AIP-SSM module hung
I have recently configured the AIP-SSM-20 modules in my firewalls (ASA 5540), which are configured in HA (Active/Standby). I did this implementation on 13th June. It was working fine.
Now I have observed that the AIP-SSM-20 module in the primary firewall has gone into an unresponsive state.
Below is the output of the show module and show failover commands.
FW1-5540# sh module
Mod Card Type                                    Model              Serial No.
  0 ASA 5540 Adaptive Security Appliance         ASA5540            JMX1234L11F
  1 ASA 5500 Series Security Services Module-20  ASA-SSM-20         JAF1341ADPS

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
  0 0021.d871.77ab to 0021.d871.77af  2.0          1.0(11)4     8.0(3)6
  1 0023.ebf6.11ce to 0023.ebf6.11ce  1.0          1.0(11)5     6.2(2)E4

Mod SSM Application Name           Status           SSM Application Version
  1 IPS                            Not Applicable   6.2(2)E4

Mod Status             Data Plane Status     Compatibility
  0 Up Sys             Not Applicable
  1 Unresponsive       Not Applicable

FW1-5540# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Version: Ours 8.0(3)6, Mate 8.0(3)6
Last Failover at: 09:06:14 UTC Jun 15 2010
        This host: Primary - Failed
                Active time: 191436 (sec)
                slot 0: ASA5540 hw/sw rev (2.0/8.0(3)6) status (Up Sys)
                  Interface DMZ_LAN (10.192.153.13): Normal (Waiting)
                  Interface INTRANET (10.192.154.13): Normal (Waiting)
                  Interface management (0.0.0.0): Link Down (Waiting)
                slot 1: ASA-SSM-20 hw/sw rev (1.0/6.2(2)E4) status (Unresponsive/Down)
                  IPS, 6.2(2)E4, Not Applicable
        Other host: Secondary - Active
                Active time: 192692 (sec)
                slot 0: ASA5540 hw/sw rev (2.0/8.0(3)6) status (Up Sys)
                  Interface DMZ_LAN (10.192.153.5): Unknown (Waiting)
                  Interface INTRANET (10.192.154.5): Unknown (Waiting)
                  Interface management (0.0.0.0): Unknown (Waiting)
                slot 1: ASA-SSM-20 hw/sw rev (1.0/7.0(2)E4) status (Up/Up)
                  IPS, 7.0(2)E4, Up

Stateful Failover Logical Update Statistics
        Link : Unconfigured.
I have tried using
hw-module module 1 reset
to reset the IPS module, but the status is always unresponsive.
It is a production environment where I cannot experiment much. I need help to rectify the problem.
Hi Scott,
I have almost the same problem as sbgcsd at my customer. I'm deploying two ASA 5512s in a failover configuration. One day, after almost 2 months of testing the project in a lab, when we installed them in the customer's datacenter the systems presented the following errors:
ciscoasa2(config)# failover
Detected an Active mate
ciscoasa2# Mate NOT PRESENT card in slot 1 is different from mine IPS5512
I tried to discover what had happened with the IPS module, and then I saw the error in the IPS status: "Unresponsive".
ciscoasa2# sh module ips
Mod Card Type                                    Model              Serial No.
ips Unknown                                      N/A                FCH1712J7UL

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
ips 7cad.746f.8796 to 7cad.746f.8796  N/A          N/A

Mod SSM Application Name           Status             SSM Application Version
ips Unknown                        No Image Present   Not Applicable

Mod Status             Data Plane Status     Compatibility
ips Unresponsive       Not Applicable

Mod License Name     License Status   Time Remaining
ips IPS Module       Disabled         perpetual
According to the Cisco Forums I tried "Reloading, Shutting Down, Resetting, and Recovering AIP-SSM" (*) using the "hw-module module" command. But unfortunately the ASA didn't accept this command. See below:
ciscoasa2# hw-module module 1 reload
^
ERROR: % Invalid input detected at '^' marker
What happened with this command (hw-module)? Maybe it is a problem with the software version? When I entered the "sh flash" command I saw that there wasn't any software for the AIP-SSM module:
ciscoasa2# sh flash
--#--  --length--  -----date/time------  path
   11        4096  Sep 12 2013 13:56:54  log
   21        4096  Sep 12 2013 13:57:10  crypto_archive
  100           0  Sep 12 2013 13:57:10  nat_ident_migrate
   22        4096  Sep 12 2013 13:57:10  coredumpinfo
   23          59  Sep 12 2013 13:57:10  coredumpinfo/coredump.cfg
  101    34523136  Sep 12 2013 14:00:14  asa861-2-smp-k8.bin
  102    17851400  Sep 12 2013 14:04:36  asdm-66114.bin
  103    38191104  Apr 24 2014 12:59:58  asa912-smp-k8.bin
  104        6867  Apr 24 2014 13:01:20  startup-config-jcl.txt
  105    24095116  Jun 17 2014 14:54:14  asdm-721.bi
But the other ASA (#1) has the image:
ciscoasa1# sh flash
--#--  --length--  -----date/time------  path
   11        4096  Sep 10 2013 06:42:56  log
   21        4096  Apr 17 2014 03:13:12  crypto_archive
  123     5276864  Apr 17 2014 03:13:12  crypto_archive/crypto_eng0_arch_1.bin
  110           0  Sep 10 2013 06:43:12  nat_ident_migrate
   22        4096  Sep 10 2013 06:43:12  coredumpinfo
   23          59  Sep 10 2013 06:43:12  coredumpinfo/coredump.cfg
  111    34523136  Sep 10 2013 06:44:24  asa861-2-smp-k8.bin
  112    42637312  Sep 10 2013 06:45:46  IPS-SSP_5512-K9-sys-1.1-a-7.1-4-E4.aip  <===
But I am not sure if this image is really the right image for the AIP-SSM in ASA#2. Anyway, I copied it (through a simple TFTP server) from ASA#1 to ASA#2, but after this the same problem remained!
Because of that I didn't apply the failover configuration to the system.
What can I do now ?
Thank you very much in advance.
Leonardo_Melo.(CCAI-JCL-Brazil).
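The first two posts both show an SSM stuck at Unresponsive, and the first post's show failover output also shows the two peers running different IPS software in slot 1 (6.2(2)E4 on the failed primary, 7.0(2)E4 on the active secondary), while Leonardo's unit reports that its mate's card in slot 1 differs from its own. The following Python is an added example, not code from either post or from Cisco: it parses the two outputs and reports any module whose status is not Up and any slot whose card model or software differs between the peers, which are the two things to compare before resetting or re-imaging a module. The regular expressions are written against the ASA 8.0 column layout quoted above and are an assumption for other releases; the SAMPLE_* text is constructed from the first post.

```python
"""Flag SSM trouble in Cisco ASA 'show module' / 'show failover' output.

Added example, not code from the forum posts. The regular expressions
follow the ASA 8.0 column layout shown in the first post (an assumption
for other releases); the SAMPLE_* text is constructed from that post.
"""
import re
from typing import Dict, List

# "slot 1: ASA-SSM-20 hw/sw rev (1.0/6.2(2)E4) status (Unresponsive/Down)"
SLOT_RE = re.compile(r"slot (?P<slot>\d+): (?P<model>\S+) hw/sw rev "
                     r"\((?P<hw>[^/]+)/(?P<sw>.*?)\) status \((?P<status>[^)]*)\)")
# "This host: Primary - Failed" / "Other host: Secondary - Active"
HOST_RE = re.compile(r"^\s*(?P<which>This|Other) host: (?P<unit>Primary|Secondary) - (?P<state>\w+)")
# rows of the "Mod Status  Data Plane Status" table, e.g. "  1 Unresponsive  Not Applicable"
MOD_STATUS_RE = re.compile(
    r"^\s*(?P<slot>\S+)\s+(?P<status>Up Sys|Up|Unresponsive|Down|Init|Recover|Shutting Down)\b")

SAMPLE_SHOW_MODULE = """\
Mod SSM Application Name           Status           SSM Application Version
  1 IPS                            Not Applicable   6.2(2)E4

Mod Status             Data Plane Status     Compatibility
  0 Up Sys             Not Applicable
  1 Unresponsive       Not Applicable
"""

SAMPLE_SHOW_FAILOVER = """\
        This host: Primary - Failed
                slot 0: ASA5540 hw/sw rev (2.0/8.0(3)6) status (Up Sys)
                slot 1: ASA-SSM-20 hw/sw rev (1.0/6.2(2)E4) status (Unresponsive/Down)
                  IPS, 6.2(2)E4, Not Applicable
        Other host: Secondary - Active
                slot 0: ASA5540 hw/sw rev (2.0/8.0(3)6) status (Up Sys)
                slot 1: ASA-SSM-20 hw/sw rev (1.0/7.0(2)E4) status (Up/Up)
                  IPS, 7.0(2)E4, Up
"""


def parse_show_module_status(text: str) -> Dict[str, str]:
    """Return {slot: status} from the 'Mod Status ...' table of 'show module'."""
    statuses: Dict[str, str] = {}
    in_table = False
    for line in text.splitlines():
        if re.match(r"^\s*Mod\s+Status\s+Data Plane", line):
            in_table = True
            continue
        if in_table:
            if line.lstrip().startswith("Mod "):
                break  # a different table follows
            m = MOD_STATUS_RE.match(line)
            if m:
                statuses[m.group("slot")] = m.group("status")
    return statuses


def parse_show_failover(text: str) -> Dict[str, dict]:
    """Return {'This'|'Other': {unit, state, slots: {n: {model, hw, sw, status}}}}."""
    hosts: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group("which")
            hosts[current] = {"unit": m.group("unit"), "state": m.group("state"), "slots": {}}
            continue
        m = SLOT_RE.search(line)
        if m and current is not None:
            hosts[current]["slots"][int(m.group("slot"))] = {
                k: m.group(k) for k in ("model", "hw", "sw", "status")}
    return hosts


def check_failover_pair(text: str) -> List[str]:
    """Findings worth a ticket: a module that is not Up, and slots that differ between peers."""
    hosts = parse_show_failover(text)
    findings: List[str] = []
    for which, host in hosts.items():
        for slot, info in sorted(host["slots"].items()):
            if not info["status"].startswith("Up"):
                findings.append(f"{which} host ({host['unit']}) slot {slot}: "
                                f"{info['model']} status {info['status']}")
    this, other = hosts.get("This"), hosts.get("Other")
    if this and other:
        for slot in sorted(set(this["slots"]) | set(other["slots"])):
            a, b = this["slots"].get(slot), other["slots"].get(slot)
            if a is None or b is None:
                findings.append(f"slot {slot}: card present on only one unit")
            elif a["model"] != b["model"]:
                findings.append(f"slot {slot}: hardware mismatch {a['model']} vs {b['model']}")
            elif a["sw"] != b["sw"]:
                findings.append(f"slot {slot}: software mismatch {a['sw']} vs {b['sw']}")
    return findings


if __name__ == "__main__":
    print(parse_show_module_status(SAMPLE_SHOW_MODULE))
    print("\n".join(check_failover_pair(SAMPLE_SHOW_FAILOVER)))
```

Running the file prints the slot statuses and the two findings for the constructed sample (the unresponsive slot 1 on the primary and the 6.2(2)E4 versus 7.0(2)E4 software mismatch). For a live pair, feed it the captured output of show failover from the active unit, since that view lists both peers' slots; a hardware mismatch finding corresponds to the "card in slot 1 is different from mine" message in the second post.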
Similar Messages
-
Do I need two AIP-SSM modules if I am configuring failover?
Is it possible to use a single AIP-SSM module in two ASAs that are configured in Active/Standby mode?
I would like to configure the module in the first ASA with the fail-open setting. Then, if the first ASA fails, I could then physically remove the AIP-SSM module and place it in the second ASA.
Would there be any problems configuring it this way?
Would the active/standby ASAs complain that there is only one AIP-SSM module?
Thanks in advance.
Hello Julio. My name is Rogelio, and I would appreciate your answer on a related matter, because I will have to execute the initial configuration of a failover pair, each one with its own IPS module.
Question: let's suppose that I execute a basic setup (admin username/password, IP address, mask, gateway) on the IPS module of the active ASA firewall. Will this configuration be replicated to the IPS module of the secondary unit?
Your kind answer will be greatly appreciated.
Best regards... -
Is there any architectural difference between CSC-SSM and AIP-SSM modules
Hello security gurus!
I'm wondering if there's any chance to make the Content Security module (CSC-SSM) work as an IPS (AIP-SSM). It seems to me they are absolutely identical in terms of hardware. Is there any chance to make the CSC-SSM boot with the flash from an AIP-SSM and have the ASA recognize it as an IPS module?
EugeneZheka,
This is not recommended and you will lose support. These are different devices designed for different purposes, and you will also have issues with the license. I have seen it once, when a customer did it by mistake; the module eventually crashed and we had to add the proper image.
Regards,
Felipe. -
IPS Manager Exp 7.0.3 fails to connect to AIP-SSM module
Hi, I am trying to connect to my IPS module nested in a Cisco ASA 5540 appliance. Yesterday I was able to connect and do my configurations, but when running IME today I didn't find my sensor module in the devices list, so I tried adding it again and it gives an error. The IME system logs are:
2010-07-22 09:29:30,092 [j_] WARN - addSource() source exists
2010-07-22 09:29:30,092 [ty] ERROR - 1
2010-07-22 09:32:06,775 [j_] WARN - addSource() source exists
2010-07-22 09:32:06,775 [ty] ERROR - 1
2010-07-22 09:33:47,753 [j_] WARN - addSource() source exists
2010-07-22 09:33:47,753 [ty] ERROR - 1
2010-07-22 09:45:16,887 [j_] WARN - addSource() source exists
2010-07-22 09:45:16,887 [ty] ERROR - 1
Kindly assist on how to overcome this.
Jerry.
It's ok guys, silly Windows issue, I had to run the application as an administrator!
-
Remote Connectivity Issues to AIP-SSM-10
Hi,
I have an ASA 5520 with an AIP-SSM module in it. I have done the basic "setup" on the module and assigned it an IP address. I am using IME to connect to the IPS module. The ASA/IPS is at a remote location and has a private IP address. I have a Linux server in the same subnet as the IPS IP address. I am connecting to that server remotely through SSH and doing port forwarding to connect to the IPS IP address. When I start IME and connect to the locally forwarded port it connects to my IPS module perfectly fine. Please see the attached screen capture "IME_IPS_Error-1.gif" and the column where it says "event status: connected". So far so good; now I click on the "configuration" tab and I get an error, please see "IME_IPS_Error-2.gif" for the error detail. Can anyone send me some pointers to resolve this issue?
Thanks
I was able to resolve the issue. Earlier (when I had trouble) I was doing port forwarding as localhost:10031=>IPS:443 and IME was connecting to localhost:10031. So I was getting to the IPS/IME home page and the device status was connected, but when I clicked on the "Configuration" tab I got the error.
To resolve the issue I did the port forwarding as follows:
127.0.0.102:443=>IPS:443, and then IME was connecting to 127.0.0.102:443 and everything worked fine. It looks like earlier, when I clicked on "Configuration", it tried/redirected to connect to localhost:443 instead of localhost:10031. I have attached the network diagram and the screen captures of the resolution. -
SSM MODULES and Mars events and local?
Is it possible to set up an AIP-SSM module to log event alerts to its local cache as well as to the MARS appliance? I say this because I ran some tests for alerts and never see them on the IPS module itself, but I do see them on the MARS appliance correctly! I don't know what setting would need to be changed to make sure that the event alerts are logged on the local IPS itself. Or is this even possible?
Does anyone know how to make it log locally and to the MARS appliance?
Thanks,
Make sure Bypass mode is not enabled on the IPS module. Another workaround for this issue is to reload the Advanced Inspection and Prevention Security Services Module (AIP-SSM) IPS module with the hw-module module 1 reload command, and tune any noisy signatures in order to lighten the sensor load.
-
Hello Friends,
Please see the attached.
I have 2 AIP-SSM modules in 2 ASA boxes. The version of one IPS is 7.0(2)E4 and the other is 6.2(1)E3; I want to upgrade the 6.2 to 7.0.2. But on the Cisco website there is no such download option for the 7.0(2) or 7.0(4) system software.
I have a valid IPS contract with Cisco but still I can't see any option to download version 7.0.
Thanks
You are looking at the wrong download site; that is for the IPS SSC-5 on the ASA 5505.
Here is the download site for AIP-SSM module:
http://www.cisco.com/cisco/software/release.html?mdfid=280302728&flowid=4427&softwareid=282549759&release=7.0%284%29E4&rellifecycle=&relind=AVAILABLE&reltype=latest
(The latest is 7.0.4(E4))
Here is the ReadMe on the platform that is supported and AIP module on ASA uses the same file "IPS-K9-7.0-4-E4.pkg":
http://www.cisco.com/web/software/282549709/35783/IPS-7_0-4-E4_readme.txt
Hope this helps. -
IPS Signature DataBase - ASA IPS/IOS IPS/IPS 42xx/AIP-SSM
Hi,
Can anyone briefly tell me the signature database details (No of Signature) among the following devices,
-->ASA IPS/IOS IPS/IPS 42xx/AIP-SSM.
Thanks,
IPS on ASA/PIX = just 50 or so common signatures
AIP-SSM module = same signatures as Cisco 4200 series sensors. Minor differences exist (like IPv6 signature support etc.)
Please rate if helpful.
Regards
Farrukh -
Hello Everyone,
Some time ago we purchased a couple of ASA 5510s with the IPS AIP-SSM modules in them. I got them installed and got the VPNs running, but never activated the IPS module on them.
I am getting ready to get the IPS modules going. But don't I need some type of subscription so that the IPS module can download signature updates?
Does anyone know what the part number on that subscription is? I am seeing listings for "content security plus" licenses, but I think that is something different. I am also seeing licenses for Botnet Traffic Filter licenses. But, again, I am not sure if that's the right one.
Thanks,
Ben
You will need a subscription license in order to take advantage of signature and Global Correlation updates. The official name for this license is "Cisco Services for IPS". Take a look at the following Q&A doc which covers some of the part numbers.
http://www.cisco.com/en/US/services/ps2827/ps6076/services_qa0900aecd8022e962.pdf -
Customizing signatures question on AIP-SSM
Hi all
Actually our customer has an AIP-SSM module which is configured in inline mode. Some users appear as attackers in the IPS event store.
Can I deny any unwanted connections for these users without affecting the legitimate connections of these users, like internet browsing?
I tried to set the signature action to "deny connection inline", but when the signature fires, the user who appeared as an attacker is totally blocked and cannot access the internet.
Has anyone faced this issue?
Please advise.
Regards
Hi Mohammed.
Right now I'm preparing for the IPS exam, and I have read somewhere that:
"deny connection inline" will stop the connection totally. But if the same user (IP address) has many "deny connection inline" events, the IPS will say that there is a problem with this PC, and rather than losing resources and time blocking each connection, the IPS sensor will block the host.
You can tune the signature to solve this issue, but this will not solve the main problem.
But as Andy said, there is a sweep attack from these PCs. Try to scan them with anti-virus and anti-worm tools, because they are the source of these issues.
Sweep is a "Network Reconnaissance Attack". Please take a look at this link for more information:
http://www.cisco.com/en/US/docs/security/ips/5.1/configuration/guide/cli/cliSgEng.html#wp1048257
I hope this is helpful.
Best regards
Reda
[email protected] -
Changing time on AIP SSM 10 module.
How can I change the sensor's time manually on my AIP-SSM-10 module installed in the ASA 5520 device?
I tried the clock set command but apparently it's not supported on the AIP-SSM-10 module.
The ASA has the correct time but the IPS does not.
Any ideas?
Thanks,
zaid
You can find the complete configuration guide for the AIP-SSM-10 in the URL posted below. The configuration of the time settings is explained in the following chapter: 'Initial Tasks > Configuring Time'.
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df9a.html#wp1035238
Please rate if the post is useful!
Regards,
Michael -
Cisco IPS 4240 vs Cisco ASA AIP-SSM-10 Module
I'm looking to replace another vendor's IPS system we have at our company. We do have an ASA 5510 in our environment currently.
Considering I don't need the extra bandwidth of the IPS 4240 series and the AIP-SSM-10 requires an ASA 5510, what are the differences?
Operationally the AIP-SSM and the 4240 run the same software, so they work pretty much the same.
The AIP-SSM inside the ASA is a less expensive alternative, but because it sits inside an ASA there is more to configure and manage (the ASA plus the sensor). The ASA also has some built-in inspections that may filter some traffic/attacks from being seen by the AIP-SSM sensor.
- Bob -
Single AIP-SSM in Cisco ASA Failover Active / Standby Mode
Hi,
Can I add a single AIP-SSM to a Cisco ASA in failover active/standby mode?
No, both units need the same hardware, and that includes the installed modules.
Sent from Cisco Technical Support iPad App -
Hi,
I have an ASA 5520 running v 7.2(2),
but the IPS module software is 5.1.
When I try to log in to the module with > session 1
it prompts me for a login and password.
I tried cisco and a few other combinations, but no luck.
How do I reset it? Also, the reset procedure in the docs says it resets the password of the user cisco.
How can I be sure whether the user cisco even exists on it or not?
Any help please???
No man, it doesn't..
The link you specified says it too..
hw-module module slot_number password-reset?
This command recovers a password on a Cisco ASA 5500 Series Content Security and Control Security Services Module (CSC-SSM) or the AIP-SSM without having to re-image the device.
Note: This command is supported starting from IPS 6.0 (ASA version 7.2) and is used to restore the Cisco CLI account password to the default cisco.
Here are my ASA and IPS details:
ASA# sh version
Cisco Adaptive Security Appliance Software Version 7.2(2)
Device Manager Version 5.2(2)
Compiled on Wed 22-Nov-06 14:16 by builders
System image file is "disk0:/asa722-k8.bin"
Config file at boot was "startup-config"
ASA up 22 days 3 hours
Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz

ASA# sh module 1
Mod Card Type                 Model            Serial No.
  1 ASA5500 SSM-10            ASA-SSM-10       B155670DW4

Mod MAC Add Range       Hw Ver.   Fw Ver.     Sw Ver.
  1 00xx to 001         1.0       1.0(10)0    5.0(2)S152.0

Mod SSM Apps. Name      Status    SSM Apps Version
  1 IPS                 Up        5.0(2)S152.0

Mod Status              Data Plane Status    Compatibility
  1 Up                  Up -
How to generate license for AIP-SSM without PAK-number?
Hello! I'm sorry for my English. I have a problem with generating a license for the AIP-SSM. My contract with SMARTnet service is activated, but I don't have a PAK number. How can I generate a license for updating my module?
Alternatively you can always write an email to [email protected] with your serial number and they should be able to provide you with the license for any Cisco device.
Sachin