Tuesday, January 16, 2007

IPS Troubleshooting: "The root element is required in a well-formed document"

Two updates in one day... I must feel really guilty about not keeping up with this. I thought I'd share a recent issue I had on a couple of our IPS 4215 sensors while importing it to the IPS MC (again... this is the CiscoWorks management console for IPS sensors). The issue occurred when I had updated the IPS sensors to the latest code at the time (5.1(3)) and then attempted to import their configurations into the IPS MC to be managed. I would get this absolutely meaningless error:

ERROR 13:42:28 [main] - (Log.java:198) - IPS-TEST - SensorConfigImport caught: Unable to import sensor config using RDEP: java.lang.Exception: An exception occurred during the import of file(null), detail=Error on line 1 of document : The root element is required in a well-formed document.

And for those that are seeing the error... this is what the "status messages" dialog shows:

So now what? What does this mean, and how do I get my sensors to import without this issue? The error is Cisco's fault and not yours (I know *snicker* *snicker*). The issue is that the latest version of IPS MC cannot parse the configuration of the sensor because of the "V" component that was added to the sensor's version string; it is the anti-virus update version (visible in the sensor version in the dialog above). This bug is tracked as CSCsh11502. The workaround as presented by Cisco is:

Downgrade the sensor to an earlier version that does not have the V version in it. Then use the IPSMC to upgrade to the current version.

Well... I know the next thing that I thought was that re-formatting the sensor and then doing the update via the IPS MC was just a tremendous waste of time. How do you get around it? Open up a TAC case with Cisco and ask for the "CSM301SP1_Patch.zip" fix for this issue. Once I patched my CSM 3.01 install I was able to import and update. All together this took nearly a month of investigating and going back-and-forth with TAC about this issue. I hope this info can help anyone else that runs into this come to a quicker resolution. As always, questions are welcomed and comments appreciated.
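As an added illustration (not from the post and not Cisco's code), the same failure modelled in Python: a version parser that knows only the pre-"V" fields beside one that treats the anti-virus component as optional, and why the only symptom that surfaces downstream is an XML root-element error. The version-string layout and the sensor configuration document are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples; the exact sensor version format is an assumption,
# not something the post gives: release, signature level, optional AV level.
OLD_VERSION = "5.1(3)S254.0"
NEW_VERSION = "5.1(3)S254.0 V1.2"
SAMPLE_CONFIG = "<sensorConfig><hostName>IPS-TEST</hostName></sensorConfig>"

_BASE = r"^(?P<maj>\d+)\.(?P<min>\d+)\((?P<rel>\d+)\)S(?P<sig>\d+)\.(?P<sigmin>\d+)"
# Brittle: knows only the fields that existed before the AV component was added.
STRICT = re.compile(_BASE + r"$")
# Tolerant: AV component optional, trailing text kept so nothing is lost silently.
TOLERANT = re.compile(_BASE + r"(?: V(?P<av>\d+)\.(?P<avmin>\d+))?(?P<rest>.*)$")


def parse_version(version, pattern=TOLERANT):
    """Split a sensor version string into its components or raise a clear error."""
    m = pattern.match(version)
    if not m:
        raise ValueError(f"unrecognized sensor version string: {version!r}")
    g = m.groupdict()
    return {
        "release": (int(g["maj"]), int(g["min"]), int(g["rel"])),
        "signature": (int(g["sig"]), int(g["sigmin"])),
        "antivirus": (int(g["av"]), int(g["avmin"])) if g.get("av") else None,
        "unparsed": (g.get("rest") or "").strip(),
    }


def import_config(version, config_xml, pattern=TOLERANT):
    """Model of a management-console import (assumed flow, not Cisco's code).
    The version is parsed first; in the brittle variant its failure is swallowed
    and an empty document reaches the XML layer, which then reports only that
    no root element was found, the Python analogue of the error in the post."""
    try:
        info = parse_version(version, pattern)
    except ValueError:
        info, config_xml = None, ""   # real cause lost, downstream symptom remains
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError as e:
        return {"ok": False, "version": info, "error": f"XML layer: {e}"}
    return {"ok": True, "version": info, "hostname": root.findtext("hostName")}


if __name__ == "__main__":
    print(import_config(NEW_VERSION, SAMPLE_CONFIG, STRICT)["error"])
    print(import_config(NEW_VERSION, SAMPLE_CONFIG)["version"])
```

The practical lesson is the one the post arrives at the hard way: an XML "root element" error usually means the document handed to the parser was empty, so the real defect sits upstream of the XML layer.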

-Mike

He's Back!

Hey All!

I hope everyone had a good holiday. I've been so busy that I've lost track of keeping up-to-date with this. But I see there's still plenty of interest... this site still receives over 100 hits a day. So what's been new and exciting in the world of Cisco security? Let's take a look:

+ CS-MARS Updated to 4.2.3 (2403) - This latest release updates vendor signatures along with enhancements to SSL/SSH fingerprint change detection. See the release notes on cisco.com here.

+ IPS 6.0 Released - Definitely some big news for IPS 4200-series and IDSM-2 sensor users. IPS 6.0 has been released for download for users with an IPS Services contract. IPS 6.0 includes many enhancements that are outlined below (right from cisco.com). I'd like to note that users should continue to wait on upgrading to IPS 6.0 until it is fully integrated with existing management products. As of now CS-MARS is not updated to support the new 6.0 fields, and the current IPS MC (the centralized IPS management console provided by CSM or CiscoWorks VMS) cannot be used to manage 6.0 sensors. No need to rush... as tempted as we all are:


+ Cisco Security Manager to Replace CiscoWorks VMS - In what I believe is a great move (but may be frowned on by others), VMS (VPN Management System) is to be replaced with the newest security device management product from Cisco, Cisco Security Manager (CSM). I've worked on both and can say from a management standpoint this change is excellent. CSM includes the CSM client to manage PIX and ASA devices centrally, IPS MC to manage all IPS sensors and push updates out from a central repository (really a terrific product), and Resource Manager Essentials. I plan to give a tour of each of the CSM products in an upcoming update to show what it has to offer. It has come under scrutiny as it does not include Security Monitor. Instead, CSM integrates directly with CS-MARS so incident detection can include policy lookups to the CSM server.

I hope this update is proof that I'm still alive and keeping busy. I have enjoyed the wonderful comments everyone has left and am impressed with the talent shared by everyone in the discussions.

-Mike