Support User Manuals

Cisco Systems IPS 7.1 Home Security System User Manual

Open as PDF

of 1042

C-23

Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1

OL-19892-01

Appendix C Troubleshooting

Troubleshooting External Product Interfaces

-----

MainApp N-2007_JUN_19_16_45 (Release) 2007-06-19T17:10:20-0500 Running

AnalysisEngine N-2007_JUN_19_16_45 (Release) 2007-06-19T17:10:20-0500 Not Running

CLI N-2007_JUN_19_16_45 (Release) 2007-06-19T17:10:20-0500

Step 3 Enter show tech-support and save the output.

Step 4 Reboot the sensor.

Step 5 Enter show version after the sensor has stabilized to see if the issue is resolved.

Step 6 If the Analysis Engine still reads Not Running, contact TAC with the original show tech support

command output.

Troubleshooting External Product Interfaces

This section lists issues that can occur with external product interfaces and provides troubleshooting tips.

For more information on external product interfaces, see Chapter 11, “Configuring External Product

Interfaces.” This section contains the following topics:

• External Product Interfaces Issues, page C-23

• External Product Interfaces Troubleshooting Tips, page C-24

External Product Interfaces Issues

When the external product interface receives host posture and quarantine events, the following issues

can arise:

• The sensor can store only a certain number of host records:

–

If the number of records exceeds 10,000, subsequent records are dropped.

–

If the 10,000 limit is reached and then it drops to below 9900, new records are no longer

dropped.

• Hosts can change an IP address or appear to use another host IP address, for example, because of

DHCP lease expiration or movement in a wireless network. In the case of an IP address conflict, the

sensor presumes the most recent host posture event to be the most accurate.

• A network can include overlapping IP address ranges in different VLANs, but host postures do not

include VLAN ID information. You can configure the sensor to ignore specified address ranges.

• A host can be unreachable from the CSA MC because it is behind a firewall. You can exclude

unreachable hosts.

• The CSA MC event server allows up to ten open subscriptions by default. You can change this value.

You must have an administrative account and password to open subscriptions.

• CSA data is not virtualized; it is treated globally by the sensor.

• Host posture OS and IP addresses are integrated into passive OS fingerprinting storage. You can

view them as imported OS profiles.

• You cannot see the quarantined hosts.

• The sensor must recognize each CSA MC host X.509 certificate. You must add them as a trusted

host.

previous next