AIP-SSM module hung

I have recently configured my AIP-SSM-20 module in my firewalls (ASA 5540), which are configured in HA (Active/Standby). I did this implementation on 13th June. It was working fine.
Now, I have observed that the AIP-SSM-20 module in the primary firewall has gone into an unresponsive state.
Below is the output of the show module and show failover commands.
FW1-5540# sh module
Mod Card Type                                    Model              Serial No.
  0 ASA 5540 Adaptive Security Appliance         ASA5540            JMX1234L11F
  1 ASA 5500 Series Security Services Module-20  ASA-SSM-20         JAF1341ADPS
Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
  0 0021.d871.77ab to 0021.d871.77af  2.0          1.0(11)4     8.0(3)6
  1 0023.ebf6.11ce to 0023.ebf6.11ce  1.0          1.0(11)5     6.2(2)E4
Mod SSM Application Name           Status           SSM Application Version
  1 IPS                            Not Applicable   6.2(2)E4
Mod Status             Data Plane Status     Compatibility
  0 Up Sys             Not Applicable
  1 Unresponsive       Not Applicable
FW1-5540# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Version: Ours 8.0(3)6, Mate 8.0(3)6
Last Failover at: 09:06:14 UTC Jun 15 2010
        This host:
                This host: Primary - Failed
                Active time: 191436 (sec)
                slot 0: ASA5540 hw/sw rev (2.0/8.0(3)6) status (Up Sys)
                  Interface DMZ_LAN (10.192.153.13): Normal (Waiting)
                  Interface INTRANET (10.192.154.13): Normal (Waiting)
                  Interface management (0.0.0.0): Link Down (Waiting)
                slot 1: ASA-SSM-20 hw/sw rev (1.0/6.2(2)E4) status (Unresponsive/Down)
                  IPS, 6.2(2)E4, Not Applicable
        Other host: Secondary - Active
                Active time: 192692 (sec)
                slot 0: ASA5540 hw/sw rev (2.0/8.0(3)6) status (Up Sys)
                  Interface DMZ_LAN (10.192.153.5): Unknown (Waiting)
                  Interface INTRANET (10.192.154.5): Unknown (Waiting)
                  Interface management (0.0.0.0): Unknown (Waiting)
                slot 1: ASA-SSM-20 hw/sw rev (1.0/7.0(2)E4) status (Up/Up)
                  IPS, 7.0(2)E4, Up
Stateful Failover Logical Update Statistics
        Link : Unconfigured.
I have tried using the
hw-module module 1 reset
to reset the IPS module but the status is always unresponsive.
It's a production environment where I cannot experiment much. Need help to rectify the problem.
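
A check over the `show failover` output quoted above, as an added example that is not part of the original post: it parses the per-unit slot lines, flags any module whose status is not Up, and reports where the two units' modules differ in model or software version. The function names are hypothetical, and treating a status that begins with "Up" as healthy is an assumption taken from the values shown in the post.

```python
import re

# Excerpt of the `show failover` output quoted in the post above
# (indentation simplified; interface lines omitted).
SAMPLE = """\
This host: Primary - Failed
  slot 0: ASA5540 hw/sw rev (2.0/8.0(3)6) status (Up Sys)
  slot 1: ASA-SSM-20 hw/sw rev (1.0/6.2(2)E4) status (Unresponsive/Down)
    IPS, 6.2(2)E4, Not Applicable
Other host: Secondary - Active
  slot 0: ASA5540 hw/sw rev (2.0/8.0(3)6) status (Up Sys)
  slot 1: ASA-SSM-20 hw/sw rev (1.0/7.0(2)E4) status (Up/Up)
    IPS, 7.0(2)E4, Up
"""

HOST_RE = re.compile(r"^\s*(?:This|Other) host:\s*(\w+)\s*-\s*(.+?)\s*$")
SLOT_RE = re.compile(
    r"^\s*slot (\d+):\s*(\S+) hw/sw rev \(([^/]+)/(.+)\) status \((.+)\)\s*$")


def parse_failover(text):
    """Return one dict per unit: role, state and a {slot: info} map."""
    units = []
    for line in text.splitlines():
        host = HOST_RE.match(line)
        if host:
            units.append({"role": host.group(1), "state": host.group(2), "slots": {}})
            continue
        slot = SLOT_RE.match(line)
        if slot and units:  # slot lines belong to the most recent host line
            num, model, hw, sw, status = slot.groups()
            units[-1]["slots"][int(num)] = {
                "model": model, "hw": hw, "sw": sw, "status": status}
    return units


def findings(units):
    """Flag modules that are not Up and peers whose model or software differ."""
    out = []
    for unit in units:
        for num, info in sorted(unit["slots"].items()):
            # Assumption: a healthy slot status begins with "Up", as in the
            # "Up Sys" and "Up/Up" values shown in the post.
            if not info["status"].startswith("Up"):
                out.append(f"{unit['role']} slot {num} ({info['model']}): "
                           f"status {info['status']}")
    if len(units) == 2:
        a, b = units
        for num in sorted(set(a["slots"]) & set(b["slots"])):
            for field in ("model", "sw"):
                va, vb = a["slots"][num][field], b["slots"][num][field]
                if va != vb:
                    out.append(f"slot {num}: {field} differs "
                               f"{a['role']}={va} {b['role']}={vb}")
    return out


if __name__ == "__main__":
    for finding in findings(parse_failover(SAMPLE)):
        print(finding)
```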

Hi Scott, 
I have almost the same problem as sbgcsd at my customer. I'm deploying two ASA-5512 in a failover configuration. One day, after almost 2 months of testing the project in a lab, when we installed it in the customer's datacenter, the systems presented the following errors:
  ciscoasa2(config)# failover
        Detected an Active mate
  ciscoasa2# Mate NOT PRESENT card in slot 1 is different from mine IPS5512
I tried to discover what had happened with the IPS module, then I saw the error in the IPS status: "Unresponsive".
  ciscoasa2# sh module ips
  Mod  Card Type                                    Model              Serial No.
   ips Unknown                                      N/A                FCH1712J7UL
  Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
   ips 7cad.746f.8796 to 7cad.746f.8796  N/A          N/A 
  Mod  SSM Application Name           Status           SSM Application Version
   ips Unknown                        No Image Present Not Applicable  
  Mod  Status             Data Plane Status     Compatibility
   ips Unresponsive       Not Applicable 
  Mod  License Name   License Status  Time Remaining
   ips IPS Module     Disabled        perpetual
According to the Cisco forums I tried "Reloading, Shutting Down, Resetting, and Recovering AIP-SSM" (*) using the "hw-module module " command. But unfortunately the ASA didn't accept this command. See below:
  ciscoasa2# hw-module module 1 reload
             ^
  ERROR: % Invalid input detected at '^' marker
What happened with this command (hw-module)? Maybe it is a problem in the software version? When I entered the "sh flash" command I saw that there wasn't any software for the AIP-SSM module:
  ciscoasa2# sh flash
  --#--  --length--  -----date/time------  path
   11  4096        Sep 12 2013 13:56:54  log
   21  4096        Sep 12 2013 13:57:10  crypto_archive
  100  0           Sep 12 2013 13:57:10  nat_ident_migrate
   22  4096        Sep 12 2013 13:57:10  coredumpinfo
   23  59          Sep 12 2013 13:57:10  coredumpinfo/coredump.cfg
  101  34523136    Sep 12 2013 14:00:14  asa861-2-smp-k8.bin
  102  17851400    Sep 12 2013 14:04:36  asdm-66114.bin
  103  38191104    Apr 24 2014 12:59:58  asa912-smp-k8.bin
  104  6867        Apr 24 2014 13:01:20  startup-config-jcl.txt
  105  24095116    Jun 17 2014 14:54:14  asdm-721.bi
But the other ASA (#1) has the image:
ciscoasa1# sh flash
--#--  --length--  -----date/time------  path
   11  4096        Sep 10 2013 06:42:56  log
   21  4096        Apr 17 2014 03:13:12  crypto_archive
  123  5276864     Apr 17 2014 03:13:12  crypto_archive/crypto_eng0_arch_1.bin
  110  0           Sep 10 2013 06:43:12  nat_ident_migrate
   22  4096        Sep 10 2013 06:43:12  coredumpinfo
   23  59          Sep 10 2013 06:43:12  coredumpinfo/coredump.cfg
  111  34523136    Sep 10 2013 06:44:24  asa861-2-smp-k8.bin
  112  42637312    Sep 10 2013 06:45:46  IPS-SSP_5512-K9-sys-1.1-a-7.1-4-E4.aip <===
But I am not sure if this image is really the right image for the AIP-SSM in ASA#2. Anyway, I copied it (through a simple TFTP server) from ASA#1 to ASA#2, but after this, the same problem remained!
Because I didn't apply the failover condition to the system.
What can I do now?
Thank you very much in advance.
Leonardo_Melo.(CCAI-JCL-Brazil).

Similar Messages

  • Do I need two AIP-SSM modules if I am configuring failover?

    Is it possible to use a single AIP-SSM module in two ASA's that are configured in Active/Standby mode?
    I would like to configure the module in the first ASA with the fail-open setting.  Then, if the first ASA fails, I could then physically remove the AIP-SSM module and place it in the second ASA.
    Would there be any problems configuring it this way?
    Would the active/standby ASA's complain that there is only one AIP-SSM module?
    Thanks in advance.

    Hello Julio. My name is Rogelio, and I would appreciate your answer on a related matter, because I will have to execute the initial configuration of a failover pair, each one with its own IPS module.
    Question: let's suppose that I execute a basic setup (admin username/password, IP address, mask, gateway) on the IPS module of the active ASA firewall. Will this configuration be replicated to the IPS module of the secondary unit?
    Your kind answer will be greatly appreciated.
    Best regards...

  • Is there any architectural difference between CSC-SSM and AIP-SSM modules

    Hello security gurus!
    I'm wondering if there's any chance to make Content security module (CSC-SSM) work as IPS (AIP-SSM). It seems to me they are absolutely identical in terms of hardware. Is there any chance to make CSC-SSM boot with the flash from AIP-SSM and have the ASA recognize it as an IPS module ?
    Eugene

    Zheka,
    This is not recommended and you will lose support. These are different devices designed for different purposes, and you will also have issues with the license. I have seen it once, and the customer did it by mistake; the module eventually crashed and we had to add the proper image.
    Regards,
    Felipe.

  • IPS Manager Exp 7.0.3 fails to connect to AIP-SSM module

    Hi, I am trying to connect to my IPS module nested in a Cisco ASA 5540 appliance. Yesterday I was able to connect and do my configurations, but when running the IME today I didn't find my sensor module in the devices list, so I tried adding it again and it gives an error. The IME system logs are:
    2010-07-22 09:29:30,092 [j_] WARN - addSource() source exists
    2010-07-22 09:29:30,092 [ty] ERROR - 1
    2010-07-22 09:32:06,775 [j_] WARN - addSource() source exists
    2010-07-22 09:32:06,775 [ty] ERROR - 1
    2010-07-22 09:33:47,753 [j_] WARN - addSource() source exists
    2010-07-22 09:33:47,753 [ty] ERROR - 1
    2010-07-22 09:45:16,887 [j_] WARN - addSource() source exists
    2010-07-22 09:45:16,887 [ty] ERROR - 1
    Kindly assist on how to overcome this.
    Jerry.

    It's OK guys, silly Windows issues, I had to run the application as an administrator!

  • Remote Connectivity Issues to AIP-SSM-10

    Hi,
    I have an ASA-5520 with an AIP-SSM module in it. I have done the basic "setup" on the module and assigned it an IP address. I am using IME to connect to the IPS module. The ASA-IPS is at a remote location and has a private IP address. I have a Linux server in the same subnet as the IPS IP address. I am connecting to that server remotely through SSH and doing port forwarding to connect to the IPS IP address. When I start IME and connect to the locally forwarded port it connects to my IPS module perfectly fine. Please see the attached screen capture "IME_IPS_Error-1.gif" and the column where it says "event status : connected". So far so good. Now I click on the "configuration" tab and I get an error; please see "IME_IPS_Error-2.gif" for the error detail. Can anyone send me some pointers to resolve this issue?
    Thanks

    I was able to resolve the issue. Earlier (when I had trouble) I was doing port forwarding as localhost:10031=>IPS:443 and IME was connecting to localhost:10031. So I was getting to the IPS/IME home page and the device status was connected, but when I clicked on the "Configuration" tab I got an error.
    To resolve the issue I did the port forwarding as follows:
    127.0.0.102:443=>IPS:443 and then IME was connecting to 127.0.0.102:443 and everything worked fine. Looks like earlier when I clicked on "Configuration" it tried/redirected to connect to localhost:443 instead of localhost:10031. I have attached the network diagram and the screen captures of the resolution.

  • SSM MODULES and Mars events and local?

    Is it possible to set up an AIP-SSM module to log event alerts to its local cache as well as the MARS Appliance? I say this because I ran some tests for alerts and never see them on the IPS module itself, but I do see them on the MARS Appliance correctly! I don't know what setting would need to be changed to make sure that the event alerts are logged to the local IPS itself. Or is this even possible?
    Does anyone know how to make it log locally and to the MARS Appliance?
    Thanks,

    Make sure Bypass mode is not enabled on the IPS module. Another workaround for this issue is to reload the Advanced Inspection and Prevention Security Services Module (AIP-SSM) IPS module with the hw-module module 1 reload command, and tune any noisy signatures in order to lighten the sensor load.

  • AIP SSM

    Hello Friends,
    Please see the attached.
    I have 2 AIP-SSM modules in 2 ASA boxes. The version of one IPS is 7.0(2)E4 and the other is 6.2(1)E3. I want to upgrade the 6.2 to 7.0.2, but on the Cisco website there is no such download option for 7.0(2) or 7.0(4) system software.
    I have a valid IPS contract with Cisco but still I can't see any option to download version 7.0.
    Thanks

    You are looking at the wrong download site, that is for IPS SSC-5 on ASA 5505.
    Here is the download site for AIP-SSM module:
    http://www.cisco.com/cisco/software/release.html?mdfid=280302728&flowid=4427&softwareid=282549759&release=7.0%284%29E4&rellifecycle=&relind=AVAILABLE&reltype=latest
    (The latest is 7.0.4(E4))
    Here is the ReadMe on the platform that is supported and AIP module on ASA uses the same file "IPS-K9-7.0-4-E4.pkg":
    http://www.cisco.com/web/software/282549709/35783/IPS-7_0-4-E4_readme.txt
    Hope this helps.

  • IPS Signature DataBase - ASA IPS/IOS IPS/IPS 42xx/AIP-SSM

    Hi,
    Can anyone briefly tell me the signature database details (No of Signature) among the following devices,
    -->ASA IPS/IOS IPS/IPS 42xx/AIP-SSM.
    Thanks,

    IPS on ASA/PIX = just 50 or so common signatures
    AIP-SSM module = same signatures as Cisco 4200 series sensors. Little minor differences exist (like IPv6 signature support etc.)
    Please rate if helpful.
    Regards
    Farrukh

  • Activating IPS AIP-SSM

    Hello Everyone,
    Some time ago we purchased a couple of ASA5510s with the IPS AIP-SSM modules in them. I got them installed and got the VPNs running, but never activated the IPS module on them.
    I am getting ready to get the IPS modules going. But don't I need some type of subscription so that the IPS module can download signature updates?
    Does anyone know what the part number on that subscription is? I am seeing listings for "content security plus" licenses, but I think that is something different. I am also seeing licenses for Botnet traffic filter licenses. But, again, I am not sure if that's the right one.
    Thanks,
    Ben

    You will need a subscription license in order to take advantage of signature and Global Correlation updates. The official name for this license is "Cisco Services for IPS".  Take a look at the following Q&A doc which covers some of the part numbers.
    http://www.cisco.com/en/US/services/ps2827/ps6076/services_qa0900aecd8022e962.pdf

  • Customizing signatures question on AIP-SSM

    Hi all
    Actually, our customer has an AIP-SSM module which is configured in inline mode. Some users appear as attackers in the IPS event store.
    Can I deny any unwanted connection for these users without affecting the legitimate connections of these users, like internet browsing?
    I tried to set the signature action to "deny connection inline", but when the signature fires, the user who has appeared as an attacker is totally blocked and cannot access the internet.
    Has anyone faced this issue?
    Please advise.
    regards

    Hi Mohammed.
    Right now I'm preparing for the IPS exam, and I have read somewhere that:
    "deny connection inline" will stop the connection totally. But if the same user (IP address) has many "deny connection inline", the IPS will say that there is a problem with this PC, and I'll not lose resources and time to block each connection, and the IPS sensor will block the host.
    You can tune the signature to solve this issue, but this will not solve the main problem.
    But as Andy said, there is a sweep attack from these PCs. Try to scan them with anti-virus and anti-worm tools, because they are the source of this issue.
    Sweep is a "Network Reconnaissance Attack". Please take a look at this link for more information:
    http://www.cisco.com/en/US/docs/security/ips/5.1/configuration/guide/cli/cliSgEng.html#wp1048257
    I hope this is helpful.
    Best regards
    Reda

  • Changing time on AIP SSM 10 module.

    How can I change the sensor's time manually on my AIP-SSM-10 module installed in the ASA 5520 device?
    I tried the clock set command but apparently it's not supported on the AIP-SSM-10 module.
    The ASA has the correct time but the IPS does not...
    any ideas ??
    thanks..
    zaid

    You can find the complete configuration guide for the AIP-SSM-10 in the URL posted below. The configuration of the time-settings is explained in the following chapter: 'Initial Tasks > Configuring Time'.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df9a.html#wp1035238
    Please rate if the post is useful!
    Regards,
    Michael

  • Cisco IPS 4240 VS Cisco ASA AIP SSM-10 Module

    I'm looking to replace another vendor's IPS system we have at our company. We do have an ASA 5510 in our environment currently.
    Considering I don't need the extra bandwidth of the IPS 4240 series and the AIP SSM-10 requires an ASA 5510 what are the differences?

    Operationally the AIP-SSM1 and the 4240 run the same software, so they work pretty much the same.
    The AIP-SSM inside the ASA is a less expensive alternative, but because it sits inside an ASA there is more to configure and manage (the ASA plus the sensor). The ASA also has some built-in inspections that may filter some traffic/attacks from being seen at the AIP-SSM sensor.
    - Bob

  • Single AIP-SSM in Cisco ASA Failover Active / Standby Mode

    Hi,
    Can I add a single AIP-SSM on a Cisco ASA in failover active / standby mode?

    No, both units need the same hardware, that includes the installed modules.
    Sent from Cisco Technical Support iPad App

  • Password Reset for AIP-SSM 10

    Hi,
    I have an ASA5520 with v7.2(2) running,
    but the IPS module software is 5.1.
    When I tried to log in to the > session 1
    it prompts me for a login and password.
    I tried cisco and a few other combinations, but no luck.
    How do I reset it? Also, that reset procedure in the docs says it resets the password for the user cisco.
    How can I be sure if the user cisco even exists on it or not?
    Any help please?

    No man, it doesn't.
    The link you specified says it too:
    hw-module module slot_number password-reset: This command recovers a password on a Cisco ASA 5500 Series Content Security and Control Security Services Module (CSC-SSM) or the AIP-SSM without having to re-image the device.
    Note: This command starts support from IPS 6.0 (ASA 7.2 version) and is used to restore the Cisco CLI account password to the default cisco
    Here are my ASA and IPS details:
    ASA# sh version
    Cisco Adaptive Security Appliance Software Version 7.2(2)
    Device Manager Version 5.2(2)
    Compiled on Wed 22-Nov-06 14:16 by builders
    System image file is "disk0:/asa722-k8.bin"
    Config file at boot was "startup-config"
    ASA up 22 days 3 hours
    Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
    ASA# sh module 1
    Mod Card Type Model Serial No.
    1 ASA5500 SSM-10 ASA-SSM-10 B155670DW4
    Mod MAC Add Range Hw Ver. Fw Ver. Sw Ver.
    1 00xx to 001 1.0 1.0(10)0 5.0(2)S152.0
    Mod SSM Apps. Name Status SSM Apps Version
    1 IPS Up 5.0(2)S152.0
    Mod Status Data Plane Status Compatibility
    1 Up Up

  • How to generate license for AIP-SSM without PAK-number?

    Hello! I’m sorry for my English. I have a problem with generating a license for the AIP-SSM. My contract with SMARTnet service is activated, but I don’t have a PAK number. How can I generate a license for updating my module?

    Alternatively you can always write an email to [email protected] with your serial number and they should be able to provide you the license for any cisco device.
    Sachin
