Do I need two AIP-SSM modules if I am configuring failover?

Is it possible to use a single AIP-SSM module in two ASAs that are configured in Active/Standby mode?
I would like to configure the module in the first ASA with the fail-open setting. Then, if the first ASA fails, I could physically remove the AIP-SSM module and place it in the second ASA.
Would there be any problems configuring it this way?
Would the active/standby ASAs complain that there is only one AIP-SSM module?
Thanks in advance.

Hello Julio. My name is Rogelio, and I would appreciate your answer on a related matter, because I will have to execute the initial configuration of a failover pair, each one with its own IPS module.
Question: let's suppose that I execute a basic setup (admin username/password, IP address, mask, gateway) on the IPS module of the active ASA firewall. Will this configuration be replicated to the IPS module of the secondary unit?
Your kind answer will be greatly appreciated.
Best regards...

Similar Messages

  • AIP-SSM module hung

    I have recently configured my AIP-SSM-20 module in my firewalls (ASA 5540) which are configured in HA (Active/Standby). This implementation I did on 13th June. It was working fine.
    Now, I have observed that the AIP-SSM-20 module in the primary firewall has gone to an unresponsive state.
    Below is the status of show module and show failover command.
    FW1-5540# sh module
    Mod Card Type                                    Model              Serial No.
      0 ASA 5540 Adaptive Security Appliance         ASA5540            JMX1234L11F
      1 ASA 5500 Series Security Services Module-20  ASA-SSM-20         JAF1341ADPS
    Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
      0 0021.d871.77ab to 0021.d871.77af  2.0          1.0(11)4     8.0(3)6
      1 0023.ebf6.11ce to 0023.ebf6.11ce  1.0          1.0(11)5     6.2(2)E4
    Mod SSM Application Name           Status           SSM Application Version
      1 IPS                            Not Applicable   6.2(2)E4
    Mod Status             Data Plane Status     Compatibility
      0 Up Sys             Not Applicable
      1 Unresponsive       Not Applicable
    FW1-5540# sh failover
    Failover On
    Failover unit Primary
    Failover LAN Interface: FAILOVER GigabitEthernet0/2 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 3 of 250 maximum
    Version: Ours 8.0(3)6, Mate 8.0(3)6
    Last Failover at: 09:06:14 UTC Jun 15 2010
            This host:
                    This host: Primary - Failed
                    Active time: 191436 (sec)
                    slot 0: ASA5540 hw/sw rev (2.0/8.0(3)6) status (Up Sys)
                      Interface DMZ_LAN (10.192.153.13): Normal (Waiting)
                      Interface INTRANET (10.192.154.13): Normal (Waiting)
                      Interface management (0.0.0.0): Link Down (Waiting)
                    slot 1: ASA-SSM-20 hw/sw rev (1.0/6.2(2)E4) status (Unresponsive/Down)
                      IPS, 6.2(2)E4, Not Applicable
            Other host: Secondary - Active
                    Active time: 192692 (sec)
                    slot 0: ASA5540 hw/sw rev (2.0/8.0(3)6) status (Up Sys)
                      Interface DMZ_LAN (10.192.153.5): Unknown (Waiting)
                      Interface INTRANET (10.192.154.5): Unknown (Waiting)
                      Interface management (0.0.0.0): Unknown (Waiting)
                    slot 1: ASA-SSM-20 hw/sw rev (1.0/7.0(2)E4) status (Up/Up)
                      IPS, 7.0(2)E4, Up
    Stateful Failover Logical Update Statistics
            Link : Unconfigured.
    I have tried using
    hw-module module 1 reset
    to reset the IPS module, but the status is always unresponsive.
    It's a production environment where I cannot experiment much. Need help to rectify the problem.

    Hi Scott, 
    I have almost the same problem as sbgcsd with my customer. I'm deploying two ASA-5512s in a failover configuration. One day, after almost 2 months of testing the project in a lab, when we installed it in the customer's datacenter the systems presented the following errors:
      ciscoasa2(config)# failover
            Detected an Active mate
      ciscoasa2# Mate NOT PRESENT card in slot 1 is different from mine IPS5512
    I tried to discover what had happened with the IPS module, then I saw the error in the IPS status: "Unresponsive".
      ciscoasa2# sh module ips
      Mod  Card Type                                    Model              Serial No.
       ips Unknown                                      N/A                FCH1712J7UL
      Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
       ips 7cad.746f.8796 to 7cad.746f.8796  N/A          N/A 
      Mod  SSM Application Name           Status           SSM Application Version
       ips Unknown                        No Image Present Not Applicable  
      Mod  Status             Data Plane Status     Compatibility
       ips Unresponsive       Not Applicable 
      Mod  License Name   License Status  Time Remaining
       ips IPS Module     Disabled        perpetual
    According to the Cisco Forums I tried "Reloading, Shutting Down, Resetting, and Recovering AIP-SSM" (*) using the "hw-module module" command. But unfortunately the ASA didn't accept this command. See below:
      ciscoasa2# hw-module module 1 reload
                 ^
      ERROR: % Invalid input detected at '^' marker
    What happened with this command (hw-module)? Maybe it is a problem with the software version? When I entered the "sh flash" command I saw that there was no software image for the AIP-SSM module:
      ciscoasa2# sh flash
      --#--  --length--  -----date/time------  path
       11  4096        Sep 12 2013 13:56:54  log
       21  4096        Sep 12 2013 13:57:10  crypto_archive
      100  0           Sep 12 2013 13:57:10  nat_ident_migrate
       22  4096        Sep 12 2013 13:57:10  coredumpinfo
       23  59          Sep 12 2013 13:57:10  coredumpinfo/coredump.cfg
      101  34523136    Sep 12 2013 14:00:14  asa861-2-smp-k8.bin
      102  17851400    Sep 12 2013 14:04:36  asdm-66114.bin
      103  38191104    Apr 24 2014 12:59:58  asa912-smp-k8.bin
      104  6867        Apr 24 2014 13:01:20  startup-config-jcl.txt
      105  24095116    Jun 17 2014 14:54:14  asdm-721.bi
    But another ASA (#1) have image:
    ciscoasa1# sh flash
    --#--  --length--  -----date/time------  path
       11  4096        Sep 10 2013 06:42:56  log
       21  4096        Apr 17 2014 03:13:12  crypto_archive
      123  5276864     Apr 17 2014 03:13:12  crypto_archive/crypto_eng0_arch_1.bin
      110  0           Sep 10 2013 06:43:12  nat_ident_migrate
       22  4096        Sep 10 2013 06:43:12  coredumpinfo
       23  59          Sep 10 2013 06:43:12  coredumpinfo/coredump.cfg
      111  34523136    Sep 10 2013 06:44:24  asa861-2-smp-k8.bin
      112  42637312    Sep 10 2013 06:45:46  IPS-SSP_5512-K9-sys-1.1-a-7.1-4-E4.aip <===
    But I am not sure if this image is really the right image for the AIP-SSM in ASA#2. Anyway, I copied it (through a simple TFTP server) from ASA#1 to ASA#2, but after this the same problem remained!
    Because of this I didn't apply the failover configuration to the system.
    What can I do now?
    Thank you very much in advance.
    Leonardo_Melo.(CCAI-JCL-Brazil).

  • Is there any architectural difference between CSC-SSM and AIP-SSM modules

    Hello security gurus!
    I'm wondering if there's any chance to make Content security module (CSC-SSM) work as IPS (AIP-SSM). It seems to me they are absolutely identical in terms of hardware. Is there any chance to make CSC-SSM boot with the flash from AIP-SSM and have the ASA recognize it as an IPS module ?
    Eugene

    Zheka,
    This is not recommended and you will lose support. These are different devices designed for different purposes, and you will also have issues with the license. I have seen it once, where the customer did it by mistake; the module eventually crashed and we had to add the proper image.
    Regards,
    Felipe.

  • IPS Manager Exp 7.0.3 fails to connect to AIP-SSM module

    Hi, I am trying to connect to my IPS module nested in a Cisco ASA 5540 appliance. Yesterday I was able to connect and do my configurations, but when running the IME today I didn't find my sensor module in the devices list, so I tried adding it again and it gives an error. The IME system logs are:
    2010-07-22 09:29:30,092 [j_] WARN - addSource() source exists
    2010-07-22 09:29:30,092 [ty] ERROR - 1
    2010-07-22 09:32:06,775 [j_] WARN - addSource() source exists
    2010-07-22 09:32:06,775 [ty] ERROR - 1
    2010-07-22 09:33:47,753 [j_] WARN - addSource() source exists
    2010-07-22 09:33:47,753 [ty] ERROR - 1
    2010-07-22 09:45:16,887 [j_] WARN - addSource() source exists
    2010-07-22 09:45:16,887 [ty] ERROR - 1
    Kindly assist on how to overcome this.
    Jerry.

    It's ok guys, silly Windows issue, I had to run the application as an administrator!

  • SSM MODULES and Mars events and local?

    Is it possible to set up an AIP-SSM module to log event alerts to its local cache as well as to the MARS appliance? I ask this because I ran some tests for alerts and never see them on the IPS module itself, but I do see them on the MARS appliance correctly! I don't know what setting would need to be changed to make sure that the event alerts are logged to the local IPS itself. Or is this even possible?
    Does anyone know how to make it log locally and to the MARS appliance?
    Thanks,

    Make sure Bypass mode is not enabled on IPs Module. Another workaround for this issue is to reload the Advanced Inspection and Prevention Security Services Module (AIP-SSM) IPS module with the hw-module module 1 reload command, and tune any noisy signatures in order to lighten the sensor load.

  • Activating IPS AIP-SSM

    Hello Everyone,
    Some time ago we purchased a couple of ASA5510s with the IPS AIP-SSM modules in them. I got them installed and got the VPNs running, but never activated the IPS module on them.
    I am getting ready to get the IPS modules going. But don't I need some kind of subscription so that the IPS module can download signature updates?
    Does anyone know what the part number of that subscription is? I am seeing listings for "content security plus" licenses, but I think that is something different. I am also seeing licenses for the Botnet Traffic Filter. But, again, I am not sure if that's the right one.
    Thanks,
    Ben

    You will need a subscription license in order to take advantage of signature and Global Correlation updates. The official name for this license is "Cisco Services for IPS".  Take a look at the following Q&A doc which covers some of the part numbers.
    http://www.cisco.com/en/US/services/ps2827/ps6076/services_qa0900aecd8022e962.pdf

  • Remote Connectivity Issues to AIP-SSM-10

    Hi,
    I have an ASA-5520 with an AIP-SSM module in it. I have done the basic "setup" on the module and assigned it an IP address. I am using IME to connect to the IPS module. The ASA/IPS is at a remote location and has a private IP address. I have a Linux server in the same subnet as the IPS IP address. I am connecting to that server remotely through SSH and doing port forwarding to connect to the IPS IP address. When I start IME and connect to the locally forwarded port it connects to my IPS module perfectly fine. Please see the attached screen capture "IME_IPS_Error-1.gif" and the column where it says "event status : connected". So far so good; now I click on the "configuration" tab and I get an error, please see "IME_IPS_Error-2.gif" for the error detail. Can anyone send me some pointers to resolve this issue?
    Thanks

    I was able to resolve the issue. Earlier (when I had trouble) I was doing port forwarding as localhost:10031=>IPS:443 and IME was connecting to localhost:10031. So I was getting to the IPS/IME home page and the device status was connected, but when I clicked on "Configuration" I got the error.
    To resolve the issue I did the port forwarding as follows:
    127.0.0.102:443=>IPS:443, and then IME was connecting to 127.0.0.102:443 and everything worked fine. It looks like earlier, when I clicked on "Configuration", it tried/redirected to connect to localhost:443 instead of localhost:10031. I have attached the network diagram and the screen captures of the resolution.

  • AIP SSM

    Hello Friends,
    Please see the attached.
    I have 2 AIP-SSM modules in 2 ASA boxes. The version of one IPS is 7.0(2)E4 and the other is 6.2(1)E3; I want to upgrade the 6.2 to 7.0.2. But on the Cisco website there is no download option for the 7.0(2) or 7.0(4) system software.
    I have a valid IPS contract with Cisco but still I can't see any option to download version 7.0.
    Thanks

    You are looking at the wrong download site, that is for IPS SSC-5 on ASA 5505.
    Here is the download site for AIP-SSM module:
    http://www.cisco.com/cisco/software/release.html?mdfid=280302728&flowid=4427&softwareid=282549759&release=7.0%284%29E4&rellifecycle=&relind=AVAILABLE&reltype=latest
    (The latest is 7.0.4(E4))
    Here is the ReadMe on the platform that is supported and AIP module on ASA uses the same file "IPS-K9-7.0-4-E4.pkg":
    http://www.cisco.com/web/software/282549709/35783/IPS-7_0-4-E4_readme.txt
    Hope this helps.

  • IPS Signature DataBase - ASA IPS/IOS IPS/IPS 42xx/AIP-SSM

    Hi,
    Can anyone briefly tell me the signature database details (No of Signature) among the following devices,
    -->ASA IPS/IOS IPS/IPS 42xx/AIP-SSM.
    Thanks,

    IPS on ASA/PIX = just 50 or so common signatures
    AIP-SSM module = same signatures as the Cisco 4200 series sensors. Some minor differences exist (like IPv6 signature support, etc.)
    Please rate if helpful.
    Regards
    Farrukh

  • Customizing signatures question on AIP-SSM

    Hi all
    Actually our customer has an AIP-SSM module which is configured in inline mode. Some users appear as attackers in the IPS event store.
    Can I deny any unwanted connection for these users without affecting the legitimate connections of these users, like internet browsing?
    I tried setting the signature action to "deny connection inline", but when the signature fires, the user who appeared as an attacker is totally blocked and cannot access the internet.
    Has anyone faced this issue?
    Please advise.
    regards

    Hi Mohammed.
    Right now I'm preparing the IPS Exam, and I have read some where that:
    "deny connection inline" will stop the connection totally. But if the same user (IP address) has many "deny connection inline" actions, the IPS will decide that there is a problem with this PC, and rather than lose resources and time blocking each connection, the IPS sensor will block the host.
    You can tune the signature to solve this issue, but this will not solve the main problem.
    But as Andy said, there is a sweep attack from these PCs. Try to scan them with anti-virus and anti-worm tools, because they are the source of the issue.
    Sweep is a "Network Reconnaissance Attack". Please take a look at this link for more information:
    http://www.cisco.com/en/US/docs/security/ips/5.1/configuration/guide/cli/cliSgEng.html#wp1048257
    I hope this helpful.
    Best regards
    Reda

  • Changing time on AIP SSM 10 module.

    How can I change the sensor's time manually on my AIP-SSM-10 module installed in the ASA 5520 device?
    I tried the clock set command but apparently it's not supported on the AIP-SSM-10 module.
    The ASA has the correct time but the IPS does not...
    any ideas ??
    thanks..
    zaid

    You can find the complete configuration guide for the AIP-SSM-10 at the URL posted below. The configuration of the time settings is explained in the following chapter: 'Initial Tasks > Configuring Time'.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df9a.html#wp1035238
    Please rate if the post is useful!
    Regards,
    Michael

  • Cisco IPS 4240 VS Cisco ASA AIP SSM-10 Modula

    I'm looking to replace another vendor's IPS system we have at our company. We do have an ASA 5510 in our environment currently.
    Considering I don't need the extra bandwidth of the IPS 4240 series, and the AIP-SSM-10 requires an ASA 5510, what are the differences?

    Operationally the AIP-SSM-10 and the 4240 run the same software, so they work pretty much the same.
    The AIP-SSM inside the ASA is the less expensive alternative, but because it sits inside an ASA there is more to configure and manage (the ASA plus the sensor). The ASA also has some built-in inspections that may filter some traffic/attacks from being seen by the AIP-SSM sensor.
    - Bob

  • Best practices for using Normalizer in ASA and in AIP-SSM

    Both PIX OS 7.x and IPS 5.x software have a concept of "traffic normalization". PIX OS on ASA can do virtual reassembly, IPS on SSM (so far as I know) can do physical reassembly and fragmentation of IP packets. Also, both ASA and SSM can do TCP normalization. For example, they both can "check inconsistent retransmissions" and protect against "TTL evasion attacks". I realize that PIX OS has only basic normalization functions and the SSM is much more configurable.
    The question is: what are the best practices here? Is it better to disable some IP/TCP PIX OS checks / IPS signatures on the ASA and/or SSM? Is it better to use just the SSM for traffic normalization? Does anybody have personal experience here?
    Also, there is a BugID CSCsd04327 - "ASA all out of order packets are dropped when sending to ssm"
    "When ips ssm is inline slowness is reported. show service-policy shows that the number of out of order packets reported match exactly the number of no buffer drops (even with queue-limit option). Performance hit is not the result of tcp normalization (on IPS 5.x ssm) in this case, but rather an issue with asa normalizer."
    To me it seems to be more logical to have normalization function on the firewall, but there may be drawbacks in doing this.
    So, those who're using ASA with SSM, please share your experience.
    Thx.

    Yes, this is almost correct ;)
    TCP SRP (Stream Reassembly Processor) is turned OFF on the SSM and cannot be enabled, contrary to the 4200 appliances, but IP FRP (Fragmentation Reassembly Processor) is functioning on the SSM.
    The testing of 7.2(1) shows the following:
    When you configure a "policy-map" to send packets to the SSM, the "tcp-map" parameter "queue-limit", which has the value of zero by default, is set to an X (the X is unknown). This means that the ASA now only accepts the TCP segments which are sent in the correct order. More specifically, gaps in SEQs are not allowed anymore. When, for example, the ASA receives a TCP segment which has a SEQ within the window but the previous TCP segment has been lost, it sends an ACK to the sender to enforce retransmission of the lost segment. As a result the sender retransmits both segments. Only after that does the ASA forward both segments to the SSM. This basically means that the SSM always sees in-order TCP segments. That is why SRP is not needed on the SSM.
    There are at least two problems however.
    The first problem is the performance impact.
    The ASA now acts almost like a proxy. And, so far as I know, it doesn't support SACK (Selective ACKs). First, when the ASA does TCP SEQ randomization it doesn't change the SEQ values within the SACK TCP option. This simply breaks SACK. Second, even if you turn the randomization mechanism OFF, then, I believe, the ASA will not selectively ACK the lost TCP segments, as it simply doesn't support this mechanism.
    The second problem is THE SECURITY HOLE.
    By default the ASA doesn't check TCP checksums. The 4200 appliances do check by default. But as we now know, the SRP is turned OFF on the SSM... So, this means that the SSM module can easily be evaded. The hacker only needs to mix attacking traffic with random TCP segments that have a bad TCP checksum. The SSM module will see the mixture of the two and will not recognize the attack. The target host will drop the TCP segments with the bad checksums and see only the attacking traffic... This has been successfully verified in the lab.
    Of course, this security hole can be closed with the "tcp-map" parameter "checksum-verification", but it will definitely have a performance impact.
    The last note: All of the above has never been documented by Cisco. So, use at your own risk, etc.
    I hope, you will read this message, Marcoa. All of this MUST be documented. Once again, the default behaviour of the ASA opens up a big security hole.
    Regards,
    Oleg Tipisov,
    REDCENTER,
    Moscow
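
A toy model of the evasion Oleg describes, added here as an illustration; it is not code from the thread or from Cisco. It assumes constructed addresses and ports, a made-up signature string, 4-byte segments, and a first-seen-wins reassembly policy on the sensor (a common but assumed choice). The attacker sends, before every real segment, a chaff segment with the same SEQ, random bytes and a deliberately wrong TCP checksum. A sensor that skips checksum verification rebuilds the chaff and never matches the signature; a real TCP stack on the host drops the chaff and receives the attack bytes intact; turning verification on at the sensor restores the match.

```python
"""Toy model of TCP checksum evasion against an inline sensor (constructed demo, not Cisco code)."""
import random
import struct

SRC_IP, DST_IP = "10.0.0.1", "10.0.0.2"   # constructed addresses
SRC_PORT, DST_PORT = 40000, 80            # constructed ports
SIGNATURE = b"cat /etc/passwd"            # toy signature string, not a Cisco signature
ISN = 1000                                # initial sequence number for the demo


def _ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def _ones_complement_sum(data):
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip, dst_ip, tcp_header, payload):
    """RFC 793 checksum over IPv4 pseudo-header + TCP header (checksum field zeroed) + payload."""
    pseudo = _ip_bytes(src_ip) + _ip_bytes(dst_ip) + struct.pack("!BBH", 0, 6, len(tcp_header) + len(payload))
    return (~_ones_complement_sum(pseudo + tcp_header + payload)) & 0xFFFF


def build_segment(seq, payload, corrupt=False):
    """Raw 20-byte TCP header (PSH/ACK, no options) + payload; corrupt=True stores a wrong checksum."""
    hdr = struct.pack("!HHIIBBHHH", SRC_PORT, DST_PORT, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    csum = tcp_checksum(SRC_IP, DST_IP, hdr, payload)
    if corrupt:
        csum ^= 0x5555  # always differs from the correct value
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def parse_segment(raw):
    """Return (seq, payload, checksum_ok) for a raw segment produced by build_segment."""
    seq = struct.unpack("!I", raw[4:8])[0]
    stored = struct.unpack("!H", raw[16:18])[0]
    zeroed = raw[:16] + b"\x00\x00" + raw[18:20]
    return seq, raw[20:], tcp_checksum(SRC_IP, DST_IP, zeroed, raw[20:]) == stored


def attacker_stream(attack, chunk=4, seed=1):
    """Each real segment is preceded by chaff with the same SEQ, random bytes and a bad
    checksum; the PRNG is seeded only so the demo is reproducible."""
    rng = random.Random(seed)
    segments = []
    for off in range(0, len(attack), chunk):
        piece = attack[off:off + chunk]
        chaff = bytes(rng.getrandbits(8) for _ in range(len(piece)))
        segments.append(build_segment(ISN + off, chaff, corrupt=True))
        segments.append(build_segment(ISN + off, piece))
    return segments


def reassemble(segments, verify_checksum):
    """First-seen-wins reassembly (assumed sensor policy). Bad-checksum segments are
    dropped only when verify_checksum is set, mirroring the ASA default Oleg describes."""
    stream = {}
    for raw in segments:
        seq, payload, ok = parse_segment(raw)
        if verify_checksum and not ok:
            continue
        stream.setdefault(seq, payload)
    return b"".join(stream[seq] for seq in sorted(stream))


def sensor_alerts(segments, verify_checksum):
    """True if the sensor's reassembled view of the stream contains the signature."""
    return SIGNATURE in reassemble(segments, verify_checksum)


def host_receives(segments):
    """A real TCP stack always verifies checksums, so the host keeps only the real segments."""
    return reassemble(segments, verify_checksum=True)


if __name__ == "__main__":
    segs = attacker_stream(SIGNATURE)
    print("host receives:    ", host_receives(segs))
    print("sensor, no verify:", "ALERT" if sensor_alerts(segs, False) else "missed")
    print("sensor, verify:   ", "ALERT" if sensor_alerts(segs, True) else "missed")
```

Running the block prints the attack string as received by the host, "missed" for the sensor that ignores checksums, and "ALERT" once verification is on. On the ASA the corresponding knob is the one the post names: `checksum-verification` inside a `tcp-map`, applied to the class that is redirected to the SSM with `set connection advanced-options`; the performance cost is per-segment checksum arithmetic, which is what the post warns about.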

  • Single AIP-SSM in Cisco ASA Failover Active / Standby Mode

    Hi,
    Can I add a single AIP-SSM on a Cisco ASA pair in failover active/standby mode?

    No, both units need the same hardware, that includes the installed modules.

  • AIP-SSM Configuration Maintenance in Active Stdby modes

    So, I'm pretty new to the AIP-SSM but not to ASAs. It appears that very little of the AIP module config gets copied over to the standby AIP, nothing other than what appears in the ASA config (ACLs, etc.). So, do all the config elements particular to the module itself have to be manually reproduced on the standby module, either by hand entry or by config copies moved between the two?

    So in Active/Standby scenarios with AIP-SSM, what is the reasoning for not having a feature for automatically copying over module config changes as with the ASA config?
    If there is no good reason, is it on the AIP-SSM road map to provide this feature?
    This can be a real pain in the arse for complex IPS configs. You have to do everything twice, and right away, so you won't miss anything should the ASAs flip.
