that you have just created in Step 2) to the IDS-Sensor interface that you have identified in Step 1. Then activate the interface with the no shutdown command, as shown in Example 16-4.

Example 16-4. Unnumbered Loopback 0 Interface Being Applied Under IDS-Sensor Interface 1/0

3725-ids#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
3725-ids(config)#interface IDS-Sensor 1/0
3725-ids(config-if)#ip unnumbered loopback 0
3725-ids(config-if)#no shutdown
3725-ids(config-if)#
*Jan 2 23:04:27.454: %LINK-3-UPDOWN: Interface IDS-Sensor1/0, changed state to up
*Jan 2 23:04:28.454: %LINEPROTO-5-UPDOWN: Line protocol on Interface IDS-Sensor1/0,
  changed state to up
*Jan 2 23:04:33.726: %LINEPROTO-5-UPDOWN: Line protocol on Interface IDS-Sensor1/0,
  changed state to down
*Jan 2 23:04:43.726: %LINEPROTO-5-UPDOWN: Line protocol on Interface IDS-Sensor1/0,
  changed state to up
3725-ids(config-if)#end
3725-ids#write memory
Building configuration
[OK]
3725-ids#

Step 4.

Finally, verify that the IDS-Sensor interface is up and assigned with an IP address from the loopback interface as shown in Example 16-5.

Example 16-5. IDS-Sensor Interface Is up and Assigned the IP Address by Loopback Interface

3725-ids#show ip interface brief | include IDS
IDS-Sensor1/0              1.1.1.1         YES TFTP   up                      up
3725-ids#

Once you configure the IDS-Sensor interface with an IP address, and verify that it is up, the next step is to access the NM-CIDS with the service-module ids-module slot_number/0 session command on the router, which is discussed in the next section.

Connecting to NM-CIDS

You can connect to NM-CIDS in the following two ways:

  • Using service-module command

  • Using Telnet

More details on the above items follow.

Using the service-module Command

You can connect to the NM-CIDS with the service-module command and the session argument, which starts a reverse Telnet connection to the IP address of the IDS-Sensor interface. This connects you to the IDS as shown in Example 16-6.

Example 16-6. User's Session into the IDS Assuming the Blade Is Slot 1

3725-ids#service-module IDS-Sensor 1/0 session
Trying 1.1.1.1, 2033 ... Open
User Access Verification
! The default user id and password is cisco/cisco for the initial login. This sample
! output is taken after the initial password is set up. When you log in to
! the NM-CIDS for the first time, it presents you with the password change sequence.
login: cisco
Password:
***NOTICE***
This product contains cryptographic features and is subject to United States
and local country laws governing import, export, transfer and use. Delivery
Of Cisco cryptographic products does not imply third-party authority to import,
Export, distribute or use encryption. Importers, exporters, distributors and
users are responsible for compliance with U.S. and local country laws. By using
this product you agree to comply with applicable laws and regulations. If you
are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto
If you require further assistance please contact us by sending email to
export@cisco.com.
Sensor#

Using Telnet

You can connect directly to the NM-CIDS console by using Telnet from a remote host to one of the router's interface IP addresses with the reverse Telnet port number. You can find the port number for the NM-CIDS with the formula slot_number * 32 + 2001. For example, if the NM-CIDS is inserted into slot 1, you can Telnet remotely to the console of the NM-CIDS with reverse Telnet port number 2033 (1 * 32 + 2001 = 2033).

Another way to determine the reverse Telnet port number is to use the service-module command, as shown in Example 16-7.

Example 16-7. Finding out the Reverse Telnet Port Number and the Statistics from the NM-CIDS

3725-ids#service-module IDS-Sensor 1/0 status
Service Module is Cisco IDS-Sensor1/0
! The following line indicates that reverse Telnet is performed on line 33.
Service Module supports session via TTY line 33
Service Module is in Steady state
Getting status from the Service Module, please wait..
! The following information is retrieved from the module.
Cisco Systems Intrusion Detection System Network Module
  Software version:  4.1(0.4)S42(0.4)
  Model:             NM-CIDS
  Memory:            513220 KB
3725-ids#

Once the port number is identified through either method that was just discussed, use Telnet to access one of the interface IP addresses that you can reach from your host with the reverse Telnet port number as follows:

3745-ids# telnet 172.16.171.30 2033 


Note

Remember that you do not need to use Telnet to access the loopback interface (that is assigned for the IDS-Sensor interface) IP address with reverse Telnet port number. You can use Telnet to access any interface that is reachable from the host.
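The checks above (interface recognized and up with an IP address, reverse Telnet port from slot_number * 32 + 2001, TTY line reported by service-module status) can be scripted against captured router output. The following Python script is an added example, not from the book: it parses constructed show ip interface brief and service-module status output modelled on Examples 16-1 and 16-7, computes the port, cross-checks it against the TTY line (IOS maps reverse Telnet port 2000 + N to TTY line N, consistent with line 33 and port 2033 in the examples), and flags the "Steady state" output that carries no software version, which is the still-starting condition that Example 16-8 later shows.

```python
import re

# Constructed sample outputs modelled on Examples 16-1 and 16-7 (not captured from a live router).
SHOW_IP_INT_BRIEF = """\
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            172.16.171.30   YES NVRAM  up                    up
IDS-Sensor1/0              1.1.1.1         YES TFTP   up                    up
"""

STATUS_READY = """\
Service Module is Cisco IDS-Sensor1/0
Service Module supports session via TTY line 33
Service Module is in Steady state
Getting status from the Service Module, please wait..
Cisco Systems Intrusion Detection System Network Module
  Software version:  4.1(0.4)S42(0.4)
  Model:             NM-CIDS
  Memory:            513220 KB
"""

# Same command while the IDS application is still starting: no version block yet.
STATUS_STARTING = """\
Service Module is Cisco IDS-Sensor1/0
Service Module supports session via TTY line 33
Service Module is in Steady state
Getting status from the Service Module, please wait..
Starting IDS Application
"""

# One row of "show ip interface brief": name, IP, OK?, Method, Status (may contain spaces), Protocol.
IDS_ROW_RE = re.compile(
    r"^IDS-Sensor(?P<slot>\d+)/(?P<port>\d+)\s+(?P<ip>\S+)\s+\S+\s+\S+\s+"
    r"(?P<status>.+?)\s+(?P<protocol>\S+)\s*$",
    re.MULTILINE,
)


def find_ids_sensor(brief_output):
    """Return slot/IP/state of the first IDS-Sensor interface, or None if the router shows none."""
    m = IDS_ROW_RE.search(brief_output)
    if m is None:
        return None
    return {"slot": int(m["slot"]), "ip": m["ip"],
            "status": m["status"].strip(), "protocol": m["protocol"]}


def reverse_telnet_port(slot):
    """Reverse Telnet port for the module in the given slot (slot_number * 32 + 2001)."""
    return slot * 32 + 2001


def parse_service_module_status(status_output):
    """Pull the TTY line, module state and (if the application is up) the software version."""
    tty = re.search(r"TTY line (\d+)", status_output)
    state = re.search(r"Service Module is in (.+?) state", status_output)
    version = re.search(r"Software version:\s*(\S+)", status_output)
    return {"tty_line": int(tty.group(1)) if tty else None,
            "state": state.group(1) if state else None,
            "software_version": version.group(1) if version else None}


def check_console_access(brief_output, status_output):
    """Return (reverse_telnet_port, findings); an empty findings list means a session should work."""
    findings = []
    iface = find_ids_sensor(brief_output)
    if iface is None:
        return None, ["no IDS-Sensor interface in show ip interface brief: module not recognized"]
    port = reverse_telnet_port(iface["slot"])
    if iface["ip"] == "unassigned":
        findings.append("IDS-Sensor interface has no IP address: apply ip unnumbered to a loopback")
    if iface["status"] != "up" or iface["protocol"] != "up":
        findings.append("IDS-Sensor interface is %s/%s: issue no shutdown and recheck"
                        % (iface["status"], iface["protocol"]))
    st = parse_service_module_status(status_output)
    # IOS reaches TTY line N through reverse Telnet port 2000 + N, so the status output
    # should agree with the slot-based formula; a mismatch means the slot number is wrong.
    if st["tty_line"] is not None and st["tty_line"] != port - 2000:
        findings.append("TTY line %d does not match port %d: verify the slot number"
                        % (st["tty_line"], port))
    if st["state"] != "Steady":
        findings.append("module state is %r, not Steady: wait, then reset if it stays that way"
                        % st["state"])
    elif st["software_version"] is None:
        findings.append("module reports no software version: IDS application still starting, "
                        "reset the module if this persists")
    return port, findings


if __name__ == "__main__":
    for label, status in (("ready", STATUS_READY), ("starting", STATUS_STARTING)):
        port, findings = check_console_access(SHOW_IP_INT_BRIEF, status)
        print(label, port, findings or "OK")
```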


Disconnecting from NM-CIDS

While you are working with NM-CIDS using the service-module command with the session argument, you might want to switch back and forth to configure both the router and NM-CIDS. To accomplish that, you need to know how to suspend a session to return to the router. Once you have finished with the configuration of NM-CIDS and the router, you might want to close the session to the NM-CIDS completely, so that you do not leave NM-CIDS vulnerable. The following sections discuss in detail how to suspend and close down the session to NM-CIDS.

Suspending a Session and Returning to the Router

When you are finished with a session, you need to return to the router to establish the association between a session (the IDS application) and the router interfaces that you want to monitor.

To toggle between connections in a Telnet session, follow these steps:

Step 1.

Hold CTRL-Shift simultaneously, and press 6. Release all keys, and press x. This command takes you from a session prompt to a router prompt, and vice versa.

Step 2.

Type the following at the prompt:

Router# disconnect 


Step 3.

Press Enter when prompted as follows:

Closing connection to 10.16.0.0 [confirm] <Enter> 


Telnet clients vary. In some cases, you might have to press CTRL-6 + x. The control character is specified as ^^, CTRL-^, or ASCII value 30 (hex 1E).

Caution

Failing to close a session properly makes it possible for others to exploit a connection that is still in place. Remember to type exit at the Router# prompt to close the Cisco IOS session completely. The following section describes how to close an open session.


Closing an Open Session

If you use the Telnet disconnect command to leave the session, the session remains running, and an open session can be exploited by someone wanting to take advantage of a connection that is still in place. To close an open session to the NM-CIDS, follow these steps:

Step 1.

Exit the session by using the following command:

sensor# exit 


Step 2.

Suspend and close the session to the NM-CIDS by holding CTRL-Shift and pressing 6. Finally, release all keys, and press x.

Step 3.

Disconnect from the router by using the following command:

3725-ids# disconnect 


Step 4.

Press Enter to confirm the disconnection:

3725-ids# Closing connection to 10.16.0.0 [confirm] <Enter> 


Step 5.

Exit the session:

3725-ids#exit 


Troubleshooting Console Access Issues

If you cannot access the sensor console with the service-module command from the router or remotely with reverse Telnet, work through the following steps to correct the problem:

Step 1.

Make sure the IDS-Sensor interface has an IP address and shows as UP.

Step 2.

Execute the service-module IDS-Sensor 1/0 status command, and be sure you get the status information from the NM-CIDS. If the NM-CIDS shows something similar to the status output in Example 16-8 (the IDS application is still starting and no version information is returned), you might want to reset the NM-CIDS with the service-module IDS-Sensor 1/0 reset command, which is also shown in Example 16-8.

Example 16-8. Verifying the Status of the NM-CIDS

3725-ids#service-module IDS-Sensor 1/0 status
Service Module is Cisco IDS-Sensor1/0
Service Module supports session via TTY line 33
Service Module is in Steady state
Getting status from the Service Module, please wait..
Starting IDS Application
3725-ids#service-module IDS-Sensor 1/0 reset
Use reset only to recover from shutdown or failed state
Warning: May lose data on the hard disc!
Do you want to reset?[confirm]
Trying to reset Service Module IDS-Sensor1/0.
3725-ids#

Step 3.

If you have AAA authentication turned on for Telnet, understand that the first username/password prompt comes from the router itself. You need to enter the Telnet username and password even if you session into the NM-CIDS from the router, because the session command opens a reverse Telnet session across the backplane to the NM-CIDS. So, with AAA authentication turned on for Telnet sessions on the router, sessioning into the NM-CIDS first prompts you for the Telnet login credentials defined on the AAA server or locally on the router, and then prompts you for the login credentials of the NM-CIDS. If this is the first time you are sessioning into the NM-CIDS, enter cisco/cisco as the username/password; you are then prompted to change the password for the username cisco. You must change the password before you can access the NM-CIDS.

Step 4.

If you have the access-class defined with an ACL to block the IP address, then you need to allow the IP address of the IDS-Sensor interface to be able to session into or reverse-Telnet into the NM-CIDS.

Step 5.

Be sure the access list on the NM-CIDS allows the IP address of the IDS-Sensor interface, so that you can session into the NM-CIDS.

Another way that you can connect to the NM-CIDS is by using the Command and Control interface of the NM-CIDS. As mentioned before, this is the only Fast Ethernet interface that is visible on the front panel of the NM-CIDS. However, to use the Command and Control interface to Telnet or SSH, you must assign an IP address and initialize the interface, which brings up the next discussion.

Communication Issues with NM-CIDS Command and Control Port

This section presents the configuration and troubleshooting steps for the Command and Control interface of the NM-CIDS.

  • Configuration steps

  • Troubleshooting steps

The sections that follow present more details on both configuration and troubleshooting.

Configuration Steps

Once you are in the NM-CIDS CLI, you can perform the initial setup using the setup command. This process brings the NM-CIDS online with an IP address on its Command and Control interface, so that a management station running IDM or IDS MC can manage the NM-CIDS. The same IP address can be used to pull all events into the Security Monitor. An example of the setup command and its output is shown in Example 16-9.

Example 16-9. How to Set Up the IP Address on the Command and Control Interface Using the setup Command

sensor# setup

    --- System Configuration Dialog ---

At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.

Current Configuration:
! Only showing the relevant information

Continue with configuration dialog?[yes]:
Enter host name[sensor]:NMCIDS
Enter IP interface[10.1.1.10/24,10.1.1.1]:20.1.1.10/24,20.1.1.1
Enter telnet-server status[disabled]:enabled
Enter web-server port[443]:
Modify current access list?[no]: yes
Current access list entries:
  [1] 20.0.0.0/8
  [2] 1.1.1.0/24
Delete:
NMCIDS#

At the completion of this process, the CLI will display the entered configuration and prompt you to confirm if the configuration should be saved and if NM-CIDS should be rebooted as follows:

Use this configuration?[yes]: yes
Configuration Saved.
Warning: The node must be rebooted for the changes to go into effect.
Continue with reboot? [yes]:


Enter yes for both use this configuration and Continue with reboot.

Troubleshooting Steps

If you cannot connect to the Command and Control interface of the NM-CIDS, work through the following steps to correct the problem:

Step 1.

Ping the default gateway of the NM-CIDS and be sure it responds. If it does not, be sure that the interface is connected to the switch or hub and that the link light is correct, and be sure that there is no duplicate IP address in the network.

Step 2.

Be sure that the access-list is modified to allow the hosts or network addresses from where you need to Telnet or SSH to the NM-CIDS.

Step 3.

Be sure that proper routing is configured on the switch or hub side between the Command and Control interface network and the rest of the network, so that your host knows how to reach the Command and Control interface via Telnet or SSH.

Step 4.

Be sure that the firewall is not filtering the traffic between the host and the NM-CIDS Command and Control interface.

Issues with Not Receiving Traffic from the Router Using the Sniffing Port

To forward a copy of the traffic to the NM-CIDS from the router, you must configure the IDS-Sensor interface as shown in Example 16-4. Additionally, you must configure monitored interfaces of the router to capture the packets. This section looks at the configuration and troubleshooting aspects of forwarding copies of traffic to the NM-CIDS.

  • Configuration steps

  • Troubleshooting steps

Configuration Steps

To start capturing traffic, you need to enable the desired interfaces (including subinterfaces) on the router for packet monitoring. You can select any number of interfaces or subinterfaces to be monitored. The packets sent and received on these interfaces are forwarded to the NM-CIDS for inspection. The enabling and disabling of the interfaces is configured through the router CLI (Cisco IOS).

Work through the steps that follow to configure packet capturing:

Step 1.

Turn on CEF switching on the router, which is a must for redirecting traffic to NM-CIDS from the router as shown in Example 16-10.

Example 16-10. Turning on CEF Switching

3725-ids# configure terminal
! CEF can be turned on with the following command.
3725-ids(config)# ip cef
3725-ids(config)# exit
3725-ids#

Step 2.

Identify the interfaces or subinterfaces on which you want the traffic to be captured with the help of the show ip interface brief command on the router. You can capture traffic from more than one interface/subinterface.

Step 3.

Configure the command required to start monitoring the traffic. Example 16-11 shows that monitoring is enabled only on the Fast Ethernet 0/0 interface.

Step 4.

Repeat the previous step for each interface or subinterface that you want to monitor.

Example 16-11. Capturing Traffic on Fast Ethernet 0/0 Interface

3725-ids# configure terminal
! Go into the interface mode where you want the traffic to be captured.
3725-ids(config)# interface FastEthernet0/0
! The following command will copy network traffic to the NM-CIDS.
3725-ids(config-if)# ids-service-module monitoring
! Use the command no ids-service-module monitoring to turn off monitoring.
! Exit interface mode:
3725-ids(config-if)# end
3725-ids#

Step 5.

You can verify whether the monitoring is working with the show interfaces IDS-Sensor 1/0 command on the router (see Example 16-12). The interface should show as up, and the counters should increment with time.

Troubleshooting Steps

If NM-CIDS is unable to receive any packets from the router, work through the following steps:

Step 1.

Identify the interface and be sure the output counters increment over the period of time as shown in Example 16-12.

Example 16-12. Interfaces Counters for IDS-Sensor Interface on the Router

3725-ids#show interfaces IDS-Sensor 1/0
IDS-Sensor1/0 is up, line protocol is up
  Hardware is I82559FE, address is 0007.b35b.ef50 (bia 0007.b35b.ef50)
  Interface is unnumbered. Using address of Loopback0 (1.1.1.1)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/60 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
! You can quickly find out if the interface is sending any traffic in the last 5
! minutes or 5 seconds. A counter of 0 is an indication that you need to
! investigate further and observe this counter for a longer period.
  5 minute output rate 25 bits/sec, 5 packets/sec
     5395 packets input, 350902 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
! Make sure output packets increment over a period of time. Other counters
! incrementing at a high rate over a period of time is an indication of a problem.
     24113 packets output, 2267534 bytes, 0 underruns
     0 output errors, 0 collisions, 4 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
3725-ids#
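The "counters should increment" check in Step 1 is easiest to apply by sampling the command twice and comparing. The following Python script is an added example, not from the book: it parses two constructed snapshots in the format of Example 16-12, reports how many packets the router copied to the module between them, and maps the outcomes to the troubleshooting steps (stalled output to the access-list and CEF checks, climbing errors or resets to reseating the module); it also recognizes a counter that went backwards because clear counters was run between samples.

```python
import re

# Constructed snapshots of "show interfaces IDS-Sensor 1/0" in the format of Example 16-12
# (not captured from a live router); only the lines the checker reads are kept.
SNAPSHOT_T0 = """\
IDS-Sensor1/0 is up, line protocol is up
  Interface is unnumbered. Using address of Loopback0 (1.1.1.1)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 25 bits/sec, 5 packets/sec
     5395 packets input, 350902 bytes, 0 no buffer
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     24113 packets output, 2267534 bytes, 0 underruns
     0 output errors, 0 collisions, 4 interface resets
"""

# Taken a few minutes later: the router is still copying packets to the module.
SNAPSHOT_T1 = SNAPSHOT_T0.replace("24113 packets output", "25613 packets output")

# Later sample where forwarding has stopped: no new packets and a zero output rate.
SNAPSHOT_STALLED = SNAPSHOT_T0.replace("25 bits/sec, 5 packets/sec", "0 bits/sec, 0 packets/sec")

# Later sample after "clear counters": the absolute counter went backwards.
SNAPSHOT_CLEARED = SNAPSHOT_T0.replace("24113 packets output", "120 packets output")

# Regex and type for each value Step 1 of the troubleshooting procedure looks at.
FIELDS = {
    "line_protocol": (r"line protocol is (\w+)", str),
    "out_pps": (r"5 minute output rate \d+ bits/sec, (\d+) packets/sec", int),
    "out_pkts": (r"(\d+) packets output", int),
    "out_errors": (r"(\d+) output errors", int),
    "resets": (r"(\d+) interface resets", int),
}


def parse_counters(text):
    """Extract the counters from one snapshot; a missing field parses as None."""
    parsed = {}
    for name, (pattern, cast) in FIELDS.items():
        m = re.search(pattern, text)
        parsed[name] = cast(m.group(1)) if m else None
    return parsed


def assess_forwarding(before, after):
    """Compare two samples; an empty findings list means the router is feeding the module."""
    a, b = parse_counters(before), parse_counters(after)
    findings = []
    if b["line_protocol"] != "up":
        findings.append("line protocol is not up: recheck ip unnumbered and no shutdown "
                        "on the IDS-Sensor interface (Example 16-4)")
    delta = b["out_pkts"] - a["out_pkts"]
    if delta < 0:
        # Counters were cleared (or wrapped) between the samples; the delta is meaningless.
        findings.append("output counter went backwards: counters were cleared, take two fresh samples")
        return {"packets_forwarded": None, "findings": findings}
    if delta == 0 and b["out_pps"] == 0:
        findings.append("no packets forwarded to the NM-CIDS between samples: check access lists "
                        "on the monitored interfaces and that ip cef is enabled (Steps 2 and 3)")
    if b["out_errors"] > a["out_errors"] or b["resets"] > a["resets"]:
        findings.append("output errors or interface resets are climbing: suspect the module, "
                        "reseat it (Step 4)")
    return {"packets_forwarded": delta, "findings": findings}


if __name__ == "__main__":
    for label, later in (("healthy", SNAPSHOT_T1), ("stalled", SNAPSHOT_STALLED),
                         ("cleared", SNAPSHOT_CLEARED)):
        print(label, assess_forwarding(SNAPSHOT_T0, later))
```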

Step 2.

If the output counter of the IDS-Sensor interface is not incrementing, check whether an access list on the monitored interfaces is dropping the packets.

Step 3.

If there is no access list on the monitored interface of the router, be sure that Cisco Express Forwarding (CEF) switching is turned on in the router, as shown by the commands in Example 16-13.

Example 16-13. Verifying Whether the CEF Switching Is Turned On

3725-ids#show running-config | include cef
ip cef
3725-ids#

Step 4.

If the IDS-Sensor interface shows that it is forwarding traffic to the NM-CIDS, but you are still not getting any events, use the show interface command on the NM-CIDS to ensure that its sensing interface is receiving the packets. If the NM-CIDS sensing interface does not show the counters incrementing over a period of time, or if the counters remain at zero, reseat the NM-CIDS and see if that corrects the problem.

Step 5.

If the sensing interface of the NM-CIDS is receiving traffic, troubleshoot the problem with information in Chapter 14, "Troubleshooting Cisco Intrusion Prevention System."

Managing NM-CIDS from an IOS Router

Although most of the commands to manage the NM-CIDS are in the NM-CIDS itself, some handy commands are available on the router itself to manage the IDS blade efficiently. Cisco IOS provides the following service-module command arguments to control the NM-CIDS: shutdown, reload, reset, and status:

  • Shutdown To bring NM-CIDS down gracefully, execute the following command:

    3725-ids# service-module ids-sensor 1/0 shutdown 

    Be sure to execute a shutdown command before you remove the hard-disk drive from the NM-CIDS. Failing to do so can lead to the loss of data or the corruption of the hard-disk drive.

  • Reload This option performs a graceful halt and reboot of the operating system on NM-CIDS with the following command:

    3725-ids# service-module ids-sensor 1/0 reload 

  • Reset This command is used to recover from a shutdown as shown in Example 16-14.

    Example 16-14. Performing Reset of the Module

    3725-ids# service-module ids-sensor 1/0 reset
    Use reset only to recover from shutdown or failed state
    Warning: May lose data on the hard disc!
    Do you want to reset?[confirm]
    3725-ids#

    Hard-disk drive data loss only occurs if you issue the reset command without first shutting down the NM-CIDS. You can use the reset command safely in other situations.

  • Status This option provides information on the status of the NM-CIDS as shown in Example 16-15.

    Example 16-15. Sample Output of the status Command

    3725-ids# service-module ids-sensor1/0 status
    Service Module is Cisco IDS-Sensor1/0
    ! Shows the reverse Telnet port information.
    Service Module supports session via TTY line 33
    ! The following line shows that the module is in a good state.
    Service Module is in Steady state
    Getting status from the Service Module, please wait..
    ! The following output shows the details of the NM-CIDS.
    Service Module Version information received, Major ver = 1, Minor ver= 1
    Cisco Systems Intrusion Detection System Network Module
    Software version: 4.1(1)S42(0.3)
    Model: NM-CIDS
    Memory: 254676 KB
    3725-ids#

Software Installation and Upgrade Issues

There are several images available for NM-CIDS:

  • Boot loader image This image is required to load the helper image, which in turn is required to re-image the system image on the NM-CIDS on version 4.1.

  • Helper Image The helper image is used to load the system image onto the application partition of the NM-CIDS. This image is no longer required on IPS version 5.x.

  • System Image This is the actual system image file for the application partition, which can be used to re-image the application partition of the NM-CIDS. As of this writing, the latest version of the system image is IPS-NM-CIDS-K9-sys-1.1-a-5.0-1.img.

  • Major/Minor/Signature software upgrade files These files can be upgraded from the Application partition itself.

Remember the following important steps when upgrading from 4.1 to version 5.0:

  • The 5.0(1) major upgrade, when applied to NM-CIDS, upgrades the bootloader to 1.0.17-1. Hence, instead of installing the system image, use the upgrade command to upgrade from 4.x to 5.0 using the major upgrade file (IPS-K9-maj-5.0-1-S149.rpm.pkg). Refer to Chapter 14, "Troubleshooting Cisco Intrusion Prevention System," for more details on how to upgrade the major release.

  • To re-image the IPS 5.0 version from 4.1, you must upgrade the boot loader image (servicesengine-boot-1.0-17-1_dev.bin) first by booting to the old helper file where there is an option to update the boot loader in the helper menu. Refer to the "Common Problems and Resolutions" section of this chapter for a procedure to re-image the application. The procedure for the boot loader is very similar.

  • The newer version of bootloader no longer requires a helper image to upgrade to IPS Version 5.0.

This is the location for different image files for NM-CIDS:

http://www.cisco.com/kobayashi/sw-center/ciscosecure/ids/crypto/



Cisco Network Security Troubleshooting Handbook
ISBN: 1587051893
Year: 2006
Pages: 190
Authors: Mynul Hoda
