ASA IPS/ASA-SSM-10 Password Lost

Similar Messages

• Evet Store on IPS ASA-SSM-10

  Hi Guys.
  I'm trying to find out the size of the evnet store for the IPS ASA-SSM-10 and if it's possible to configure how it will be overwritten.
  I can't find any information about it.
  Does anyone konw anything?
  Best Regards

  Ernesto
  I found this in the configuration manual for the IPS:
  The following password recovery options exist:
  ?If another Administrator account exists, the other Administrator can change the password.
  ?If a Service account exists, you can log in to the service account and switch to user root using the command su - root. Use the password command to change the CLI Administrator account's password. For example, if the Administrator username is "adminu," the command is password adminu. You are prompted to enter the new password twice. For more information, see Creating the Service Account.
  You can reimage the sensor using either the recovery partition or a system image file.
  If you want to see more detail here is the URL:
  http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055dfcd.html
  HTH
  Rick

• IPS(ASA moduel) signature upgrade cause users lost connectivity to outside

  Hi All:
  need you adivse.
  i have two ASA running A/S mode, both ASA have ASA-SSM-AIP-20-K9 inside with fail-open option and identical configuration
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin:0in;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:宋体;
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  Any time i upgrade IPS signature/OS, users will experience around 1 minute downtime to outside.
  Is this a correct behavior?
  Thanks

  Jason;
    That is not expected behavior for signature updates.  On the AIP-SSM's configuration, have you changed the bypass mode to off?
    For software upgrades, which require the AIP-SSM to reboot, a failover of the ASA is expected if you have not disabled the IPS inspection service policy prior to performing the upgrade.
  Scott

• IPS Signature DataBase - ASA IPS/IOS IPS/IPS 42xx/AIP-SSM

  Hi,
  Can anyone briefly tell me the signature database details (No of Signature) among the following devices,
  -->ASA IPS/IOS IPS/IPS 42xx/AIP-SSM.
  Thanks,

  IPS on ASA/PIX = just 50 or so common signatures
  AIP-SSM module = same signatures as Cisco 4200 series sensors. Little minor differences exist (like IPv6 signature support etc.)
  Please rate if helpful.
  Regards
  Farrukh

• Cisco ASA IPS SSM-10

  Hello,
  I just upgraded one of my Cisco ASA IPS SSM-10 from version 7.0 (6) E4 to version 7.0 (7) E4 and the Radius authentication stopped working. I use Microsoft 2008 Radius and I still have 10 more of these working with version 7.0 (6) E4.
  I used to have the same Radius authentication issue with version 6 until we upgraded to ver 7.0 (6) E4 and this latest version screwed up again.
  Does anyone know if there is a Radius authentication bug in this latest version 7.0 (7) E4?
  Thank you
  Si

  There is a known issue CSCty46104. However a show-tech log can give more details as to why there was a failure in your case.
  Regards
  Sawan Gupta

• Cisco ASA IPS vs Bruteforce

  Who can help me, I need device that will block bruteforce attack to our webmail servers, 5 wrong password input = block for 10 min, for example.
  Can I use for this Cisco ASA IPS?

  Depending on how your specific webmail server works, perhaps you could use/tune:
  SIG 6256.0 (HTTP Authorization Failure)
  -or-
  SIG 20020.0 (HTTP Authentication Brute Force Attempt)
  Or, create a custom signature based off of one of the above.

• Websockets TCP RST through ASA+IPS and ACE

  Hello,
  We recently deployed a new websockets project within our existing web infrastructure. The websockets traffic (as all the rest of normal web traffic) is crossing an ASA + IPS module  where I do NAT and and then is forwarded to an ACE load balancer where two real server are configured in the server farm in active/standby mode (not load balancing) due the websockets nature. Everything seems to work fine but sometimes (once every 4 days or so) and based upon the server logs a TCP Reset gets the application server and bring down the whole application.
  It's clear that this application as a bug but I would like to avoid that TCP reset as a workaround while application team fix the ibug as the go-live is soon. Anybody faced this issue and can help me to find where that supposed TCP reset comes from? I didn't get IPS alerts.
  Server log:
  "Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.    at System.Net.Sockets.NetworkStream.EndRead(IAsyncResult asyncResult)"
  Thanks,
  Miquel

  Hi Miquel,
  A packet capture on the server shall show the origin of TCP RST. If you are natting the source traffic then take front end pcaps at front end of firewall as well as at backend and similarly for ACE, to see what is the origin of TCP RST. Normally, it should be from client if it is received on the server. LB's just forward the traffic to the server but it depends and it could be loadbalancer resetting the connection. But we don't have any details to be sure. So packet captures would be our best friend here.
  Regards,
  Kanwal
  Note: Please mark answers if they are helpful.

• Need help with LAN Architecture - ASA/IPS, and ISR placement

  Dear friends, I am new to Cisco community, had no previous experience with managed networks and desperately need an advice setting up a LAN for my small business. Here is what I did so far:
  ASA w IPS is facing internet, has a webserver connected to DMZ and then ISR on the inside interface. ISR is used for running CCME/CUE VOIP and VLAN NAT. Switch is connected to the ISR with a trunk interface. I setup multiple VLANs with ACL to separate engineering/management/sales/fileserver. Inter VLAN routing is enabled on the switch to allow Gigabit routing from the Fileserver VLAN to the Engineering VLAN.
  I know this is probably overkill for a 4 people company, but my objective is to be ready for possible attacks form both outside and inside and to ensure business continuity and minimal service interruptions.
  My question, would it be more practical to connect ASA directly to the switch and do VLAN NAT on the ASA instead of the router? This way if router fails, I loose VOIP but not Internet and if ASA fails, I only loose internet, while phones will stay operational. This approach should also let me use ASA IPS to monitor inter VLAN traffic, so if 1 of the user PCs gets infected, hopefully IPS will contain the damage to a single VLAN.
  What would experienced network architect do in my case? Any suggestions?
  Please, forgive me if I misunderstood something or did something silly, as this is my first network setup (not including household grade routers)
  Thank you very much in advance!

  Thank you for your response!
  I still keep debating if it has any advantages to use a Router in between ASA and the switch, or should I connect switch directly to
  ASA, so the only function of the router is to run VOIP?
  I saw multiple network diagrams which all had a border router, then ASA then switches. In my case router runs VOIP and I would want it to be behind ASA. Any benefits of running internet traffic through both ASA and a router?
  For redundancy, we can’t really afford 2nd ASA at this time, for now I would want to make sure there is as little chance as possible that both phones and internet go out simultaneously. 

• CSM / ASA IPS -- upstream signature package includes hundreds of retired signatures

  CSM / ASA IPS -- upstream signature package includes hundreds of retired signatures
  When I push new signatures that CSM downloads and applies for me, I get hundreds of retired signatures.  I have tried to wipe signature policy and create fresh and anew - it seems as if CSM isn't marking 'new' signatures for application to existing signature configuration files.  The deltas betwen previous versions do not get applied.
  Is this a common occurance for other people running CSM?

  Hi JP,
  The signatures need to be enabled and unretired for them to function.
  The following FAQ described this process in detail:
  http://www.cisco.com/web/about/security/intelligence/ips_sig_faq.html#2
  Hope this is helpful.
  Regards
  Neil Archibald
  IPS Signature Development Team

• CSM to update IPS AIP -SSM

  Hi all,
  I need some help. I am configuring my CSM 3.1 to apply update on my IPS AIP-SSM.
  I went to the apply IPS Tab and choose to update from cisco.com. But it is always like processing for a long time.
  I tried to enter my username and password for the sensors or the CCO account but still no improvement. Does anyone knows how to configure this. I tried reading the user guide there is no examples.
  Thanks

  The IPS-engine-E2-req-5.1-7.pkg Engine Update file is just to upgrade an existing 5.1(7)E1 sensor to 5.1(7)E2.
  It only changes the "engine" features of the sensor that are necessary for installing signature updates requiring E2. It does not change other files on the sensor.
  The IPS-K9-5.1-8-E2.pkg Service Pack file is for upgrading the entire image to the next service pack level as well as upgrading the "engine" features. So you get all of the latest bug fixes.
  So which to use?
  If you are running 5.1(7)E1 then you will eventually want to get to 5.1(8)E2. But the upgrade to 5.1(8)E2 WILL require a reboot and so if running in an inline mode it should only be done during a scheduled network downtime. For most networks this could be a week or even a month before the downtime can be scheduled to do this type of upgrade. So the IPS-engine-E2-5.1-7.pkg file is a short term solution to get you to the E2 level required for signature updates, until you can schedule the upgrade to 5.1(8)E2.
  The IPS-engine... file will NOT reboot the sensor. It will temporarilly stop analysis and if Software ByPass is set to auto then traffic will be allowed to pass through the sensor unanalyzed while the engine update takes place. Because the traffic will continue to flow with Software ByPass most companies will allow an Engine update to be installed without having to schedule network downtime.
  Of course, the above discussion was really only applicable when E2 was the latest Engine release. Now that E3 is out, the discussion really becomes how to get to E3.
  There is Not an IPS-engine-E3-req-5.1-7.pkg engine update file.
  So you must get to 5.1(8)E3 if you want to keep getting recent signature updates.
  So then it just depends on your current IPS version.
  If you are running 5.1(7)E2 or earlier version then you must schedule a downtime and install the IPS-K9-5.1-8-E3.pkg file in order to install the latest E3 required signature updates.
  If you are running 5.1(8)E2 already, then you need to install the IPS-engine-E3-req-5.1-8.pkg file because the only thing needing to be upgraded is the Engine level to E3.
  General Rules of Thumb:
  Always ensure you are at the latest Service Pack level for the major/minor version train you are using. (5.1(8) in this case)
  If you are running the latest Service Pack then you will be able to simply install an Engine Update when the next Engine Update comes out without having to schedule downtime.
  If you are not at the latest Service Pack level then you will want to schedule a network downtime to do that upgrade within 60 days of the Service Pack being released.
  If an Engine Update comes out before you get a chance to upgrade to the next Service Pack, then install the Engine Update for the prior Service Pack (that you should at least be at) as a temporary measure to keep getting signature updates. And schedule a Service Pack upgrade as soon as possible.
  Why 60 days?
  If a new Engine Update is released within 60 of a Service Pack release, then the Engine Update will be released for both the latest Service Pack AND the one prior. But if the new Engine Update is longer than 60 days after the latest Service Pack, then an Engine Update will be created only for the latest Service Pack and not for the prior. This is why E3 was only released for 5.1(8). E3 was released more than 60 days after 5.1(8) so there was not an E3 for the prior 5.1(7).
  So you see that an Engine Update for a prior Service Pack should be considered a temporary measure until you can get the next Service Pack installed.
  If you wait too long another Engine Update might come out, and you might be forced into an immediate network downtime to get to the latest Service Pack.
  As for do you HAVE to install IPS-engine-E2-req-5.1-7.pkg before installing IPS-K9-5.1-8-E2.pkg (or more importantly IPS-K9-5.1-8-E3.pkg).
  The answer is NO.
  You can go directly from any 5.0 or 5.1 version directly to IPS-K9-5.1-8-E3.pkg.

• Activating IPS AIP-SSM

  Hello Everyone,
  Some time ago we purchase a couple of ASA5510s with the IPS aip-ssm modules in them. I got them installed and got the vpns running, but never activated the IPS module on them.
  I am getting ready to get the IPS modules going. But, don't I need some time of subscription so that the IPS module can download signature updates?
  Does anyone know what the part number on that subscription is? I am seeing listings for "content security plus" licenses, but I think that is something different. I am also seeing licenses for Botnet traffic filter licenses. But, again, I am not sure if that's the right one.
  Thanks,
  Ben

  You will need a subscription license in order to take advantage of signature and Global Correlation updates. The official name for this license is "Cisco Services for IPS".  Take a look at the following Q&A doc which covers some of the part numbers.
  http://www.cisco.com/en/US/services/ps2827/ps6076/services_qa0900aecd8022e962.pdf

• Why my IPS - aip-ssm send requests to 80.53.146.82 port 80

  I have a web proxy ..tunnel filters...and AIP-SSM....inside of the network...i configure host service, network setting and hhtp-proxy to use my proxy when updating global corelation ...
  On proxy I allow hhtps to 204.15.82.17 ---ironport service.
  In proxy log I see that https to 204.15.82.17 is allowed and after that ips try to sending http packets to 80.53.146.82 -----I SEE in the RIPE that is AKAMAI technologies IP..address.
  What is this?
  Why my IPS - aip-ssm send requests to 80.53.146.82 port 80

  This is the new 7.x Global Correlation feature, and it is documented here:
  http://www.cisco.com/en/US/docs/security/ips/7.0/release/notes/18483_01.html#wp1161779
  http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_collaboration.html
  AFAIK, you can turn off this feature as per your discretion. Cisco has adapted the Ironport senderbase technology to their IPS as well. Its a pretty interesting feature, I hope it becomes as successful as the one for mail traffic.
  Please rate if helpful.
  Regards
  Farrukh

• I search my password lost in the aol mail

  dear friends, I ask how to recover my password lost in AOL mail. because I tried the Keychain iCloud and I changed  it with suggest .. Keychain

  Locked Out, Forgot Lock or Restrictions Passcode, or Need to Restore Your Device: Several Alternative Solutions
  1. iOS- Forgotten passcode or device disabled after entering wrong passcode
  2. iPhone, iPad, iPod touch: Wrong passcode results in red disabled screen
  3. Restoring iPod touch after forgotten passcode
  4. What to Do If You've Forgotten Your iPhone's Passcode
  5. iOS- Understanding passcodes
  6. iTunes 10 for Mac- Update and restore software on iPod, iPhone, or iPad
  Forgotten Restrictions Passcode Help
  You will need to restore your device as New to remove a Restrictions passcode. Go through the normal process to restore your device, but when you see the options to restore as New or from a backup, be sure to choose New.
  Also, see iTunes- Restoring iOS software.

• Monitor Inspection Load IPS ASA-SSM-20

  All,
    I am aware there is a feature request but don't see any updates.  Taking the chance here that its fallen through the cracks and someone has figured out another way to monitor inspection load on ASA-SSM-20 IPS.  We are currently running 7.0(5a)E4.  I want to be able to use Solarwinds Orion to monitor Inspection Load on our IPS devices.  Does anyone know if that is yet possible...if so how?
  Thanks!

  Bump +1

• Cisco IPS ASA SSM-10

  I am using an ASA SSM-10 IPS. Currently it keeps logging those event of alerts.
  Where does the IPS keeps all those event logs? In the disk space?
  Where can i see how much space i left?
  Will it went down if the space is full?

  This is from the post I linked earlier, and you don't have to worry the sensor will definitely not go 'down', the event-log data structure is circular and is over-written every time it is full.
  "The eventStore size starting at version 5.0(1) is a fixed 30 Meg. Its a *circular* eventStore that is intended to wrap (new events overwriting oldest events). The usual sensor deployment includes some sort of remote event monitor application (like IEV,IME etc.) that pulls events from the sensor. The eventStore acts as a buffer to allow the remote monitoring app to keep up with busy sensors. If your eventStore wraps every few hours then the monitoring app should be able to keep up with all the events being generated. The concern would be if the eventStore continuously wrapped in less than 10 or 15 minutes. At that point you may be loosing events and would need to tune the sensor signature config to only alarm on meaningful events."
  I'm assuming since the event-store is only 30 MB, its a 'part' of one of the following parititions:
  application-data OR application-log
  Most probably the first one.
  Regards
  Farrukh