Redundant AIP SSM-20 Config Replication?
I have two ASAs in a redundant configuration. Each one has an AIP SSM-20 in it. If I make changes to the "live" SSM-20, is there a way to make it write the config over to the one in the ASA that's in standby mode?
Does the standby SSM-20 need to have its own unique IP address, or can it share the "primary" SSM's address?
No, configs are not replicated for the SSM. CSCsb61072 has been filed for this.
The secondary SSM-20 cannot share the primary IP address, or vice versa.
Similar Messages
-
We have a pair of ASA 5520s in active/standby mode. This part of the situation works great, configurations are always synced to the standby, nothing is lost. Planned failover has worked every time without users even noticing.
We have an AIP-SSM-20 in each.
The challenge arises as it seems there is still no easy and automatic way to sync the configuration of the SSMs together.
Due to all the false positives, we need to perform configurations on the AIP-SSMs. Is there a method I am overlooking, how do you do it?
Thanks.
Thanks for your reply. I've gotten back on this subject....
Does this run as a service, i.e. is it running all the time and needs to be installed on a system which is always up, or does it run as an application only as needed?
Based on the requirements, I cannot tell. It can run on desktop OSes or server OSes.
"Hard Drive
• 100 GB
Memory (RAM)
• 2 GB
Supported Operating Systems
• Windows Vista Business and Ultimate (32-bit only)
• Windows XP Professional (32-bit only)
• Windows 2003 server
Note: Cisco IPS Manager Express supports only the 32-bit U.S. English version of Windows."
100GB for an application, seems rather hefty to me. Is this for real?
Thanks -
Using ASA5510 AIP-SSM in IDS mode
Hi,
I've a Cisco ASA5510 with AIP-SSM and I would like to use it like a one-armed IDS, connecting it to a SPAN port of a switch in my network,
without the traffic passing through the firewall.
I've tried to configure it and connect the inside interface (fast0/1) to the SPAN port. I created the policy to permit all the traffic to the sensor but it doesn't work, no packets received on the sensor.
Can somebody help me?
thanks
Unfortunately you can't use the AIP-SSM in an ASA with a spanning switch like you could with the 4200 series appliances.
The reason is that the ASA was built to be a firewall, and no matter how much of that functionality you turn off, it still needs to see TCP and UDP conversations flowing thru the ASA in order to pass that traffic to the AIP-SSM sensor (I tried very hard to see if I could get around this limitation, but you can't).
The best you can hope to do is put the ASA in-line (I know this reduces reliability) and turn off as much of the firewall config as you can. Then you can promiscuously monitor the traffic passing thru the ASA with the AIP-SSM.
It's not ideal, but it's the cheapest IPS sensor in Cisco's line up right now.
- Bob -
Hi,
I have an ASA5520 with v 7.2(2) running,
but the IPS module software is 5.1.
When I tried to log in with session 1
it prompts me for a login and password.
I tried cisco and a few other combinations.. but no luck.
How do I reset it? Also, that reset procedure in the docs says it resets the password of the user cisco..
How can I be sure whether the user cisco even exists on it or not?
Any help please???
No man, it doesn't..
The link you specified says it too..
hw-module module slot_number password-reset?
This command recovers a password on a Cisco ASA 5500 Series Content Security and Control Security Services Module (CSC-SSM) or the AIP-SSM without having to re-image the device.
Note: This command is supported starting from IPS 6.0 (ASA 7.2 version) and is used to restore the Cisco CLI account password to the default cisco.
Here are my ASA and IPS details..
ASA# sh version
Cisco Adaptive Security Appliance Software Version 7.2(2)
Device Manager Version 5.2(2)
Compiled on Wed 22-Nov-06 14:16 by builders
System image file is "disk0:/asa722-k8.bin"
Config file at boot was "startup-config"
ASA up 22 days 3 hours
Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
ASA# sh module 1
Mod Card Type Model Serial No.
1 ASA5500 SSM-10 ASA-SSM-10 B155670DW4
Mod MAC Add Range Hw Ver. Fw Ver. Sw Ver.
1 00xx to 001 1.0 1.0(10)0 5.0(2)S152.0
Mod SSM Apps. Name Status SSM Apps Version
1 IPS Up 5.0(2)S152.0
Mod Status Data Plane Status Compatibility
1 Up Up -
Configuring SNMP Trap receiver on AIP-SSM sensor
I receive the following error message from my ASA5520 firewall when attempting to forward SNMP traps from my AIP-SSM20 sensor to a server on my Inside interface that is configured to receive SNMP traps:
ASA-4-418001: Through-the-device packet to/from management-only network is denied: udp src management: 10.3.21.2/32768 dst Inside: PPC0ES/162
Can I reconfigure the management IP address of the AIP-SSM sensor to connect to the Inside interface instead of the management vlan, or does my SNMP server have to reside on the management vlan with the sensor?
-
AIP-SSM (Not Applicable)
Hi Experts,
We have 2 ASAs and each one has an AIP-SSM. With the 2nd ASA's AIP-SSM I tried to upload the latest image for AIP-SSM-20 but it didn't work and now I see the module is dead... Please check the details below..... Please help me out how to make it up or work properly so that I can config other stuff. Please, it's very important and urgent, help me out....
ASA-A:
251-DBSi-ASA5540# sh module 1
Mod Card Type Model Serial No.
1 ASA 5500 Series Security Services Module-20 ASA-SSM-20 JAF11370608
Mod MAC Address Range Hw Version Fw Version Sw Version
1 0007.0e11.e13b to 0007.0e11.e13b 1.0 1.0(11)2 5.1(6)E1
Mod SSM Application Name Status SSM Application Version
1 IPS Up 5.1(6)E1
Mod Status Data Plane Status Compatibility
1 Up Up
ASA-B:
251-DBSi-ASA5540# sh module 1
Mod Card Type Model Serial No.
1 ASA 5500 Series Security Services Module-20 ASA-SSM-20 JAF1137060C
Mod MAC Address Range Hw Version Fw Version Sw Version
1 001d.4524.a414 to 001d.4524.a414 1.0 1.0(11)2 5.1(6)E1
Mod SSM Application Name Status SSM Application Version
1 IPS Not Applicable 5.1(6)E1
Mod Status Data Plane Status Compatibility
1 Recover Not Applicable
Please try rebooting the module; if it does not work, recover it using the following procedure
http://www.cisco.com/en/US/docs/security/ips/5.0/configuration/guide/cli/cliimage.html#wpxref68481
Regards
Farrukh -
Configuring AIP SSM to monitor only
Hi all,
We purchased an AIP-SSM-20 for our ASA5520. Is there a way to enable IPS functionality, but not block anything, i.e. just log events? This is just to see if any legitimate company traffic will be blocked.
Thanks!
Jacques
Configure the ASA to send traffic to the IPS in promiscuous mode using the following command in a policy-map:
hostname(config-pmap-c)# ips {inline | promiscuous} {fail-close | fail-open} [sensor {sensor_name | mapped_name}]
http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5500/quick/guide/aipssm.html
Geroge -
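A complete ASA policy for the monitor-only setup described in this answer, added here as an example and not taken from the thread or from Cisco's documentation. It assumes the ASA's default global_policy and the ACL and class names IPS_MONITOR and IPS_MONITOR_CLASS, which I chose; the second stanza shows the enforcing inline/fail-close variant mentioned elsewhere on this page for contrast.

```text
! Constructed example: monitor-only IPS on an ASA 7.x/8.x with an AIP-SSM.
! The names IPS_MONITOR and IPS_MONITOR_CLASS are assumptions.
!
! 1) Select the traffic to hand to the sensor (here: everything through the ASA).
access-list IPS_MONITOR extended permit ip any any
!
class-map IPS_MONITOR_CLASS
 match access-list IPS_MONITOR
!
! 2) Promiscuous mode: the ASA forwards the original packet itself and sends a
!    copy to the SSM, so the sensor can alert and log but cannot drop anything.
!    fail-open keeps traffic flowing if the module is down or unresponsive.
policy-map global_policy
 class IPS_MONITOR_CLASS
  ips promiscuous fail-open
!
! global_policy is normally already applied globally; this line is then a no-op.
service-policy global_policy global
!
! --- Later, once false positives are tuned out, switch the class to enforcing ---
! Inline mode puts the sensor in the packet path so deny actions take effect.
! fail-close blocks the matched traffic if the module stops responding, which is
! why an unresponsive SSM becomes an outage rather than a blind spot.
policy-map global_policy
 class IPS_MONITOR_CLASS
  no ips promiscuous fail-open
  ips inline fail-close
```

Verify which mode is active with show service-policy, and remember that in an active/standby pair this policy-map is replicated to the standby ASA while the sensor's own configuration on the SSM is not.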
hi,
We have an AIP-SSM-40 module installed on an ASA 5540 but it is just physically present.
Is it possible to configure this module in inline or IDS-like mode? It has only one Ethernet interface. Can this interface be treated as a sensor interface and receive a copy of all incoming frames (by SPAN on switches)?
Please share the experience.
Thanks in advance.
Subodh
Hi Subodh,
Yes, the AIP-SSM can operate in either inline (IPS) or promiscuous (IDS) mode. I would recommend you start by reviewing the following config guide, which shows you how to configure the ASA to pass traffic to the SSM for inspection:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml
If you have any other specific questions, feel free to post back.
Hope that helps.
-Mike -
AIP-SSM Configuration Maintenance in Active Stdby modes
So, I'm pretty new to the AIP-SSM but not to ASA's. It appears that very little of the AIP module config gets copied over to the Stdby AIP, nothing other than what appears in the ASA config (ACL's, etc.). So, do all the config elements particular to the module itself have to be manually reproduced on the Stdby module, either by hand entry or config copies moved between the two?
So in Active/Standby scenarios with AIP-SSM, what is the reasoning for not having a feature for automatically copying over module config changes as with the ASA config?
If there is no good reason, is it on the AIP-SSM road map to provide this feature?
This can be a real pain in the arse for complex IPS configs. You have to do everything twice, and right away, so you won't miss anything should the ASAs flip. -
Hi,
Can anybody send me a lab with a scenario for IPS using AIP SSM 10, and if possible for both CLI as well as ASDM. Also, when I was trying to access IPS using ASDM, I was getting an error message "Error connecting to sensor. Failed to load sensor-Error getting config data from following modules analysisEngine signatureDefinition networkAccess host". Can anybody please give me a solution for it.
Thanks.
Cisco had originally planned to add a "keep alive" signature to 6.0, but that feature got dropped. The intent was to fire off a signature every few mins as long as the sensor was seeing valid traffic. The absence of this signature should trigger some attention to a downed sensor.
You can write a custom sig, but you have to be able to detect the loss of that event to be of value. -
I have two ASA5520's with ASA-SSM-10 modules which are running Cisco Intrusion Prevention System, Version 6.0(6)E4. These are located at two different sites (one is local and the other remote from where I am based) and so are not running failover.
I understand there is an auto update signature option with Version 6.1 or later which I would like to set up.
The ASA5520's are running Cisco Adaptive Security Appliance Software Version 8.2(5).
Can anyone recommend whether I should be looking at upgrading to Version 6.2 or 7.0 and perhaps why.
Do I also just apply the engine update and then update the latest signatures for good measure.
I was thinking of doing the upgrade through the IDM and was a bit confused about the recovery and system images and what the correct procedure should be e.g. backup the AIP config, tftp the existing image, install the new engine image and reboot the sensor?
Any comments or assistance would be appreciated.
Thanks, Peter.
Hello Peter,
Hope you are doing fine,
I would encourage you to go to the latest IPS image available nowadays, which is: 7.1.7 Engine 4
Why is that?
Because you will ensure you will have a device with the latest image that will provide you fixes to previous bugs, new features, etc etc.
So go for it.
Now regarding the upgrade
From the CLI
On configuration terminal mode
Configuration terminal
upgrade ftp://user:[email protected]/upgrade_file_name
http://www.networkstraining.com/how-to-upgrade-the-cisco-ips-module-aip-ssm/
Regards,
Julio Carvajal -
I have recently configured the AIP-SSM-20 module in my firewalls (ASA 5540) which are configured in HA (Active/Standby). This implementation I have done on 13th June. It was working fine.
Now, I have observed that the AIP-SSM-20 module in the primary firewall has gone to unresponsive state.
Below is the status of show module and show failover command.
FW1-5540# sh module
Mod Card Type Model Serial No.
0 ASA 5540 Adaptive Security Appliance ASA5540 JMX1234L11F
1 ASA 5500 Series Security Services Module-20 ASA-SSM-20 JAF1341ADPS
Mod MAC Address Range Hw Version Fw Version Sw Version
0 0021.d871.77ab to 0021.d871.77af 2.0 1.0(11)4 8.0(3)6
1 0023.ebf6.11ce to 0023.ebf6.11ce 1.0 1.0(11)5 6.2(2)E4
Mod SSM Application Name Status SSM Application Version
1 IPS Not Applicable 6.2(2)E4
Mod Status Data Plane Status Compatibility
0 Up Sys Not Applicable
1 Unresponsive Not Applicable
FW1-5540# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Version: Ours 8.0(3)6, Mate 8.0(3)6
Last Failover at: 09:06:14 UTC Jun 15 2010
This host:
This host: Primary - Failed
Active time: 191436 (sec)
slot 0: ASA5540 hw/sw rev (2.0/8.0(3)6) status (Up Sys)
Interface DMZ_LAN (10.192.153.13): Normal (Waiting)
Interface INTRANET (10.192.154.13): Normal (Waiting)
Interface management (0.0.0.0): Link Down (Waiting)
slot 1: ASA-SSM-20 hw/sw rev (1.0/6.2(2)E4) status (Unresponsive/Down)
IPS, 6.2(2)E4, Not Applicable
Other host: Secondary - Active
Active time: 192692 (sec)
slot 0: ASA5540 hw/sw rev (2.0/8.0(3)6) status (Up Sys)
Interface DMZ_LAN (10.192.153.5): Unknown (Waiting)
Interface INTRANET (10.192.154.5): Unknown (Waiting)
Interface management (0.0.0.0): Unknown (Waiting)
slot 1: ASA-SSM-20 hw/sw rev (1.0/7.0(2)E4) status (Up/Up)
IPS, 7.0(2)E4, Up
Stateful Failover Logical Update Statistics
Link : Unconfigured.
I have tried using the
hw-module module 1 reset
command to reset the IPS module but the status is always unresponsive.
It's a production environment where I cannot experiment much. Need help to rectify the problem.
Hi Scott,
I have almost the same problem as sbgcsd at my customer. I'm deploying two ASA-5512s in failover configuration. One day, after almost 2 months of testing the project in a lab, when we installed it in the customer's datacenter the systems presented the following errors:
ciscoasa2(config)# failover
Detected an Active mate
ciscoasa2# Mate NOT PRESENT card in slot 1 is different from mine IPS5512
I tried to discover what had happened with the IPS module, then I saw an error in the IPS status: "Unresponsive".
ciscoasa2# sh module ips
Mod Card Type Model Serial No.
ips Unknown N/A FCH1712J7UL
Mod MAC Address Range Hw Version Fw Version Sw Version
ips 7cad.746f.8796 to 7cad.746f.8796 N/A N/A
Mod SSM Application Name Status SSM Application Version
ips Unknown No Image Present Not Applicable
Mod Status Data Plane Status Compatibility
ips Unresponsive Not Applicable
Mod License Name License Status Time Remaining
ips IPS Module Disabled perpetual
According to the Cisco forums I tried "Reloading, Shutting Down, Resetting, and Recovering AIP-SSM" (*) using the "hw-module module" command. But unfortunately the ASA didn't accept this command. See below:
ciscoasa2# hw-module module 1 reload
^
ERROR: % Invalid input detected at '^' marker
What happened with this command (hw-module)? Maybe it is a problem with the software version? When I entered the "sh flash" command I saw that there wasn't any software for the AIP-SSM module:
ciscoasa2# sh flash
--#-- --length-- -----date/time------ path
11 4096 Sep 12 2013 13:56:54 log
21 4096 Sep 12 2013 13:57:10 crypto_archive
100 0 Sep 12 2013 13:57:10 nat_ident_migrate
22 4096 Sep 12 2013 13:57:10 coredumpinfo
23 59 Sep 12 2013 13:57:10 coredumpinfo/coredump.cfg
101 34523136 Sep 12 2013 14:00:14 asa861-2-smp-k8.bin
102 17851400 Sep 12 2013 14:04:36 asdm-66114.bin
103 38191104 Apr 24 2014 12:59:58 asa912-smp-k8.bin
104 6867 Apr 24 2014 13:01:20 startup-config-jcl.txt
105 24095116 Jun 17 2014 14:54:14 asdm-721.bi
But the other ASA (#1) has the image:
ciscoasa1# sh flash
--#-- --length-- -----date/time------ path
11 4096 Sep 10 2013 06:42:56 log
21 4096 Apr 17 2014 03:13:12 crypto_archive
123 5276864 Apr 17 2014 03:13:12 crypto_archive/crypto_eng0_arch_1.bin
110 0 Sep 10 2013 06:43:12 nat_ident_migrate
22 4096 Sep 10 2013 06:43:12 coredumpinfo
23 59 Sep 10 2013 06:43:12 coredumpinfo/coredump.cfg
111 34523136 Sep 10 2013 06:44:24 asa861-2-smp-k8.bin
112 42637312 Sep 10 2013 06:45:46 IPS-SSP_5512-K9-sys-1.1-a-7.1-4-E4.aip <===
But I am not sure if this image is really the right image for the AIP-SSM in ASA#2. Anyway, I copied it (through a simple TFTP server) from ASA#1 to ASA#2, but after this the same problem remained!
Because I hadn't applied the failover condition to the system.
What can I do now ?
Thank you very much in advance.
Leonardo_Melo.(CCAI-JCL-Brazil). -
AIP-SSM crash during S389 Signature upgrade
Our AIP-SSM [version 6.1(2)E3] crashed during a S389 Signature upgrade on Friday. Neither a "session 1" command from its host, an ASA5520, nor a "reload" command of the ASA5520 succeeded in bringing back up the AIP-SSM. Fortunately, after the ASA's power was recycled, the AIP-SSM successfully booted, albeit not to S389, but to its previously loaded S383. I established an SR and supplied the "show tech" and "show config," but the Cisco tech replied "nothing stands out" in them and said just run the S389 update again and send the same info if it crashes. I have several problems with that approach: 1) he had replied that several other customers had had the same problem; 2) our current AIP-SSM is a replacement for an RMA'ed one which had choked on the E2 engine upgrade a few months ago; 3) if another S389 upgrade attempt fails, our client's network will be down because our security policy requires the ASA's bypass mode for the AIP-SSM to be "fail-close." My questions to the forum include:
1) If the "show tech" command is run after an AIP-SSM has rebooted after a previously-attempted S389 upgrade, can it include any information specific to the previously-attempted S389 upgrade? 2) Could the hardware components of the AIP-SSM-10 be inadequate for the combination of the E3 engine plus the cumulative signatures? 3) If the answer to question 2 is "yes" or "possibly," could Cisco modularize the signatures, e.g. provide an "only-activated-signatures" (i.e. smaller) file for customers like us and an "everything" file for others? Advice and recommendations heartily requested.
Based on your show version, you already have E4, what is it that you are trying to do?
Mike -
Do I need two AIP-SSM modules if I am configuring failover?
Is it possible to use a single AIP-SSM module in two ASA's that are configured in Active/Standby mode?
I would like to configure the module in the first ASA with the fail-open setting. Then, if the first ASA fails, I could then physically remove the AIP-SSM module and place it in the second ASA.
Would there be any problems configuring it this way?
Would the active/standby ASA's complain that there is only one AIP-SSM module?
Thanks in advance.
Hello Julio. My name is Rogelio, and I would appreciate your answer on a related matter, because I will have to execute the initial configuration of a failover pair, each one with its own IPS module.
Question: let's suppose that I execute a basic setup (admin username/password, IP address, mask, gateway) on the IPS module of the active ASA firewall. Will this configuration be replicated to the IPS module of the secondary unit?
Your kind answer will be greatly appreciated.
Best regards... -
How to buy license? for AIP-SSM-10 ?
Hi all
how to buy license? for AIP-SSM-10 ?
1. CON-SU1-AS1A1PK9 this is Cisco SMARTnet Support for AIP-SSM-10
2. do I need smartnet for ASA ?
3. what is part number of license ?
ASA5510test# session 1
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.
login: cisco
Password:
***NOTICE***
This product contains cryptographic features and is subject to United States
and local country laws governing import, export, transfer and use. Delivery
of Cisco cryptographic products does not imply third-party authority to import,
export, distribute or use encryption. Importers, exporters, distributors and
users are responsible for compliance with U.S. and local country laws. By using
this product you agree to comply with applicable laws and regulations. If you
are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
***LICENSE NOTICE***
There is no license key installed on the SSM-IPS10.
The system will continue to operate with the currently installed
signature set. A valid license must be obtained in order to apply
signature updates. Please go to http://www.cisco.com/go/license
to obtain a new license or install a license.
sensor#
sensor# sh ver
Application Partition:
Cisco Intrusion Prevention System, Version 6.0(6)E3
Host:
Realm Keys key1.0
Signature Definition:
Signature Update S399.0 2009-05-06
Virus Update V1.4 2007-03-02
OS Version: 2.4.30-IDS-smp-bigphys
Platform: ASA-SSM-10
Serial Number: ........
No license present
Sensor up-time is 21 min.
Using 655507456 out of 1032499200 bytes of available memory (63% usage)
application-data is using 39.7M out of 166.8M bytes of available disk space (25%
usage)
boot is using 37.6M out of 68.6M bytes of available disk space (58% usage)
MainApp N-NUBRA_2009_JUL_15_01_10_6_0_5_57 (Ipsbuild) 2009-07-15T01
:15:08-0500 Running
AnalysisEngine N-NUBRA_2009_JUL_15_01_10_6_0_5_57 (Ipsbuild) 2009-07-15T01
:15:08-0500 Running
CLI N-NUBRA_2009_JUL_15_01_10_6_0_5_57 (Ipsbuild) 2009-07-15T01
:15:08-0500
Upgrade History:
IPS-K9-6.0-6-E3 17:48:06 UTC Wed Jul 15 2009
Recovery Partition Version 1.1 - 6.0(6)E3
sensor#
Hi,
The CON-SU1-AS2A10K9 contract is for the ASA+IPS bundle. If the AIP-SSM-10 was purchased as a spare the contract would be CON-SU1-ASIP10K9.
I am not sure whether or not this Cisco Service for IPS contract can be used to cover just the AIP-SSM-10 if it was purchased as part of a Bundle instead of a Spare.
I would recommend that you check with your Cisco reseller or Cisco Sales Representative.
Sourav