What is the error "Signature Auto Update Fails with Error HTTP connection failed [1, 110]" in Cisco IPS sensors?
Recently, I configured our Cisco IPS sensor modules (SSM-40) installed in the Cisco ASA 5540, and our Cisco IPS 4270 sensor, to auto-update their signatures from behind our Blue Coat ProxySG. After the configuration, I discovered that the auto updates failed. When I checked the status using the Cisco IOS command "show statistics host", the command gave the following errors:
IPS#show statistics host
Auto Update Statistics
lastDirectoryReadAttempt = 19:31:09 CST Thu May 9 2013
= Read directory: https://126.96.36.199//cgi-bin/front.x/ida/locator/locator.pl
= Error: AutoUpdate exception: HTTP connection failed [1,110] <–
lastDownloadAttempt = 19:08:10 CST Thu May 9 2013
lastInstallAttempt = 19:08:44 CST Thu May 9 2013
nextAttempt = 19:35:00 CST Thu May 9 2013
These errors are generally observed in IPS sensors running 7.0(7) and 7.0(8) and are due to the bug "CSCub08230". The available workaround is either to download the signature update package from Cisco.com and apply it manually to the IPS sensors, or to upgrade the Cisco IPS sensors to the latest update of 7.2.
The strange thing is that the IPS sensors were communicating with the Cisco servers; they were able to connect bypassing the proxy servers, as shown in my capture below.
However, they failed to update signatures simply because the initial connection to the locator service is made over HTTPS, and once the sensor is authenticated by the digital certificate provided by the server, the connection is switched over to HTTP for the auto-update process. This changeover from HTTPS to HTTP fails due to the bug "CSCub08230".
Hence, I was temporarily forced to revert my configuration and allow the IPS sensors to communicate directly with Cisco servers, bypassing our Blue Coat proxy server.
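To catch this failure across several sensors without reading each one by hand, the Auto Update block of "show statistics host" can be parsed and checked for an error on the last directory read. The script below is an added example, not part of the original post: the function names are hypothetical, the sample text is copied from the output shown above, and it assumes the command output has already been collected as plain text.

```python
import re
from datetime import datetime

# Sample input: the Auto Update block quoted earlier in this post.
SAMPLE = """\
Auto Update Statistics
lastDirectoryReadAttempt = 19:31:09 CST Thu May 9 2013
= Read directory: https://126.96.36.199//cgi-bin/front.x/ida/locator/locator.pl
= Error: AutoUpdate exception: HTTP connection failed [1,110] <–
lastDownloadAttempt = 19:08:10 CST Thu May 9 2013
lastInstallAttempt = 19:08:44 CST Thu May 9 2013
nextAttempt = 19:35:00 CST Thu May 9 2013
"""

TS = re.compile(r"(\d\d:\d\d:\d\d) \S+ (\w{3} \w{3} \d{1,2} \d{4})")  # zone name skipped
CODES = re.compile(r"\[(\d+),\s*(\d+)\]")   # the bracketed pair, e.g. [1,110]
ARROW = re.compile(r"\s*<[-–]+\s*$")        # trailing "<–" marker added by the author

def parse_auto_update(text):
    """Return {field: {"time": datetime or None, "notes": [continuation lines]}}."""
    stats, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("="):            # "= ..." lines belong to the previous field
            if current:
                stats[current]["notes"].append(ARROW.sub("", line.lstrip("= ")))
            continue
        key, sep, value = line.partition(" = ")
        if not sep:                         # heading or unrelated line
            continue
        m = TS.search(value)
        when = datetime.strptime(" ".join(m.groups()), "%H:%M:%S %a %b %d %Y") if m else None
        current = key.strip()
        stats[current] = {"time": when, "notes": []}
    return stats

def directory_read_failure(stats):
    """Return (message, (code1, code2)) if the last locator read errored, else None."""
    for note in stats.get("lastDirectoryReadAttempt", {}).get("notes", []):
        if note.startswith("Error:"):
            m = CODES.search(note)
            codes = tuple(int(c) for c in m.groups()) if m else None
            return note[len("Error:"):].strip(), codes
    return None

if __name__ == "__main__":
    print(directory_read_failure(parse_auto_update(SAMPLE)))
```

A sensor whose result is not None and whose lastInstallAttempt time stops advancing is a candidate for the manual signature update or the upgrade described above.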