AIP-SSM upgrade
Going to upgrade from 6.0(1)E1 to
IPS IPS-K9-6.1-1-E2.pkg
We run 2 ASAs in active/active for 2 contexts. We'd like to upgrade one SSM first and run it for a week with new signatures, then upgrade the other. This means one module will have 6.0(1)E1 and not the latest. Will this cause any issue?
Also, my output shows data plane DOWN. Any ideas what may cause it and how to fix it?
Mod Card Type                                    Model              Serial No.
1   ASA 5500 Series Security Services Module-20  ASA-SSM-20         JAF11025147

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
1   0019.e82b.d238 to 0019.e82b.d238  1.0          1.0(11)2     6.0(1)E1

Mod SSM Application Name   Status   SSM Application Version
1   IPS                    Up       6.0(1)E1

Mod Status   Data Plane Status   Compatibility
1   Up       Down
The two units in a failover configuration must have the same hardware configuration. They must be the same model, have the same number and types of interfaces, the same amount of RAM, and, for the ASA 5500 series security appliance, the same SSMs installed (if any). So both SSMs should always be of the same version.
Similar Messages
-
Hi everybody!
I have ASA5520 version 8.2(1) with AIP-SSM-20 module
and I want to upgrade AIP-SSM-20 software from version 6.1(3)E3 to 7.0(2)E4
I go to the download site and see the following list:
Intrusion Prevention System (IPS) Recovery Software:
IPS-K9-r-1.1-a-7.0-2-E4.pkg
Release Date: 29/Mar/2010
IPS Recovery Image File
Intrusion Prevention System (IPS) Signature Updates:
IPS-sig-S481-req-E4.pkg
Release Date: 31/Mar/2010
E4 Signature Update S481
Intrusion Prevention System (IPS) System Software:
IPS-SSM_20-K9-sys-1.1-a-7.0-2-E4.img
Release Date: 29/Mar/2010
IPS-SSM_20 System Image File
Intrusion Prevention System (IPS) System Upgrades
IPS-K9-7.0-2-E4.pkg
Release Date: 29/Mar/2010
IPS 7.0 Major Upgrade File (All Supported Platforms Except AIM-IPS and NME-IPS)
IPS-engine-E4-req-7.0-2.pkg
Release Date: 29/Mar/2010
IPS E4 Engine Update
I am somewhat confused by the number of files and want to ask what procedure/sequence I should follow to upgrade?
This is the file that you would like to use to upgrade it:
Intrusion Prevention System (IPS) System Upgrades
IPS-K9-7.0-2-E4.pkg
To upgrade:
1) Upload the "IPS-K9-7.0-2-E4.pkg" file through IDM
2) IDM --> Configuration --> Sensor Management --> Update Sensor --> choose Update is located on this client --> choose the "IPS-K9-7.0-2-E4.pkg" file --> hit the "Update Sensor" button.
It will take a while (around 20 minutes) to upgrade the sensor, so don't panic if it doesn't come back up in "UP" status straight away.
Hope that helps. -
Upgrade AIP SSM with Signature Engine 4 file
When I tried to upload Signature Engine 4 file (IPS-engine-E4-req-7.0-2.pkg), using FTP server both by CLI and IDM, to new AIP SSM sensor, I got the following error message:
Cannot upgrade software on the sensor - socket error:110.
When I tried to do the same by using these steps: IDM --> Configuration --> Sensor Management --> Update Sensor --> choose Update is located on this client --> choose the "IPS-K9-7.0-2-E4.pkg" file --> hit the "Update Sensor" button, I got the following error message
The current signature level is S480. The current signature level must be less than s480 for this package to install.
Here is the output for sh ver command
AIP_SSM# sh version
Application Partition:
Cisco Intrusion Prevention System, Version 7.0(2)E4
Host:
Realm Keys key1.0
Signature Definition:
Signature Update S480.0 2010-03-24
OS Version: 2.4.30-IDS-smp-bigphys
Platform: ASA-SSM-10
Serial Number: JAF1514BAHS
Licensed, expires: 07-Jun-2012 UTC
Sensor up-time is 21 days.
Using 695943168 out of 1032495104 bytes of available memory (67% usage)
system is using 17.4M out of 38.5M bytes of available disk space (45% usage)
application-data is using 45.4M out of 166.8M bytes of available disk space (29% usage)
boot is using 41.6M out of 68.6M bytes of available disk space (64% usage)
application-log is using 123.5M out of 513.0M bytes of available disk space (24% usage)
MainApp B-BEAU_2009_OCT_15_08_07_7_0_1_111 (Ipsbuild) 2009-10-15T08:09:06-0500 Running
AnalysisEngine BE-BEAU_E4_2010_MAR_25_02_09_7_0_2 (Ipsbuild) 2010-03-25T02:11:05-0500 Running
CollaborationApp B-BEAU_2009_OCT_15_08_07_7_0_1_111 (Ipsbuild) 2009-10-15T08:09:06-0500 Running
CLI B-BEAU_2009_OCT_15_08_07_7_0_1_111 (Ipsbuild) 2009-10-15T08:09:06-0500
Upgrade History:
IPS-K9-7.0-2-E4 02:00:07 UTC Thu Mar 25 2010
Recovery Partition Version 1.1 - 7.0(2)E4
Host Certificate Valid from: 30-May-2011 to 30-May-2013
Any idea what could be the problem?
Regards,
Based on your show version, you already have E4, what is it that you are trying to do?
Mike -
I have two ASA5520's with ASA-SSM-10 modules which are running Cisco Intrusion Prevention System, Version 6.0(6)E4. These are located at two different sites (one is local and the other remote from where I am based) and so are not running failover.
I understand there is an auto update signature option with Version 6.1 or later which I would like to set up.
The ASA5520's are running Cisco Adaptive Security Appliance Software Version 8.2(5).
Can anyone recommend whether I should be looking at upgrading to Version 6.2 or 7.0 and perhaps why.
Do I also just apply the engine update and then update the latest signatures for good measure.
I was thinking of doing the upgrade through the IDM and was a bit confused about the recovery and system images and what the correct procedure should be e.g. backup the AIP config, tftp the existing image, install the new engine image and reboot the sensor?
Any comments or assistance would be appreciated.
Thanks, Peter.
Hello Peter,
Hope you are doing fine,
I would encourage you to go to the latest IPS image available nowadays, which is: 7.1.7 Engine 4
Why is that?
Because you will ensure you will have a device with the latest image that will provide you fixes to previous bugs, new features, etc.
So go for it.
Now regarding the upgrade
From the CLI
In configuration terminal mode
configure terminal
upgrade ftp://user:[email protected]/upgrade_file_name
http://www.networkstraining.com/how-to-upgrade-the-cisco-ips-module-aip-ssm/
Regards,
Julio Carvajal -
Problems with license upgrade on AIP-SSM
Hi guys:
I have a problem with my AIP-SSM. Recently I downloaded the latest license and I need to install it on my AIP, but when I try to do this I receive this error:
"errSystemError-idsPackageMgr: digital signature of the update file was not valid, use CCO to replace corrupted file"
So I downloaded the license again, because maybe it was corrupted, but I receive the same error when I try to install it.
Does anybody know what this error means?
Regards
It sounds like you are attempting to install a .lic license-key file via the Update Sensor section (which is used for software upgrades/updates instead). If you are trying to install a .lic license-key file, you can do that from IDM or IME's Configuration > Sensor Management > Licensing section. Ensure the Update From: option is set to License File, then click the Browse Local… button and locate/select the .lic license-key file on your local client machine. Finally, click the Update License button to upload and install the license-key file onto the sensor.
If you try to install a .lic license-key file via the Update Sensor section, then you will encounter the error message you noted. -
Failure to Upgrade the software of my AIP-SSM-20
Dear all,
I have failed to upgrade the software of my AIP-SSM-20 on the ASA. The AIP-SSM-20 had an image of version IPS-K9-5.1-7-E1.pkg and I tried to upgrade it to IPS-K9-6.1-1-E2.pkg, but after the upgrade the AIP-SSM-20 became unusable. I can no longer log on to the IPS module from the ASA. When I initiated a connection to the module with the session 1 command, the system says card in slot 1 did not respond to system request. I decided to restore the system image from the ASA by using the hw-module module 1 recover configure and hw-module module 1 recover boot commands, but this has so far failed. When I issued the hw-module module 1 boot command, the status of the IPS shows recover and would be in that state even for days. And my TFTP server shows that it is transferring the images to the IPS.
I don't know where I have gone wrong and I would be very happy if somebody can give me a procedure that would help me to re-image the software of the IPS.
Any help would be highly appreciated.
Claude Fozao
Halijen has already sent you a link to reimage. Let me briefly answer what system image and upgrade files are and the difference between them.
The System Image files are meant to be used only when a complete erasing of the sensor's image is needed. This is generally because the installed files were corrupted, or so old that it would be easier to start over and make it look like it came from the factory than to use the standard "upgrade" files. So in case you are doing reimaging, then use .img files, which are system reimage files.
In more than 90% of the cases, most customers will want to "upgrade" rather than do a System Image. The "upgrade" is done from within the sensor itself, and will both load the higher version as well as convert your current configuration to work with the newer version. It uses .pkg files.
A usual problem with the System Re-imaging process is that the card winds up in a boot loop because of an error. When ROMMON detects an error it reboots and tries the same steps again, which usually winds up with the same error, which causes a reboot, etc.
So determining if the card is in a reboot loop, and what the error is would be the next step in your debugging process.
Execute "debug module-boot". Enter "hw-module module 1 recover stop". Wait for a few minutes, and then enter "hw-module module 1 recover boot".
The output from ROMMON on the SSM will be seen on your ASA connection. Look at the configuration being passed to the SSM's ROMMON and look for any bad entries. Watch to see if it is able to download the System Image file, or if it continuously reboots.
If it continuously reboots, then look to see what error message is seen just prior to the reboot.
Some common problems:
1) Typos in IP address, gateway, tftp server IP, or system image filename.
2) If the tftp server is on the same subnet as the SSM's IP Address, then try leaving the Gateway address blank since it is not needed.
3) Remember that the IP Address is for the external interface of the SSM. So be sure you are using an address that is applicable for the network where you are plugging in the SSM's external interface.
4) If the TFTP Server is on another subnet, then be sure there is a route to the other network. If having to route back through the ASA, then ensure that the ASA will allow TFTP packets to pass through the ASA. (The ASA could wind up blocking the TFTP packets depending on the ASA configuration)
5) Be sure the file can be downloaded from the TFTP server. Check the file permissions, and the directory where the file is located. From your desktop try to download the file from the tftp server. This will ensure you are using the correct directory and that the file has correct permissions. One common problem is that the file may be /tftpboot/sensorfiles/IPS-SSM_20-K9-sys-1.1-a-6.1-1-E1.img. But because the tftp server automatically starts in /tftpboot, you may need to NOT specify it for the file and instead just use: sensorfiles/IPS-SSM_20-K9-sys-1.1-a-6.1-1-E1.img
6) Check to make sure the file is not corrupted by running an md5sum and checking it against the value listed on Cisco's web site. -
AIP-SSM crash during S389 Signature upgrade
Our AIP-SSM [version 6.1(2)E3] crashed during a S389 Signature upgrade on Friday. Neither a "session 1" command from its host, an ASA5520, or a "reload" command of the ASA5520 succeeded in bringing back up the AIP-SSM. Fortunately, after the ASA's power was recycled, the AIP-SSM successfully booted, albeit not to S389, but to its previously loaded S383. I established an SR and supplied the "show tech" and "show config," but the Cisco tech replied "nothing stands out" in them and said just run the S389 update again and send the same info if it crashes. I have several problems with that approach: 1) he had replied that several other customers had had the same problem; 2) our current AIP-SSM is a replacement for an RMA'ed one which had choked on the E2 engine upgrade a few months ago; 3) if another S389 upgrade attempt fails, our client's network will be down because our security policy requires the ASA's bypass mode for the AIP-SSM to be "fail-close." My questions to the forum include:
1) If the "show tech" command is run after an AIP-SSM has rebooted after a previously-attempted S389 upgrade, can it include any information specific to the previously-attempted S389 upgrade?
2) Could the hardware components of the AIP-SSM-10 be inadequate for the combination of the E3 engine plus the cumulative signatures?
3) If the answer to question 2 is "yes" or "possibly," could Cisco modularize the signatures, e.g. provide an "only-activated-signatures" (i.e. smaller) file for customers like us and an "everything" for others?
Advice and recommendations heartily requested.
Based on your show version, you already have E4, what is it that you are trying to do?
Mike -
Hi,
I want to upgrade my SSM from 6.1 E3 package to 6.2 E4.
Part: "ASA 5500 Series Security Services Module-20" PID: ASA-SSM-20
If someone can help me with which files I have to upgrade while doing the upgrade, it would be great. I am just confused about which files to download for the upgrade.
Thanks
Hi,
You can use IPS-K9-6.2-3-E4.pkg to upgrade from 6.1 E3.
http://www.cisco.com/cisco/software/navigator.html?mdfid=282520327&flowid=24461
Select AIP --> System upgrades
Paps -
How to buy license? for AIP-SSM-10 ?
Hi all
how to buy license? for AIP-SSM-10 ?
1. CON-SU1-AS1A1PK9 this is Cisco SMARTnet Support for AIP-SSM-10
2. do I need smartnet for ASA ?
3. what is part number of license ?
ASA5510test# session 1
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.
login: cisco
Password:
***NOTICE***
This product contains cryptographic features and is subject to United States
and local country laws governing import, export, transfer and use. Delivery
of Cisco cryptographic products does not imply third-party authority to import,
export, distribute or use encryption. Importers, exporters, distributors and
users are responsible for compliance with U.S. and local country laws. By using
this product you agree to comply with applicable laws and regulations. If you
are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
***LICENSE NOTICE***
There is no license key installed on the SSM-IPS10.
The system will continue to operate with the currently installed
signature set. A valid license must be obtained in order to apply
signature updates. Please go to http://www.cisco.com/go/license
to obtain a new license or install a license.
sensor#
sensor# sh ver
Application Partition:
Cisco Intrusion Prevention System, Version 6.0(6)E3
Host:
Realm Keys key1.0
Signature Definition:
Signature Update S399.0 2009-05-06
Virus Update V1.4 2007-03-02
OS Version: 2.4.30-IDS-smp-bigphys
Platform: ASA-SSM-10
Serial Number: ........
No license present
Sensor up-time is 21 min.
Using 655507456 out of 1032499200 bytes of available memory (63% usage)
application-data is using 39.7M out of 166.8M bytes of available disk space (25% usage)
boot is using 37.6M out of 68.6M bytes of available disk space (58% usage)
MainApp N-NUBRA_2009_JUL_15_01_10_6_0_5_57 (Ipsbuild) 2009-07-15T01:15:08-0500 Running
AnalysisEngine N-NUBRA_2009_JUL_15_01_10_6_0_5_57 (Ipsbuild) 2009-07-15T01:15:08-0500 Running
CLI N-NUBRA_2009_JUL_15_01_10_6_0_5_57 (Ipsbuild) 2009-07-15T01:15:08-0500
Upgrade History:
IPS-K9-6.0-6-E3 17:48:06 UTC Wed Jul 15 2009
Recovery Partition Version 1.1 - 6.0(6)E3
sensor#
Hi,
CON-SU1-AS2A10K9 contract is for ASA+IPS bundle. If AIP-SSM-10 was purchased as a spare the contract would be CON-SU1-ASIP10K9.
I am not sure whether or not this Cisco Service for IPS contract can be used to cover just the AIP-SSM-10 if it was purchased as part of a Bundle instead of a Spare.
I would recommend that you check with your Cisco reseller or Cisco Sales Representative.
Sourav -
Signature Updates for AIP-SSM 10
Hi all, how can I obtain Signature Updates for AIP-SSM 10, where I have a 60-day trial license?
Here is the main file download page for the IPS sensors.
Find the section for the version you are running and click on the Latest Signature Updates link to take to you to the download page for signature updates.
You can then download which ever signature update you want.
NOTE1: Each Signature Update contains all signatures from previous Sig levels. So you only need to download the latest one.
NOTE2: Each signature update has a specific E (Engine) level requirement. You can execute "show ver" on your sensor to determine if it is at an E1 or E2 level. If it is at E1 and you want the latest sigs that require E2 then you will first need to install the E2 upgrade.
On that main download page look for the "Latest Upgrades" link for your version, and look for the IPS-engine-E2-req-X.X-X.pkg file where the X.X-X matches your sensor version.
If there is not an X.X-X matching your sensor version, then you may need to upgrade the software version for your sensor as well.
NOTE3: Many of these links will also require an account on cisco.com. And for some of these files that account may also need to be verified for being from a country where the USA's export restrictions allow downloads for encryption. (Most countries qualify but you do have to go through that qualification step). It has been over 10 years since I have had to do this so I am not sure of the latest procedures for getting an account or validating it for encryption downloads. -
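The engine-level and signature-level checks from the notes above, as an added Python example (not part of the thread and not Cisco code). It assumes the file-name patterns seen on this page (IPS-sig-S<n>-req-E<n>.pkg and IPS-engine-E<n>-req-X.X-X.pkg) and that a signature update needs exactly the engine level it names; the sample "show version" text is constructed.

```python
import re

# Constructed sample, trimmed to the lines the check needs.
SAMPLE_SHOW_VERSION = """\
Application Partition:
Cisco Intrusion Prevention System, Version 7.0(2)E4
Signature Definition:
Signature Update S480.0 2010-03-24
Platform: ASA-SSM-10
"""

VERSION_RE = re.compile(r"Version (\d+)\.(\d+)\((\d+)\)E(\d+)")
SIG_RE = re.compile(r"Signature Update S(\d+)\.\d+")
SIG_PKG_RE = re.compile(r"^IPS-sig-S(\d+)-req-E(\d+)\.pkg$")
ENGINE_PKG_RE = re.compile(r"^IPS-engine-E(\d+)-req-(\d+)\.(\d+)-(\d+)\.pkg$")


def parse_show_version(text):
    """Extract software version, engine level and signature level."""
    ver = VERSION_RE.search(text)
    sig = SIG_RE.search(text)
    if not ver or not sig:
        raise ValueError("version or signature line not found")
    major, minor, patch, engine = (int(g) for g in ver.groups())
    return {"version": (major, minor, patch), "engine": engine,
            "sig": int(sig.group(1))}


def check_package(filename, sensor):
    """Return (applicable, reason) for a signature or engine update file."""
    m = SIG_PKG_RE.match(filename)
    if m:
        sig, req_engine = int(m.group(1)), int(m.group(2))
        # Assumption: the engine level must match the one in the file name.
        if sensor["engine"] != req_engine:
            return False, (f"needs engine E{req_engine}, "
                           f"sensor is at E{sensor['engine']}")
        # The sensor refuses a signature level it already has or has passed.
        if sig <= sensor["sig"]:
            return False, f"sensor is already at S{sensor['sig']}"
        return True, f"S{sensor['sig']} -> S{sig}"

    m = ENGINE_PKG_RE.match(filename)
    if m:
        engine = int(m.group(1))
        req_version = tuple(int(g) for g in m.groups()[1:])
        # The X.X-X part of the name must match the sensor's software version.
        if sensor["version"] != req_version:
            return False, (f"built for {req_version}, "
                           f"sensor runs {sensor['version']}")
        if engine <= sensor["engine"]:
            return False, f"sensor is already at E{sensor['engine']}"
        return True, f"E{sensor['engine']} -> E{engine}"

    return False, "not a signature or engine update file name"


if __name__ == "__main__":
    sensor = parse_show_version(SAMPLE_SHOW_VERSION)
    for name in ("IPS-sig-S481-req-E4.pkg", "IPS-engine-E4-req-7.0-2.pkg"):
        print(name, check_package(name, sensor))
```
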
Monitoring AIM-IPS-K9 and AIP-SSM-10
Does anyone have any tips on monitoring the IPS devices for being up, healthy, not-in-bypass, and running normally? I had five of them fail after the E3 upgrade (one is still tweaked due to what TAC has identified as a corrupt license issue). Although CSMARS 6.0 lists some unreachable devices once daily, it has all devices in the list, making it less than useful information, but that is a different question.
AIM-IPS-K9: 19 ea.
AIP-SSM-10: 3 ea.
Cisco had originally planned to add a "keep alive" signature to 6.0, but that feature got dropped. The intent was to fire off a signature every few mins as long as the sensor was seeing valid traffic. The absence of seeing this signature should trigger some attention to a downed sensor.
You can write a custom sig, but you have to be able to detect the loss of that event to be of value. -
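Detecting the loss of a keep-alive event, as an added Python example that is not part of the thread. The custom signature ID, the sensor names, the ten-minute threshold and the one-line event format are all assumptions, and the events are constructed.

```python
from datetime import datetime, timedelta

KEEPALIVE_SIG_ID = 60001              # hypothetical custom signature ID
MAX_SILENCE = timedelta(minutes=10)   # assumed alerting threshold

# Constructed events, one per line: "<timestamp> <sensor> <signature id>"
SAMPLE_EVENTS = """\
2009-06-01T10:00:00 aim-ips-01 60001
2009-06-01T10:05:00 aim-ips-01 60001
2009-06-01T10:00:00 aip-ssm-01 60001
2009-06-01T10:05:00 aim-ips-02 2004
this line is malformed and is skipped
"""


def last_keepalive(event_text):
    """Map each sensor to the time of its most recent keep-alive event."""
    last = {}
    for line in event_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue                      # skip malformed lines
        stamp, sensor, sig_id = parts
        if int(sig_id) != KEEPALIVE_SIG_ID:
            continue                      # only the keep-alive counts
        try:
            when = datetime.fromisoformat(stamp)
        except ValueError:
            continue
        if sensor not in last or when > last[sensor]:
            last[sensor] = when
    return last


def silent_sensors(event_text, inventory, now, max_silence=MAX_SILENCE):
    """Return {sensor: silence} for every inventoried sensor that is overdue.

    The value is a timedelta, or None when no keep-alive was ever seen.
    Checking against the inventory is what catches a sensor that never
    reported at all, which a scan of the events alone would miss.
    """
    last = last_keepalive(event_text)
    overdue = {}
    for sensor in inventory:
        seen = last.get(sensor)
        if seen is None:
            overdue[sensor] = None
        elif now - seen > max_silence:
            overdue[sensor] = now - seen
    return overdue


if __name__ == "__main__":
    inventory = ["aim-ips-01", "aim-ips-02", "aip-ssm-01"]
    now = datetime(2009, 6, 1, 10, 12, 0)
    for name, gap in silent_sensors(SAMPLE_EVENTS, inventory, now).items():
        print(name, "never seen" if gap is None else f"silent for {gap}")
```
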
AIP SSM Command/control Interface is not coming up
Hi to all,
Kindly be informed that I have an AIP SSM for ASA; I configured it and it's working fine, but its command and control interface is not coming up at all. I connected my laptop directly to the AIP management interface but its status is always down. Kindly look at this configuration and guide me on how I can communicate with the AIP using the management interface.
My LapTop ip is 192.168.1.2/24
AIP Configuration
IPS1# sh ver
Application Partition:
Cisco Intrusion Prevention System, Version 6.2(1)E3
Host:
Realm Keys key1.0
Signature Definition:
Signature Update S365.0 2008-10-31
Virus Update V1.4 2007-03-02
OS Version: 2.4.30-IDS-smp-bigphys
Platform: ASA-SSM-20
Serial Number: JAF1319AJRG
No license present
Sensor up-time is 13 days.
Using 1019777024 out of 2093604864 bytes of available memory (48% usage)
application-data is using 47.1M out of 166.8M bytes of available disk space (30% usage)
boot is using 39.7M out of 68.6M bytes of available disk space (61% usage)
MainApp E-2008_OCT_16_16_24 (Release) 2008-10-16T16:40:57-0500 Running
AnalysisEngine E-2008_OCT_16_16_24 (Release) 2008-10-16T16:40:57-0500 Running
CLI E-2008_OCT_16_16_24 (Release) 2008-10-16T16:40:57-0500
Upgrade History:
IPS-K9-6.2-1-E3 16:24:00 UTC Thu Oct 16 2008
Recovery Partition Version 1.1 - 6.2(1)E3
Host Certificate Valid from: 12-Jul-2009 to 13-Jul-2011
IPS1#sh conf
! Current configuration last modified Sun Jul 12 23:56:08 2009
! Version 6.2(1)
! Host:
! Realm Keys key1.0
! Signature Definition:
! Signature Update S365.0 2008-10-31
! Virus Update V1.4 2007-03-02
service interface
exit
service authentication
exit
service event-action-rules rules0
exit
service host
network-settings
host-ip 192.168.1.3/24,192.168.1.1
host-name Cinet-IPS1
telnet-option enabled
access-list 0.0.0.0/0
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
exit
service logger
exit
service network-access
exit
service notification
exit
service signature-definition sig0
exit
service ssh-known-hosts
exit
service trusted-certificates
exit
service web-server
exit
service anomaly-detection ad0
exit
service external-product-interface
exit
service health-monitor
exit
service analysis-engine
virtual-sensor vs0
physical-interface GigabitEthernet0/1
exit
exit
If the interface won't link Up, then it is likely a cabling problem.
Even with a bad configuration on the AIP you should at least get link UP if your cabling is correct, so I don't think configuration is your problem here.
If I remember right the command and control interface of the SSM is a 10/100 TX interface. When connecting from a laptop directly to the command and control interface it would require a cross over cable rather than the normal straight through cable.
If you don't have a cross over cable, then try connecting the SSM to a switch and see if the SSM will link UP. The switch is designed to internally do the cross over. -
Hello Friends,
Please see the attached.
I have 2 AIP-SSM modules in 2 ASA boxes. The version of one IPS is 7.0(2)E4 and the other is 6.2(1)E3. I want to upgrade the 6.2 to 7.0.2, but on the Cisco website there is no such download option for 7.0(2) or 7.0(4) system software.
I have a valid IPS contract with Cisco but still I can't see any option to download the version 7.0
Thanks
You are looking at the wrong download site, that is for IPS SSC-5 on ASA 5505.
Here is the download site for AIP-SSM module:
http://www.cisco.com/cisco/software/release.html?mdfid=280302728&flowid=4427&softwareid=282549759&release=7.0%284%29E4&rellifecycle=&relind=AVAILABLE&reltype=latest
(The latest is 7.0.4(E4))
Here is the ReadMe on the platform that is supported and AIP module on ASA uses the same file "IPS-K9-7.0-4-E4.pkg":
http://www.cisco.com/web/software/282549709/35783/IPS-7_0-4-E4_readme.txt
Hope this helps. -
Hi,
We have this module on an ASA 5540. While the inspection load is reaching a max of 35%, the CPU is reaching 100% sometimes.
1- How do I check the current bandwidth in Mbs being inspected?
2- How do I check if there are drops when the CPU is reaching 100%?
3- If the CPU hangs at 100%, will fail-open work or will the module start dropping legitimate packets?
4- Should I upgrade my card to AIP-SSM 40 although inspection load is still 35%?
Thank you
To check if your sensor is dropping packets, get on the CLI and run
show interface - This will show you an averaged packet loss across all interfaces since last reset and on a per-interface basis.
show event stat past 01:00 inc missed - This will show you any peaks in your missed packets over the last hour. -
Hi,
What is difference between E3 and E4 system upgrade files in IPS ? Is it possible to upgrade AIP-SSM from 6.0 E3 to 7.0 E4 ?
Regards
Amar
Amar;
The E3 and E4 designation represents the version of the analysis engine installed on the sensor. The signature developers create signatures to the most current release of the analysis engine (E4 currently). Without the most current analysis engine (and an active license) you cannot apply signature updates to the sensor.
It is possible to upgrade an AIP-SSM from release 6.0 to 7.0 using the current 7.0 upgrade package (.pkg file).
Scott