Reg. 6509 IPS Module upgrade

Hi
I need to upgrade the Cisco Intrusion Prevention System, Version 6.0(2)E1, which is a part of a 6509 bundle (Platform: WS-SVC-IDSM2-BUN). There are 2 bundles of 6509 and they are in active-standby.
a) Is the upgrade procedure of the 6509 bundle from E1 to E3 different from the normal upgrade procedure, or is it the same as for other IPS? As the IPS module is without a license, can I upgrade it to 6.1(1)E3 or 6.2(1)E3?
b) What is the packet flow for the 6509 bundle? I am not aware of who will forward the packet to the IPS module in this case (like in the ASA, where the firewall will forward the packet to the IPS module).
d) There are 2 Ethernet interfaces applied to the backplane interface respectively. If I want to put the module in inline mode, how will I accomplish that?

IPS should be fine ASA5510 which supports VPN. Make sure you do the licensing part properly.

Similar Messages

  • How do I use Cisco MARS to monitor two ASA (active/stby) with IPS modules?

    Hi
    The two ASAs with IPS modules are in active/standby mode. When I try to add both IPs (active/standby) into MARS, MARS complains about duplicated hostnames.
    How do I set up MARS to monitor ASAs with IPS in an active/standby topology?
    Thanks!

    Hi,
    The fundamental problem with this scenario is that you have non-failover capable modules in a failover chassis - think of the ASA failover pair as one device and the IPS modules as two completely separate devices.
    Then, as already mentioned, add only the primary ASA. (The secondary will never be passing traffic in standby mode so it's not actually needed in MARS) Then, with the first IPS module you can add it as a module of the ASA or as a standalone device (MARS doesn't care). With the second IPS module the only option is to add it as a separate device anyway.
    In a failover scenario the ASAs swap IPs but the IPSs don't, so whereas you'll only ever get messages from the active ASA, you'll get messages from both IPS IPs depending on which one happens to be in the active ASA at the time.
    Don't forget that you have to manually replicate all IPS configuration every time you make a change.
    HTH
    Andrew.

  • ASA5505 un-responsive after installing ASA-SSC-AIP-5 IPS module

    Hello,
    Can anyone help?
    I have a pair of ASA 5505 firewalls in a failover configuration. Everything works correctly until I install the IPS module into the secondary firewall. When it is installed I can no longer ping the firewall from the inside network. We do not have an external network set up at present.
    I have connected to the secondary firewall via the console, issued the command "session 1" and can then get to the IPS. I have set the IPS hostname and given it an address on the internal network. I have set the ACL on the IPS to permit the inside range.
    The results are that we are unable to reach the ASA or the IPS on the internal range. The primary firewall is no longer able to ping the inside address of the secondary firewall. As soon as I remove the IPS module all returns to normal. I'm not sure what would be causing this. If anyone can tell me where they think I went wrong that would be great.
    Thanks

    This sounds like an IP issue somewhere on the ASA or the IPS module. Did you run a capture on the ASA and the IPS module to see if the responses are arriving? For this issue, you can use the "capture interface " on the ASA, and the "packet display expression host ". This will help you determine if there is an ARP or some other IP-related issue on the network.
    I hope this helps,
    Rafael

  • IPS modules in Cisco ASA 5510 Active/Standby pair.

    All, I am looking to add the IPS module to my ASA 5510s. I am contemplating only purchasing one module and placing it in the active ASA. I am willing to accept that in a failure scenario I will lose the IPS functionality until the primary ASA is recovered. I have not had a chance to talk to my SE to see if this is even possible. Has anyone attempted a deployment such as this? Will it work and is it supported?
    Sent from Cisco Technical Support iPad App

    Ok, that is what I needed to know. The purpose of us having an active/standby ASA is to keep the business up and going for the very rare times there could be an active ASA failure. The purpose for the IPS would be to help protect and inspect traffic and is not necessary to keep the business running. If we implement IPS I am not worried at all if during the times when the primary ASA is down (hasn't been down for over three years now) we lose the IPS functionality. This is not worth the $1000 extra per year to us.
    Thanks for the responses though. That answers my questions.

  • ASA SSM IPS module upgrade won't work

    Hello all,
    I'm trying to upgrade the IPS sig's on an ASA5520 with a SSM IPS module. I'm trying to upgrade the system to 5.1.1 to further upgrade the device with no luck.
    I followed these steps provided by Cisco.com:
    1. Log in to the ASA.
    2. Enter enable mode:
    asa# enable
    3. Configure the recovery settings for ASA-SSM:
    asa (enable)# hw-module module 1 recover configure
    NOTE: If you make an error in the recovery configuration, use the
    hw-module module 1 recover stop command to stop the system reimaging
    and then you can correct the configuration.
    4. Specify the TFTP URL for the system image:
    Image URL [tftp://0.0.0.0/]:
    Example:
    Image URL [tftp://0.0.0.0/]: tftp://10.20.30.40/IPS-SSM-K9-sys-1.1-a-5.1-1.img
    5. Specify the command and control interface of ASA-SSM:
    Port IP Address [0.0.0.0]:
    Example:
    Port IP Address [0.0.0.0]: 11.21.31.41
    6. Leave the VLAN ID at 0.
    VLAN ID [0]:
    7. Specify the default gateway of the ASA-SSM:
    Gateway IP Address [0.0.0.0]:
    Example:
    Gateway IP Address [0.0.0.0]: 11.22.33.44
    8. Execute the recovery:
    asa# hw-module module 1 recover boot
    9. Periodically check the recovery until it is complete.
    NOTE: The status reads "Recovery" during recovery and reads "Up" when
    reimaging is complete.
    After #8 it just goes back to the enable prompt. A 'sh module' lists the device as 'recover' and hangs FOREVER.... I tested the TFTP server which the new image resides on, and the TFTP is working fine. I don't see any attempts or downloads from the TFTP server for over an hour.
    I opened a Cisco TAC case on this and am not receiving a lot of help...
    Please help!!!:)
    Thanks
    Chris Serafin

    The recovery using this method can take upwards of 30 minutes, and in some cases even longer.
    How long have you left the SSM in the "recovery" state?
    There may be something wrong in the config you entered. When that happens the SSM can go into a continuous reboot cycle trying to do the recovery.
    Execute "debug module-boot" on the console of the ASA.
    The debug output will show you the ROMMON output of the SSM itself. (The SSM has its own ROMMON. The recovery boot command sends the settings made during the recover configure command to the SSM's ROMMON).
    If the ROMMON is experiencing a problem in trying to download the tftp image you should now see that ROMMON error message.
    Some typical problems I have seen:
    1) Wrong IP given for the sensor.
    2) Wrong IP given for the gateway (the gateway must exist on the same network as the sensor) this problem usually happens when using a non-standard netmasked network.
    3) Not having the sensor's command and control port plugged into the right network. The external port of the SSM itself is where the IP is being applied. You need to ensure that the external port of the SSM is plugged into the right network for that IP.
    4) The tftp server is not reachable from the network where the sensor's command and control port is attached. Some users think that if the ASA itself can reach the tftp server that the SSM will also be able to. This is not always the case. It is best to use a tftp server on the same network as the IP provided to the SSM. Or to test the tftp server from another machine on the same network as the SSM.
    5) The file name is wrong. Check the capitalization especially.
    6) The file is not in the default directory on the tftp server. If the file is in a subdirectory you will need to add that subdirectory to the URL:
    tftp://10.20.30.40/subdirectoryname/filename
    7) The tftp is timing out.
    There are 2 things that can cause this:
    a) The tftp server is remote, and it takes too long to download the file. The ROMMON does have limits on the number of retries and per packet timeouts (but they are not user configurable). Try using a tftp server local to the SSM.
    b) The switch that the SSM connects to has spanning-tree running and spanning-tree does not complete before the SSM ROMMON times out for the tftp attempt. The tftp attempt happens immediately upon ROMMON startup and link up. But with a switch the switch port may be in a "Listen" or "Learn" state for 40 seconds before the box can actually talk on the network. In some cases the tftp download attempts started as soon as link up, and may timeout even before the spanning-tree completes. To work around this configure "spanning-tree portfast" on the switchport. Spanning-tree will connect the port into the vlan immediately rather than 40 seconds later.
    If it was a config problem when configuring the recovery settings, then there is a "recover stop" command on the ASA.
    It will stop the reboot cycle from happening.
    Let the module come up with the old image.
    Then correct your "recover configure" settings, and try the "recover boot" again.
    Another alternative:
    Stop the recovery "recover stop"
    Let it boot into the old image.
    If it was a 5.0 version, then you can actually upgrade to 5.1 using the sensor's own CLI "upgrade" command. It is actually the preferred method.
    The "recover" from the ASA will wipe the box clean and load a fresh image.
    The "upgrade" from the sensor will convert your 5.0 config into a 5.1 config while installing 5.1.
    5.1 upgrade file:
    IPS-K9-min-5.1-1g.pkg
    http://www.cisco.com/cgi-bin/tablebuild.pl/ips5
    It can be applied through the sensor's CLI upgrade command, or pushed directly through IDM, or applied by CSM.
    The "recover" should be limited to disaster recovery. When you can't access the SSM at all, or the files on the SSM have been corrupted.
    For normal upgrades you want to use "upgrade" files done through the sensor itself (CLI, IDM, or CSM).
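
A pre-flight check for the recovery settings covered by items 2, 4, 5 and 6 of the answer above, written as an added example (it is not from the thread or from Cisco). The function name, the finding codes, the `prefix_len` argument and the TFTP file listing are assumptions; the sample values are the ones quoted in the thread plus a constructed listing.

```python
import ipaddress
from urllib.parse import urlparse


def check_recover_config(image_url, port_ip, gateway_ip, prefix_len, tftp_listing):
    """Check 'recover configure' answers before running 'recover boot'.

    prefix_len (the sensor network's mask length) and tftp_listing (relative
    paths under the TFTP server's root directory) are assumptions supplied by
    the operator; the prompts quoted in the thread do not ask for either.
    Returns a list of (code, message) findings; empty means nothing detected.
    """
    findings = []
    try:
        sensor_net = ipaddress.ip_interface(f"{port_ip}/{prefix_len}").network
        gateway = ipaddress.ip_address(gateway_ip)
    except ValueError as exc:
        return [("BAD_ADDRESS", str(exc))]

    # Item 2: the gateway must exist on the same network as the sensor.
    if gateway not in sensor_net:
        findings.append(("GATEWAY_OFF_SUBNET",
                         f"gateway {gateway} is not in {sensor_net}"))

    url = urlparse(image_url)
    try:
        server = ipaddress.ip_address(url.hostname or "")
    except ValueError:
        server = None
    if url.scheme != "tftp" or server is None:
        findings.append(("BAD_URL", "expected tftp://<server-ip>/<path>"))
        return findings

    # Item 4: a server on another network may not be reachable from the SSM,
    # even when the ASA itself can reach it.
    if server not in sensor_net:
        findings.append(("TFTP_OFF_SUBNET",
                         f"TFTP server {server} is not in {sensor_net}; "
                         "test reachability from a host on that network"))

    # Items 5 and 6: wrong capitalization, or file sitting in a subdirectory.
    wanted = url.path.lstrip("/")
    if wanted not in tftp_listing:
        name = wanted.rsplit("/", 1)[-1]
        case_hit = next((p for p in tftp_listing
                         if p.lower() == wanted.lower()), None)
        dir_hit = next((p for p in tftp_listing
                        if p.rsplit("/", 1)[-1] == name), None)
        if case_hit:
            findings.append(("FILENAME_CASE", f"server has '{case_hit}'"))
        elif dir_hit:
            findings.append(("FILE_IN_SUBDIR", f"use tftp://{server}/{dir_hit}"))
        else:
            findings.append(("FILE_MISSING", f"'{wanted}' not on the server"))
    return findings


if __name__ == "__main__":
    # Values quoted in the thread; the /24 mask and the listing are constructed.
    for code, msg in check_recover_config(
            "tftp://10.20.30.40/IPS-SSM-K9-sys-1.1-a-5.1-1.img",
            "11.21.31.41", "11.22.33.44", 24,
            ["images/IPS-SSM-K9-sys-1.1-a-5.1-1.img"]):
        print(f"{code}: {msg}")
```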

  • Can't get SNMP data from ASA's AIP 10 IPS module

    Hi,
    I have just had the AIP 10 IPS module installed onto my ASA 5520. I have now setup the SNMP and my SNMP server (solarwinds) can detect the CPU, Memory and sensors to monitor.
    The problem I have is the SNMP server is getting data from the sensors but not data from the CPU or memory MIBs. Is something denying this from the IPS?

    The following are some IDS mibs, Cisco forgot to link them on the MIBs page located at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
    ftp://ftp-sj.cisco.com/pub/mibs/v2/CISCO-ENHANCED-MEMPOOL-MIB.my
    ftp://ftp-sj.cisco.com/pub/mibs/v2/CISCO-PROCESS-MIB.my
    ftp://ftp-sj.cisco.com/pub/mibs/v2/CISCO-CIDS-MIB.my
    ftp://ftp-sj.cisco.com/pub/mibs/oid/CISCO-CIDS-MIB.oid
    ftp://ftp-sj.cisco.com/pub/mibs/oid/CISCO-ENHANCED-MEMPOOL-MIB.oid
    Here is the formula we are using to get the memory utilization percentage (in BMC Dashboard):
    average ( select 1.3.6.1.4.1.9.9.221.1.1.1.1.8 ) / ( average ( select 1.3.6.1.4.1.9.9.221.1.1.1.1.8 ) + average ( select 1.3.6.1.4.1.9.9.221.1.1.1.1.7 ) ) * 100
    Which translates to:
    average ( select cempmempoolfree ) / ( average ( select cempmempoolfree ) + average ( select cempmempoolused ) ) * 100
    I'm unable to find the formula for the CPU, but try loading the PROCESS mib for that.
    average ( select 1.3.6.1.4.1.9.9.109.1.1.1.1.5 )
    Please rate if helpful.
    Regards
    Farrukh

  • Recovery the Password of IPS Module

    Dear Expert,
    I have an ASA 5500 series with AIP SSM (IPS module), the login name and password are lost.
    According to the Cisco portal, there are two approaches to recover the password:
    1. using CLI command: hw-module module slot_number password-reset;
    2. using ASDM --> tools --> "IPS password reset"
    I am not sure whether both commands achieve the same result (recover password) or whether they may have a different outcome (i.e. need to reset the module).
    The device is online, so resetting the module is not preferred.
    After checking some information from the internet, it suggests resetting the IPS module. Will any problem occur if the IPS module is not reset?
    rdgs
    Anita

    I don't believe that either method will reset the module.

  • ASA5505, SYN attack, ISP and IPS module

    Our 5505 is currently being hit by a SYN attack from surprise, surprise, China.  The attack easily brings down the 5505 by hitting the 10,000 connection limit of the box.  I am currently using the shun command to try to mitigate the problem but it is not much help.  It converts the 10,000 connections into 12-15k dropped packets per second which doesn't crash the box but pretty much makes it unusable. 
    I have seen some examples on using service policies to set connection and embryonic limits but I don't think they will work for me because the attacks come from several IPs and use several different ports.  The attacks don't seem to be pinpointing any particular server or service.  Seems like just basic DoS of our service.  Besides, the feedback from people who have tried this doesn't seem too convincing.
    So I have two questions:
    1) My ISP is unwilling and/or unable to do anything.  They suggest I email the abuse mailbox from the offending ISP.  Just for grins, I did send an email and it promptly came back marked "mailbox full" which is quite funny I thought.
    2) Will adding the IPS module help here?  I am hoping that the processing of the dropped packets would move to the module and leave the main processor of the ASA free to do its usual NAT and firewall functions.
    Any and all advice is welcome.
    Thanks,
    Diego

    Hi Diego,
    As Julio mentioned, info has to be there. Do you have the 'show xlate' when the issue was seen? In such cases, along with the xlate table, you can check connections for hosts making an unusual number of connections (show connection count/show connection all). Here are a few useful commands in such scenarios:
    show local-host connection udp 100-10000          << Gives host with total UDP connections b/w 100-1000
    show local-host connection tcp 100-10000          << Same info for hosts making TCP connections
    show local-host connection embryonic 100-10000    << hosts with 100-1000 embryonic connections
    Change the range as per need.
    Sourav

  • Which IDS/IPS module for 10 GB WAN/LAN

    I have a question about present scenario in a network where the wan connectivity is 4 GB and Lan network is 10 GB. The firewall for the WAN is cisco 5580-20 with 10 GB ethernet interface and on the LAN 6500 series switch with 10 GB ethernet module. The issue about how to implement IPS in this network. Because cisco 5580 series firewall doesn't support any IPS module even 6500 series switch support IDSM-2 module. But only for 2 GB ethernet module. So what can be the solution for such a network?

    On a machine that can do 10Gb firewall rate, it is well advisable to have your IDS/IPS be a separate box. IDS/IPS "cost" a lot of CPU power. It gets more expensive when you are talking about pushing beyond 1Gb. This is why you'll find several forums stating that if you have a firewall with 10Gb speed, separate IDS/IPS is the way to go. Otherwise, a firewall with IDS/IPS will not necessarily push 10Gb all together.

  • RADIUS or TACACS support on IPS modules?

    Hi,
    I want to integrate an authentication server, the IPS sensor and VMS.
    The authentication server is RADIUS or TACACS.
    So, is RADIUS or TACACS supported on IPS modules?
    Thanks,

    CiscoWorks Login Module to TACACS+ or RADIUS
    http://www.cisco.com/en/US/products/ps6498/products_user_guide_chapter09186a00806167e3.html#wp98970
    But I don't know whether the IPS module supports RADIUS.
    RADIUS or TACACS support on IPS modules?

  • Reg Plant Maintenance Module

    There is a smartform developed for my client instead of SAPSCRIPT for program RIPCT00 (i.e. TCODE - IW32). In the smartform the client wants to have 2 fields.
    1 - How many maintenance orders were created for the equipment
    2 - Last maintenance order of the selected equipment.
    But for both fields they have mentioned Max of AFIH-AUFNR.
    Experts, can you please suggest what the solution will be?
    Ex: if there are 2 records with AUFNR as 21 and 22.
    My guess for 1 is to calculate the number of records in AFIH, i.e. 21 and 22, so the value is 2.
    My guess for 2: should I take 21 or 22 as the last maintenance order?
    Is my guess in the right direction? I am new to the PM module. Please give me your valuable suggestions.

    Hi,
    1 - How many maintenance orders were created for the equipment
    The general logic will be to count the total number of AUFNR in the table.
    2 - Last maintenance order of the selected equipment.
    This you have to check using one of the logics below:
    Based on created date.
    Based on order start date.
    Based on order number.
    So for this you need to discuss with the business owner and document them in the FS correctly.
    Reg
    dsk

  • Reg Sender AS2 module configuration for text file

    Hi Experts,
    I am working on an inbound scenario where the sender is AS2 and the receiver is an SAP system in PI 7.4. The sender trading partner is sending a text file which should be converted to XML. I have added the module parameter localjbs/PlainConverterModule. It is throwing the error shown in the attached file.
    Could anyone please guide me on this issue? Also, please let me know whether any configuration needs to be set in the EDI Content Manager.
    Cheers,
    Neethu

    Hi Neethu,
    According to the B2B help, the module is used to convert EDIFACT message standards into XML. In your case you have a flat file coming from AS2. You can use the message transform bean to convert the flat file to XML in the sender AS2 adapter. Or you need to define an ED XML converter. Please refer to the link below:
    SAP PI: Using the B2BADDON EDI<>XML Convertor Modules - Basics
    You configure the communication channels of any Process Integration adapter with the PLAIN-XML converter module to convert business documents encoded in EDIFACT message standards into XML and the other way round. It must be configured in the sender and receiver channels based on the business scenario. The PLAIN-XML converter module runs on the SAP NetWeaver Process Integration Adapter framework.
    You use this procedure to configure the parameters of the PLAIN-XML converter module.
    source - Configuring the PLAIN-XML Converter Module - SAP NetWeaver Process Integration, business-to-business add-on 1 - SAP Libr…
    regards,
    Harish

  • Reg: Calling Function Module

    Hi to all,
    I have created a function module, which is working fine and giving the results I expected. I also called that function module in a program in SE38, and it gives correct results. BUT when I used it in a Transformation it gives an ERROR. The routine is not able to call that function module. It gives the error EXCEPTION IN SUBSTEP:RULES and PROCESS TERMINATED. In the monitor screen, beside this error message, there is an icon; on clicking that icon, it takes me to the statement CALL FUNCTION 'Function Module name'. The cursor does not go inside the function module.
    It is a normal function module.
    Can anybody help in this regard?
    Regards
    Mrk Reddy

    Hi,
    Were you able to solve this issue? I have exactly the same problem at the moment.
    Your feedback would be much appreciated.
    Regards,
    Edo

  • Reg. SAP module

    Hi All,
    I did my PG in Business administration and I have 2+ years of experience in Hospitality Management.
    Now I am planning to learn SAP.
    Can you please guide me , which functional module will fit for my experience?
    Regards,
    Nagesh

    Hi Nagesh
    I would suggest that you go through the SAP CRM module.
    This would fit your domain, qualification and experience.
    As a starting point you can go through the weblinks below for details:
    link:[http://www.sap.com/solutions/business-suite/crm/index.epx]
    link:[http://www.sap-press.de/download/dateien/586/sappress_mysap_crm_engl.pdf]
    Regards
    Vikrant

  • Reg:rfc function modules

    Can I call the function module below from within an RFC function module?
    CALL FUNCTION 'ZTEST_FUNC' in background task
    Here ztest_func is the RFC function module.
    Could anybody please tell me? It's very urgent.
    Regards,
    Chaitanya

    Yes, you can call it, but you have to ensure that you do a COMMIT WORK after the LUW for the function module to get executed in the background.
    CALL FUNCTION 'ZTEST_FUNC' in background task
    COMMIT WORK. ( This kicks off the function module).
    hith
    Sunil Achyut
