Sometimes the analysis engine goes down on a Cisco IPS (Intrusion Prevention System) or IDS (Intrusion Detection System). In that case the analysis engine can be restarted from the service account by following these steps.
Caution: If you restart the Analysis Engine on an IPS module installed in a firewall that is acting as the active firewall, a firewall failover will occur.
To determine if the analysis engine is stopped, type
NotRunning status? When the analysis engine is not running, the IPSM performs no inspection. Restarting it is essential to having a working IPS.
If this happens to an IPS module in a firewall, it will not cause a failover. However, restarting the service will.
Login using a
A service account is different from an admin account. With this type of account you can navigate around the underlying Linux OS.
SSH into the IPSM using the service account:
Restarting the CIDS service
Once you are ssh’d in, switch your user to root.
Use the same password you used to get in with your service account. Now stop the cids service.
The ‘cids’ service is the Cisco IDS service. Once the service has stopped, you can confirm it by issuing the following command:
ps -ef | grep cids
You may see your own grep for ‘cids’ in the output, but as long as there aren’t more than 2 or so results it should be stopped.
Now restart the service.
Exit out of the service ssh session.
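The stop check in the steps above can be made exact by ignoring the grep process itself instead of eyeballing the result count. This is an added example, not part of the original article or of Cisco's tooling; it assumes procps-style ps -ef columns (command in the eighth field), and the function names and sample process paths are constructed for illustration.

```shell
# Count processes still matching "cids" in `ps -ef` output, ignoring the
# grep that is doing the searching. Reads ps text on stdin, prints a count.
count_cids_procs() {
    awk '
        NR == 1 && $1 == "UID" { next }            # skip the ps header row
        {
            # Rebuild the command column (field 8 onward in ps -ef output).
            cmd = ""
            for (i = 8; i <= NF; i++) cmd = cmd (i > 8 ? " " : "") $i
            if (cmd !~ /cids/) next                 # not a cids process
            if ($8 == "grep" || $8 ~ /\/grep$/) next   # our own grep
            n++
        }
        END { print n + 0 }
    '
}

# Exit status 0 only when nothing matching cids is left running.
cids_is_stopped() {
    [ "$(count_cids_procs)" -eq 0 ]
}

# Constructed sample outputs (process names and paths are illustrative only).
SAMPLE_STOPPED='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 09:00 ?        00:00:01 init
root      4321  4300  0 10:15 pts/0    00:00:00 grep cids'

SAMPLE_RUNNING='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 09:00 ?        00:00:01 init
root      2210     1  2 09:01 ?        00:03:12 /example/cids/bin/engine-a
root      2215  2210  0 09:01 ?        00:00:40 /example/cids/bin/engine-b -x
root      4321  4300  0 10:15 pts/0    00:00:00 grep cids'

# On the sensor itself the input would come from:  ps -ef | count_cids_procs
printf '%s\n' "$SAMPLE_STOPPED" | count_cids_procs   # -> 0
printf '%s\n' "$SAMPLE_RUNNING" | count_cids_procs   # -> 2
```

A count of 0 means the service is fully stopped and it is safe to start it again; any other count means processes are still shutting down.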
Verifying it’s Working
Log back in as a normal admin user. Issue show version again (note that the engine may take a few minutes to start all the way up).
You can also monitor for real time IPS events from the command line by watching the output from this command:
show event alert
If you are seeing alerts in this output, the system is back up and running as expected. It’s possible that no alerts are being triggered due to the nature of the traffic. In that case you can verify the system is good by running
show statistics analysis-engine
and watching the packets processed number to make sure it is going up.