Need assistance to configure ASA-SSM-10

Hello All,
   Can someone assist me with setting up the IPS ASA-SSM-10 module in an ASA 5520 firewall? I have just licensed the box. It would be great if someone could help me with relevant videos\docs to configure the SSM module to enable all the required IPS features for the box to run. I am running ASDM 6.4, and if anyone has the configs to enable it via ASDM\CLI, whichever is feasible is fine. Kindly assist. Below are the module details.
ASA 5500 Series Security Services Module-10
Model:              ASA-SSM-10
Hardware version:   1.0
Firmware version:   1.0(11)5
Software version:   7.1(8)E4
App. name:          IPS
App. Status:        Up
App. Status Desc:   Normal Operation
App. version:       7.1(8)E4
Data plane Status:  Up
Status:             Up
Regards,
Karthik

Do you need the syslogs to be sent or the Events?
IPS sensors do not support syslog forwarding. Syslog is fairly
restrictive in size of messages and is not secure or reliable.
The sensor does support sending of events using SNMP
(again with the same sets of restrictions: not full data, clear text,
not reliable).
There is a physical ability to send events as traps. It isn't
recommended for many reasons (or let's say it isn't recommended in the
same way that monitoring using SDEE is). SNMP trap receivers generally
aren't built to handle, say, 200 events per second per device. The
sensor isn't capable of sending at the same event rate as it is with
SDEE. The traps are in clear text and are not reliably sent. They
don't contain the same amount of info as an SDEE event, and can't.
If you need the events to be sent to a database, you can run Cisco IME, which can collect all the events generated by the IPS.
Hope this helps.
Sachin

Similar Messages

  • Configure ASA-SSM-10 for Syslog

    How to configure syslog on the following IPS module?
    I need to send logs from this sensor
    Platform: ASA-SSM-10
    Build Version: 7.0(4)E4
    Os Version: 2.4.30-IDS-smp-bigphys
    Can anybody advise me on this.
    Regards,
    Rohit

    Do you need the syslogs to be sent or the Events?
    IPS sensors do not support syslog forwarding. Syslog is fairly
    restrictive in size of messages and is not secure or reliable.
    The sensor does support sending of events using SNMP
    (again with the same sets of restrictions: not full data, clear text,
    not reliable).
    There is a physical ability to send events as traps. It isn't
    recommended for many reasons (or let's say it isn't recommended in the
    same way that monitoring using SDEE is). SNMP trap receivers generally
    aren't built to handle, say, 200 events per second per device. The
    sensor isn't capable of sending at the same event rate as it is with
    SDEE. The traps are in clear text and are not reliably sent. They
    don't contain the same amount of info as an SDEE event, and can't.
    If you need the events to be sent to a database, you can run Cisco IME, which can collect all the events generated by the IPS.
    Hope this helps.
    Sachin

  • Compiling a driver, need assistance on kernel source configuration

    Hello BBS.
    I am compiling a module for the Asus PCE N53 wireless PCI-E card. I have obtained the driver source and followed the instructions, and have gotten to the point where I need assistance. The instructions require the kernel source; I have successfully obtained and configured it using the command line prompt, except for one feature. I need to enable the Intel IPW2200 driver code in the kernel source for this driver. What procedure do I follow to enable it?

    > I know that, at face value, my request may seem odd. I just need to use the source of the kernel, not a new kernel... I have found that what I am requesting... will fix the problem, based on a Gentoo solution: http://forums.gentoo.org/viewtopic-t-93 … art-0.html. Needing to know how to configure the kernel source to enable the Intel driver still stands. The source I am using is the latest Arch kernel source.
    ===============
    RT5592 Linux Driver quick start       
    ====================
    Check tools: 
    ====================
    *Before install driver, please check already install compile tool and  kernel source code
    1>Install compile tool
        $yum install gcc-c++
    2>check kernel source code exists /usr/src/kernels/ "kernel name"
        Download your kernel source code
        *http://www.kernel.org/pub/linux/kernel/        
        or
        $yum install kernel-devel
    ====================
    Build Instructions: 
    ====================
    1> $tar -jxvf DPO_GPL_RT5592STA_LinuxSTA_vx.x.x.x.tar.bz2
         go to "DPO_GPL_RT5592STA_LinuxSTA_vx.x.x.x" directory.
    2> In Makefile
         set the "MODE = STA" in Makefile and chose the TARGET to Linux by set "TARGET = LINUX"
         define the linux kernel source include file path LINUX_SRC
         modify to meet your need.
    3> In os/linux/config.mk
         define the GCC and LD of the target machine
         define the compiler flags CFLAGS
         modify to meet your need.
         ** Build for being controlled by NetworkManager or wpa_supplicant wext functions
             Please set 'HAS_WPA_SUPPLICANT=y' and 'HAS_NATIVE_WPA_SUPPLICANT_SUPPORT=y'.
             => $wpa_supplicant -Dwext -ira0 -c wpa_supplicant.conf -d
         ** Build for being controlled by WpaSupplicant with Ralink Driver
             Please set 'HAS_WPA_SUPPLICANT=y' and 'HAS_NATIVE_WPA_SUPPLICANT_SUPPORT=n'.
             => $wpa_supplicant -Dralink -ira0 -c wpa_supplicant.conf -d
    4> $make           
         # compile driver source code, need administrator.
         # To fix "error: too few arguments to function 'iwe_stream_add_event'"
            => $patch -i os/linux/sta_ioctl.c.patch os/linux/sta_ioctl.c
    5> $make install
         #install driver
         #copy RT2860STA.dat to /etc/Wireless/RT2860STA/RT2860STA.dat
    6>$vi /etc/rc.d/rc.local
         #input "ifconfig ra0 up"
        $reboot
    7> unload driver   
         $ifconfig ra0 down
         $rmmod rt5592sta
    ======
    Here's the output of my error, when I compile:
    =======
    make -C tools
    make[1]: Entering directory `/home/white/driver/DPO_GPL_RT5592STA_LinuxSTA_v2.6.0.0_20120326/tools'
    gcc -g bin2h.c -o bin2h
    make[1]: Leaving directory `/home/white/driver/DPO_GPL_RT5592STA_LinuxSTA_v2.6.0.0_20120326/tools'
    /home/white/driver/DPO_GPL_RT5592STA_LinuxSTA_v2.6.0.0_20120326/tools/bin2h
    cp -f os/linux/Makefile.6 /home/white/driver/DPO_GPL_RT5592STA_LinuxSTA_v2.6.0.0_20120326/os/linux/Makefile
    make -C /home/white/linux-3.2.9 SUBDIRS=/home/white/driver/DPO_GPL_RT5592STA_LinuxSTA_v2.6.0.0_20120326/os/linux modules
    make[1]: Entering directory `/home/white/linux-3.2.9'
      WARNING: Symbol version dump /home/white/linux-3.2.9/Module.symvers
               is missing; modules will have no dependencies and modversions.
      CC [M]  /home/white/driver/DPO_GPL_RT5592STA_LinuxSTA_v2.6.0.0_20120326/os/linux/../../os/linux/sta_ioctl.o
    /home/white/driver/DPO_GPL_RT5592STA_LinuxSTA_v2.6.0.0_20120326/os/linux/../../os/linux/sta_ioctl.c:2364:2: error: unknown field ‘private’ specified in initializer
    /home/white/driver/DPO_GPL_RT5592STA_LinuxSTA_v2.6.0.0_20120326/os/linux/../../os/linux/sta_ioctl.c:2364:2: warning: initialization from incompatible pointer type [enabled by default]
    /home/white/driver/DPO_GPL_RT5592STA_LinuxSTA_v2.6.0.0_20120326/os/linux/../../os/linux/sta_ioctl.c:2364:2: warning: (near initialization for ‘rt28xx_iw_handler_def.get_wireless_stats’) [enabled by default]
    /home/white/driver/DPO_GPL_RT5592STA_LinuxSTA_v2.6.0.0_20120326/os/linux/../../os/linux/sta_ioctl.c:2365:2: error: unknown field ‘num_private’ specified in initializer
    /home/white/driver/DPO_GPL_RT5592STA_LinuxSTA_v2.6.0.0_20120326/os/linux/../../os/linux/sta_ioctl.c:2365:2: warning: excess elements in struct initializer [enabled by default]
    /home/white/driver/DPO_GPL_RT5592STA_LinuxSTA_v2.6.0.0_20120326/os/linux/../../os/linux/sta_ioctl.c:2365:2: warning: (near initialization for ‘rt28xx_iw_handler_def’) [enabled by default]
    /home/white/driver/DPO_GPL_RT5592STA_LinuxSTA_v2.6.0.0_20120326/os/linux/../../os/linux/sta_ioctl.c:2366:2: error: unknown field ‘private_args’ specified in initializer
    /home/white/driver/DPO_GPL_RT5592STA_LinuxSTA_v2.6.0.0_20120326/os/linux/../../os/linux/sta_ioctl.c:2366:26: warning: excess elements in struct initializer [enabled by default]
    /home/white/driver/DPO_GPL_RT5592STA_LinuxSTA_v2.6.0.0_20120326/os/linux/../../os/linux/sta_ioctl.c:2366:26: warning: (near initialization for ‘rt28xx_iw_handler_def’) [enabled by default]
    /home/white/driver/DPO_GPL_RT5592STA_LinuxSTA_v2.6.0.0_20120326/os/linux/../../os/linux/sta_ioctl.c:2367:2: error: unknown field ‘num_private_args’ specified in initializer
    /home/white/driver/DPO_GPL_RT5592STA_LinuxSTA_v2.6.0.0_20120326/os/linux/../../os/linux/sta_ioctl.c:2367:2: warning: excess elements in struct initializer [enabled by default]
    /home/white/driver/DPO_GPL_RT5592STA_LinuxSTA_v2.6.0.0_20120326/os/linux/../../os/linux/sta_ioctl.c:2367:2: warning: (near initialization for ‘rt28xx_iw_handler_def’) [enabled by default]
    make[2]: *** [/home/white/driver/DPO_GPL_RT5592STA_LinuxSTA_v2.6.0.0_20120326/os/linux/../../os/linux/sta_ioctl.o] Error 1
    make[1]: *** [_module_/home/white/driver/DPO_GPL_RT5592STA_LinuxSTA_v2.6.0.0_20120326/os/linux] Error 2
    make[1]: Leaving directory `/home/white/linux-3.2.9'
    make: *** [LINUX] Error 2
    Last edited by confusedoldman (2012-12-25 20:14:34)

  • Equivalent to show disk0: on ASA-SSM-10

    Hi, are you able to see the contents of the disk on an ASA-SSM-10 module? Like the show disk0: command on my 5510? I know it has an internal flash disk. Is that where the image and configuration files and software are located? Can one see these files and copy them to a TFTP server?
    Cheers
    Phil

    Hi Philip,
    You can view this content through the service account of the IPS. The downside is that you can only access it with the supervision of TAC. If you want to see the configuration you can do a show config; if you want to see what version you are running you can do it through the show version command.
    HTH
    Luis Silva
    "If you need PDI (Planning, Design, Implement) assistance feel free to reach us"
    http://www.cisco.com/web/partners/tools/pdihd.html

  • Will reloading an ASA-SSM affect the Firewall itself?

    We've lost the login info for the IPS-SSM on our ASA 5520. It looks like we will need to reimage the module with a newer software version. It currently is not in use, i.e. no rules for it on the firewall. Will this process take the firewall offline at all?
    Output from sh command:
    Firewall03# show module 1
    Mod Card Type Model Serial No.
    1 ASA 5500 Series Security Services Module-20 ASA-SSM-20 xxxxxxx
    Mod MAC Address Range Hw Version Fw Version Sw Version
    1 001b.0ce2.xxxx to 001b.0ce2.xxxx 1.0 1.0(11)2 5.1(5)E1
    Mod SSM Application Name Status SSM Application Version
    1 IPS Up 5.1(5)E1
    Mod Status Data Plane Status Compatibility
    1 Up Up
    Firewall03# show module 1 recover
    Module 1 recover parameters...
    Boot Recovery Image: No
    Image URL: tftp://0.0.0.0/
    Port IP Address: 0.0.0.0
    Gateway IP Address: 0.0.0.0
    VLAN ID: 0

    So it will have an effect on the firewall, causing it to fail over?
    Also, I am having a hard time understanding the recovery process, as it seems the device needs to be configured to allow the recovery image to be used. I have no idea how, if at all, the device is configured; we have zero access to the device as we have none of the passwords for it and no idea how it's configured.
    From looking at the above (1st post) you can see there is no recovery location set. How do I recover with no info on the device?
    Firewall03# sh module 1 details
    Getting details from the Service Module, please wait...
    ASA 5500 Series Security Services Module-20
    Model: ASA-SSM-20
    Hardware version: 1.0
    Serial Number: JAF111XXXXX
    Firmware version: 1.0(11)2
    Software version: 5.1(5)E1
    MAC Address Range: 001b.0ce2.XXXX to 001b.0ce2.XXXX
    App. name: IPS
    App. Status: Up
    App. Status Desc:
    App. version: 5.1(5)E1
    Data plane Status: Up
    Status: Up
    Mgmt IP addr: 10.1.9.201
    Mgmt web ports: 443
    Mgmt TLS enabled: true
    Firewall03# sh module 1 recover
    Module 1 recover parameters...
    Boot Recovery Image: No
    Image URL: tftp://0.0.0.0/
    Port IP Address: 0.0.0.0
    Gateway IP Address: 0.0.0.0
    VLAN ID: 0
    Firewall03#

  • ASA SSM IPS module upgrade won't work

    Hello all,
    I'm trying to upgrade the IPS sig's on an ASA5520 with a SSM IPS module. I'm trying to upgrade the system to 5.1.1 to further upgrade the device with no luck.
    I followed these steps provided by Cisco.com:
    1. Log in to the ASA.
    2. Enter enable mode:
    asa# enable
    3. Configure the recovery settings for ASA-SSM:
    asa (enable)# hw-module module 1 recover configure
    NOTE: If you make an error in the recovery configuration, use the
    hw-module module 1 recover stop command to stop the system reimaging
    and then you can correct the configuration.
    4. Specify the TFTP URL for the system image:
    Image URL [tftp://0.0.0.0/]:
    Example:
    Image URL [tftp://0.0.0.0/]: tftp://10.20.30.40/IPS-SSM-K9-sys-1.1-a-5.1-1.img
    5. Specify the command and control interface of ASA-SSM:
    Port IP Address [0.0.0.0]:
    Example:
    Port IP Address [0.0.0.0]: 11.21.31.41
    6. Leave the VLAN ID at 0.
    VLAN ID [0]:
    7. Specify the default gateway of the ASA-SSM:
    Gateway IP Address [0.0.0.0]:
    Example:
    Gateway IP Address [0.0.0.0]: 11.22.33.44
    8. Execute the recovery:
    asa# hw-module module 1 recover boot
    9. Periodically check the recovery until it is complete.
    NOTE: The status reads "Recovery" during recovery and reads "Up" when
    reimaging is complete.
    After #8 it just goes back to the enable prompt. A 'sh module' lists the device as 'recover' and hangs FOREVER.... I tested the TFTP server which the new image resides on, and the TFTP is working fine. I don't see any attempts or downloads from the TFTP server for over an hour.
    I opened a Cisco TAC on this and am not receiving a lot of help...
    Please help!!!:)
    Thanks
    Chris Serafin

    The recovery using this method can take upwards of 30 minutes, and in some cases even longer.
    How long have you left the SSM in the "recovery" state?
    There may be something wrong in the config you entered. When that happens the SSM can go into a continuous reboot cycle trying to do the recovery.
    Execute "debug module-boot" on the console of the ASA.
    The debug output will show you the ROMMON output of the SSM itself. (The SSM has its own ROMMON. The recovery boot command sends the settings made during the recover configure command to the SSM's ROMMON.)
    If the ROMMON is experiencing a problem in trying to download the tftp image you should now see that ROMMON error message.
    Some typical problems I have seen:
    1) Wrong IP given for the sensor.
    2) Wrong IP given for the gateway (the gateway must exist on the same network as the sensor) this problem usually happens when using a non-standard netmasked network.
    3) Not having the sensor's command and control port plugged into the right network. The external port of the SSM itself is where the IP is being applied. You need to ensure that the external port of the SSM is plugged into the right network for that IP.
    4) The tftp server is not reachable from the network where the sensor's command and control port is attached. Some users think that if the ASA itself can reach the tftp server that the SSM will also be able to. This is not always the case. It is best to use a tftp server on the same network as the IP provided to the SSM. Or to test the tftp server from another machine on the same network as the SSM.
    5) The file name is wrong. Check the capitalization especially.
    6) The file is not in the default directory on the tftp server. If the file is in a subdirectory you will need to add that subdirectory to the URL:
    tftp://10.20.30.40/subdirectoryname/filename
    7) The tftp is timing out.
    There are 2 things that can cause this:
    a) The tftp server is remote, and it takes too long to download the file. The ROMMON does have limits on the number of retries and per packet timeouts (but they are not user configurable). Try using a tftp server local to the SSM.
    b) The switch that the SSM connects to has spanning-tree running and spanning-tree does not complete before the SSM ROMMON times out for the tftp attempt. The tftp attempt happens immediately upon ROMMON startup and link up. But with a switch the switch port may be in a "Listen" or "Learn" state for 40 seconds before the box can actually talk on the network. In some cases the tftp download attempts started as soon as link up, and may timeout even before the spanning-tree completes. To work around this configure "spanning-tree portfast" on the switchport. Spanning-tree will connect the port into the vlan immediately rather than 40 seconds later.
    If it was a config problem when configuring the recovery settings, then there is a "recover stop" command on the ASA.
    It will stop the reboot cycle from happening.
    Let the module come up with the old image.
    Then correct your "recover configure" settings, and try the "recover boot" again.
    Another alternative:
    Stop the recovery "recover stop"
    Let it boot into the old image.
    If it was a 5.0 version, then you can actually upgrade to 5.1 using the sensor's own CLI "upgrade" command. It is actually the preferred method.
    The "recover" from the ASA will wipe the box clean and load a fresh image.
    The "upgrade" from the sensor will convert your 5.0 config into a 5.1 config while installing 5.1.
    5.1 upgrade file:
    IPS-K9-min-5.1-1g.pkg
    http://www.cisco.com/cgi-bin/tablebuild.pl/ips5
    It can be applied through the sensor's CLI upgrade command, or pushed directly through IDM, or applied by CSM.
    The "recover" should be limited to disaster recovery. When you can't access the SSM at all, or the files on the SSM have been corrupted.
    For normal upgrades you want to use "upgrade" files done through the sensor itself (CLI, IDM, or CSM).
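
The checklist in the reply above can be applied mechanically to the ROMMON variables that `debug module-boot` prints. The following is an added example, not part of the original thread and not Cisco tooling; the sample output is constructed, and `prefix_len`, `server_files`, the finding codes and the `.img` heuristic are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample, in the format of the `debug module-boot` output quoted on this page.
SAMPLE_DEBUG = """\
asa# Slot-1 220> ROMMON Variable Settings:
Slot-1 221>   ADDRESS=192.0.2.20
Slot-1 222>   SERVER=198.51.100.9
Slot-1 223>   GATEWAY=192.0.2.129
Slot-1 224>   PORT=GigabitEthernet0/0
Slot-1 225>   VLAN=0
Slot-1 226>   IMAGE=ips-ssm_10-k9-sys-example.img
Slot-1 227>   CONFIG=
Slot-1 232> TFTP failure: Packet verify failed after 20 retries
Slot-1 233> Rebooting due to Autoboot error ...
"""

SLOT_RE = re.compile(r"Slot-\d+\s+\d+>\s?(.*)$")  # tolerates a CLI prompt before "Slot-"
VAR_RE = re.compile(r"^\s*([A-Z]+)=(.*)$")


def parse_module_boot(text):
    """Split debug output into ROMMON variables and free-text ROMMON messages."""
    variables, messages = {}, []
    for raw in text.splitlines():
        slot = SLOT_RE.search(raw)
        if not slot:
            continue
        var = VAR_RE.match(slot.group(1))
        if var:
            variables[var.group(1)] = var.group(2).strip()
        elif slot.group(1).strip():
            messages.append(slot.group(1).strip())
    return variables, messages


def check_recover_settings(variables, messages, prefix_len, server_files=()):
    """Return (code, explanation) findings for the recover settings.

    prefix_len and server_files are supplied by the operator (assumption):
    ROMMON prints neither the netmask nor the TFTP directory listing.
    """
    findings = []
    net = ipaddress.ip_interface(f"{variables['ADDRESS']}/{prefix_len}").network
    gateway = ipaddress.ip_address(variables["GATEWAY"])
    server = ipaddress.ip_address(variables["SERVER"])
    image = variables.get("IMAGE", "")

    # Item 2 of the checklist: the gateway must be on the sensor's own network.
    if gateway not in net:
        findings.append(("GATEWAY_OFF_NET", f"gateway {gateway} is not in {net}"))
    # Item 4: reachability from the ASA does not prove reachability from the SSM.
    if server not in net:
        findings.append(("SERVER_REMOTE",
                         f"TFTP server {server} is outside {net}; test it from a host in {net}"))
    # Heuristic (assumption): the recover example on this page uses a -sys- .img
    # file, while .pkg upgrade files are applied through the sensor itself.
    if not image.lower().endswith(".img"):
        findings.append(("IMAGE_NOT_SYSTEM_IMAGE", f"{image!r} does not end in .img"))
    # Items 5 and 6: exact name, capitalization and subdirectory on the server.
    if server_files and image not in server_files:
        by_lower = {name.lower(): name for name in server_files}
        if image.lower() in by_lower:
            findings.append(("IMAGE_CASE",
                             f"server has {by_lower[image.lower()]!r}, configured {image!r}"))
        else:
            findings.append(("IMAGE_NOT_FOUND", f"{image!r} is not in the server listing"))
    # Symptoms of the continuous reboot cycle described in the reply.
    for msg in messages:
        if msg.startswith("TFTP failure"):
            findings.append(("TFTP_FAILED", msg))
        if "Rebooting due to Autoboot error" in msg:
            findings.append(("REBOOT_LOOP",
                             "run 'hw-module module 1 recover stop', correct the settings, retry"))
    return findings


if __name__ == "__main__":
    rommon_vars, rommon_msgs = parse_module_boot(SAMPLE_DEBUG)
    listing = ["IPS-SSM_10-K9-sys-example.img"]  # constructed TFTP directory listing
    for code, why in check_recover_settings(rommon_vars, rommon_msgs, 25, listing):
        print(f"{code}: {why}")
```
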

  • Update ASA-SSM-CSC-10 module

    Hi,
    I'm not able to update (reinstall) an ASA-SSM-CSC-10 module. I used the CLI command: "hw module 1 recover boot". But the module is still in the Recover mode.
    Output from CLI (I used the image: csc6.1-b1519.bin):
    Slot-1 890> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    Slot-1 891> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    Slot-1 892> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    Slot-1 893> Received 59944272 bytes
    Slot-1 894> Launching TFTP Image...
    sclfw002# sh module
    Mod Card Type Model Serial No.
    0 ASA 5510 Adaptive Security Appliance ASA5510 JMX1032K16L
    1 ASA 5500 Series Content Security Services Mo ASA-SSM-CSC-10 JAF10290481
    Mod MAC Address Range Hw Version Fw Version Sw Version
    0 0018.195b.e68d to 0018.195b.e691 1.1 1.0(11)2 7.2(1)
    1 0018.7317.b44a to 0018.7317.b44a 1.0 1.0(11)2
    Mod SSM Application Name Status SSM Application Version
    Mod Status Data Plane Status Compatibility
    0 Up Sys Not Applicable
    1 Recover Not Applicable
    Could anybody help me?
    thanks
    Reto

    Are you able to stop the recovery from continuously running? Use "hw-module module 1 recover stop" to end it. Then try to reset it again (hw-module module 1 reset).
    If the module becomes unresponsive due to running too long in recover mode, chances are big that you need to reset the ASA. But try to reset/shut it down via the ASA CLI first before deciding to shut down/power up the whole box. This may be inevitable. During shutdown, remove the module, and power up the ASA. Insert the module once the ASA is properly running, and check the status/mode again.
    Start the boot recovery process again, recover configure if necessary. If you need to stop it, issue "hw-module module 1 recover stop" within 45sec after the recover boot/configure started.
    HTH
    AK

  • License Expire on ASA Platform:ASA-SSM-20

    Dear Sir/Madam,
    Currently I have a Cisco ASA 5520 with (Platform: ASA-SSM-20) and the license expires next month.
    Could you let me know which P/N I should order to renew?
    Best Regards,
    Rechard.

    Have you renewed your IPS license yet? Not sure what question you are asking; however, you can renew your IPS SMARTnet through your vendor or directly with Cisco. You just need to provide your contract number or the serial number of your IPS device. While you are in the process of renewing your contract, you can get a temporary license from Cisco:
    https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet?DemoKeys=Y
    Let us know if you still need any assistance with this.

  • No AutoUpdate feature working on ASA-SSM-20

    Hi!
    Autoupdate feature is not working on ASA-SSM-20 module.
    We have configured:
    https://www.cisco.com//cgi-bin/front.x/ida/locator/locator.pl
    And/Or:
    https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
    And/Or:
    https://www.cisco.com/cgi-bin/front.x/ida/locator/locator.pl
    And/Or:
    https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
    We get these errors on the ASA-SSM-20 module:
    evError: eventId=1280563964539644086  vendor=Cisco  severity=error 
      originator:  
        hostId: sensor1 
        appName: mainApp 
        appInstanceId: 356 
      time: nov 17, 2010 08:15:45 UTC  offset=60  timeZone=GMT+01:00 
      errorMessage: AutoUpdate exception: Receive HTTP response failed [3,212]  name=errSystemError
    evError: eventId=1280563964539644079  vendor=Cisco  severity=error 
      originator:  
        hostId: sensor1 
        appName: mainApp 
        appInstanceId: 356 
      time: nov 17, 2010 08:10:02 UTC  offset=60  timeZone=GMT+01:00 
      errorMessage: http error response: 400  name=errSystemError
    Any Ideas?

    I am experiencing a similar issue currently with a new SSC-5 module. I am working with TAC; however, response has been slow. I can see traffic with Wireshark for 198.133.219.25 but I never see the traffic for 198.133.219.243 that I was told to allow on the firewall. I also found it confusing that I need to create exceptions on the firewall for outbound traffic to these two IP addresses when I do not have to make any exceptions for any other outbound traffic.
    Here is what I see:
    IPS_Sensor# show stat host
    Auto Update Statistics
       lastDirectoryReadAttempt = 09:03:09 GMT-06:00 Wed Jan 19 2011
        =   Read directory: https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
        =   Error: AutoUpdate exception: HTTP connection failed [1,110]
       lastDownloadAttempt = N/A
       lastInstallAttempt = N/A
       nextAttempt = 11:00:00 GMT-06:00 Wed Jan 19 2011 Auxilliary Processors Installed
    IPS_Sensor# show clock
    .09:24:05 GMT-06:00 Wed Jan 19 2011
    I know this thread is a few months old, but am hoping to spark an interest here.
    Thanks.

  • Image recovery on 5520 IDS Module (ASA-SSM-10) TFTP timeout failure

    I have an ASA 5520 with an ASA-SSM-10 module in it for IDS.  It has (from what I can tell) never been used or configured.  In fact, I only recently found that it existed!  I would like to begin using it, starting with replacing the software image with the latest (I do NOT need any configuration from it now).
    Details ...
    KCH-ASA-Primary# sh module 1 details
    Getting details from the Service Module, please wait...
    ASA 5500 Series Security Services Module-10
    Model:              ASA-SSM-10
    Hardware version:   1.0
    Serial Number:      JAF10422581
    Firmware version:   1.0(11)2
    Software version:   6.0(1)E1
    MAC Address Range:  0018.b91b.69f1 to 0018.b91b.69f1
    App. name:          IPS
    App. Status:        Up
    App. Status Desc:
    App. version:       6.0(1)E1
    Data plane Status:  Up
    Status:             Up
    Mgmt IP addr:       172.17.1.20
    Mgmt web ports:     443
    Mgmt TLS enabled:   true
    The problem that I am having is that when I set it up to pull down the new software through TFTP, it just hangs and times out.
    KCH-ASA-Primary# hw module 1 recover config
    Image URL [tftp://10.10.10.9/IPS-sig-S789-req-E4.pkg]:
    Port IP Address [172.17.1.20]:
    VLAN ID [950]:
    Gateway IP Address [172.17.1.1]:
    KCH-ASA-Primary#
    And then ...
    KCH-ASA-Primary# debug module-boot
    debug module-boot  enabled at level 1
    KCH-ASA-Primary# hw module 1 recover boot
    The module in slot 1 will be recovered.  This may
    erase all configuration and all data on that device and
    attempt to download a new image for it.
    Recover module in slot 1? [confirm]
    Recover issued for module in slot 1
    KCH-ASA-Primary# Slot-1 215> Cisco Systems ROMMON Version (1.0(11)2) #0: Thu Jan                             26 10:43:08 PST 2006
    Slot-1 216> Platform ASA-SSM-10
    Slot-1 217> GigabitEthernet0/0
    Slot-1 218> Link is UP
    Slot-1 219> MAC Address: 0018.b91b.69f1
    Slot-1 220> ROMMON Variable Settings:
    Slot-1 221>   ADDRESS=172.17.1.20
    Slot-1 222>   SERVER=10.10.10.9
    Slot-1 223>   GATEWAY=172.17.1.1
    Slot-1 224>   PORT=GigabitEthernet0/0
    Slot-1 225>   VLAN=950
    Slot-1 226>   IMAGE=IPS-sig-S789-req-E4.pkg
    Slot-1 227>   CONFIG=
    Slot-1 228>   LINKTIMEOUT=20
    Slot-1 229>   PKTTIMEOUT=4
    Slot-1 230>   RETRY=20
    Slot-1 231> tftp [email protected] via 172.17.1.1
    KCH-ASA-Primary# Slot-1 232> TFTP failure: Packet verify failed after 20 retries
    Slot-1 233> Rebooting due to Autoboot error ...
    Slot-1 234> Rebooting....
    I know that I can reach 10.10.10.9 from 172.17.1.x.  And this is the present port IP of the device.  If I do a 'session1' and ping 10.10.10.9, I get replies.  I know my TFTP is working ... I use it for all of my switches for config backups and installing new IOS.  And watching my TFTP server window, I am not seeing any connection attempts.
    What am I doing wrong here?  :-(

    Thanks for your response. As I mentioned earlier in my email, I tried 2 different images (IPS-SSC_5-K9-sys-1.1-a-6.2-2-E4.img and IPS-SSM_10-K9-sys-1.1-a-7.1-5-E4.img) without any success. Since there are no packets coming from IPS on the TFTP server, I think the problem is something else.
    When I run the "debug cplane 255" command, I see some errors mentioned below:
    asa(config)# debug cplane 255
    debug cplane  enabled at level 255
    asa(config)#
    cp_connect: Connecting to card 1, socket 3, port 7000
    cp_connect: Error - cp_connect() returned -1
    cp_check_connection: handle -1, conflicts with connection 1 (-1)
    cp_check_connection: handle -1, conflicts with connection 2 (-1)
    cp_check_connection: handle -1, conflicts with connection 3 (-1)
    cp_update_connection: Error updating connection_id 0
    Is this a hardware issue?

  • CISCO ASA SSM-10

    I have an ASA 5520, and I have Cisco ASA SSM-10, but I'm not sure how to work with it. My problems are here:
    1. What software do I need to get this to work?
    2. From the RJ45 connection on this module, where does it connect to?
    3. Give me some guide to configure it and test to see if it works.

    Hi,
    You need to do a couple of things to get this to work.
    1. Configuration on ASA to forward the traffic to the module
    2. Choose whether you are going to plug the IPS in inline/promiscuous mode
    3. Configure the IPS module
    Configuring ASA to forward the traffic to the module:
    access-list IPS permit ip any any
    class-map IPS
     match access-list IPS
    policy-map global_policy
     class IPS
      ips {inline | promiscuous} {fail-open | fail-close}
    When you do this, the ASA is configured to send the traffic to the module.
    Now you need to get into the IPS.
    You can get into it through the CLI on the ASA:
    do session 1
    It will ask you for a username and password;
    both are cisco by default.
    Run the command setup
    and it will walk you through the initial configuration of the sensor.
    Once the sensor is configured,
    log in to the IDM
    and go to configuration >> policies and assign vs0 to the backplane interface of the module so that sigs come in to the act of the traffic.
    You can connect the module in front of the IPS to the switch VLAN where the other interface exists from where you want to see this traffic and want IPS to come into act.
    Suppose you want to apply the IPS on the inside network:
    ASA inside interface ip:-192.168.1.1
    Module ip:-192.168.1.3/192.168.1.1
    Here the gateway for the module is the ASA inside interface.
    Now all the traffic going outbound or coming in from the inside interface will be monitored by the IPS.
    Now connect the Ethernet interface of the module to the same VLAN on the switch where your inside interface is connected.
    Now you can even manage the IDM of the IPS just like you manage the ASDM for the ASA; you just need to have your host/network allowed to gain access to it.
    Thanks

  • Im looking for some assistance in configuring our wireles...

    I'm looking for some assistance in configuring our wireless router to allow remote connections into it.. and then from there access any of the 5 computers on our network. I don't have the model number with me now, but just want to know where to start....
    Goal=== to allow me to access our remote location's network and access / VNC into our 5 terminals...
    I just need to know how I can configure the router to allow outside connections and then from there connect to our other machines via VNC...
    Any suggestions on where to start with this?

    in order to access the router remotely , you need to enable remote management on the router and to access the terminals using VNC .. you need to open the ports used by VNC ..

  • How to do a factory reset ASA-SSM-10?

    Hi.
    I forgot the user for managing an IPS SSM-10. When I follow the procedure to reset the password for the cisco user, I can get into the module, I change the password and everything is OK, but when I try to configure I don't have rights to do anything.
    If I look at the privileges for the user cisco, this is the result:
    EDGE-IPS2# sh user
        CLI ID   User    Privilege
    *   4143     cisco   viewer
    Application Partition:
    Cisco Intrusion Prevention System, Version 6.1(1)E2
    Host:
        Realm Keys          key1.0
    Signature Definition:
        Signature Update    S364.0                   2008-10-24
        Virus Update        V1.4                     2007-03-02
    OS Version:             2.4.30-IDS-smp-bigphys
    Platform:               ASA-SSM-10
    Serial Number:          JAF1208BNPP
    License expired:        20-Jun-2009 UTC
    Sensor up-time is 1:09.
    Using 657850368 out of 1032495104 bytes of available memory (63% usage)
    system is using 17.7M out of 29.0M bytes of available disk space (61% usage)
    application-data is using 41.5M out of 166.8M bytes of available disk space (26% usage)
    boot is using 40.5M out of 68.6M bytes of available disk space (62% usage)
    MainApp          M-2008_APR_24_19_16    (Release)   2008-04-24T19:49:05-0500   Running
    AnalysisEngine   ME-2008_JUN_05_18_26   (Release)   2008-06-05T18:55:02-0500   Running
    CLI              M-2008_APR_24_19_16    (Release)   2008-04-24T19:49:05-0500
    Upgrade History:
    * IPS-K9-6.1-1-E2           22:40:50 UTC Tue Feb 26 2013
      IPS-sig-S364-req-E2.pkg   18:43:20 UTC Wed Nov 12 2008
    Recovery Partition Version 1.1 - 6.1(1)E2
    Host Certificate Valid from: 17-Nov-2008 to 18-Nov-2010
    What can I do in this case?
    IPS Info
    Getting details from the Service Module, please wait...
    ASA 5500 Series Security Services Module-10
    Model:              ASA-SSM-10
    Hardware version:   1.0
    Serial Number:      JAF1208BNPP
    Firmware version:   1.0(11)4
    Software version:   6.1(1)E2
    MAC Address Range:  001e.f710.5b6c to 001e.f710.5b6c
    App. name:          IPS
    App. Status:        Up
    App. Status Desc:
    App. version:       6.1(1)E2
    Data plane Status:  Up
    Status:             Up
    Mgmt IP addr:       X.X.X.X
    Mgmt web ports:     443
    Mgmt TLS enabled:  

    The process will normally use the following command:
    hw-module module 1 password-reset
    It will reload the ASA and when logging back in the "Cisco" username will have admin rights.
    If this is not your case, a re-image of the unit will be the next step; keep in mind that this will remove all the custom config.

  • ASA-SSM-40

    I have an ASA-SSM-40 in an ASA 5540.  A couple of days ago, the IPS went into bypass mode and I could figure out why.  I reloaded the image with version 7.0.6 E4.  I lost the config and have now reconfigured it.  I cannot ping the device from anywhere, but I can ping out from the device.  The config looks the same as all the other SSM's we have installed at other sites.  I'm using the same IP address, and the ASA is still configured as it was before when it was working.  Obviously I can't web to the device either.

    I reimaged again with version 7.0.4 E4 and got everything working again.  Will try later to upgrade to 7.0.6.

  • Proper ASA-SSM-20 IPS and MARS Integration

    I'm trying to understand how to best manage my MARS and ASA-SSM-20 IPS implementation. I've been running this solution for about 2 months and have been experimenting with how to manage alerts from the blades to MARS.
    The MARS documentation says to configure 2 Event Action Overrides: Verbose Alerts and Log Pair Packets. However, there seems to be a major drawback:
    1. The IPS generates alerts for signatures that by default have no alert action configured. At first glance this seems OK, but over time I found that many false positives are generated for signatures that would otherwise remain quiet.
    My question is, how should this be managed? I want verbose alerts and logged pair packets for signatures that produce alerts by default, but if I manually configure this, is there a performance consideration?

    You might be hitting the bug CSCuc34812.
    Please contact Cisco TAC to have the issue analyzed.
    Regards,
    Sawan Gupta
