No AutoUpdate feature working on ASA-SSM-20
Hi!
Autoupdate feature is not working on ASA-SSM-20 module.
We have configured:
https://www.cisco.com//cgi-bin/front.x/ida/locator/locator.pl
And/Or:
https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
And/Or:
https://www.cisco.com/cgi-bin/front.x/ida/locator/locator.pl
And/Or:
https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
We get these errors on the ASA-SSM-20 module:
evError: eventId=1280563964539644086 vendor=Cisco severity=error
originator:
hostId: sensor1
appName: mainApp
appInstanceId: 356
time: nov 17, 2010 08:15:45 UTC offset=60 timeZone=GMT+01:00
errorMessage: AutoUpdate exception: Receive HTTP response failed [3,212] name=errSystemError
evError: eventId=1280563964539644079 vendor=Cisco severity=error
originator:
hostId: sensor1
appName: mainApp
appInstanceId: 356
time: nov 17, 2010 08:10:02 UTC offset=60 timeZone=GMT+01:00
errorMessage: http error response: 400 name=errSystemError
Any Ideas?
I am experiencing a similar issue currently with a new SSC-5 module. I am working with TAC, however response has been slow. I can see traffic with Wireshark for 198.133.219.25 but I never see the traffic for 198.133.219.243 that I was told to allow on the firewall. I also found it confusing that I need to create exceptions on the firewall for outbound traffic to these two IP addresses when I do not have to make any exceptions for any other outbound traffic.
Here is what I see:
IPS_Sensor# show stat host
Auto Update Statistics
lastDirectoryReadAttempt = 09:03:09 GMT-06:00 Wed Jan 19 2011
= Read directory: https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
= Error: AutoUpdate exception: HTTP connection failed [1,110]
lastDownloadAttempt = N/A
lastInstallAttempt = N/A
nextAttempt = 11:00:00 GMT-06:00 Wed Jan 19 2011 Auxilliary Processors Installed
IPS_Sensor# show clock
.09:24:05 GMT-06:00 Wed Jan 19 2011
I know this thread is a few months old, but am hoping to spark an interest here.
Thanks.
Similar Messages
-
ASA SSM IPS module upgrade won't work
Hello all,
I'm trying to upgrade the IPS sig's on an ASA5520 with a SSM IPS module. I'm trying to upgrade the system to 5.1.1 to further upgrade the device with no luck.
I followed these steps provided by Cisco.com:
1. Log in to the ASA.
2. Enter enable mode:
asa# enable
3. Configure the recovery settings for ASA-SSM:
asa (enable)# hw-module module 1 recover configure
NOTE: If you make an error in the recovery configuration, use the
hw-module module 1 recover stop command to stop the system reimaging
and then you can correct the configuration.
4. Specify the TFTP URL for the system image:
Image URL [tftp://0.0.0.0/]:
Example:
Image URL [tftp://0.0.0.0/]: tftp://10.20.30.40/IPS-SSM-K9-sys-1.1-a-5.1-1.img
5. Specify the command and control interface of ASA-SSM:
Port IP Address [0.0.0.0]:
Example:
Port IP Address [0.0.0.0]: 11.21.31.41
6. Leave the VLAN ID at 0.
VLAN ID [0]:
7. Specify the default gateway of the ASA-SSM:
Gateway IP Address [0.0.0.0]:
Example:
Gateway IP Address [0.0.0.0]: 11.22.33.44
8. Execute the recovery:
asa# hw-module module 1 recover boot
9. Periodically check the recovery until it is complete.
NOTE: The status reads "Recovery" during recovery and reads "Up" when
reimaging is complete.
After #8 it just goes back to the enable prompt. A 'sh module' lists the device as 'recover' and hangs FOREVER.... I tested the TFTP server which the new image resides on, and the TFTP is working fine. I don't see any attempts or downloads from the TFTP server for over an hour.
I opened a Cisco TAC on this and not receiving a lot of help...
Please help!!!:)
Thanks
Chris Serafin
[email protected]
The recovery using this method can take upwards of 30 minutes, and in some cases even longer.
How long have you left the SSM in the "recovery" state?
There may be something wrong in the config you entered. When that happens the SSM can go into a continuous reboot cycle trying to do the recovery.
Execute "debug module-boot" on the console of the ASA.
The debug output will show you the ROMMON output of the SSM itself. (The SSM has its own ROMMON. The recovery boot command sends the settings made during the recover configure command to the SSM's ROMMON).
If the ROMMON is experiencing a problem in trying to download the tftp image you should now see that ROMMON error message.
Some typical problems I have seen:
1) Wrong IP given for the sensor.
2) Wrong IP given for the gateway (the gateway must exist on the same network as the sensor) this problem usually happens when using a non-standard netmasked network.
3) Not having the sensor's command and control port plugged into the right network. The external port of the SSM itself is where the IP is being applied. You need to ensure that the external port of the SSM is plugged into the right network for that IP.
4) The tftp server is not reachable from the network where the sensor's command and control port is attached. Some users think that if the ASA itself can reach the tftp server that the SSM will also be able to. This is not always the case. It is best to use a tftp server on the same network as the IP provided to the SSM. Or to test the tftp server from another machine on the same network as the SSM.
5) The file name is wrong. Check the capitalization especially.
6) The file is not in the default directory on the tftp server. If the file is in a subdirectory you will need to add that subdirectory to the URL:
tftp://10.20.30.40/subdirectoryname/filename
7) The tftp is timing out.
There are 2 things that can cause this:
a) The tftp server is remote, and it takes too long to download the file. The ROMMON does have limits on the number of retries and per packet timeouts (but they are not user configurable). Try using a tftp server local to the SSM.
b) The switch that the SSM connects to has spanning-tree running and spanning-tree does not complete before the SSM ROMMON times out for the tftp attempt. The tftp attempt happens immediately upon ROMMON startup and link up. But with a switch the switch port may be in a "Listen" or "Learn" state for 40 seconds before the box can actually talk on the network. In some cases the tftp download attempts started as soon as link up, and may timeout even before the spanning-tree completes. To work around this configure "spanning-tree portfast" on the switchport. Spanning-tree will connect the port into the vlan immediately rather than 40 seconds later.
If it was a config problem when configuring the recovery settings, then there is a "recover stop" command on the ASA.
It will stop the reboot cycle from happening.
Let the module come up with the old image.
Then correct your "recover configure" settings, and try the "recover boot" again.
Another alternative:
Stop the recovery "recover stop"
Let it boot into the old image.
If it was a 5.0 version, then you can actually upgrade to 5.1 using the sensor's own CLI "upgrade" command. It is actually the preferred method.
The "recover" from the ASA will wipe the box clean and load a fresh image.
The "upgrade" from the sensor will convert your 5.0 config into a 5.1 config while installing 5.1.
5.1 upgrade file:
IPS-K9-min-5.1-1g.pkg
http://www.cisco.com/cgi-bin/tablebuild.pl/ips5
It can be applied through the sensor's CLI upgrade command, or pushed directly through IDM, or applied by CSM.
The "recover" should be limited to disaster recovery. When you can't access the SSM at all, or the files on the SSM have been corrupted.
For normal upgrades you want to use "upgrade" files done through the sensor itself (CLI, IDM, or CSM).
-
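The typical recovery problems listed in the reply above can be checked mechanically from the ROMMON variable block that "debug module-boot" prints. The following is an added example, not code from the thread or from Cisco: it parses that block and flags a gateway outside the sensor's network, an off-subnet TFTP server, and an image name that is not a system image. The sample output, all addresses and file names in it, and the prefix length are constructed assumptions; the platform-name comparison is a heuristic based on the image names that appear on this page.

```python
import ipaddress
import re

# Lines such as "Slot-1 221> ADDRESS=172.17.1.20" in `debug module-boot` output.
ROMMON_VAR = re.compile(r"Slot-\d+\s+\d+>\s+([A-Z]+)=(.*)$")
PLATFORM = re.compile(r"Slot-\d+\s+\d+>\s+Platform\s+(\S+)")
# Platform token embedded in some image names, e.g. SSM_10 or SSC_5 (heuristic).
IMAGE_PLATFORM = re.compile(r"(SS[MC])_(\d+)")

# Constructed sample: gateway outside a /25, remote server, upgrade package as image.
BAD_SAMPLE = """\
Slot-1 216> Platform ASA-SSM-10
Slot-1 220> ROMMON Variable Settings:
Slot-1 221> ADDRESS=192.0.2.20
Slot-1 222> SERVER=198.51.100.9
Slot-1 223> GATEWAY=192.0.2.129
Slot-1 226> IMAGE=IPS-sig-S000-req-E4.pkg
Slot-1 227> CONFIG=
"""

# Constructed sample: everything local, system image named for the platform.
GOOD_SAMPLE = """\
Slot-1 216> Platform ASA-SSM-10
Slot-1 221> ADDRESS=192.0.2.20
Slot-1 222> SERVER=192.0.2.9
Slot-1 223> GATEWAY=192.0.2.1
Slot-1 226> IMAGE=IPS-SSM_10-K9-sys-1.1-a-7.1-5-E4.img
"""


def parse_module_boot(text):
    """Return (platform, {ROMMON variable: value}) from the debug output."""
    platform, settings = None, {}
    for line in text.splitlines():
        line = line.strip()
        m = PLATFORM.search(line)
        if m:
            platform = m.group(1)
            continue
        m = ROMMON_VAR.search(line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return platform, settings


def check_recovery(platform, settings, prefix_len):
    """Return findings; prefix_len is the sensor network's mask length (assumed known)."""
    try:
        net = ipaddress.ip_interface(f"{settings['ADDRESS']}/{prefix_len}").network
        gateway = ipaddress.ip_address(settings["GATEWAY"])
        server = ipaddress.ip_address(settings["SERVER"])
    except (KeyError, ValueError) as exc:
        return [f"unusable ROMMON settings: {exc}"]

    findings = []
    if gateway not in net:
        # Problem 2 in the list: the gateway must be on the sensor's network.
        findings.append(f"gateway {gateway} is not on the sensor network {net}")
    if server not in net:
        # Problems 4 and 7a: a remote server may be unreachable or too slow.
        findings.append(f"TFTP server {server} is off-subnet; test it from a host on {net}")

    image = settings.get("IMAGE", "")
    if not image:
        findings.append("no image file name set")
        return findings
    if not (image.endswith(".img") and "-sys-" in image):
        # "recover" loads a system image; .pkg upgrade files go through the sensor.
        findings.append(f"{image} does not look like a system image (-sys- ... .img)")
    m = IMAGE_PLATFORM.search(image)
    if m and platform and not platform.endswith(f"{m.group(1)}-{m.group(2)}"):
        findings.append(f"image is named for {m.group(0)}, module reports {platform}")
    return findings


if __name__ == "__main__":
    for name, sample in (("bad", BAD_SAMPLE), ("good", GOOD_SAMPLE)):
        platform, settings = parse_module_boot(sample)
        print(name, check_recovery(platform, settings, prefix_len=25) or "no findings")
```

Case sensitivity of the file name and its subdirectory on the TFTP server (problems 5 and 6) still have to be checked on the server itself.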
ErrSystemError-ct-sensorApp.463 not responding on ASA-SSM-10
Hello,
I got following error message when login into IPS over IDM, after error is displayed IDM is closing.
errSystemError-ct-sensorApp.463 not responding, please check system processes
- The connect to the specified Io::ClientPipe failed.
SSH login works, when using CLI following health statistics are available:
sensor# show health
Overall Health Status Red
Health Status for Failed Applications Red
Health Status for Signature Updates Yellow
Health Status for License Key Expiration Green
Health Status for Running in Bypass Mode Red
Health Status for Interfaces Being Down Green
Health Status for the Inspection Load Green
Health Status for the Time Since Last Event Retrieval Green
Health Status for the Number of Missed Packets Green
Health Status for the Memory Usage Not Enabled
Health Status for Global Correlation Green
Health Status for Network Participation Not Enabled
Security Status for Virtual Sensor sensor-int Green
Security Status for Virtual Sensor vs0 Green
Do you have any idea why IPS crashed ?
ASA-SSM-10 is installed into ASA 5510.
Hello,
I have had the same problem for several days. I found the following workaround in our environment. It has been working for 5 hours.
Hope it helps.
Regards.
IDSM-2 Sensor Module - errSystemError -ct-sensorApp.XXX not responding, please check system processes - The connect to the specified Io::ClientPipe failed.
Symptom:
When attempting to access an IDSM-2 sensor via its GUI (IDM) or via IME (IPS Manager Express), an error such as the following is encountered:
"errSystemError -ct-sensorApp.XXX not responding, please check system processes - The connect to the specified Io::ClientPipe failed."
Additionally, review of the 'show version' command output indicates the AnalysisEngine (sensorApp process) to be "Not Running".
Conditions:
IDSM-2 sensor module running 7.0(x) software release. Global Correlation Inspection feature enabled (On). A 'show tech' command output includes a sensorApp process core containing lines similar to the following:
cat /usr/cids/idsRoot/core/sensorApp/core.txt
/usr/cids/idsRoot/bin/sensorApp(_ZN3Cid3Rep9RepIpData13ApplyIpUpdateEPKcPNS0_8RepScoreE+)
Solution:
This problem is tracked as defect CSCti79423. It can be encountered on the IDSM-2 platform when a Global Correlation Update occurs. A fix for this is currently planned for inclusion in the next 7.0 release (7.0(6)).
In the interim, the only workaround to ensure that the sensor does not re-encounter this defect is to disable Global Correlation Inspection (Updates) as such:
sensor# conf t
sensor(config)# service global-correlation
sensor(config-glo)# global-correlation-inspection off
sensor(config-glo)# exit
Apply Changes?[yes]: yes
After making the above configuration change, a reboot of the affected IDSM-2 sensor module should restore it to service:
sensor# reset
-
Monitor Inspection Load IPS ASA-SSM-20
All,
I am aware there is a feature request but don't see any updates. Taking the chance here that its fallen through the cracks and someone has figured out another way to monitor inspection load on ASA-SSM-20 IPS. We are currently running 7.0(5a)E4. I want to be able to use Solarwinds Orion to monitor Inspection Load on our IPS devices. Does anyone know if that is yet possible...if so how?
Thanks!
Bump +1
-
I have an ASA-SSM-40 in an ASA 5540. A couple of days ago, the IPS went into bypass mode and I could figure out why. I reloaded the image with version 7.0.6 E4. I lost the config and have now reconfigured it. I cannot ping the device from anywhere, but I can ping out from the device. The config looks the same as all the other SSM's we have installed at other sites. I'm using the same IP address, and the ASA is still configured as it was before when it was working. Obviously I can't web to the device either.
I reimaged again with version 7.0.4 E4 and got everything working again. Will try later to upgrade to 7.0.6.
-
Password reset on a older ASA-SSM-20
Hi, I have taken over a running ASA with an ASA-SSM-20
but nowhere can I find the password
and the ASA is running 8.0.3 but the SSM is only running 5.1
so the command hw-module module x password-reset doesn't work
anybody there have an idea how to fix it
thanks in advance
In that case then the only way to recover
the password is to perform a re-image of the AIP-SSM.
You can perform the re-image via tftp using the commands
'hardware-module module 1 recover configure' and then 'hardware-module
module 1 recover boot'
Link Re-image instructions
http://www.cisco.com/en/US/docs/security/ips/5.1/configuration/guide/cli/cliSSM.html#wp1034193
images:
http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=282520327
hope this helps
regards
Yesua
-
Will ASA-SSM-20 reload affect ASA failover?
I have 2 ASA 5520s with an ASA-SSM-20 installed in each. The ASA-SSM-20 in the primary ASA is not working correctly:
Error: Cannot communicate with mainApp (getVersion). Please contact your system administrator.
Would you like to run cidDump?[no]:
I would like to reload the module, but I don't know if that will cause the whole ASA to failover. The ASAs are running 7.2(3).
Any thoughts?
Thanks Brett.
We are using stateful failover. Not all sessions get dropped, just enough Telnet and application interface links that we start getting calls and people show up at my door. This is on a new ASA5520 that normally runs <5% CPU utilization. I just checked the failover link is set to 1000FULL so there should not be any delay updated state information.
Am I missing something in the config?
Portcullis# sho run failover
failover
failover lan unit primary
failover lan interface heartbeat GigabitEthernet0/2
failover polltime unit 3 holdtime 9
failover replication http
failover link heartbeat GigabitEthernet0/2
failover interface ip heartbeat 172.31.0.201 255.255.255.0 standby 172.31.0.202
Portcullis# sho run interface g0/2
interface GigabitEthernet0/2
description LAN/STATE Failover Interface
speed 1000
duplex full
Portcullis#
-Roy-
-
Correlating Cisco ASA-SSM-IPS Events/Logs
I have just configured a Cisco ASA-SSM-IPS10. An exciting feature of this device is the ability to monitor, analyse, and correlate security events. Can anybody help with documentation to simplify daily (or periodic) analysis and correlation of the IPS logs? As I am not yet up to speed with this task, a "How-to" document would be just fine. Thank you.
Hi Chris,
Good to have you get on the case. I am yet to set up an IPS manager software. Presently, I use an ASDM 6 interface; with this interface, I am able to view events and alerts, and perform other administrative chores... Does the IPS Manager Express come bundled with our device purchase? Does it contain necessary templates/docs for correlating events/logs?
-
Signature recommendations for ASA-SSM-10
hi, I was wondering if anyone has recommendations on what sigs to enable on the ASA-SSM-10.......I know.... to a certain extent, 'it depends' on your individual environment. But I think it must be the case that there are some disabled sigs that are good to enable..right? I was hoping to tap into the 'group mind' on what works well.
Also, why not enable all? I am assuming the ASA-SSM-10 probably cannot keep up with that level of inspection??
thanks in advance
androdri,
Thanks for your reply. I have some followup questions.
1. I noticed that any signature that is disabled is listed as retired....does retired mean disabled or something else (like not needed any more).
2. it seems like most of the malware sigs are disabled, i would think that if you are in a user environment, you would want those on, is there an example of a situation that you would not want them on....how do you know if you have a problem if you don't look.
thanks
-
Swap Cisco ASA SSM-10 from dead firewall
Good afternoon,
I currently have 2 Cisco 5510 firewalls. One of the firewalls is completely dead but contains a Cisco ASA SSM-10. Can I remove this card and just place it into a working unit? Will I have any problems doing so?
Regards
Paul
No, that shouldn't be a problem at all as the serial number of the SSM-10 module does not get linked to the actual ASA appliance.
-
Autoupdate not working-please h
This is from another person having the same problem, same here: Clean install and Audigy 2zs
Is anyone having a problem using this feature? I click on the accept button on the bottom of the page, then the next page launched doesn't do anything but give the message:
Please set any installed pop-up blockers to allow pop-ups from this site in order to use the AutoUpdate service.
Products on your system
I allowed pop-ups like I always did in the past when checking but for some reason this is all I get. I disabled them, marked as a trusted site, still no go.
Well, since it's not working for me, I was also wondering if there was a specific install order of the patches to do them manually.
Thanks
During all period of using Audigy 2 ZS, autoupdate never worked, it always crashing IE(6.0) after running the autoupdate ActiveX application on browser. Is there a standalone autoupdate application instead of the ActiveX application in browser?
-
Need assistance to configure ASA-SSM-10
Hello All,
Can someone assist me on setting up the IPS ASA-SSM-10 module in ASA 5520 firewall . I have just licensed the box. It would be great if someone can help me with relevant videos\docs to configure the SSM module to enable all the required IPS features for the box to run. I am running ASDM 6.4 and if anyone has the configs to enable via ASDM\CLI whichever is feasible is fine . Kindly assist .Below is the module details.
ASA 5500 Series Security Services Module-10
Model: ASA-SSM-10
Hardware version: 1.0
Firmware version: 1.0(11)5
Software version: 7.1(8)E4
App. name: IPS
App. Status: Up
App. Status Desc: Normal Operation
App. version: 7.1(8)E4
Data plane Status: Up
Status: Up
Regards,
Karthik
Do you need the syslogs to be sent or the Events.
IPS sensors do not support syslog forwarding. Syslog is fairly
restrictive in size of messages and is not secure or reliable.
sensor does support sending of events using SNMP
(again with the same sets of restrictions: not full data, clear text,
not reliable).
There is a physical ability to send events as traps. It isn't
recommended for many reasons (or let's say it isn't recommended in the
same way that monitoring using SDEE is). SNMP trap receivers generally
aren't built to handle, say 200 events per second per device. The
sensor isn't capable of sending at the same event rate as it is with
SDEE. The traps are in clear text and are not reliably sent. They
don't contain the same amount of info as an SDEE event, and can't.
If you need the events to be sent to a database you can run Cisco IME which can collect all the events generated by the IPS.
Hope this helps.
Sachin
-
Image recovery on 5520 IDS Module (ASA-SSM-10) TFTP timeout failure
I have an ASA 5520 with an ASA-SSM-10 module in it for IDS. It has (from what I can tell) never been used or configured. In fact, I only recently found that it existed! I would like to begin using it, starting with replacing the software image with the latest (I do NOT need any configuration from it now).
Details ...
KCH-ASA-Primary# sh module 1 details
Getting details from the Service Module, please wait...
ASA 5500 Series Security Services Module-10
Model: ASA-SSM-10
Hardware version: 1.0
Serial Number: JAF10422581
Firmware version: 1.0(11)2
Software version: 6.0(1)E1
MAC Address Range: 0018.b91b.69f1 to 0018.b91b.69f1
App. name: IPS
App. Status: Up
App. Status Desc:
App. version: 6.0(1)E1
Data plane Status: Up
Status: Up
Mgmt IP addr: 172.17.1.20
Mgmt web ports: 443
Mgmt TLS enabled: true
The problem that I am having is that when I set it up to pull down the new software through TFTP, it just hangs and times out.
KCH-ASA-Primary# hw module 1 recover config
Image URL [tftp://10.10.10.9/IPS-sig-S789-req-E4.pkg]:
Port IP Address [172.17.1.20]:
VLAN ID [950]:
Gateway IP Address [172.17.1.1]:
KCH-ASA-Primary#
And then ...
KCH-ASA-Primary# debug module-boot
debug module-boot enabled at level 1
KCH-ASA-Primary# hw module 1 recover boot
The module in slot 1 will be recovered. This may
erase all configuration and all data on that device and
attempt to download a new image for it.
Recover module in slot 1? [confirm]
Recover issued for module in slot 1
KCH-ASA-Primary# Slot-1 215> Cisco Systems ROMMON Version (1.0(11)2) #0: Thu Jan 26 10:43:08 PST 2006
Slot-1 216> Platform ASA-SSM-10
Slot-1 217> GigabitEthernet0/0
Slot-1 218> Link is UP
Slot-1 219> MAC Address: 0018.b91b.69f1
Slot-1 220> ROMMON Variable Settings:
Slot-1 221> ADDRESS=172.17.1.20
Slot-1 222> SERVER=10.10.10.9
Slot-1 223> GATEWAY=172.17.1.1
Slot-1 224> PORT=GigabitEthernet0/0
Slot-1 225> VLAN=950
Slot-1 226> IMAGE=IPS-sig-S789-req-E4.pkg
Slot-1 227> CONFIG=
Slot-1 228> LINKTIMEOUT=20
Slot-1 229> PKTTIMEOUT=4
Slot-1 230> RETRY=20
Slot-1 231> tftp [email protected] via 172.17.1.1
KCH-ASA-Primary# Slot-1 232> TFTP failure: Packet verify failed after 20 retries
Slot-1 233> Rebooting due to Autoboot error ...
Slot-1 234> Rebooting....
I know that I can reach 10.10.10.9 from 172.17.1.x. And this is the present port IP of the device. If I do a 'session1' and ping 10.10.10.9, I get replies. I know my TFTP is working ... I use it for all of my switches for config backups and installing new IOS. And watching my TFTP server window, I am not seeing any connection attempts.
What am I doing wrong here? :-(
Thanks for your response. As I mentioned earlier in my email, I tried 2 different images (IPS-SSC_5-K9-sys-1.1-a-6.2-2-E4.img and IPS-SSM_10-K9-sys-1.1-a-7.1-5-E4.img) without any success. Since there are no packets coming from IPS on the TFTP server, I think the problem is something else.
When I run the "debug cplane 255" command, I see some errors mentioned below:
asa(config)# debug cplane 255
debug cplane enabled at level 255
asa(config)#
cp_connect: Connecting to card 1, socket 3, port 7000
cp_connect: Error - cp_connect() returned -1
cp_check_connection: handle -1, conflicts with connection 1 (-1)
cp_check_connection: handle -1, conflicts with connection 2 (-1)
cp_check_connection: handle -1, conflicts with connection 3 (-1)
cp_update_connection: Error updating connection_id 0
Is this a hardware issue?
-
Upgrading IPS strings, ASA SSM-10 module
I am having a challenging time upgrading the ASA SSM-10 IPS module. I downloaded the IPS-sig-s327-req-e1.pkg to Win XP ftp server (my workstation). The instructions in the following do not work: http://download-sj.cisco.com/cisco/ciscosecure/ips/6.x/sigup/IPS-sig-S327.readme.txt
"error: execUpgradeSoftware : Connect failed". Any suggestion would be appreciated.
I can connect the LAN switch directly to the inside interface of the ASA5510 firewall. Hosts can get Internet connectivity while cabled to the switch. However, when the LAN switch is connected to the port on the IPS module, there is no Internet connectivity. Any suggestions would be appreciated. The following is the sh configuration and sh int output.
sh configuration
Version 5.1(6)
! Current configuration last modified Sat Apr 05 12:28:11 2008
service interface
exit
service analysis-engine
virtual-sensor vs0
physical-interface GigabitEthernet0/1
exit
exit
service authentication
exit
service event-action-rules rules0
exit
service host
network-settings
host-ip 192.168.1.36/24,192.168.1.10
host-name ips
telnet-option enabled
--MORE--
access-list 0.0.0.0/0
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
exit
service logger
exit
service network-access
exit
service notification
exit
service signature-definition sig0
exit
service ssh-known-hosts
exit
service trusted-certificates
--MORE--
exit
service web-server
exit
ips# sh interfaces
Interface Statistics
Total Packets Received = 6806
Total Bytes Received = 2001784
Missed Packet Percentage = 0
Current Bypass Mode = Auto_off
MAC statistics from interface GigabitEthernet0/1
Interface function = Sensing interface
Description =
Media Type = backplane
Missed Packet Percentage = 0
Inline Mode = Unpaired
Pair Status = N/A
Link Status = Up
Link Speed = Auto_1000
Link Duplex = Auto_Full
Total Packets Received = 6807
Total Bytes Received = 2001866
Total Multicast Packets Received = 0
Total Broadcast Packets Received = 0
Total Jumbo Packets Received = 0
Total Undersize Packets Received = 0
Total Receive Errors = 0
Total Receive FIFO Overruns = 0
Total Packets Transmitted = 6807
--MORE--
Total Bytes Transmitted = 2017118
Total Multicast Packets Transmitted = 0
Total Broadcast Packets Transmitted = 0
Total Jumbo Packets Transmitted = 0
Total Undersize Packets Transmitted = 0
Total Transmit Errors = 0
Total Transmit FIFO Overruns = 0
MAC statistics from interface GigabitEthernet0/0
Interface function = Command-control interface
Description =
Media Type = TX
Link Status = Down
Link Speed = N/A
Link Duplex = N/A
Total Packets Received = 126
Total Bytes Received = 14255
Total Multicast Packets Received = 0
Total Receive Errors = 0
Total Receive FIFO Overruns = 0
Total Packets Transmitted = 1
Total Bytes Transmitted = 64
Total Transmit Errors = 0
Total Transmit FIFO Overruns = 0
-
Hi,
I've installed an ASA-SSM-10 module into my ASA 5510 firewall but it's in "Unresponsive" state. I tried to reset and recover the module but nothing seems to work. Below you may find information about the system and details about what I did. Any help is greatly appreciated.
Firewall:
ASA5510-K8, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
System image file is "disk0:/asa843-k8.bin"
Device Manager Version 6.4(3)
IPS Module:
ASA 5500 Series Security Services Module-10 ASA-SSM-10
Hw Version: 1.0
Sw Version: 6.2(2)E4
SSM Application Version: 6.2(2)E4
I have 2 IPS images at my TFTP server:
IPS-SSC_5-K9-sys-1.1-a-6.2-2-E4.img
IPS-SSM_10-K9-sys-1.1-a-7.1-5-E4.img
I tried the command: hw-module module 1 reset
At first module status changes to "Init" but after then it goes back to "Unresponsive"
I used the command "hw-module module 1 recover configure" for 2 different images mentioned above by the same order and then tried:
"hw-module module 1 recover boot"
Module status changes to "Recover" and stays like that for hours. I've waited for 2 hours for 2 different images. And then I issued the command: hw-module module 1 recover stop and the module goes back to "Unresponsive" state.
The Module's network interface is connected to the same switch where the TFTP server is connected. When I run a sniffer on the TFTP server (Linux, tcpdump), there's no TFTP activity. But I can use this TFTP server from ASA (Connected to the Inside interface).
ASA Inside interface IP Address: X.X.X.1
TFTP Server IP Address: X.X.X.8
"show module 1 recover" command output:
Module 1 recover parameters...
Boot Recovery Image: Yes
Image URL: tftp://X.X.X.8/IPS-SSC_5-K9-sys-1.1-a-6.2-2-E4.img
Port IP Address: X.X.X.2
Gateway IP Address: X.X.X.1
VLAN ID: 0
(There are no VLANs used on this network.)
Thanks for your response. As I mentioned earlier in my email, I tried 2 different images (IPS-SSC_5-K9-sys-1.1-a-6.2-2-E4.img and IPS-SSM_10-K9-sys-1.1-a-7.1-5-E4.img) without any success. Since there are no packets coming from IPS on the TFTP server, I think the problem is something else.
When I run the "debug cplane 255" command, I see some errors mentioned below:
asa(config)# debug cplane 255
debug cplane enabled at level 255
asa(config)#
cp_connect: Connecting to card 1, socket 3, port 7000
cp_connect: Error - cp_connect() returned -1
cp_check_connection: handle -1, conflicts with connection 1 (-1)
cp_check_connection: handle -1, conflicts with connection 2 (-1)
cp_check_connection: handle -1, conflicts with connection 3 (-1)
cp_update_connection: Error updating connection_id 0
Is this a hardware issue?