Cisco Systems IPS 7.1 Home Security System User Manual


Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Appendix C Troubleshooting
status = Synchronized
Step 4: If the status continues to read Not Synchronized, check with the NTP server administrator to make sure the NTP server is configured correctly.
Correcting Time on the Sensor
If you set the time incorrectly, your stored events will have the incorrect time because they are stamped with the time the event was created. The Event Store time stamp is always based on UTC time. If during the original sensor setup, you set the time incorrectly by specifying 8:00 p.m. rather than 8:00 a.m., when you do correct the error, the corrected time will be set backwards. New events might have times older than old events.
For example, if during the initial setup, you configure the sensor as central time with daylight saving time enabled and the local time is 8:04 p.m., the time is displayed as 20:04:37 CDT and has an offset from UTC of -5 hours (01:04:37 UTC, the next day). A week later at 9:00 a.m., you discover the error: the clock shows 21:00:23 CDT. You then change the time to 9:00 a.m. and now the clock shows 09:01:33 CDT. Because the offset from UTC has not changed, the UTC time must now be 14:01:33 UTC, which creates the time stamp problem.
To ensure the integrity of the time stamp on the event records, you must clear the event archive of the older events by using the clear events command.
Note: You cannot remove individual events.
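The central-time example above, worked through in Python as an added illustration (not code from the Cisco guide): it converts the sensor clock readings to the UTC stamps the Event Store records and locates the point where the corrected clock makes a new event older than stored ones. The calendar dates and the 13:15:00 and 09:30:00 events are constructed; the guide gives only the other clock times.

```python
from datetime import datetime, timedelta, timezone

# CDT is UTC-5, the offset the guide gives for central time with daylight saving.
CDT = timezone(timedelta(hours=-5), "CDT")

def to_utc(sensor_clock):
    """UTC stamp recorded for an event created at this sensor clock reading."""
    return sensor_clock.astimezone(timezone.utc)

def find_clock_setbacks(stamps):
    """Scan UTC stamps in the order the events were written.

    For every point where a stamp is older than the one written just before
    it, return (index, step_back, out_of_order), where out_of_order counts
    the earlier events that now carry a later stamp than the new event.
    """
    setbacks = []
    for i in range(1, len(stamps)):
        if stamps[i] < stamps[i - 1]:
            later = sum(1 for old in stamps[:i] if old > stamps[i])
            setbacks.append((i, stamps[i - 1] - stamps[i], later))
    return setbacks

# Constructed event sequence in write order. Clock readings follow the guide's
# example; the dates and the 13:15:00 and 09:30:00 events are made up.
WRITTEN = [
    datetime(2024, 6, 3, 20, 4, 37, tzinfo=CDT),   # initial setup, clock 12 h fast
    datetime(2024, 6, 7, 13, 15, 0, tzinfo=CDT),
    datetime(2024, 6, 10, 21, 0, 23, tzinfo=CDT),  # a week later, error noticed
    datetime(2024, 6, 10, 9, 1, 33, tzinfo=CDT),   # first event after correction
    datetime(2024, 6, 10, 9, 30, 0, tzinfo=CDT),
]
STAMPS = [to_utc(t) for t in WRITTEN]

if __name__ == "__main__":
    for i, step, later in find_clock_setbacks(STAMPS):
        print(f"event {i}: stamp {STAMPS[i]:%Y-%m-%d %H:%M:%S} UTC is "
              f"{step} behind the previous event; {later} older event(s) "
              f"carry a later stamp")
```

Any setback reported this way means stored events can no longer be ordered against new ones by time stamp alone, which is why the archive has to be cleared as a whole.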
For More Information
For the procedure for clearing events, see Clearing Events, page C-111.
Advantages and Restrictions of Virtualization
To avoid configuration problems on your sensor, make sure you understand the advantages and restrictions of virtualization on your sensor.
Virtualization has the following advantages:
• You can apply different configurations to different sets of traffic.
• You can monitor two networks with overlapping IP spaces with one sensor.
• You can monitor both inside and outside of a firewall or NAT device.
Virtualization has the following restrictions:
• You must assign both sides of asymmetric traffic to the same virtual sensor.
• Using VACL capture or SPAN (promiscuous monitoring) is inconsistent with regard to VLAN tagging, which causes problems with VLAN groups.
• When using Cisco IOS software, a VACL capture port or a SPAN target does not always receive tagged packets even if it is configured for trunking.
• When using the MSFC, fast path switching of learned routes changes the behavior of VACL captures and SPAN.