IPS Engine Dead

Hi all.

I've been running SFOS on an SG125w here, and I've noticed my IPS engine is dead. I cannot restart it, and reboots don't change anything.

If I try to conduct a Pattern Update, the log shows the IPS update downloading and passing its checksum, but failing to install.

Here's a snippet of the U2D.log

<code>

SG125w_XN02_SFOS 15.01.0# tail -f u2d.log
DEBUG     Nov 13 14:58:39 [2458]: Response length : 401
DEBUG     Nov 13 14:58:39 [2458]: Received name : ips_10.0_3.12.48.tar.gz.gpg
DEBUG     Nov 13 14:58:39 [2458]: Received location : d30ncyzaneb4q0.cloudfront.net/ips_10.0_3.12.48.tar.gz.gpg
DEBUG     Nov 13 14:58:39 [2458]: Received version : 3.12.48
DEBUG     Nov 13 14:58:39 [2458]: Received size : 946452
DEBUG     Nov 13 14:58:39 [2458]: Received md5sum : 3a028f4f6cdb3e43c8f56732ed3dfed6
DEBUG     Nov 13 14:58:39 [2458]: Received module : ips
DEBUG     Nov 13 14:58:39 [2458]: Received cv : 10.0
DEBUG     Nov 13 14:58:39 [2458]: Received type : full
Fri Nov 13 14:59:30 2015 Starting download for file ips_10.0_3.12.48.tar.gz.gpg
Fri Nov 13 15:00:30 2015 Download completed for file ips_10.0_3.12.48.tar.gz.gpg
gpg: Signature made Fri Nov  6 00:12:45 2015 EST using RSA key ID 6A20EB0B
gpg: NOTE: trustdb not writable
gpg: Good signature from "Sophos Up2Date Server <updates@sophos.com>"
Fri Nov 13 15:00:30 2015 Download for file ips_10.0_3.12.48.tar.gz.gpg passed integrity and gpg checks
Fri Nov 13 15:00:30 2015 Current ips patterns are at /content/ips_10.0/3.12.38
Fri Nov 13 15:00:30 2015 New updated  patterns are now at /content/ips_10.0/3.12.48
Fri Nov 13 15:00:44 2015 Callback u2d_pt_installed failed for ips, version = 3.12.48.
Fri Nov 13 15:00:44 2015 Setting status 'fail' in DB and reverting link for ips to old version = 3.12.38.
Fri Nov 13 15:00:44 2015 ips patterns are again at /content/ips_10.0/3.12.38

</code>

Here's a snippet of the IPS.log that is pointing to an 'Invalid CPU Number'.

<code>

INFO[4163]:Nov 11 15:38:03:spo_alert_garnersock.c:250:GarnerStart:Start called
INFO[4163]:Nov 11 15:38:03:spo_alert_garnersock.c:291:GarnerStart:fd 3 host 127.0.0.1 sport 2929 dport 198
INFO[4163]:Nov 11 15:38:03:snort.c:1574:main:SnortInit() done
INFO[4163]:Nov 11 15:38:03:snort.c:1605:main:Snort master started
INFO[4163]:Nov 11 15:38:03:snort.c:434:get_cpu_cnt:got cores = 2 from '/proc/interrupts'
INFO[4163]:Nov 11 15:38:03:snort.c:511:put_cpulist:cpunum=2 snort_cpulist = 2
fd 5 size 528384
size 1022 maxapp 4096 counter 2 bytesize 512
IPS: invalid cpu number 2
ERROR[4161]:Nov 11 15:38:03:snort.c:1045:notify_newmaster:read_full failed: ret: 0 Success
INFO[4161]:snort.c:2873:child_handler:child 4163 dead
INFO[4161]:Nov 11 15:38:03:snort.c:1009:kill_snortmaster:exited(4163): exited, status=255
ERROR[4161]:Nov 11 15:38:03:snort.c:1566:main:Snort exited with '-1'
INFO[4161]:Nov 11 15:38:03:snort.c:2936:CleanExit:killing snort master
svc_set_status: svc_init not done 

</code>

Anyone else seen this?
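Added example (not part of the original post, and not Sophos code): a small parser that flags the failure sequence visible in the u2d.log excerpt above, where a pattern package passes its integrity and gpg checks but the install callback fails and the module is reverted, leaving IPS on older signatures. The names `FailedInstall` and `find_failed_installs` are hypothetical, and the assumption that the package file name embeds the module and version is based only on the excerpt.

```python
import re
from dataclasses import dataclass

# Sample input: lines copied from the u2d.log excerpt in the post above.
SAMPLE_U2D = """\
Fri Nov 13 15:00:30 2015 Download for file ips_10.0_3.12.48.tar.gz.gpg passed integrity and gpg checks
Fri Nov 13 15:00:30 2015 Current ips patterns are at /content/ips_10.0/3.12.38
Fri Nov 13 15:00:30 2015 New updated  patterns are now at /content/ips_10.0/3.12.48
Fri Nov 13 15:00:44 2015 Callback u2d_pt_installed failed for ips, version = 3.12.48.
Fri Nov 13 15:00:44 2015 Setting status 'fail' in DB and reverting link for ips to old version = 3.12.38.
Fri Nov 13 15:00:44 2015 ips patterns are again at /content/ips_10.0/3.12.38
"""

TS = r"(?P<ts>\w{3} \w{3} [ \d]\d [\d:]{8} \d{4}) "   # ctime-style timestamp
VER = r"(?P<ver>\d+(?:\.\d+)*)"
VERIFIED = re.compile(TS + r"Download for file (?P<file>\S+) passed integrity and gpg checks")
FAILED = re.compile(TS + r"Callback \w+ failed for (?P<mod>\w+), version = " + VER)
REVERTED = re.compile(TS + r"Setting status 'fail' in DB and reverting link for (?P<mod>\w+) to old version = " + VER)

@dataclass
class FailedInstall:
    module: str             # e.g. "ips"
    attempted: str          # version whose install callback failed
    running: str            # version the module was reverted to
    failed_at: str          # timestamp of the callback failure
    package_verified: bool  # True if the package passed integrity/gpg checks first

def find_failed_installs(log_text):
    """Return one FailedInstall per 'callback failed' + 'reverting' pair."""
    verified, pending, findings = [], {}, []
    for line in log_text.splitlines():
        if m := VERIFIED.match(line):
            verified.append(m["file"])
        elif m := FAILED.match(line):
            pending[m["mod"]] = (m["ts"], m["ver"])
        elif (m := REVERTED.match(line)) and m["mod"] in pending:
            ts, attempted = pending.pop(m["mod"])
            # Assumption: file name looks like <module>_<cv>_<version>.tar.gz.gpg
            ok = any(f.startswith(m["mod"] + "_") and f"_{attempted}." in f
                     for f in verified)
            findings.append(FailedInstall(m["mod"], attempted, m["ver"], ts, ok))
    return findings

if __name__ == "__main__":
    for f in find_failed_installs(SAMPLE_U2D):
        print(f"{f.failed_at}: {f.module} stuck on {f.running}, "
              f"install of {f.attempted} failed (package verified: {f.package_verified})")
```

A finding with `package_verified` set means the download itself was authentic and intact, so the fault lies in the local install step, as in this thread.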



  • I was unable to start IPS and was receiving the same error in an ESXi 6 install configured with 2 virtual sockets and 1 core per socket. After changing the number of virtual sockets to 1 with multiple (4) cores per socket, the error went away and IPS started successfully and updated normally.

    Will

    --------------------
    Sophos UTM / Sophos XG Firewall home user

    Private: Virtual UTM 9.3, ESXi 6.0: 2 vCPUs, 8GB RAM, 120GB vHDD, 3 vNICs

    Private: Virtual Sophos XG Firewall, ESXi 6.0: 1 vCPU, 4vCores, 6GB RAM, 80/4 GB vHDD, 3 vNICs

    ESXi 6.0 Host: SuperMicro C7Z97-OCE, Core I5-4690 3.5 GHz, 32GB RAM, NICS: I217-V, I210, I340-T4
