ASA-SSM-10 7.0(5)E4 Error

Similar Messages

• Seeing errors & FIFO Overruns on the ASA-SSM-10

  Hello,
  A few of my customers are utilizing ASA-SSM-10 module running under ASA5510/20 hardware. The FW?s is part of the Failover configuration.
  The module is running in "promiscuous fail-open" mode and the class-map for the IPS is applied as global_policy with access-list monitoring all the interfaces and all protocols.
  In two independent cases, we are seeing errors on the Sensing interface GigabitEthernet0/1
  Total Receive Errors = 772089
  Total Receive FIFO Overruns = 3832
  I've already verified speed/duplex settings on the FW side and I don't see any errors that would probably be causing this behavior. The bandwidth on the all interfaces is also nowhere close to the rated 150Mbps/s inspection.
  Here is the scenario:
  Client1 - HA
  ASA 5510 Adaptive Security Appliance v7.2(2)19
  ASA 5500 Series Security Services Module-10 v5.1(6)E1
  Client2 - HA
  ASA 5520 Adaptive Security Appliance v7.2(2)10
  ASA 5500 Series Security Services Module-10 v5.1(6)E1
  Wondering if anyone has seen the behavior in their environment and what might be causing it?

  Hello Giorgi,
  Sometimes it may be server saturation, other connection problems proxy and so on. I recommend you to not put the hour for auto update to an exact time ie 2:00 PM or 1:00 AM try putting not even numbers like 9:17 or 10:41, and see if you continue getting these errors.
  Mike

• ASA-SSM-10 Signature Update Errors Messages

  Hello,
  I am getting error messages on ASA-SSM-10 IPS. It has following configuration:
  Model:   ASA-SSM-10
  Hardware version:   1.0
  Firmware version:   1.0(11)5
  Software version:   7.0(7)E4
  App. version:       7.0(7)E4
  Here are error messages:
  evError: eventId=1334244240891143986  vendor=Cisco  severity=error  
    originator:  
      hostId: sensor 
      appName: mainApp 
      appInstanceId: 357 
    errorMessage: No installable auto update package found on server  name=errSystemError 
  evError: eventId=1334244240891141857  vendor=Cisco  severity=error 
    originator:  
      hostId: sensor 
      appName: mainApp 
      appInstanceId: 357 
    errorMessage: could not parse cisco-locator-server response  name=errSystemError 
  evError: eventId=1334244240891142089  vendor=Cisco  severity=error 
    originator:  
      hostId: sensor 
      appName: collaborationApp 
      appInstanceId: 489 
    errorMessage: A global correlation update failed: Receive HTTP response failed [3,212]
  Messages, like this one, in the category - Reputation update failure - were logged 1 times in the last 105245 seconds.  name=errUnclassified 
  evError: eventId=1334244240891141325  vendor=Cisco  severity=error 
    originator:  
      hostId: sensor 
      appName: mainApp 
      appInstanceId: 357 
    errorMessage: could not parse cisco-locator-server response  name=errSystemError 
  Actually IPS is doing signature and Global Correlation updates, but form time to time I see  these error messages. Do you have any information what could it indicate.

  Hello Giorgi,
  Sometimes it may be server saturation, other connection problems proxy and so on. I recommend you to not put the hour for auto update to an exact time ie 2:00 PM or 1:00 AM try putting not even numbers like 9:17 or 10:41, and see if you continue getting these errors.
  Mike

• ASA SSM IPS module upgrade won't work

  Hello all,
  I'm trying to upgrade the IPS sig's on an ASA5520 with a SSM IPS module. I'm trying to upgrade the system to 5.1.1 to further upgrade the device with no luck.
  I followed these steps provided by Cisco.com:
  1. Log in to the ASA.
  2. Enter enable mode:
  asa# enable
  3. Configure the recovery settings for ASA-SSM:
  asa (enable)# hw-module module 1 recover configure
  NOTE: If you make an error in the recovery configuration, use the
  hw-module module 1 recover stop command to stop the system reimaging
  and then you can correct the configuration.
  4. Specify the TFTP URL for the system image:
  Image URL [tftp://0.0.0.0/]:
  Example:
  Image URL [tftp://0.0.0.0/]: tftp://10.20.30.40/IPS-SSM-K9-sys-1.1-a-5.1-1.img
  5. Specify the command and control interface of ASA-SSM:
  Port IP Address [0.0.0.0]:
  Example:
  Port IP Address [0.0.0.0]: 11.21.31.41
  6. Leave the VLAN ID at 0.
  VLAN ID [0]:
  7. Specify the default gateway of the ASA-SSM:
  Gateway IP Address [0.0.0.0]:
  Example:
  Gateway IP Address [0.0.0.0]: 11.22.33.44
  8. Execute the recovery:
  asa# hw-module module 1 recover boot
  9. Periodically check the recovery until it is complete.
  NOTE: The status reads "Recovery" during recovery and reads "Up" when
  reimaging is complete.
  AFter #8 it just goes back to the enable prompt. A 'sh module' lists the device as 'recover' and hangs FOREVER.... I tested the TFTP server which the new image resides on, and the TFTP is working fine. I don't see any attempts or downloads from the TFTP server for over an hour.
  I opened a Ciscop TAC on this and not receiving alot of help...
  Please help!!!:)
  Thanks
  Chris Serafin
  [email protected]

  The recovery using this method can takes upwards of 30 minutes, and in some cases even longer.
  How long have you left the SSM in the "recovery" state?
  There may be something wrong in the config you entered. when that happens the SSM can go into a continuous reboot cycle trying to do the recovery.
  Execute "debug module-boot" on the console of the ASA.
  The debug output will show you the ROMMON output of the SSM itself. (The SSM has it's own ROMMON. The recovery boot command sends the settings made during the recover configure command to the SSM's ROMMON).
  If the ROMMON is experiencing a problem in trying to download the tftp image you should now see that ROMMON error message.
  Some typical problems I have seen:
  1) Wrong IP given for the sensor.
  2) Wrong IP given for the gateway (the gateway must exist on the same network as the sensor) this problem usually happens when using a non-standard netmasked network.
  3) Not having the sensor's command and control port plugged into the right network. The external port of the SSM itself is where the IP is being applied. You need to ensure that the extenral port of the SSM is plugged into the right network for that IP.
  4) The tftp server is not reachable from the network where the sensor's command and control port is attached. Some users think that if the ASA itself can reach the tftp server that the SSM will also be able to. This is not always the case. It is best to use a tftp server on the same network as the IP provided to the SSM. Or to test the tftp server from another machine on the same network as the SSM.
  5) The file name is wrong. Check the captialization especially.
  6) The file is not in the default directory on the tftp server. If the file is in a subdirectory you will need to add that subdirectory to the URL:
  tftp://10.20.30.40/subdirectoryname/filename
  7) The tftp is timing out.
  There are 2 things that can cause this:
  a) The tftp server is remote, and it takes too long to download the file. The ROMMON does have limits on the number of retries and per packet timeouts (but they are not user configurable). Try using a tftp server local to the SSM.
  b) The switch that the SSM connects to has spanning-tree running and spanning-tree does not complete before the SSM ROMMON times out for the tftp attempt. The tftp attempt happens immediately upon ROMMON startup and link up. But with a switch the switch port may be in a "Listen" or "Learn" state for 40 seconds before the box can actually talk on the network. In some cases the tftp download attempts started as soon as link up, and may timeout even before the spanning-tree completes. To work around this configure "spanning-tree portfast" on the switchport. Spanning-tree will connect the port into the vlan immediately rather than 40 seconds later.
  If it was a config problem when configuring the recovery settings, then there is a "recover stop" command on the ASA.
  It will stop the reboot cycle from happening.
  Let the module come up with the old image.
  Then correct your "recover configure" settings, and try the "recover boot" again.
  Another alternative:
  Stop the recovery "recover stop"
  Let it boot into the old image.
  If it was a 5.0 version, then you can actually upgrade to 5.1 using the sensor's own CLI "upgrade" command. It is actually the preferred method.
  The "recover" from the ASA will wipe the box clean and load a fresh image.
  The "upgrade" from the sensor will convert your 5.0 config into a 5.1 config while installing 5.1.
  5.1 upgrade file:
  IPS-K9-min-5.1-1g.pkg
  http://www.cisco.com/cgi-bin/tablebuild.pl/ips5
  It can be applied through the sensor's CLI upgrade command, or pushed directly through IDM, or applied by CSM.
  The "recover" should be limited to disaster recovery. When you can't access the SSM at all, or the files on the SSM have been corrupted.
  For normal upgrades you want to use "upgrade" files done through the sensor itelf (CLI, IDM, or CSM).

• Will ASA-SSM-20 reload affect ASA failover?

  I have 2 ASA 5520s with an ASA-SSM-20 installed in each. The ASA-SSM-20 in the primary ASA is not working correctly:
  Error: Cannot communicate with mainApp (getVersion). Please contact your system administrator.
  Would you like to run cidDump?[no]:
  I would like to reload the module, but I don't know if that will cause the whole ASA to failover. The ASAs are running 7.2(3).
  Any thoughts?

  Thanks Brett.
  We are using stateful failover. Not all sessions get dropped, just enough Telnet and application interface links that we start getting calls and people show up at my door. This is on a new ASA5520 that normally runs <5% CPU utilization. I just checked the failover link is set to 1000FULL so there should not be any delay updated state information.
  Am I missing something in the config?
  Portcullis# sho run failover
  failover
  failover lan unit primary
  failover lan interface heartbeat GigabitEthernet0/2
  failover polltime unit 3 holdtime 9
  failover replication http
  failover link heartbeat GigabitEthernet0/2
  failover interface ip heartbeat 172.31.0.201 255.255.255.0 standby 172.31.0.202
  Portcullis# sho run interface g0/2
  interface GigabitEthernet0/2
  description LAN/STATE Failover Interface
  speed 1000
  duplex full
  Portcullis#
  -Roy-

• ErrSystemError-ct-sensorApp.463 not responding on ASA-SSM-10

  Hello,
  I got following error message when login into IPS over IDM, after error is displayed IDM is closing.
  errSystemError-ct-sensorApp.463 not responding, please check system processes
  - The connect to the specified Io::ClientPipe failed.
  SSH login works, when using CLI following health statistics are available:
  sensor# show health
  Overall Health Status                                               Red
  Health Status for Failed Applications                         Red
  Health Status for Signature Updates                         Yellow
  Health Status for License Key Expiration                   Green
  Health Status for Running in Bypass Mode                Red
  Health Status for Interfaces Being Down                   Green
  Health Status for the Inspection Load                      Green
  Health Status for the Time Since Last Event Retrieval   Green
  Health Status for the Number of Missed Packets          Green
  Health Status for the Memory Usage                      Not Enabled
  Health Status for Global Correlation                    Green
  Health Status for Network Participation                 Not Enabled
  Security Status for Virtual Sensor sensor-int    Green
  Security Status for Virtual Sensor vs0           Green
  Do you have any idea why IPS crashed ?
  ASA-SSM-10 is installed into ASA 5510.

  Hello,
  I have the sem problem since sveral days, I found the following workaround on our environement. Working since 5hours.
  Hope it helps.
  Regards.
  IDSM-2 Sensor Module - errSystemError -ct-sensorApp.XXX not responding, please check system processes - The connect to the specified Io::ClientPipe failed.
  Symptom:
  When attempting to access an IDSM-2 sensor via its GUI (IDM) or via IME (IPS Manager Express), an error such as the following is encountered:
  "errSystemError -ct-sensorApp.XXX not responding, please check system processes - The connect to the specified Io::ClientPipe failed."
  Additionally, review of the 'show version' command output indicates the AnalysisEngine (sensorApp process) to be "Not Running".
  Conditions:
  IDSM-2 sensor module running 7.0(x) software release. Global Correlation Inspection feature enabled (On). A 'show tech' command output includes a sensorApp process core containing lines similar to the following:
  cat /usr/cids/idsRoot/core/sensorApp/core.txt
  /usr/cids/idsRoot/bin/sensorApp(_ZN3Cid3Rep9RepIpData13ApplyIpUpdateEPKcPNS0_8RepScoreE+)
  Solution:
  This problem is tracked as defect CSCti79423. It can be encountered on the IDSM-2 platform when a Global Correlation Update occurs. A fix for this is currently planned for inclusion in the next 7.0 release (7.0(6)).
  In the interim, the only workaround to ensure that the sensor does not re-encounter this defect is to disable Global Correlation Inspection (Updates) as such:
  sensor# conf t
  sensor(config)# service global-correlation
  sensor(config-glo)# global-correlation-inspection off
  sensor(config-glo)# exit
  Apply Changes?[yes]: yes
  After making the above configuration change, a reboot of the affected IDSM-2 sensor module should restore it to service:
  sensor# reset

• Updating License & Signatures on ASA-SSM-10

  Hi,
  Does the same options are used to:
  updating IPS License and updating signatures on ASA-SSM-10?
  Actually i updated license file received from cisco licensing team:
  using IDM 6.0 > licensing option > update license > file location:
  and I was trying to update signatures using same options (as i dont find seprate options to update signatuers) but it gives error:
  Invalid license etc.,
  could anyone guide.
  Thank you.

  In the Update Sensor pane, you can immediately apply service pack and signature updates.
  Update Sensor Pane Field Definitions
  The following fields are found in the Update Sensor pane:
  •Update is located on a remote server and is accessible by the sensor—Lets you specify the following options:
  –URL—Identifies the type of server where the update is located. Specify whether to use FTP, HTTP, HTTPS, or SCP.
  –://—Identifies the path to the update on the remote server.
  –Username—Identifies the username corresponding to the user account on the remote server.
  –Password—Identifies the password for the user account on the remote server.
  •Update is located on this client—Lets you specify the following options:
  –Local File Path—Identifies the path to the update file on this local client.
  –Browse  Local—Opens the Browse dialog box for the file system on this local  client. From this dialog box, you can navigate to the update file.

• No AutoUpdate feature working on ASA-SSM-20

  Hi!
  Autoupdate feature is not working on ASA-SSM-20 module.
  We have configure:
  https://www.cisco.com//cgi-bin/front.x/ida/locator/locator.pl
  And/Or:
  https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
  And/Or:
  https://www.cisco.com/cgi-bin/front.x/ida/locator/locator.pl
  And/Or:
  https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
  We get this errors on the ASA-SSM-20 module:
  evError: eventId=1280563964539644086  vendor=Cisco  severity=error 
    originator:  
      hostId: sensor1 
      appName: mainApp 
      appInstanceId: 356 
    time: nov 17, 2010 08:15:45 UTC  offset=60  timeZone=GMT+01:00 
    errorMessage: AutoUpdate exception: Receive HTTP response failed [3,212]  name=errSystemError
  evError: eventId=1280563964539644079  vendor=Cisco  severity=error 
    originator:  
      hostId: sensor1 
      appName: mainApp 
      appInstanceId: 356 
    time: nov 17, 2010 08:10:02 UTC  offset=60  timeZone=GMT+01:00 
    errorMessage: http error response: 400  name=errSystemError
  Any Ideas?

  I am experiencing a similar issue currently with a new SSC-5 module.  I am working with TAC, however reposne has been slow.  I can see traffic with Wireshark for 198.133.219.25 but I never see the traffic for 198.133.219.243 that I was told to allow on the firewall.  I also found it confusing that I need to create exceptions on the firewall for outbound traffic to these two IP addresses when I do not have to make any exceptions for any other outbound traffic.
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin:0in;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin:0in;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  Here is what I see:
  IPS_Sensor# show stat host
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin:0in;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  Auto Update Statistics
     lastDirectoryReadAttempt = 09:03:09 GMT-06:00 Wed Jan 19 2011
      =   Read directory: https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
      =   Error: AutoUpdate exception: HTTP connection failed [1,110]
     lastDownloadAttempt = N/A
     lastInstallAttempt = N/A
     nextAttempt = 11:00:00 GMT-06:00 Wed Jan 19 2011 Auxilliary Processors Installed
  IPS_Sensor# show clock
  .09:24:05 GMT-06:00 Wed Jan 19 2011
  I know this thread is a few months old, but am hoping to spark an interest here.
  Thanks.

• LMS 4.0 ASA-SSM-10 Sync archive

  Hello.
  During Sync archive for ASA-SSM-10 which is installed in ASA 5505 device I received the error:
  *** Device Details for Cisco ASA IPS ***
  Protocol ==> Unknown / Not Applicable
  Selected Protocols with order ==> Telnet,SSH
  Execution Result:
  RUNNING
  CM0151 PRIMARY RUNNING Config fetch failed for Cisco ASA IPS Cause: TELNET: Failed to establish TELNET connection to 172.26.22.32 - Cause: Authentication failed on device 3 times.
  SSH: Failed to establish SSH connection to 172.26.22.32 - Cause: Authentication failed on device 3 times.
  Action: Check if protocol is supported by device and required device package is installed. Check device credentials. Increase timeout value, if required.
  The connection to this device (ASA-SSM-10) is possible with SSH protocol with Putty and with SecureCRT. What has to be change in the LMS to sucess with Sync archive and later with changing the archive with the LMS 4.0. Thank you.

  Post the show ver of the device and we can verify if its supported or not and the OID as well.

• Upgrade ASA-SSM-10 via FTP

  Hi all,
  I am trying to upgrade an ASA-SSM-10 running version 5.1 software.
  I have set up an FTP server using Serv-u and can connect to it successfully.
  When I attempt to upgrade using the following command, I get the error below.
  sensor(config)# upgrade ftp://[email protected]//IPS/IPS-K9-6.0-3-E1.pkg
  The filename IPS-K9-6.0-3-E1.pkg is not a valid upgrade file type.
  Continue with upgrade? []: yes
  Error: execUpgradeSoftware : Connect failed
  I have tried 2 FTP servers and receive the same error I have tried 4 upgrade packages and receive the same error.
  Does anyone have any advice on how to fix this issue.
  Thank you
  Greg

  Your upgrade commands look correct. http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/cli/cliImage.html#wp1243115
  I've had some problems with Serv-U in the past year or so. I had to switch to FileZilla to perform my last upgrade.
  http://filezilla-project.org/
  - Bob

• Image recovery on 5520 IDS Module (ASA-SSM-10) TFTP timeout failure

  I have an ASA 5520 with an ASA-SSM-10 module in it for IDS.  It has (from what I can tell) never been used or configured.  In fact, I only recently found that it existed!  I would like to begin using it, starting with replacing the software image with the latest (I do NOT need any configuration from it now).
  Details ...
  KCH-ASA-Primary# sh module 1 details
  Getting details from the Service Module, please wait...
  ASA 5500 Series Security Services Module-10
  Model:              ASA-SSM-10
  Hardware version:   1.0
  Serial Number:      JAF10422581
  Firmware version:   1.0(11)2
  Software version:   6.0(1)E1
  MAC Address Range:  0018.b91b.69f1 to 0018.b91b.69f1
  App. name:          IPS
  App. Status:        Up
  App. Status Desc:
  App. version:       6.0(1)E1
  Data plane Status:  Up
  Status:             Up
  Mgmt IP addr:       172.17.1.20
  Mgmt web ports:     443
  Mgmt TLS enabled:   true
  The problem that I am having is that when I set it up to pull down the new software through TFTP, it just hangs and times out.
  KCH-ASA-Primary# hw module 1 recover config
  Image URL [tftp://10.10.10.9/IPS-sig-S789-req-E4.pkg]:
  Port IP Address [172.17.1.20]:
  VLAN ID [950]:
  Gateway IP Address [172.17.1.1]:
  KCH-ASA-Primary#
  And then ...
  KCH-ASA-Primary# debug module-boot
  debug module-boot  enabled at level 1
  KCH-ASA-Primary# hw module 1 recover boot
  The module in slot 1 will be recovered.  This may
  erase all configuration and all data on that device and
  attempt to download a new image for it.
  Recover module in slot 1? [confirm]
  Recover issued for module in slot 1
  KCH-ASA-Primary# Slot-1 215> Cisco Systems ROMMON Version (1.0(11)2) #0: Thu Jan                             26 10:43:08 PST 2006
  Slot-1 216> Platform ASA-SSM-10
  Slot-1 217> GigabitEthernet0/0
  Slot-1 218> Link is UP
  Slot-1 219> MAC Address: 0018.b91b.69f1
  Slot-1 220> ROMMON Variable Settings:
  Slot-1 221>   ADDRESS=172.17.1.20
  Slot-1 222>   SERVER=10.10.10.9
  Slot-1 223>   GATEWAY=172.17.1.1
  Slot-1 224>   PORT=GigabitEthernet0/0
  Slot-1 225>   VLAN=950
  Slot-1 226>   IMAGE=IPS-sig-S789-req-E4.pkg
  Slot-1 227>   CONFIG=
  Slot-1 228>   LINKTIMEOUT=20
  Slot-1 229>   PKTTIMEOUT=4
  Slot-1 230>   RETRY=20
  Slot-1 231> tftp [email protected] via 172.17.1.1
  KCH-ASA-Primary# Slot-1 232> TFTP failure: Packet verify failed after 20 retries
  Slot-1 233> Rebooting due to Autoboot error ...
  Slot-1 234> Rebooting....
  I know that I can reach 10.10.10.9 from 172.17.1.x.  And this is the present port IP of the device.  If I do a 'session1' and ping 10.10.10.9, I get replies.  I know my TFTP is working ... I use it for all of my switches for config backups and installing new IOS.  And watching my TFTP server window, I am not seeing any connection attempts.
  What am I doing wrong here?  :-(

  Thanks for your response. As I mentioned earlier in my email, I tried 2 different images (IPS-SSC_5-K9-sys-1.1-a-6.2-2-E4.img and IPS-SSM_10-K9-sys-1.1-a-7.1-5-E4.img) without any success. Since there are no packets coming from IPS on the TFTP server, I think the problem is something else.
  When I run the "debug cplane 255" command, I see some errors mentioned below:
  asa(config)# debug cplane 255
  debug cplane  enabled at level 255
  asa(config)#
  cp_connect: Connecting to card 1, socket 3, port 7000
  cp_connect: Error - cp_connect() returned -1
  cp_check_connection: handle -1, conflicts with connection 1 (-1)
  cp_check_connection: handle -1, conflicts with connection 2 (-1)
  cp_check_connection: handle -1, conflicts with connection 3 (-1)
  cp_update_connection: Error updating connection_id 0
  Is this a hardware issue?

• Upgrading IPS strings, ASA SSM-10 module

  I am having a challenging time upgrading the ASA SSM-10 IPS module. I down loaded the IPS-sig-s327-req-e1.pkg to Win XP ftp server (my workstation). The instructions in following does not work: http://download-sj.cisco.com/cisco/ciscosecure/ips/6.x/sigup/IPS-sig-S327.readme.txt
  "error: execUpgradeSoftware : Connect failed". Any suggestion would be appreciated.

  I can connect the LAN switch directly to the inside interface of the ASA5510 firewall. Hosts can get Internet connectivity while cabled to the switch. However, when the LAN switch is connected to the port on the IPS module, there is no Internet connectivity. Any suggestions would be appreciated. The following is the sh configuration and sh int output.
  sh con_[Jfiguration
  Version 5.1(6)
  ! Current configuration last modified Sat Apr 05 12:28:11 2008
  service interface
  exit
  service analysis-engine
  virtual-sensor vs0
  physical-interface GigabitEthernet0/1
  exit
  exit
  service authentication
  exit
  service event-action-rules rules0
  exit
  service host
  network-settings
  host-ip 192.168.1.36/24,192.168.1.10
  host-name ips
  telnet-option enabled
  --MORE--
  access-list 0.0.0.0/0
  exit
  time-zone-settings
  offset 0
  standard-time-zone-name UTC
  exit
  exit
  service logger
  exit
  service network-access
  exit
  service notification
  exit
  service signature-definition sig0
  exit
  service ssh-known-hosts
  exit
  service trusted-certificates
  --MORE--
  exit
  service web-server
  exit
  ips# sh inter_[Jfaces _[2C
  Interface Statistics
  Total Packets Received = 6806
  Total Bytes Received = 2001784
  Missed Packet Percentage = 0
  Current Bypass Mode = Auto_off
  MAC statistics from interface GigabitEthernet0/1
  Interface function = Sensing interface
  Description =
  Media Type = backplane
  Missed Packet Percentage = 0
  Inline Mode = Unpaired
  Pair Status = N/A
  Link Status = Up
  Link Speed = Auto_1000
  Link Duplex = Auto_Full
  Total Packets Received = 6807
  Total Bytes Received = 2001866
  Total Multicast Packets Received = 0
  Total Broadcast Packets Received = 0
  Total Jumbo Packets Received = 0
  Total Undersize Packets Received = 0
  Total Receive Errors = 0
  Total Receive FIFO Overruns = 0
  Total Packets Transmitted = 6807
  --MORE--
  Total Bytes Transmitted = 2017118
  Total Multicast Packets Transmitted = 0
  Total Broadcast Packets Transmitted = 0
  Total Jumbo Packets Transmitted = 0
  Total Undersize Packets Transmitted = 0
  Total Transmit Errors = 0
  Total Transmit FIFO Overruns = 0
  MAC statistics from interface GigabitEthernet0/0
  Interface function = Command-control interface
  Description =
  Media Type = TX
  Link Status = Down
  Link Speed = N/A
  Link Duplex = N/A
  Total Packets Received = 126
  Total Bytes Received = 14255
  Total Multicast Packets Received = 0
  Total Receive Errors = 0
  Total Receive FIFO Overruns = 0
  Total Packets Transmitted = 1
  Total Bytes Transmitted = 64
  Total Transmit Errors = 0
  Total Transmit FIFO Overruns = 0

• ASA-SSM-10 Unresponsive

  Hi,
  I've installed an ASA-SSM-10 module into my ASA 5510 firewall but it's in "Unresponsive" state. I tried to reset and recover the module but nothing seems to work. Below you may find information about the system and details about what I did. Any help is greatly appreciated.
  Firewall:
  ASA5510-K8, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
  Internal ATA Compact Flash, 256MB
  System image file is "disk0:/asa843-k8.bin"
  Device Manager Version 6.4(3)
  IPS Module:
  ASA 5500 Series Security Services Module-10  ASA-SSM-10
  Hw Version: 1.0
  Sw Version: 6.2(2)E4
  SSM Application Version: 6.2(2)E4
  I have 2 IPS images at my TFTP server:
  IPS-SSC_5-K9-sys-1.1-a-6.2-2-E4.img
  IPS-SSM_10-K9-sys-1.1-a-7.1-5-E4.img
  I tried the command: hw-module module 1 reset
  At first module status changes to "Inıt" but after then it goes back to "Unresponsive"
  I used the command "hw-module module 1 recover configure" for 2 different images mentioned above by the same order and then tried:
  "hw-module module 1 recover boot"
  Module status changes to "Recover" and stays like that for hours. I've waited for 2 hours for 2 different images. And then I issued the command: hw-module module 1 recover stop and the module goes back to "Unresponsive" state.
  The Module's network interface is connected to the same switch where the TFTP server is connected. When I run a sniffer on the TFTP server (Linux, tcpdump), there's no TFTP activity. But I can use this TFTP server from ASA (Connected to the Inside interface).
  ASA Inside interface IP Address: X.X.X.1
  TFTP Server IP Address: X.X.X.8
  "show module 1 recover" command output:
  Module 1 recover parameters...
  Boot Recovery Image: Yes
  Image URL:           tftp://X.X.X.8/IPS-SSC_5-K9-sys-1.1-a-6.2-2-E4.img
  Port IP Address:     X.X.X.2
  Gateway IP Address:  X.X.X.1
  VLAN ID:             0
  (There are no VLANs used on this network.)

  Thanks for your response. As I mentioned earlier in my email, I tried 2 different images (IPS-SSC_5-K9-sys-1.1-a-6.2-2-E4.img and IPS-SSM_10-K9-sys-1.1-a-7.1-5-E4.img) without any success. Since there are no packets coming from IPS on the TFTP server, I think the problem is something else.
  When I run the "debug cplane 255" command, I see some errors mentioned below:
  asa(config)# debug cplane 255
  debug cplane  enabled at level 255
  asa(config)#
  cp_connect: Connecting to card 1, socket 3, port 7000
  cp_connect: Error - cp_connect() returned -1
  cp_check_connection: handle -1, conflicts with connection 1 (-1)
  cp_check_connection: handle -1, conflicts with connection 2 (-1)
  cp_check_connection: handle -1, conflicts with connection 3 (-1)
  cp_update_connection: Error updating connection_id 0
  Is this a hardware issue?

• How to do a factory reset ASA-SSM-10?

  Hi.
  I forgot the user for management a IPS SSM-10, when i follow the procedure to reset the password for cisco user, i can get into the module, i change the password and every thing is OK, but when i tried to configure y don´t have rights to do anything.
  if i see the privileges for the user cisco this is the result
  EDGE-IPS2# sh user
      CLI ID   User    Privilege
  *   4143     cisco   viewer
  Application Partition:
  Cisco Intrusion Prevention System, Version 6.1(1)E2
  Host:
      Realm Keys          key1.0
  Signature Definition:
      Signature Update    S364.0                   2008-10-24
      Virus Update        V1.4                     2007-03-02
  OS Version:             2.4.30-IDS-smp-bigphys
  Platform:               ASA-SSM-10
  Serial Number:          JAF1208BNPP
  License expired:        20-Jun-2009 UTC
  Sensor up-time is 1:09.
  Using 657850368 out of 1032495104 bytes of available memory (63% usage)
  system is using 17.7M out of 29.0M bytes of available disk space (61% usage)
  application-data is using 41.5M out of 166.8M bytes of available disk space (26% usage)
  boot is using 40.5M out of 68.6M bytes of available disk space (62% usage)
  MainApp          M-2008_APR_24_19_16    (Release)   2008-04-24T19:49:05-0500   Running
  AnalysisEngine   ME-2008_JUN_05_18_26   (Release)   2008-06-05T18:55:02-0500   Running
  CLI              M-2008_APR_24_19_16    (Release)   2008-04-24T19:49:05-0500
  Upgrade History:
  * IPS-K9-6.1-1-E2           22:40:50 UTC Tue Feb 26 2013
    IPS-sig-S364-req-E2.pkg   18:43:20 UTC Wed Nov 12 2008
  Recovery Partition Version 1.1 - 6.1(1)E2
  Host Certificate Valid from: 17-Nov-2008 to 18-Nov-2010
  What can i do in this case?
  IPS Info
  Getting details from the Service Module, please wait...
  ASA 5500 Series Security Services Module-10
  Model:              ASA-SSM-10
  Hardware version:   1.0
  Serial Number:      JAF1208BNPP
  Firmware version:   1.0(11)4
  Software version:   6.1(1)E2
  MAC Address Range:  001e.f710.5b6c to 001e.f710.5b6c
  App. name:          IPS
  App. Status:        Up
  App. Status Desc:
  App. version:       6.1(1)E2
  Data plane Status:  Up
  Status:             Up
  Mgmt IP addr:       X.X.X.X
  Mgmt web ports:     443
  Mgmt TLS enabled:  

  The process will normally use the following command:
  hw-module module 1 password-reset
  It will reload the ASA and when loggin back the "Cisco" username will have admin rights.
  If this is not your case, a re-image of the unit will be the next step, keep in mind that this will remove all the custom config.

• Monitor Inspection Load IPS ASA-SSM-20

  All,
    I am aware there is a feature request but don't see any updates.  Taking the chance here that its fallen through the cracks and someone has figured out another way to monitor inspection load on ASA-SSM-20 IPS.  We are currently running 7.0(5a)E4.  I want to be able to use Solarwinds Orion to monitor Inspection Load on our IPS devices.  Does anyone know if that is yet possible...if so how?
  Thanks!

  Bump +1