Cisco IPS 4240 vs. Cisco ASA AIP SSM-10 Module

I'm looking to replace another vendor's IPS system we have at our company. We do have an ASA 5510 in our environment currently.
Considering I don't need the extra bandwidth of the IPS 4240 series and the AIP SSM-10 requires an ASA 5510, what are the differences?

Operationally the AIP-SSM1 and the 4240 run the same software, so they work pretty much the same.
The AIP-SSM inside the ASA is a less expensive alternative, but because it sits inside an ASA there is more to configure and manage (the ASA plus the sensor). The ASA also has some built-in inspections that may filter some traffic/attacks from being seen at the AIP-SSM sensor.
- Bob

Similar Messages

  • Block P2P software using ASA-AIP-SSM-20 module

    Hello,
    I have got a question about blocking P2P traffic on ASA AIP module. I have searched the forums and all I could find were solutions using regex, port block, MPF, but no AIP implementation example.
    Could anyone point me in the right direction please?
    Many thanks,
    Martin

    Hello Paps,
    Many thanks for your reply. I was searching the web like crazy for some solutions using IPS and it never occurred to me that I could just simply look for the signature files on the Cisco website.
    Thank you very much again
    With regards,
    Martin

  • TCP RESET - CISCO IPS 4240 in IDS Mode - Block Teamviewer

    I would like to block TeamViewer in my network. We are using a Cisco IPS 4240 in IDS mode. I found that there are signatures for TeamViewer in the latest signatures.
    We have only configured a promiscuous interface. I read that we can issue TCP resets through the promiscuous interface as well (recommended is a dedicated TCP reset interface).
    However, in my case I found that the signatures for TeamViewer are not getting fired even after successful TeamViewer connections.
    I am a beginner in IPS; any inputs will be valuable for me.

    We're talking about sigs 15002-0, -1, -2 here. They are by default shipped disabled and retired, so you'll want to enable and activate them.
    For these, the signature settings are not hidden and what they look for is pretty clearly documented in the sig description.
    -0 looks for some specific DNS requests on TeamViewer's startup. TCP resets will have no effect on this.
    -1 looks for specific traffic to TCP port 5938, which would indicate TeamViewer's direct-connection method.
    -2 looks for traffic indicating use over HTTP when TeamViewer is configured to use a proxy.
    TCP resets are a best-effort response; they aren't going to be a 100% effective stop.

  • Cisco IPS 4240 stops file downloads at 90%

    Hi everybody. I have a Cisco IPS 4240 with version 7.0.4 installed and upgraded to the latest signature. But since it was installed I have had an issue with some file downloads, because the IPS stops the file at 90-99% of the download (in some cases, not all). The IPS is inline in front of the firewall. A partner told me that I have to change the mode to promiscuous to solve the issue, but I think that if the IPS was designed to work inline, I shouldn't have to change anything, and maybe some expert on the forum has the correct answer, or this issue has a solution with configuration changes.
    Sorry for my written English.... I tried to find a signature that causes the issue, but even if I disable the sensor the issue occurs. The firewall is not the problem, because if I connect a laptop in front of the firewall and behind the IPS the issue occurs too. I have now spent some months trying to find a solution. On the Cisco site I couldn't find anything similar.... [:-(
    PS. Examples of files that stop while downloading are Apple iTunes, Microsoft patches, or VMware software.
    Thanks; your responses are greatly appreciated.

    Thanks for your help. These are the last packets before the download freezes:
    The size of the downloads with problems is random; sometimes it occurs with small downloads, sometimes with large downloads. The download in the example is 47 MB. I think that the traffic is dropped and the TCP connection times out. Do you see any anomalies in this portion of the traffic?
    14:55:20.536119 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.536122 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.536420 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.536718 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.536820 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.537123 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.537125 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.537517 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.537520 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.537522 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.537821 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.537823 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.538116 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.538118 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.538415 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.538418 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.544207 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.544307 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.638362 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.638365 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.638463 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.638562 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.638862 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.638864 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.638866 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.639164 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.639166 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.639560 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.639562 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.639564 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.639960 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.640260 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.640263 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.640568 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.641958 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.641960 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.642158 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.742304 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.742603 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.742605 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.742607 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.742903 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.743202 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.743302 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.743601 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.745000 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.745100 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.845347 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.845548 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.845550 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.845647 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.845845 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.846245 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.846247 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.846544 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.849040 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48010926 win 65335
    14:55:20.849439 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48012386 win 65335
    14:55:20.948787 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48015306 win 65335
    14:55:20.948789 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48018226 win 65335
    14:55:20.952982 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48021146 win 65335
    14:55:20.953679 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48024066 win 65335
    14:55:21.055723 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48029906 win 65335
    14:55:21.055725 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48032826 win 65335
    14:55:21.055930 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48035746 win 65178
    14:55:21.058919 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48037206 win 65335
    14:55:21.068809 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48040126 win 65335
    14:55:21.068812 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48043046 win 65335
    14:55:21.069006 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48045966 win 65335
    14:55:21.070103 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48048886 win 65335
    14:55:21.158967 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48051806 win 65335
    14:55:21.159265 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48054726 win 65335
    14:55:21.159465 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48057646 win 65335
    14:55:21.159864 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48060566 win 65335
    14:55:21.159867 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48063486 win 64605
    14:55:21.162162 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48066406 win 63875
    14:55:21.162260 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48066406 win 65335
    14:55:21.172245 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48069326 win 65335
    14:55:21.172248 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48072246 win 65335
    14:55:21.172545 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48075166 win 65335
    14:55:21.172645 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48078086 win 64605
    14:55:21.172744 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48078086 win 65335
    14:55:21.172844 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48081006 win 65335
    14:55:21.173144 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48083926 win 64605
    14:55:21.185225 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48083926 win 65335
    14:55:21.572333 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48116046 win 65335
    14:55:21.585313 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
    14:55:21.585315 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
    14:55:21.585414 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
    14:55:21.585417 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
    14:55:21.585512 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
    14:55:21.677172 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
    14:55:21.688654 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
    14:55:21.688657 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48158386 win 65335
    14:55:21.688757 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48158386 win 65335
    14:55:21.780613 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48170066 win 65335
    14:55:21.883755 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48170066 win 65335
    14:55:21.986998 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48170066 win 65335
    14:55:22.090639 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48170066 win 65335
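    The trace above is the kind of evidence worth measuring rather than eyeballing: the client keeps acknowledging the same byte offset, which means the next segment never reached it. The Python below is an added example (not part of this thread and not a Cisco tool) that parses tcpdump lines in the format posted above, groups consecutive duplicate ACKs into "stalls", and reports how long each one lasted. The embedded sample is an abridged excerpt of the trace in this post; the `min_dups` threshold is the example's own assumption, set to three so that it lines up with the duplicate-ACK count that normally triggers a fast retransmit.

```python
import re
from dataclasses import dataclass
from typing import List

# Abridged excerpt of the tcpdump output posted in the thread above.
SAMPLE_TRACE = """\
14:55:20.536119 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.536122 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.536420 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.536718 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.537123 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.849040 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48010926 win 65335
14:55:20.849439 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48012386 win 65335
14:55:20.948787 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48015306 win 65335
14:55:21.780613 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48170066 win 65335
14:55:21.883755 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48170066 win 65335
14:55:21.986998 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48170066 win 65335
14:55:22.090639 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48170066 win 65335
"""

# Matches the legacy tcpdump "pure ACK" line shape used in the trace above.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"\. ack (?P<ack>\d+) win (?P<win>\d+)$"
)


@dataclass
class Ack:
    ts: float      # seconds since midnight
    src: str
    dst: str
    ack: int       # acknowledgement number (next byte the receiver expects)
    win: int       # advertised receive window


@dataclass
class Stall:
    ack: int       # the byte offset the receiver kept asking for
    count: int     # number of consecutive identical ACKs
    start: float
    end: float

    @property
    def duration(self) -> float:
        return self.end - self.start


def parse_ts(ts: str) -> float:
    """'14:55:20.536119' -> seconds since midnight as a float."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_trace(text: str) -> List[Ack]:
    """Keep only the pure-ACK lines; data segments and other flows are skipped."""
    acks = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        acks.append(Ack(parse_ts(m["ts"]), m["src"], m["dst"], int(m["ack"]), int(m["win"])))
    return acks


def find_stalls(acks: List[Ack], min_dups: int = 3) -> List[Stall]:
    """Group consecutive ACKs that carry the same ack number.

    A run of at least min_dups identical ACKs means the receiver never got the
    segment following that offset. If the run ends the capture, the transfer
    stalled there (loss between sender and receiver, e.g. at an inline device),
    rather than the server having finished.
    """
    stalls = []
    i = 0
    while i < len(acks):
        j = i
        while j + 1 < len(acks) and acks[j + 1].ack == acks[i].ack:
            j += 1
        count = j - i + 1
        if count >= min_dups:
            stalls.append(Stall(acks[i].ack, count, acks[i].ts, acks[j].ts))
        i = j + 1
    return stalls


def ends_in_stall(acks: List[Ack], stalls: List[Stall]) -> bool:
    """True when the last ACK of the capture belongs to a stall run."""
    return bool(stalls) and stalls[-1].end == acks[-1].ts


if __name__ == "__main__":
    acks = parse_trace(SAMPLE_TRACE)
    for s in find_stalls(acks):
        print(f"ack {s.ack}: {s.count} duplicate ACKs over {s.duration:.3f}s")
    print("capture ends in a stall:", ends_in_stall(acks, find_stalls(acks)))
```

    A healthy download shows the ack number climbing on nearly every line; a long run of identical ACKs that closes the capture says the receiver is waiting for a segment that never arrived. The practical check is to take the same capture on both sides of the inline sensor at once: if the server-side capture shows the missing segment leaving and the client-side capture never sees it, the drop happened inside the IPS (or its bypass path), which is the question this thread is asking.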

  • Bitcoin generator and Cisco IPS 4240

    I have a problem with a Bitcoin generator installed somewhere in the local network.
    I have an IPS 4240 which is connected as an IPS (all traffic to the internet passes through the IPS).
    The software on the IPS is very old... and I cannot upgrade it.
    Version 6.0(6)E4
    Can I configure the IPS to detect and prevent Bitcoin?

    Please, can anyone answer these questions... Your help is appreciated... These are blocking me...
    We have purchased a Cisco IPS 4240 sensor, installed the license, and the device is communicating with other computers in the network. The version installed is IPS 6.1(1)E1. Please can you answer the questions below.
    1) Can you provide me the document or link that lists all the possible events that can be generated by the Cisco IPS 4240 sensor?
    2) Where does this IPS 4240 sensor store all the generated events? Can you provide me the file names and location of those files, and tell me how to access them?
    3) How many types of events will be generated by this IPS 4240 sensor?
    4) How do I send all types of events to a syslog server (Windows Kiwi syslog or Linux syslog) on another system in the network, through the CLI, IDM and IME?
    5) Can you provide me some examples to generate different events?
    6) What is the difference between the CLI, IDM and IME?
    7) How can we know that the configured IPS system is in inline mode?

  • Deployment of Cisco IPS 4240 devices

    I can't seem to find any information regarding mass rollouts of Cisco IPS 4240 devices. I have 6 devices I intend to roll out to several remote offices and tie into a centralized Cisco MARS appliance. Without using any CSM/LMS software, is there a quick and dirty way to pull this off? I'm thinking to configure a single IPS device then pull and distribute its configuration file to the remaining devices. Would like to see how others have accomplished this...

    If all of your sensors are the same type (all 4240s in your situation) and will all run the exact same configuration, then the copy command will help you out.
    There was a new feature added to the copy command in IPS 6.1 that will help you in copying config from one sensor to another.
    You fully configure one sensor (use IME, IDM, or CLI). When you are happy with the configuration, use the copy command to copy it TO an SCP server.
    Now bring up a second sensor and configure the basic networking parameters through setup (ip address, gateway, etc...).
    Now use the copy command on the second sensor to copy the first sensor's configuration FROM the SCP server into the running config of the second sensor.
    It will prompt you whether to overwrite the second sensor's networking parameters.
    Answer NO.
    The rest of the first sensor's configuration will be copied into the second sensor.
    The second sensor will keep its own unique IP but will gain the rest of the configuration from the first sensor's config.
    Continue doing this with any additional sensors.
    The process can then be repeated any time additional changes are made to the first sensor.
    Keep in mind though that this only works if the sensor's configuration will be exactly duplicated (including what interfaces would be monitored and how).
    If each sensor will have some unique tunings then you will need to either manage each sensor on its own, or purchase CSM, which can be used to share only certain portions of the configuration across multiple sensors.

  • Changing time on AIP SSM 10 module.

    How can I change the sensor's time manually on my AIP-SSM-10 module installed in the ASA 5520 device?
    I tried the clock set command but apparently it's not supported on the AIP-SSM-10 module.
    The ASA has the correct time but the IPS does not...
    Any ideas?
    Thanks..
    zaid

    You can find the complete configuration guide for the AIP-SSM-10 in the URL posted below. The configuration of the time-settings is explained in the following chapter: 'Initial Tasks > Configuring Time'.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df9a.html#wp1035238
    Please rate if the post is useful!
    Regards,
    Michael

  • Cisco IPS 4240

    Hi,
    Why does the IPS inspection load keep going high again and again? High IPS inspection load is causing latency in the network. How can I overcome this?
    Thanks in advance..
    Regards,
    Usman  

  • What to expect when ASA AIP SSM reaches maximum throughput?

    Hi,
    I'm just curious what happens to traffic when you have an IPS module in an ASA and it reaches the maximum throughput?
    Does it allow the traffic & only inspects what it can handle? Or does it "fail" and then either allows all the traffic or block based on "fail-open" or "fail-close" configuration?
    Thanks,
    Brad

    When the sensor (SSM or any other sensor) is oversubscribed and the sensor is monitoring Inline, then a portion of the traffic will be Dropped.
    The traffic will not be allowed through if it has not been inspected.
    The "fail-open", "fail-close", and "bypass" are not relevant when talking about over subscription.
    The only time the "fail-open", "fail-close", or "bypass" configurations comes into play is if the sensor can not do ANY analysis (either a failure, or an upgrade in progress).

  • How ASA forwarding traffic to AIP-SSM

    Hi All,
    Can someone help explain how the ASA device forwards traffic to the AIP-SSM? I'm not talking about the configuration part like class-map, policy-map and service-policy.... I want to understand the traffic flow from the ASA to the AIP-SSM once traffic has matched the ACL.
    From one Cisco document, I understood that the module uses a Cisco proprietary protocol for communicating with the ASA appliance.
    ================================================================================================================
    FYR from Cisco Website:
    Q. How does the Cisco ASA AIP-SSM plug into and communicate with the appliance?
    A. The Cisco ASA AIP-SSM plugs directly into the SSM slot in the Cisco ASA appliance's chassis. This provides a direct connection to the appliance's backplane. Once the module is installed, a proprietary protocol runs over the bus and controls data flow and messaging between the module and appliance.
    ================================================================================================================
    Regards,
    S.Vinoth

    Hey ,
    As you mentioned above, it uses a Cisco proprietary protocol for that communication. There are two interfaces, a control channel and a data channel; the data channel is where the traffic is forwarded, and the backplane is the connection between the ASA and the IPS interface.
    Hope that this helps .
    Mohammad.

  • Monitoring AIM-IPS-K9 and AIP-SSM-10

    Does anyone have any tips on monitoring the IPS devices for being up, healthy, not in bypass, and running normally? I had five of them fail after the E3 upgrade (one is still tweaked due to what TAC has identified as a corrupt license issue). Although CSMARS 6.0 lists some unreachable devices once daily, it has all devices in the list, making it less than useful information, but that is a different question.
    AIM-IPS-K9: 19 ea.
    AIP-SSM-10: 3 ea.

    Cisco had originally planned to add a "keep alive" signature to 6.0, but that feature got dropped. The intent was to fire off a signature every few minutes as long as the sensor was seeing valid traffic. The absence of this signature should trigger some attention to a downed sensor.
    You can write a custom sig, but you have to be able to detect the loss of that event to be of value.

  • Cisco IPS OID specific log fields

    I am setting up a third-party log server (Check Point SmartEvent server) to log events from a Cisco IPS 4240. The setup requires configuring the OID-specific log fields of the IPS. Where do I get this information? I will appreciate your assistance.

    I believe what you are looking for is available here:
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_snmp.html#wp1042408
    http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en&translate=Translate&objectInput=1.3.6.1.4.1.9.9.383
    Let us know if you need more info.
    Regards,
    Sawan Gupta

  • Reg. Cisco IPS Inline VLAN Mode

    Hi
    Currently my Cisco IPS 4240, version 5.1(5), is in promiscuous mode. Soon I will be configuring it in inline mode. I will be using only 1 IPS interface and will be configuring VLANs in the switch and connecting the trunk port to Gig0/0 of the IPS. The issue is that if the IPS goes down, will the packet flow continue to run smoothly, i.e. will the "auto bypass mode" be applicable for this scenario too and let the traffic go through without inspection?
    Ankur

    Perfectly normal. Your test does not test the Software ByPass feature.
    The confusion is in how Software ByPass and Virtual Sensor assignment are related.
    If ByPass is set ON (not Auto, but specifically ON) then the traffic will be software bypassed regardless of whether or not the analysis engine is running or whether the inline pair is assigned to any virtual sensors.
    The driver does the bypass, and never even attempts to send it to the analysis engine.
    If Software ByPass is set to Auto OR Off, the driver will always attempt to send the packets to the analysis engine.
    The only difference between Auto and Off is what happens when the analysis engine STOPS pulling new packets from the driver.
    With Software ByPass Auto, the driver will start passing the packets straight through and not send them to analysis engine.
    With Software ByPass Off, the driver will bring the link down on the NICs until analysis engine is able to start receiving packets again.
    So you see that Software ByPass is a function of the NIC driver.
    Whether or not the pair is actually assigned to a virtual sensor is UNKNOWN by the NIC driver itself.
    Whether or not the inline pair is assigned to a virtual sensor is solely a function of the analysis engine. If the analysis engine is running then the driver is always going to send it the packets. The analysis engine then checks to see if the packets should be monitored. If the inline pair is assigned to a virtual sensor then it is monitored before being passed back to the driver for transmit.
    IF the inline pair is NOT assigned to a virtual sensor, then the packet is STILL passed back to the driver for transmit.
    So an inline pair that is NOT assigned to a virtual sensor will STILL have packets passed through if the analysis engine is running. So long as the analysis engine is running, the NIC driver in Software ByPass Auto or Off does not care whether or not it is actually monitored. The driver only knows that it must pass the packet to the analysis engine and the analysis engine will send the packet back for transmit.
    So adding and removing inline pairs from virtual sensors does NOT test the Software ByPass feature. The packets will always be passed through so long as analysis engine is running.
    If analysis engine stops passing traffic, then software bypass kicks in and all inline pairs (whether monitored or not) will be treated the same depending on whether bypass is Auto or Off.
    The only way to really test Software ByPass is to simulate an actual failure of the analysis engine.
    To do this:
    create a service account
    login with service account
    switch to user root (su - root)
    The root password is the same as the service account password.
    Execute "ps -ef" to find the pid of the sensorApp process (which is the analysis engine)
    Now execute "kill -9 ###" replacing the ### with the pid of the sensorApp process.
    Now the Software ByPass functionality should kick in.
    You can always run "show int" to see the current running status of the Software ByPass feature in the driver.
    It will be either On, Off, or Auto_On or Auto_Off
    The Auto_On and Auto_Off are the 2 running states for the Auto configuration. Auto_Off is when analysis engine is working, and auto_on is when the analysis engine is not working.
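    The rules in the answer above can be written down as a small decision function, which makes it easy to see which combinations leave traffic crossing without inspection and which ones cost availability. The Python below is an added example, not Cisco code: it models the NIC driver and analysis-engine behaviour exactly as the answer describes it, and the `Bypass`, `Outcome` and `exposure` names are the example's own.

```python
from enum import Enum
from itertools import product
from typing import Dict, List


class Bypass(Enum):
    """Configured Software ByPass setting."""
    ON = "On"      # driver passes everything, never consults the analysis engine
    OFF = "Off"    # driver sends to the engine; if the engine stops, links go down
    AUTO = "Auto"  # driver sends to the engine; if the engine stops, pass straight through


class Outcome(Enum):
    PASSED_UNINSPECTED = "driver passed the packet through, no analysis"
    INSPECTED = "analysis engine inspected the packet and returned it for transmit"
    PASSED_UNMONITORED = "engine received the packet, pair not in a virtual sensor, returned it"
    LINK_DOWN = "driver took the NIC links down, packet not forwarded"


def driver_state(bypass: Bypass, engine_running: bool) -> str:
    """Running bypass state as 'show int' reports it, per the answer above."""
    if bypass is Bypass.ON:
        return "On"
    if bypass is Bypass.OFF:
        return "Off"
    # Auto has two running states: Auto_Off while the engine works, Auto_On when it does not.
    return "Auto_Off" if engine_running else "Auto_On"


def forward_packet(bypass: Bypass, engine_running: bool, pair_in_virtual_sensor: bool) -> Outcome:
    """Where one packet on an inline pair ends up, following the driver/engine split."""
    if bypass is Bypass.ON:
        # The driver bypasses on its own; the engine and virtual-sensor assignment are irrelevant.
        return Outcome.PASSED_UNINSPECTED
    if not engine_running:
        # Auto and Off only differ once the engine stops pulling packets from the driver.
        return Outcome.PASSED_UNINSPECTED if bypass is Bypass.AUTO else Outcome.LINK_DOWN
    # Engine running: the driver always hands the packet over; the engine decides
    # whether the pair is monitored, and either way returns the packet for transmit.
    return Outcome.INSPECTED if pair_in_virtual_sensor else Outcome.PASSED_UNMONITORED


def exposure(outcome: Outcome) -> str:
    """Operational reading: normal operation, traffic crossing uninspected, or an outage."""
    if outcome is Outcome.INSPECTED:
        return "ok"
    if outcome is Outcome.LINK_DOWN:
        return "outage"
    return "uninspected"


def truth_table() -> List[Dict]:
    """All 12 combinations of bypass setting, engine state and virtual-sensor assignment."""
    rows = []
    for bypass, running, assigned in product(Bypass, (True, False), (True, False)):
        outcome = forward_packet(bypass, running, assigned)
        rows.append({
            "bypass": bypass.value,
            "engine_running": running,
            "in_virtual_sensor": assigned,
            "show_int": driver_state(bypass, running),
            "outcome": outcome,
            "exposure": exposure(outcome),
        })
    return rows


if __name__ == "__main__":
    for row in truth_table():
        print(f"{row['bypass']:<5} engine={row['engine_running']!s:<5} "
              f"vs={row['in_virtual_sensor']!s:<5} show_int={row['show_int']:<9} "
              f"{row['exposure']:<11} {row['outcome'].value}")
```

    Two things fall out of the table that are easy to miss in prose: only the "engine running and pair assigned to a virtual sensor" rows are actually inspected, whatever the bypass setting, and the Auto versus Off choice is purely a trade between uninspected traffic and an outage when the engine dies. Which of those is the right failure mode depends on whether the sensor sits in front of something that must stay reachable or something that must never be reached uninspected.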

  • AIP-SSM (Not Applicable)

    Hi Experts,
    We have 2 ASAs and each one has an AIP-SSM. On the 2nd ASA's AIP-SSM I tried to upload the latest image for the AIP-SSM-20 but it didn't work, and now I see the module is dead... please check the details below..... Please help me out with how to make it come up or work properly so that I can configure other stuff. Please, it's very important and urgent, help me out....
    ASA-A:
    251-DBSi-ASA5540# sh module 1
    Mod Card Type                                    Model              Serial No.
      1 ASA 5500 Series Security Services Module-20  ASA-SSM-20         JAF11370608
    Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
      1 0007.0e11.e13b to 0007.0e11.e13b  1.0          1.0(11)2     5.1(6)E1
    Mod SSM Application Name           Status           SSM Application Version
      1 IPS                            Up               5.1(6)E1
    Mod Status             Data Plane Status     Compatibility
      1 Up                 Up
    ASA-B:
    251-DBSi-ASA5540# sh module 1
    Mod Card Type                                    Model              Serial No.
      1 ASA 5500 Series Security Services Module-20  ASA-SSM-20         JAF1137060C
    Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
      1 001d.4524.a414 to 001d.4524.a414  1.0          1.0(11)2     5.1(6)E1
    Mod SSM Application Name           Status           SSM Application Version
      1 IPS                            Not Applicable   5.1(6)E1
    Mod Status             Data Plane Status     Compatibility
      1 Recover            Not Applicable

    Please try rebooting the module; if that does not work, recover it using the following procedure:
    http://www.cisco.com/en/US/docs/security/ips/5.0/configuration/guide/cli/cliimage.html#wpxref68481
    Regards
    Farrukh

  • AIP-SSM module hung

    I have recently configured my AIP-SSM-20 module in my firewalls (ASA 5540), which are configured in HA (Active/Standby). I did this implementation on 13th June. It was working fine.
    Now I have observed that the AIP-SSM-20 module in the primary firewall has gone into an unresponsive state.
    Below is the status of show module and show failover command.
    FW1-5540# sh module
    Mod Card Type                                    Model              Serial No.
      0 ASA 5540 Adaptive Security Appliance         ASA5540            JMX1234L11F
      1 ASA 5500 Series Security Services Module-20  ASA-SSM-20         JAF1341ADPS
    Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
      0 0021.d871.77ab to 0021.d871.77af  2.0          1.0(11)4     8.0(3)6
      1 0023.ebf6.11ce to 0023.ebf6.11ce  1.0          1.0(11)5     6.2(2)E4
    Mod SSM Application Name           Status           SSM Application Version
      1 IPS                            Not Applicable   6.2(2)E4
    Mod Status             Data Plane Status     Compatibility
      0 Up Sys             Not Applicable
      1 Unresponsive       Not Applicable
    FW1-5540# sh failover
    Failover On
    Failover unit Primary
    Failover LAN Interface: FAILOVER GigabitEthernet0/2 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 3 of 250 maximum
    Version: Ours 8.0(3)6, Mate 8.0(3)6
    Last Failover at: 09:06:14 UTC Jun 15 2010
            This host:
                    This host: Primary - Failed
                    Active time: 191436 (sec)
                    slot 0: ASA5540 hw/sw rev (2.0/8.0(3)6) status (Up Sys)
                      Interface DMZ_LAN (10.192.153.13): Normal (Waiting)
                      Interface INTRANET (10.192.154.13): Normal (Waiting)
                      Interface management (0.0.0.0): Link Down (Waiting)
                    slot 1: ASA-SSM-20 hw/sw rev (1.0/6.2(2)E4) status (Unresponsive/Down)
                      IPS, 6.2(2)E4, Not Applicable
            Other host: Secondary - Active
                    Active time: 192692 (sec)
                    slot 0: ASA5540 hw/sw rev (2.0/8.0(3)6) status (Up Sys)
                      Interface DMZ_LAN (10.192.153.5): Unknown (Waiting)
                      Interface INTRANET (10.192.154.5): Unknown (Waiting)
                      Interface management (0.0.0.0): Unknown (Waiting)
                    slot 1: ASA-SSM-20 hw/sw rev (1.0/7.0(2)E4) status (Up/Up)
                      IPS, 7.0(2)E4, Up
    Stateful Failover Logical Update Statistics
            Link : Unconfigured.
    I have tried using the
    hw-module module 1 reset
    to reset the IPS module but the status is always unresponsive.
    It's a production environment where I cannot experiment much. Need help to rectify the problem.

    Hi Scott, 
    I have almost the same problem as sbgcsd at my customer. I'm deploying two ASA-5512s in a failover configuration. One day, after almost 2 months of testing the project in a lab, when we installed them in the customer's datacenter the systems presented the following errors:
      ciscoasa2(config)# failover
            Detected an Active mate
      ciscoasa2# Mate NOT PRESENT card in slot 1 is different from mine IPS5512
    I tried to discover what had happened with the IPS module, then I saw an error in the IPS status: "Unresponsive".
      ciscoasa2# sh module ips
      Mod  Card Type                                    Model              Serial No.
       ips Unknown                                      N/A                FCH1712J7UL
      Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
       ips 7cad.746f.8796 to 7cad.746f.8796  N/A          N/A 
      Mod  SSM Application Name           Status           SSM Application Version
       ips Unknown                        No Image Present Not Applicable  
      Mod  Status             Data Plane Status     Compatibility
       ips Unresponsive       Not Applicable 
      Mod  License Name   License Status  Time Remaining
       ips IPS Module     Disabled        perpetual
    According to the Cisco forums I tried "Reloading, Shutting Down, Resetting, and Recovering AIP-SSM" (*) using the "hw-module module" command. But unfortunately the ASA didn't accept this command. See below:
      ciscoasa2# hw-module module 1 reload
                 ^
      ERROR: % Invalid input detected at '^' marker
    What happened with this command (hw-module)? Maybe it is a problem with the software version? When I entered the "sh flash" command I saw that there wasn't any software for the AIP-SSM module:
      ciscoasa2# sh flash
      --#--  --length--  -----date/time------  path
       11  4096        Sep 12 2013 13:56:54  log
       21  4096        Sep 12 2013 13:57:10  crypto_archive
      100  0           Sep 12 2013 13:57:10  nat_ident_migrate
       22  4096        Sep 12 2013 13:57:10  coredumpinfo
       23  59          Sep 12 2013 13:57:10  coredumpinfo/coredump.cfg
      101  34523136    Sep 12 2013 14:00:14  asa861-2-smp-k8.bin
      102  17851400    Sep 12 2013 14:04:36  asdm-66114.bin
      103  38191104    Apr 24 2014 12:59:58  asa912-smp-k8.bin
      104  6867        Apr 24 2014 13:01:20  startup-config-jcl.txt
      105  24095116    Jun 17 2014 14:54:14  asdm-721.bi
    But the other ASA (#1) has an image:
    ciscoasa1# sh flash
    --#--  --length--  -----date/time------  path
       11  4096        Sep 10 2013 06:42:56  log
       21  4096        Apr 17 2014 03:13:12  crypto_archive
      123  5276864     Apr 17 2014 03:13:12  crypto_archive/crypto_eng0_arch_1.bin
      110  0           Sep 10 2013 06:43:12  nat_ident_migrate
       22  4096        Sep 10 2013 06:43:12  coredumpinfo
       23  59          Sep 10 2013 06:43:12  coredumpinfo/coredump.cfg
      111  34523136    Sep 10 2013 06:44:24  asa861-2-smp-k8.bin
      112  42637312    Sep 10 2013 06:45:46  IPS-SSP_5512-K9-sys-1.1-a-7.1-4-E4.aip <===
    But I am not sure if this image is really the right image for the AIP-SSM in ASA#2. Anyway, I copied it (through a simple TFTP server) from ASA#1 to ASA#2, but after this the same problem remained!
    Because of this I didn't apply the failover condition to the system.
    What can I do now?
    Thank you very much in advance.
    Leonardo_Melo.(CCAI-JCL-Brazil).
