IPS (7.0(7)E4) on ASA-SSM-10 block DNS without alerts

Hi All
I have IPS module:
  Build Version: 1.1 - 7.0(7)E4
  ASA 5500 Series Security Services Module-10
  Signature Update      S652.0    2012-06-20
ASDM log deduces events :
4    Jun 26 2012    18:21:47        193.227.240.38    53    sd-outside    65347    IPS requested to drop UDP packet from outside:193.227.240.38/53 to dmz1:sd-outside/65347
But IPS doesn't deduce alerts - it does not explain why it blocks these packages. DNS inquiries are blocked only from one network.
! ------------------------------
! Current configuration last modified Tue Jun 26 18:01:58 2012
! ------------------------------
! Version 7.0(7)
! Host:
!     Realm Keys          key1.0
! Signature Definition:
!     Signature Update    S652.0   2012-06-20
! ------------------------------
service interface
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
filters edit PROXY
attacker-address-range 192.168.72.7
actions-to-remove deny-attacker-inline|deny-packet-inline
os-relevance relevant|not-relevant|unknown
exit
filters edit Q00000
signature-id-range 5684
attacker-address-range 95.190.8.0-95.190.8.255
actions-to-remove deny-attacker-inline|deny-packet-inline
os-relevance relevant|not-relevant|unknown
exit
filters edit Q00001
signature-id-range 5684
victim-address-range 95.190.8.0-95.190.8.255
actions-to-remove deny-attacker-inline|deny-packet-inline
os-relevance relevant|not-relevant|unknown
exit
filters edit USERS
signature-id-range 1102,5237,2152,5684,2100,5581,3030,6061,3030,11020,5403,5474,20020,60000-60100
attacker-address-range 192.168.0.0-192.168.255.255
actions-to-remove deny-attacker-inline|deny-packet-inline
os-relevance relevant|not-relevant|unknown
exit
filters edit USERS2
signature-id-range 5575-5591,2151,21619,2150-2151
attacker-address-range 192.168.0.0-192.168.255.255
victim-address-range 192.168.0.0-192.168.255.255
actions-to-remove deny-attacker-inline|deny-packet-inline
os-relevance relevant|not-relevant|unknown
exit
filters move PROXY begin
filters move USERS after PROXY
filters move Q00000 after USERS
filters move Q00001 after Q00000
filters move USERS2 after Q00001
general
global-deny-timeout 14400
exit
target-value low target-address 192.168.0.0-192.168.255.255
target-value medium target-address 192.168.1.0-192.168.1.255,192.168.64.0-192.168.64.255,192.168.3.0-192.168.3.49,192.168.65.128-192.168.65.255
target-value high target-address 192.168.72.2-192.168.72.254,192.168.66.0-192.168.67.255,192.168.2.0-192.168.2.255
target-value mission-critical target-address 192.168.65.0-192.168.65.127
os-identification
calc-arr-for-ip-range 192.168.0.0-192.168.255.255
exit
exit
! ------------------------------
service host
network-settings
host-ip 192.168.64.194/24,192.168.64.1
host-name gw1-ips
telnet-option disabled
access-list 192.168.0.0/16
dns-primary-server enabled
address 192.168.66.2
exit
dns-secondary-server enabled
address 192.168.72.19
exit
dns-tertiary-server enabled
address 192.168.72.20
exit
exit
time-zone-settings
offset 360
standard-time-zone-name GMT+06:00
exit
ntp-option enabled-ntp-unauthenticated
ntp-server 192.168.64.1
exit
summertime-option disabled
auto-upgrade
cisco-server enabled
schedule-option calendar-schedule
times-of-day 04:20:00
days-of-week sunday
days-of-week tuesday
days-of-week thursday
days-of-week saturday
exit
user-name dimaonline
cisco-url https://198.133.219.25/cgi-bin/front.x/ida/locator/locator.pl
exit
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
general
enable-acl-logging true
never-block-networks 192.168.0.0/16
exit
exit
! ------------------------------
service signature-definition sig0
signatures 60000 0
alert-severity low
sig-fidelity-rating 50
sig-description
sig-name XPress Administrator Service
sig-string-info Access to Administrator Service
sig-comment External user open Admin
sig-creation-date 20120622
exit
engine service-http
max-field-sizes
specify-max-uri-field-length no
exit
regex
specify-uri-regex yes
uri-regex [Aa]dministrator[Ss]ervice[.]asmx
exit
exit
service-ports 80
exit
event-counter
event-count 1
event-count-key Axxx
specify-alert-interval no
exit
alert-frequency
summary-mode summarize
summary-interval 15
summary-key Axxx
specify-global-summary-threshold no
exit
exit
vulnerable-os windows-nt-2k-xp
specify-mars-category yes
mars-category Info/Misc/Login
exit
exit
signatures 60000 1
alert-severity low
sig-fidelity-rating 50
sig-description
sig-name Xpress Bridge
sig-string-info Service URL
sig-comment External Access to bridge
sig-creation-date 20120625
exit
engine service-http
regex
specify-uri-regex yes
uri-regex [Bb]ridge[/][Ss]ervice[.]asmx
exit
exit
service-ports 80
exit
event-counter
event-count 1
event-count-key Axxx
specify-alert-interval no
exit
alert-frequency
summary-mode summarize
summary-interval 15
summary-key Axxx
specify-global-summary-threshold no
exit
exit
status
enabled true
exit
specify-mars-category yes
mars-category Info/Misc/Login
exit
exit
signatures 60001 0
alert-severity high
sig-fidelity-rating 90
sig-description
sig-name FreePBX Display Extentions
sig-string-info Acces to Extentions settings
sig-comment Weak Password Detection
sig-creation-date 20120622
exit
engine service-http
event-action produce-alert|deny-attacker-inline
regex
specify-uri-regex yes
uri-regex [/]admin[/]config[.]php
exit
specify-arg-name-regex yes
arg-name-regex display
specify-arg-value-regex yes
arg-value-regex (extensions)|(trunks)
exit
exit
exit
service-ports 80
exit
event-counter
event-count 1
event-count-key Axxx
specify-alert-interval no
exit
alert-frequency
summary-mode summarize
summary-interval 15
summary-key Axxx
specify-global-summary-threshold no
exit
exit
exit
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
enable-tls false
port 80
exit
! ------------------------------
service anomaly-detection ad0
internal-zone
enabled true
ip-address-range 192.168.0.0-192.168.255.255
tcp
enabled true
exit
udp
enabled true
exit
other
enabled true
exit
exit
illegal-zone
enabled false
tcp
enabled false
exit
udp
enabled false
exit
other
enabled false
exit
exit
ignore
source-ip-address-range 192.168.0.0-192.168.255.255
exit
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service health-monitor
signature-update-policy
enable false
exit
license-expiration-policy
enable false
exit
event-retrieval-policy
enable false
exit
exit
! ------------------------------
service global-correlation
exit
! ------------------------------
service aaa
exit
! ------------------------------
service analysis-engine
virtual-sensor vs0
physical-interface GigabitEthernet0/1
exit
exit

I set the policy for generation of alerts for all signatures:
Alerts in ASDM:
But no alerts in IPS:
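
The event-action filters in the configuration posted above strip the deny actions only for particular signature, attacker and victim ranges. The following is an added example (not part of the original post, and not Cisco code) that parses those filter blocks and reports which of them would apply to a given event. It assumes that an unspecified criterion matches anything and that no filter sets stop-on-match, so every matching filter applies; the victim address 203.0.113.10 is constructed, because the post gives only the name sd-outside, and the signature behind the drop is not known from the post.

```python
import ipaddress

# Filter blocks copied from the posted configuration, one command per line.
FILTERS_FROM_POST = """\
filters edit PROXY
attacker-address-range 192.168.72.7
actions-to-remove deny-attacker-inline|deny-packet-inline
os-relevance relevant|not-relevant|unknown
exit
filters edit Q00000
signature-id-range 5684
attacker-address-range 95.190.8.0-95.190.8.255
actions-to-remove deny-attacker-inline|deny-packet-inline
os-relevance relevant|not-relevant|unknown
exit
filters edit Q00001
signature-id-range 5684
victim-address-range 95.190.8.0-95.190.8.255
actions-to-remove deny-attacker-inline|deny-packet-inline
os-relevance relevant|not-relevant|unknown
exit
filters edit USERS
signature-id-range 1102,5237,2152,5684,2100,5581,3030,6061,3030,11020,5403,5474,20020,60000-60100
attacker-address-range 192.168.0.0-192.168.255.255
actions-to-remove deny-attacker-inline|deny-packet-inline
os-relevance relevant|not-relevant|unknown
exit
filters edit USERS2
signature-id-range 5575-5591,2151,21619,2150-2151
attacker-address-range 192.168.0.0-192.168.255.255
victim-address-range 192.168.0.0-192.168.255.255
actions-to-remove deny-attacker-inline|deny-packet-inline
os-relevance relevant|not-relevant|unknown
exit
"""


def _ranges(spec, conv):
    """Parse '5575-5591,2151' or '10.0.0.0-10.0.0.255' into (low, high) pairs."""
    pairs = []
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        pairs.append((conv(low), conv(high or low)))
    return pairs


def parse_filters(text):
    """Return one dict per 'filters edit NAME' block; None means 'not specified'."""
    filters, cur = [], None
    for line in text.splitlines():
        key, _, val = line.strip().partition(" ")
        if key == "filters" and val.startswith("edit "):
            cur = {"name": val.split()[1], "sig": None, "attacker": None,
                   "victim": None, "remove": set()}
            filters.append(cur)
        elif cur is None:
            continue
        elif key == "signature-id-range":
            cur["sig"] = _ranges(val, int)
        elif key == "attacker-address-range":
            cur["attacker"] = _ranges(val, ipaddress.ip_address)
        elif key == "victim-address-range":
            cur["victim"] = _ranges(val, ipaddress.ip_address)
        elif key == "actions-to-remove":
            cur["remove"] = set(val.split("|"))
        elif key == "exit":
            cur = None
    return filters


def _hit(ranges, value):
    # Assumption: a criterion the filter does not specify matches any value.
    return ranges is None or any(low <= value <= high for low, high in ranges)


def removed_actions(filters, sig_id, attacker, victim):
    """Return (names of matching filters, union of the actions they remove)."""
    a, v = ipaddress.ip_address(attacker), ipaddress.ip_address(victim)
    matched = [f for f in filters
               if _hit(f["sig"], sig_id) and _hit(f["attacker"], a) and _hit(f["victim"], v)]
    return [f["name"] for f in matched], set().union(*(f["remove"] for f in matched))


if __name__ == "__main__":
    parsed = parse_filters(FILTERS_FROM_POST)
    # Attacker is the DNS server from the ASDM log line; victim address is constructed.
    print(removed_actions(parsed, 5684, "193.227.240.38", "203.0.113.10"))
```

An empty result means no filter removes `deny-packet-inline` for that event, so a deny action attached to the firing signature or to an override stays in effect.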

Similar Messages

  • ASA-SSM-10 inspection load 100% (version 7.0(5a)E4

    Hi all,
    I have a challenge with the IPS module in the ASA5520, the ASA-SSM-10. When we start a test to connect to the webservers I get an inspection load of 100% and traffic/performance will slow down.
    We test with 63000 sessions per minute which perform a load of: from the test-servers(clients) to the web-servers of 20.000 kbits/sec and traffic from the web-servers back to the test-servers(clients) 75.000 kbits/sec.
    Can you please advise what to do because we cannot go live with this environment only when this is fixed.
    Thanks in advance,
    Erik Verkerk.

    Hi Bob,
    thanks for your reply/suggestion and you understood the numbers correctly. Unfortunately the AIP-SSM-10 module must inspect this kind of load. I can test, within 8 hours time, a lower amount of traffic.
    I do have some questions for you:
    When you have a traffic of 75Mb/s what is your inspection load saying 80%?
    Regarding the specs Cisco tells in the documentation of the ASA5520 that when you are using an AIP-SSM-10 you can firewalling and IPS a maximum of 225Mb/s. Now I understand that this is probably the commercial figures but I'm only looking for half of this, 95MB/s. Do you have an explanation for this?
    Perhaps the amount of signatures is too much: I have 1500 signatures active, can you tell how much active signatures you run in your AIP-SSM-10?
    Last but not least question:
    It is hard for me to find some useful documentation, specific troubleshooting the IPS, do you have suggestions?
    I hope you have the time to answer these questions, it certainly helps me to understand the IPS and fix the problem.
    Many thanks in advance,
    Erik.

  • Updating License & Signatures on ASA-SSM-10

    Hi,
    Are the same options used for:
    updating IPS License and updating signatures on ASA-SSM-10?
    Actually I updated the license file received from the Cisco licensing team:
    using IDM 6.0 > licensing option > update license > file location:
    and I was trying to update signatures using the same options (as I don't find separate options to update signatures) but it gives error:
    Invalid license etc.,
    could anyone guide.
    Thank you.

    In the Update Sensor pane, you can immediately apply service pack and signature updates.
    Update Sensor Pane Field Definitions
    The following fields are found in the Update Sensor pane:
    •Update is located on a remote server and is accessible by the sensor—Lets you specify the following options:
    –URL—Identifies the type of server where the update is located. Specify whether to use FTP, HTTP, HTTPS, or SCP.
    –://—Identifies the path to the update on the remote server.
    –Username—Identifies the username corresponding to the user account on the remote server.
    –Password—Identifies the password for the user account on the remote server.
    •Update is located on this client—Lets you specify the following options:
    –Local File Path—Identifies the path to the update file on this local client.
    –Browse  Local—Opens the Browse dialog box for the file system on this local  client. From this dialog box, you can navigate to the update file.

  • Monitor Inspection Load IPS ASA-SSM-20

    All,
      I am aware there is a feature request but don't see any updates.  Taking the chance here that it's fallen through the cracks and someone has figured out another way to monitor inspection load on ASA-SSM-20 IPS.  We are currently running 7.0(5a)E4.  I want to be able to use Solarwinds Orion to monitor Inspection Load on our IPS devices.  Does anyone know if that is yet possible...if so how?
    Thanks!

    Bump +1

  • ASA SSM IPS module upgrade won't work

    Hello all,
    I'm trying to upgrade the IPS sig's on an ASA5520 with a SSM IPS module. I'm trying to upgrade the system to 5.1.1 to further upgrade the device with no luck.
    I followed these steps provided by Cisco.com:
    1. Log in to the ASA.
    2. Enter enable mode:
    asa# enable
    3. Configure the recovery settings for ASA-SSM:
    asa (enable)# hw-module module 1 recover configure
    NOTE: If you make an error in the recovery configuration, use the
    hw-module module 1 recover stop command to stop the system reimaging
    and then you can correct the configuration.
    4. Specify the TFTP URL for the system image:
    Image URL [tftp://0.0.0.0/]:
    Example:
    Image URL [tftp://0.0.0.0/]: tftp://10.20.30.40/IPS-SSM-K9-sys-1.1-a-5.1-1.img
    5. Specify the command and control interface of ASA-SSM:
    Port IP Address [0.0.0.0]:
    Example:
    Port IP Address [0.0.0.0]: 11.21.31.41
    6. Leave the VLAN ID at 0.
    VLAN ID [0]:
    7. Specify the default gateway of the ASA-SSM:
    Gateway IP Address [0.0.0.0]:
    Example:
    Gateway IP Address [0.0.0.0]: 11.22.33.44
    8. Execute the recovery:
    asa# hw-module module 1 recover boot
    9. Periodically check the recovery until it is complete.
    NOTE: The status reads "Recovery" during recovery and reads "Up" when
    reimaging is complete.
    After #8 it just goes back to the enable prompt. A 'sh module' lists the device as 'recover' and hangs FOREVER.... I tested the TFTP server which the new image resides on, and the TFTP is working fine. I don't see any attempts or downloads from the TFTP server for over an hour.
    I opened a Cisco TAC on this and not receiving a lot of help...
    Please help!!!:)
    Thanks
    Chris Serafin

    The recovery using this method can take upwards of 30 minutes, and in some cases even longer.
    How long have you left the SSM in the "recovery" state?
    There may be something wrong in the config you entered. When that happens the SSM can go into a continuous reboot cycle trying to do the recovery.
    Execute "debug module-boot" on the console of the ASA.
    The debug output will show you the ROMMON output of the SSM itself. (The SSM has its own ROMMON. The recovery boot command sends the settings made during the recover configure command to the SSM's ROMMON).
    If the ROMMON is experiencing a problem in trying to download the tftp image you should now see that ROMMON error message.
    Some typical problems I have seen:
    1) Wrong IP given for the sensor.
    2) Wrong IP given for the gateway (the gateway must exist on the same network as the sensor) this problem usually happens when using a non-standard netmasked network.
    3) Not having the sensor's command and control port plugged into the right network. The external port of the SSM itself is where the IP is being applied. You need to ensure that the external port of the SSM is plugged into the right network for that IP.
    4) The tftp server is not reachable from the network where the sensor's command and control port is attached. Some users think that if the ASA itself can reach the tftp server that the SSM will also be able to. This is not always the case. It is best to use a tftp server on the same network as the IP provided to the SSM. Or to test the tftp server from another machine on the same network as the SSM.
    5) The file name is wrong. Check the capitalization especially.
    6) The file is not in the default directory on the tftp server. If the file is in a subdirectory you will need to add that subdirectory to the URL:
    tftp://10.20.30.40/subdirectoryname/filename
    7) The tftp is timing out.
    There are 2 things that can cause this:
    a) The tftp server is remote, and it takes too long to download the file. The ROMMON does have limits on the number of retries and per packet timeouts (but they are not user configurable). Try using a tftp server local to the SSM.
    b) The switch that the SSM connects to has spanning-tree running and spanning-tree does not complete before the SSM ROMMON times out for the tftp attempt. The tftp attempt happens immediately upon ROMMON startup and link up. But with a switch the switch port may be in a "Listen" or "Learn" state for 40 seconds before the box can actually talk on the network. In some cases the tftp download attempts started as soon as link up, and may timeout even before the spanning-tree completes. To work around this configure "spanning-tree portfast" on the switchport. Spanning-tree will connect the port into the vlan immediately rather than 40 seconds later.
    If it was a config problem when configuring the recovery settings, then there is a "recover stop" command on the ASA.
    It will stop the reboot cycle from happening.
    Let the module come up with the old image.
    Then correct your "recover configure" settings, and try the "recover boot" again.
    Another alternative:
    Stop the recovery "recover stop"
    Let it boot into the old image.
    If it was a 5.0 version, then you can actually upgrade to 5.1 using the sensor's own CLI "upgrade" command. It is actually the preferred method.
    The "recover" from the ASA will wipe the box clean and load a fresh image.
    The "upgrade" from the sensor will convert your 5.0 config into a 5.1 config while installing 5.1.
    5.1 upgrade file:
    IPS-K9-min-5.1-1g.pkg
    http://www.cisco.com/cgi-bin/tablebuild.pl/ips5
    It can be applied through the sensor's CLI upgrade command, or pushed directly through IDM, or applied by CSM.
    The "recover" should be limited to disaster recovery. When you can't access the SSM at all, or the files on the SSM have been corrupted.
    For normal upgrades you want to use "upgrade" files done through the sensor itself (CLI, IDM, or CSM).
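
Several of the typical problems listed in the answer above (gateway off the sensor's network, a TFTP server only reachable through the gateway, wrong capitalization, file in a subdirectory) can be checked before running `recover boot`. The following is an added example, not part of the original thread and not a Cisco tool; the function name, the finding codes and the netmask argument are assumptions, since the recover dialog shown in the thread asks only for the image URL, port IP, VLAN and gateway.

```python
import ipaddress
import posixpath
from urllib.parse import urlparse


def check_recover_settings(image_url, port_ip, gateway_ip, netmask, tftp_listing=None):
    """Check 'hw-module module 1 recover configure' values before 'recover boot'.

    netmask is supplied by the operator (assumption: the dialog does not ask for it).
    tftp_listing is an optional list of file paths relative to the TFTP root.
    Returns a list of (code, message) findings; an empty list means nothing was found.
    """
    url = urlparse(image_url)
    path = url.path.lstrip("/")
    if url.scheme != "tftp" or not url.hostname or not path:
        return [("bad-url", "expected tftp://server/[subdirectory/]filename")]

    findings = []
    sensor = ipaddress.ip_interface(f"{port_ip}/{netmask}")
    net = sensor.network
    if sensor.ip.is_unspecified or (
            net.prefixlen < 31 and sensor.ip in (net.network_address, net.broadcast_address)):
        findings.append(("bad-port-ip", f"{sensor.ip} is not a usable host address in {net}"))

    # Problem 2 in the answer: the gateway must be on the same network as the sensor.
    if ipaddress.ip_address(gateway_ip) not in net:
        findings.append(("gateway-off-net", f"gateway {gateway_ip} is outside {net}"))

    # Problems 4 and 7a: a TFTP server behind the gateway may be unreachable or too slow.
    try:
        server = ipaddress.ip_address(url.hostname)
    except ValueError:
        server = None
        findings.append(("server-not-ip", f"'{url.hostname}' is a name, not an IP address"))
    if server is not None and server not in net:
        findings.append(("tftp-remote",
                         f"TFTP server {server} is outside {net}; test it from a host in {net}"))

    # Problems 5 and 6: capitalization and subdirectory of the image file.
    if tftp_listing is not None and path not in tftp_listing:
        name = posixpath.basename(path)
        if any(p.lower() == path.lower() for p in tftp_listing):
            findings.append(("filename-case", f"'{path}' differs only in capitalization"))
        elif any(posixpath.basename(p) == name for p in tftp_listing):
            findings.append(("wrong-directory", f"'{name}' exists under a different directory"))
        else:
            findings.append(("file-missing", f"'{path}' is not on the TFTP server"))
    return findings


if __name__ == "__main__":
    # Values from the procedure quoted in the question; the /24 mask is assumed.
    for code, message in check_recover_settings(
            "tftp://10.20.30.40/IPS-SSM-K9-sys-1.1-a-5.1-1.img",
            "11.21.31.41", "11.22.33.44", "255.255.255.0",
            tftp_listing=["images/IPS-SSM-K9-sys-1.1-a-5.1-1.img"]):
        print(code, "-", message)
```

Spanning-tree delay on the switch port (problem 7b) is not visible from these values and still has to be checked on the switch.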

  • Proper ASA-SSM-20 IPS and MARS Integration

    I'm trying to understand how to best manage my MARS and ASA-SSM-20 IPS implementation. I've been running this solution for about 2 months and have been experimenting with how to manage alerts from the blades to MARS.
    The MARS documentation says to configure 2 Event Action Override -Verbose Alerts and Log Pair Packets. However there seems to be a major drawback:
    1. The IPS generates alerts for signatures that by default have no alert action configured. At first glance this seems ok, but over time I found that many false positives are generated for signatures that would otherwise remain quiet.
    My question is, how should this be managed? I want verbose alerts and logged pair packets for signatures that produce alerts by default, but if I manually configure this, is there a performance consideration?

    You might be hitting the bug CSCuc34812.
    Please contact Cisco TAC to have the issue analyzed.
    Regards,
    Sawan Gupta

  • How do I backup an IPS config (ASA-SSM-10)

    Hi,
    How do I backup an IPS config (ASA-SSM-10)?
    Thanks

    There is a copy command in the IPS CLI that can be used to copy the current configuration to a backup configuration on the sensor itself.
    Or to copy the current configuration to an FTP or SCP server.
    The copy command can then be used to copy a configuration from backup or from an FTP or SCP server back to the running configuration of the sensor.
    http://www.cisco.com/en/US/docs/security/ips/6.2/command/reference/crCmds.html#wp458440

  • Correlating Cisco ASA-SSM-IPS Events/Logs

    I have just configured a Cisco ASA-SSM-IPS10. An exciting feature of this device is the ability to monitor, analyse, and correlate security events. Can anybody help with a documentation to simplify daily (or periodic) analysis, and correlation of the IPS Logs? As I am not yet up to speed with this task, a "How-to" document would be just fine.  Thank you.

    Hi Chris,
    Good to have you get on the case. I am yet to set up an IPS manager software. Presently, I use an ASDM 6 interface; with this interface, I am able to view events and alerts, and perform other administrative chores... Does the IPS Manager Express come bundled with our device purchase? Does it contain the necessary templates/docs for correlating events/Logs?

  • Upgrading IPS strings, ASA SSM-10 module

    I am having a challenging time upgrading the ASA SSM-10 IPS module. I downloaded the IPS-sig-s327-req-e1.pkg to Win XP ftp server (my workstation). The instructions in the following do not work: http://download-sj.cisco.com/cisco/ciscosecure/ips/6.x/sigup/IPS-sig-S327.readme.txt
    "error: execUpgradeSoftware : Connect failed". Any suggestion would be appreciated.

    I can connect the LAN switch directly to the inside interface of the ASA5510 firewall. Hosts can get Internet connectivity while cabled to the switch. However, when the LAN switch is connected to the port on the IPS module, there is no Internet connectivity. Any suggestions would be appreciated. The following is the sh configuration and sh int output.
    sh configuration
    Version 5.1(6)
    ! Current configuration last modified Sat Apr 05 12:28:11 2008
    service interface
    exit
    service analysis-engine
    virtual-sensor vs0
    physical-interface GigabitEthernet0/1
    exit
    exit
    service authentication
    exit
    service event-action-rules rules0
    exit
    service host
    network-settings
    host-ip 192.168.1.36/24,192.168.1.10
    host-name ips
    telnet-option enabled
    --MORE--
    access-list 0.0.0.0/0
    exit
    time-zone-settings
    offset 0
    standard-time-zone-name UTC
    exit
    exit
    service logger
    exit
    service network-access
    exit
    service notification
    exit
    service signature-definition sig0
    exit
    service ssh-known-hosts
    exit
    service trusted-certificates
    --MORE--
    exit
    service web-server
    exit
    ips# sh interfaces
    Interface Statistics
    Total Packets Received = 6806
    Total Bytes Received = 2001784
    Missed Packet Percentage = 0
    Current Bypass Mode = Auto_off
    MAC statistics from interface GigabitEthernet0/1
    Interface function = Sensing interface
    Description =
    Media Type = backplane
    Missed Packet Percentage = 0
    Inline Mode = Unpaired
    Pair Status = N/A
    Link Status = Up
    Link Speed = Auto_1000
    Link Duplex = Auto_Full
    Total Packets Received = 6807
    Total Bytes Received = 2001866
    Total Multicast Packets Received = 0
    Total Broadcast Packets Received = 0
    Total Jumbo Packets Received = 0
    Total Undersize Packets Received = 0
    Total Receive Errors = 0
    Total Receive FIFO Overruns = 0
    Total Packets Transmitted = 6807
    --MORE--
    Total Bytes Transmitted = 2017118
    Total Multicast Packets Transmitted = 0
    Total Broadcast Packets Transmitted = 0
    Total Jumbo Packets Transmitted = 0
    Total Undersize Packets Transmitted = 0
    Total Transmit Errors = 0
    Total Transmit FIFO Overruns = 0
    MAC statistics from interface GigabitEthernet0/0
    Interface function = Command-control interface
    Description =
    Media Type = TX
    Link Status = Down
    Link Speed = N/A
    Link Duplex = N/A
    Total Packets Received = 126
    Total Bytes Received = 14255
    Total Multicast Packets Received = 0
    Total Receive Errors = 0
    Total Receive FIFO Overruns = 0
    Total Packets Transmitted = 1
    Total Bytes Transmitted = 64
    Total Transmit Errors = 0
    Total Transmit FIFO Overruns = 0

  • Event Store on IPS ASA-SSM-10

    Hi Guys.
    I'm trying to find out the size of the event store for the IPS ASA-SSM-10 and if it's possible to configure how it will be overwritten.
    I can't find any information about it.
    Does anyone know anything?
    Best Regards

    Ernesto
    I found this in the configuration manual for the IPS:
    The following password recovery options exist:
    •If another Administrator account exists, the other Administrator can change the password.
    •If a Service account exists, you can log in to the service account and switch to user root using the command su - root. Use the password command to change the CLI Administrator account's password. For example, if the Administrator username is "adminu," the command is password adminu. You are prompted to enter the new password twice. For more information, see Creating the Service Account.
    You can reimage the sensor using either the recovery partition or a system image file.
    If you want to see more detail here is the URL:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055dfcd.html
    HTH
    Rick

  • Cisco IPS ASA SSM-10

    I am using an ASA SSM-10 IPS. Currently it keeps logging those alert events.
    Where does the IPS keep all those event logs? In the disk space?
    Where can I see how much space I have left?
    Will it go down if the space is full?

    This is from the post I linked earlier, and you don't have to worry the sensor will definitely not go 'down', the event-log data structure is circular and is over-written every time it is full.
    "The eventStore size starting at version 5.0(1) is a fixed 30 Meg. It's a *circular* eventStore that is intended to wrap (new events overwriting oldest events). The usual sensor deployment includes some sort of remote event monitor application (like IEV,IME etc.) that pulls events from the sensor. The eventStore acts as a buffer to allow the remote monitoring app to keep up with busy sensors. If your eventStore wraps every few hours then the monitoring app should be able to keep up with all the events being generated. The concern would be if the eventStore continuously wrapped in less than 10 or 15 minutes. At that point you may be losing events and would need to tune the sensor signature config to only alarm on meaningful events."
    I'm assuming since the event-store is only 30 MB, it's a 'part' of one of the following partitions:
    application-data OR application-log
    Most probably the first one.
    Regards
    Farrukh

  • How to do a factory reset ASA-SSM-10?

    Hi.
    I forgot the user for management of an IPS SSM-10. When I follow the procedure to reset the password for the cisco user, I can get into the module, I change the password and everything is OK, but when I tried to configure I don't have rights to do anything.
    If I look at the privileges for the user cisco, this is the result
    EDGE-IPS2# sh user
        CLI ID   User    Privilege
    *   4143     cisco   viewer
    Application Partition:
    Cisco Intrusion Prevention System, Version 6.1(1)E2
    Host:
        Realm Keys          key1.0
    Signature Definition:
        Signature Update    S364.0                   2008-10-24
        Virus Update        V1.4                     2007-03-02
    OS Version:             2.4.30-IDS-smp-bigphys
    Platform:               ASA-SSM-10
    Serial Number:          JAF1208BNPP
    License expired:        20-Jun-2009 UTC
    Sensor up-time is 1:09.
    Using 657850368 out of 1032495104 bytes of available memory (63% usage)
    system is using 17.7M out of 29.0M bytes of available disk space (61% usage)
    application-data is using 41.5M out of 166.8M bytes of available disk space (26% usage)
    boot is using 40.5M out of 68.6M bytes of available disk space (62% usage)
    MainApp          M-2008_APR_24_19_16    (Release)   2008-04-24T19:49:05-0500   Running
    AnalysisEngine   ME-2008_JUN_05_18_26   (Release)   2008-06-05T18:55:02-0500   Running
    CLI              M-2008_APR_24_19_16    (Release)   2008-04-24T19:49:05-0500
    Upgrade History:
    * IPS-K9-6.1-1-E2           22:40:50 UTC Tue Feb 26 2013
      IPS-sig-S364-req-E2.pkg   18:43:20 UTC Wed Nov 12 2008
    Recovery Partition Version 1.1 - 6.1(1)E2
    Host Certificate Valid from: 17-Nov-2008 to 18-Nov-2010
    What can i do in this case?
    IPS Info
    Getting details from the Service Module, please wait...
    ASA 5500 Series Security Services Module-10
    Model:              ASA-SSM-10
    Hardware version:   1.0
    Serial Number:      JAF1208BNPP
    Firmware version:   1.0(11)4
    Software version:   6.1(1)E2
    MAC Address Range:  001e.f710.5b6c to 001e.f710.5b6c
    App. name:          IPS
    App. Status:        Up
    App. Status Desc:
    App. version:       6.1(1)E2
    Data plane Status:  Up
    Status:             Up
    Mgmt IP addr:       X.X.X.X
    Mgmt web ports:     443
    Mgmt TLS enabled:  

    The process will normally use the following command:
    hw-module module 1 password-reset
    It will reload the ASA and when logging back in the "Cisco" username will have admin rights.
    If this is not your case, a re-image of the unit will be the next step, keep in mind that this will remove all the custom config.

  • Equivalent to show disk0: on ASA-SSM-10

    Hi, are you able to see the contents of the disk on an ASA-SSM-10 module? Like the show disk0: command on my 5510? I know it has an internal flash disk..Is that where the image and configuration files and software are located? Can one see these files and copy them to TFTP server?
    Cheers
    Phil

    Hi Philip,
    You can view this content through the service account of IPS. The downside will be that you can only access it with the supervision of TAC. If you want to see the configuration you can do a show config; if you want to see what version are you running you can do it through the show version command.
    HTH
    Luis Silva
    "If you need PDI (Planning, Design, Implement) assistance feel free to reach us"
    http://www.cisco.com/web/partners/tools/pdihd.html

  • ASA-SSM-40 Installation - Unresponsive

    Hi,
    We are trying to install a new IPS module into our existing Cisco ASA and we are getting
    Unresponsive Module not suppported
    Please have a look at the sh ver and sh module in the attachment

    The SSM-40 requires one of the later 8.0 versions or 8.2 versions on the ASA.
    Try loading the latest 8.0(4) version on the ASA.

  • ASA-SSM-40

    I have an ASA-SSM-40 in an ASA 5540.  A couple of days ago, the IPS went into bypass mode and I could figure out why.  I reloaded the image with version 7.0.6 E4.  I lost the config and have now reconfigured it.  I cannot ping the device from anywhere, but I can ping out from the device.  The config looks the same as all the other SSM's we have installed at other sites.  I'm using the same IP address, and the ASA is still configured as it was before when it was working.  Obviously I can't web to the device either.

    I reimaged again with version 7.0.4 E4 and got everything working again.  Will try later to upgrade to 7.0.6.
