Updating License & Signatures on ASA-SSM-10

Similar Messages

• Download signatures for ASA-SSM-10

  I have a couple of  ASA with some SSM-10 and SSM-20 modules. My CSM is currently not working on the auto update side and i'm a bit behind on the updates till I  figure out what's the issue.. Can somebody tell me what link can I manually downoad the signatures the how to update it from either IDM or IME pertaining to a SSM-10/20 ?
  My last update history shows.
  Upgrade History:
  * IPS-sig-S535-req-E4       04:55:41 UTC Sat Dec 11 2010
    IPS-sig-S537-req-E4.pkg   04:55:33 UTC Wed Jan 05 2011
  so these are the signature trains I'm after..
  thanks

  The download URL was posted in the above reply (and can also be found in the IDS/IPS - Quick Links document). As far as installing the update via IME: You can do that by navigating to IME's Configuration > Sensor Management > Update Sensor section. From there, check (select) the radio button next to Update is located on this client, then click the Browse Local... button to select the file, and finally click the Update Sensor button to transfer and install the update.

• ASA-SSM-10 Signature Update Errors Messages

  Hello,
  I am getting error messages on ASA-SSM-10 IPS. It has following configuration:
  Model:   ASA-SSM-10
  Hardware version:   1.0
  Firmware version:   1.0(11)5
  Software version:   7.0(7)E4
  App. version:       7.0(7)E4
  Here are error messages:
  evError: eventId=1334244240891143986  vendor=Cisco  severity=error  
    originator:  
      hostId: sensor 
      appName: mainApp 
      appInstanceId: 357 
    errorMessage: No installable auto update package found on server  name=errSystemError 
  evError: eventId=1334244240891141857  vendor=Cisco  severity=error 
    originator:  
      hostId: sensor 
      appName: mainApp 
      appInstanceId: 357 
    errorMessage: could not parse cisco-locator-server response  name=errSystemError 
  evError: eventId=1334244240891142089  vendor=Cisco  severity=error 
    originator:  
      hostId: sensor 
      appName: collaborationApp 
      appInstanceId: 489 
    errorMessage: A global correlation update failed: Receive HTTP response failed [3,212]
  Messages, like this one, in the category - Reputation update failure - were logged 1 times in the last 105245 seconds.  name=errUnclassified 
  evError: eventId=1334244240891141325  vendor=Cisco  severity=error 
    originator:  
      hostId: sensor 
      appName: mainApp 
      appInstanceId: 357 
    errorMessage: could not parse cisco-locator-server response  name=errSystemError 
  Actually IPS is doing signature and Global Correlation updates, but form time to time I see  these error messages. Do you have any information what could it indicate.

  Hello Giorgi,
  Sometimes it may be server saturation, other connection problems proxy and so on. I recommend you to not put the hour for auto update to an exact time ie 2:00 PM or 1:00 AM try putting not even numbers like 9:17 or 10:41, and see if you continue getting these errors.
  Mike

• Update ASA-SSM-CSC-10 module

  Hi,
  I'm not able to update (reinstall) a ASA-SSM-CSC-10 module. I used the CLI-Command : "hw module 1 recover boot". But the module is still in the Recover-mode.
  Output from CLI (I used the image: csc6.1-b1519.bin):
  Slot-1 890> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  Slot-1 891> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  Slot-1 892> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  Slot-1 893> Received 59944272 bytes
  Slot-1 894> Launching TFTP Image...
  sclfw002# sh module
  Mod Card Type Model Serial No.
  0 ASA 5510 Adaptive Security Appliance ASA5510 JMX1032K16L
  1 ASA 5500 Series Content Security Services Mo ASA-SSM-CSC-10 JAF10290481
  Mod MAC Address Range Hw Version Fw Version Sw Version
  0 0018.195b.e68d to 0018.195b.e691 1.1 1.0(11)2 7.2(1)
  1 0018.7317.b44a to 0018.7317.b44a 1.0 1.0(11)2
  Mod SSM Application Name Status SSM Application Version
  Mod Status Data Plane Status Compatibility
  0 Up Sys Not Applicable
  1 Recover Not Applicable
  Could anybody help me?
  thanks
  Reto

  Are you able to stop the recovery from continuously running? Use "hw-module module 1 recover stop" to end it. Then try to reset it again (hw-module module 1 reset).
  If the module become unresponsive due to too long running in recover mode, big chances you need to reset the ASA. But try to reset/shut it down via ASA CLI first before decide to shutdown/powerup the whole box. This may be inevitable. During shutdown, remove the module, and power-up the ASA. Insert the module once the ASA is properly running, and check the status/mode again.
  Start the boot recovery process again, recover configure if necessary. If you need to stop it, issue "hw-module module 1 recover stop" within 45sec after the recover boot/configure started.
  HTH
  AK

• Signature recommendations for ASA-SSM-10

  hi, I was wondering if anyone has recommendations on what sigs to enable on the ASA-SSM-10.......I know.... to a certain extent, 'it depends'  on your individual environment.  But I think it must be the case that there are some disabled sigs that are good to enable..right?  I was hoping to tap into the 'group mind' on what works well.
  Also, why not enable all?  I am assuming the ASA-SSM-10 probably cannot keep up with that level of inspection??
  thanks in advance

  androdri,
    Thanks for your reply.  I have some followup questions.
  1.  I noticed that any signature that is disabled is listed as retired....does retired mean disabled or something else (like not needed any more).
  2.  it seems like most of the malware sigs are disabled, i would think that if you are in a user environment, you would want those on, is there an example of a situation that you would not want them on....how do you know if you have a problem if you don't look.
  thanks

• Failed auto update on ASA-SSM-20 The host is not trusted. Add the host to the system's trusted TLS certificates.

  Failed auto update on ASA-SSM-20 The host is not trusted. Add the host to the system's trusted TLS certificates.
    errorMessage: WebSession::sessionTask TLS connection exception: handshake incomplete.
  Messages, like this one, in the category - TLS connection failure - were logged 1464 times in the last 21461 seconds.  name=errTransport  

  Sam,
  See the other post in the list talking about your problem, "host not trusted".
  I had the same problem and the fix was to upgrade the IPS to 7.1(9)E4 . 
  Mike

• How to do a factory reset ASA-SSM-10?

  Hi.
  I forgot the user for management a IPS SSM-10, when i follow the procedure to reset the password for cisco user, i can get into the module, i change the password and every thing is OK, but when i tried to configure y don´t have rights to do anything.
  if i see the privileges for the user cisco this is the result
  EDGE-IPS2# sh user
      CLI ID   User    Privilege
  *   4143     cisco   viewer
  Application Partition:
  Cisco Intrusion Prevention System, Version 6.1(1)E2
  Host:
      Realm Keys          key1.0
  Signature Definition:
      Signature Update    S364.0                   2008-10-24
      Virus Update        V1.4                     2007-03-02
  OS Version:             2.4.30-IDS-smp-bigphys
  Platform:               ASA-SSM-10
  Serial Number:          JAF1208BNPP
  License expired:        20-Jun-2009 UTC
  Sensor up-time is 1:09.
  Using 657850368 out of 1032495104 bytes of available memory (63% usage)
  system is using 17.7M out of 29.0M bytes of available disk space (61% usage)
  application-data is using 41.5M out of 166.8M bytes of available disk space (26% usage)
  boot is using 40.5M out of 68.6M bytes of available disk space (62% usage)
  MainApp          M-2008_APR_24_19_16    (Release)   2008-04-24T19:49:05-0500   Running
  AnalysisEngine   ME-2008_JUN_05_18_26   (Release)   2008-06-05T18:55:02-0500   Running
  CLI              M-2008_APR_24_19_16    (Release)   2008-04-24T19:49:05-0500
  Upgrade History:
  * IPS-K9-6.1-1-E2           22:40:50 UTC Tue Feb 26 2013
    IPS-sig-S364-req-E2.pkg   18:43:20 UTC Wed Nov 12 2008
  Recovery Partition Version 1.1 - 6.1(1)E2
  Host Certificate Valid from: 17-Nov-2008 to 18-Nov-2010
  What can i do in this case?
  IPS Info
  Getting details from the Service Module, please wait...
  ASA 5500 Series Security Services Module-10
  Model:              ASA-SSM-10
  Hardware version:   1.0
  Serial Number:      JAF1208BNPP
  Firmware version:   1.0(11)4
  Software version:   6.1(1)E2
  MAC Address Range:  001e.f710.5b6c to 001e.f710.5b6c
  App. name:          IPS
  App. Status:        Up
  App. Status Desc:
  App. version:       6.1(1)E2
  Data plane Status:  Up
  Status:             Up
  Mgmt IP addr:       X.X.X.X
  Mgmt web ports:     443
  Mgmt TLS enabled:  

  The process will normally use the following command:
  hw-module module 1 password-reset
  It will reload the ASA and when loggin back the "Cisco" username will have admin rights.
  If this is not your case, a re-image of the unit will be the next step, keep in mind that this will remove all the custom config.

• How to buy license? for AIP-SSM-10 ?

  Hi all
  how to buy license? for AIP-SSM-10 ?
  1. CON-SU1-AS1A1PK9 this is Cisco SMARTnet Support for AIP-SSM-10
  2. do I need smartnet for ASA ?
  3. what is part number of license ?
  ASA5510test# session 1
  Opening command session with slot 1.
  Connected to slot 1. Escape character sequence is 'CTRL-^X'.
  login: cisco
  Password:
  ***NOTICE***
  This product contains cryptographic features and is subject to United States
  and local country laws governing import, export, transfer and use. Delivery
  of Cisco cryptographic products does not imply third-party authority to import,
  export, distribute or use encryption. Importers, exporters, distributors and
  users are responsible for compliance with U.S. and local country laws. By using
  this product you agree to comply with applicable laws and regulations. If you
  are unable to comply with U.S. and local laws, return this product immediately.
  A summary of U.S. laws governing Cisco cryptographic products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
  If you require further assistance please contact us by sending email to
  [email protected].
  ***LICENSE NOTICE***
  There is no license key installed on the SSM-IPS10.
  The system will continue to operate with the currently installed
  signature set.  A valid license must be obtained in order to apply
  signature updates.  Please go to http://www.cisco.com/go/license
  to obtain a new license or install a license.
  sensor#
  sensor# sh ver
  Application Partition:
  Cisco Intrusion Prevention System, Version 6.0(6)E3
  Host:
      Realm Keys          key1.0
  Signature Definition:
      Signature Update    S399.0                   2009-05-06
      Virus Update        V1.4                     2007-03-02
  OS Version:             2.4.30-IDS-smp-bigphys
  Platform:               ASA-SSM-10
  Serial Number:          ........
  No license present
  Sensor up-time is 21 min.
  Using 655507456 out of 1032499200 bytes of available memory (63% usage)
  application-data is using 39.7M out of 166.8M bytes of available disk space (25%
  usage)
  boot is using 37.6M out of 68.6M bytes of available disk space (58% usage)
  MainApp          N-NUBRA_2009_JUL_15_01_10_6_0_5_57   (Ipsbuild)   2009-07-15T01
  :15:08-0500   Running
  AnalysisEngine   N-NUBRA_2009_JUL_15_01_10_6_0_5_57   (Ipsbuild)   2009-07-15T01
  :15:08-0500   Running
  CLI              N-NUBRA_2009_JUL_15_01_10_6_0_5_57   (Ipsbuild)   2009-07-15T01
  :15:08-0500
  Upgrade History:
    IPS-K9-6.0-6-E3   17:48:06 UTC Wed Jul 15 2009
  Recovery Partition Version 1.1 - 6.0(6)E3
  sensor#

  Hi,
  CON-SU1-AS2A10K9 contract if for ASA+IPS bundle. If AIP-SSM-10 ws purchased as a spare the contract would be CON-SU1-ASIP10K9.
  I am not sure whether or not this Cisco Service for IPS contract can be  used to cover just the AIP-SSM-10 if it was purchased as part of a  Bundle instead of a Spare.
  I would recommend that you check with your Cisco reseller or Cisco  Sales Representative.
  Sourav

• ErrSystemError-ct-sensorApp.463 not responding on ASA-SSM-10

  Hello,
  I got following error message when login into IPS over IDM, after error is displayed IDM is closing.
  errSystemError-ct-sensorApp.463 not responding, please check system processes
  - The connect to the specified Io::ClientPipe failed.
  SSH login works, when using CLI following health statistics are available:
  sensor# show health
  Overall Health Status                                               Red
  Health Status for Failed Applications                         Red
  Health Status for Signature Updates                         Yellow
  Health Status for License Key Expiration                   Green
  Health Status for Running in Bypass Mode                Red
  Health Status for Interfaces Being Down                   Green
  Health Status for the Inspection Load                      Green
  Health Status for the Time Since Last Event Retrieval   Green
  Health Status for the Number of Missed Packets          Green
  Health Status for the Memory Usage                      Not Enabled
  Health Status for Global Correlation                    Green
  Health Status for Network Participation                 Not Enabled
  Security Status for Virtual Sensor sensor-int    Green
  Security Status for Virtual Sensor vs0           Green
  Do you have any idea why IPS crashed ?
  ASA-SSM-10 is installed into ASA 5510.

  Hello,
  I have the sem problem since sveral days, I found the following workaround on our environement. Working since 5hours.
  Hope it helps.
  Regards.
  IDSM-2 Sensor Module - errSystemError -ct-sensorApp.XXX not responding, please check system processes - The connect to the specified Io::ClientPipe failed.
  Symptom:
  When attempting to access an IDSM-2 sensor via its GUI (IDM) or via IME (IPS Manager Express), an error such as the following is encountered:
  "errSystemError -ct-sensorApp.XXX not responding, please check system processes - The connect to the specified Io::ClientPipe failed."
  Additionally, review of the 'show version' command output indicates the AnalysisEngine (sensorApp process) to be "Not Running".
  Conditions:
  IDSM-2 sensor module running 7.0(x) software release. Global Correlation Inspection feature enabled (On). A 'show tech' command output includes a sensorApp process core containing lines similar to the following:
  cat /usr/cids/idsRoot/core/sensorApp/core.txt
  /usr/cids/idsRoot/bin/sensorApp(_ZN3Cid3Rep9RepIpData13ApplyIpUpdateEPKcPNS0_8RepScoreE+)
  Solution:
  This problem is tracked as defect CSCti79423. It can be encountered on the IDSM-2 platform when a Global Correlation Update occurs. A fix for this is currently planned for inclusion in the next 7.0 release (7.0(6)).
  In the interim, the only workaround to ensure that the sensor does not re-encounter this defect is to disable Global Correlation Inspection (Updates) as such:
  sensor# conf t
  sensor(config)# service global-correlation
  sensor(config-glo)# global-correlation-inspection off
  sensor(config-glo)# exit
  Apply Changes?[yes]: yes
  After making the above configuration change, a reboot of the affected IDSM-2 sensor module should restore it to service:
  sensor# reset

• Problems with license upgrade on AIP-SSM

  Hi guys:
  I have a problem with my AIP-SSM, recently I download the latest license and I need to install in my AIP but when I try to do this I receive this error:
  "errSystemError-idsPackageMgr: digital signature of the update file was not valid, use CCO to replace corrupted file"
  So I download the license again, because maybe was corrupted, but I receive the same error at the time I want to install it.
  Does anybody knows what this error means?
  Regards

  It sounds like you are attempting to install a .lic license-key file via the Update Sensor section (which is used for software upgrades/updates instead). If you are trying to install a .lic license-key file, you can do that from IDM or IME's Configuration > Sensor Management > Licensing section. Ensure the Update From: option is set to License File, then click the Browse Local… button and locate/select the .lic license-key file on your local client machine. Finally, click the Update License button to upload and install the license-key file onto the sensor.
  If you try to install a .lic license-key file via the Update Sensor section, then you will encounter the error message you noted.

• Monitor Inspection Load IPS ASA-SSM-20

  All,
    I am aware there is a feature request but don't see any updates.  Taking the chance here that its fallen through the cracks and someone has figured out another way to monitor inspection load on ASA-SSM-20 IPS.  We are currently running 7.0(5a)E4.  I want to be able to use Solarwinds Orion to monitor Inspection Load on our IPS devices.  Does anyone know if that is yet possible...if so how?
  Thanks!

  Bump +1

• How to install and verify the license file on ASA 5512-x

  Hi Friends,
  How to install and verify the license file on ASA 5512-x Firewall. I have lincese pak for CX and web security essential.
  What need to be done? can i install this lic file on firewall or need to be install on CX server.  Because i dont have the CX server right now.
  Please share me document for installation of this license.
  thx
  Ashish Kumar

  Hi,
  one possible solution is to use an intermediate array. The intermediate array should be used in the user interface. When new data is entered the VI should read each element and then compare to the elements in the stored array. If all elements are different then update the array, otherwise display a fault message.
  You could use asequence activated when the Enter button is pressed. In the first frame you would compare the First array with the stored array. it is probably best to use a Boolean indicator to show if the data is valid Make sure you declare this as a local variable.
  With the sequence you can perform the comparisons in several seperate frames or in one frame with a OR to link the results. For large numbers of comparisons I prefer to use m
  ultiple frames because otherwise the screen becomes a maze of wires and other programmers who may need to maintain the code in the future will find it hard to follow a single frame.
  Once all the data items have been compared then the following sequence should contain a CASE statement of type True/False. Link a readable copy of your local variable to the selector of this statement. Then in the FALSE case (Assuming you have linked the boolean to be false when no data is duplicated) copy the new array to the stored array. In the TRUE case bring up an error message.
  So long as your arrays are not too large and you do not use this technique in too many places in your code the processor overhead should not be badly affected. For frequent use of such a caomparison in several VIs you may want to create a dedicated subVI for the task. For very large arrays you should seek a different solution.
  Hope that helps a bit.
  Good luck,
  Shaf

• ASA-SSM-10 inspection load 100% (version 7.0(5a)E4

  Hi all,
  I have a challenge with the IPS module in the ASA5520, the ASA-SSM-10. When we start a test to connect to the webservers I get a inspection load of 100% and traffic/performance will slow down.
  We test with 63000 sessions per minute which perform a load of: from the test-servers(clients) to the web-servers of 20.000 kbits/sec and traffic from the web-servers back to the test-servers(clients) 75.000 kbits/sec.
  Can you please advise what to do because we cannot go live with this environment only when this is fixed.
  Thanks in advance,
  Erik Verkerk.

  Hi Bob,
  thanks for you reply/suggestion and you understood the numbers correctly. Unfortunately the AIP-SSM-10 module must inspect this kind of load. I can test, within 8 hours time, a lower amount of traffic.
  I do have some questions for you:
  When you have a traffic of 75Mb/s what is your inspection load saying 80%?
  Regarding the specs Cisco tells in the documentation of the ASA5520 that when you are using a AIP-SSM-10 you can firewalling and IPS a maximum of 225Mb/s. Now I understand that this is probably the commercial figures but Iám only looking for half of this, 95MB/s. Do you have an explaination for this?
  Perhaps the amount of signatures is too much: I have 1500 signatures active, can you tell how much active signatures you run in your AIP-SSM-10?
  Last but not least question:
  It is hard for me to find some usefull documentation, specific troubleshooting the IPS, do you have suggestions?
  I hope you have the time to answers these questions it certainly helps me to understand the IPS and fix the problem.
  Many thanks in advance,
  Erik.

• Proper ASA-SSM-20 IPS and MARS Intergration

  I?m trying to understand how to best manage my MARS and ASA-SSM-20 IPS implementation. I?ve been running this solution for about 2 months and have been experimenting with how to manage alert s from the blades to MARS.
  The MARS documentation says to configure 2 Event Action Override -Verbose Alerts and Log Pair Packets. However there seems to be a major drawback:
  1. The IPS generates alert for signatures that by default have no alert action configured. At first glance this seems ok, but over time I found that many false positives are generated for signatures that would otherwise remain quite.
  My question is, how should this be managed? I want verbose alerts and logged pair packets for signatures that produce alerts by default, but if I manually configure this, is there a performance consideration?

  You might be hitting the bug CSCuc34812.
  Please contact Cisco TAC to have the issue analyzed.
  Regards,
  Sawan Gupta

• Will ASA-SSM-20 reload affect ASA failover?

  I have 2 ASA 5520s with an ASA-SSM-20 installed in each. The ASA-SSM-20 in the primary ASA is not working correctly:
  Error: Cannot communicate with mainApp (getVersion). Please contact your system administrator.
  Would you like to run cidDump?[no]:
  I would like to reload the module, but I don't know if that will cause the whole ASA to failover. The ASAs are running 7.2(3).
  Any thoughts?

  Thanks Brett.
  We are using stateful failover. Not all sessions get dropped, just enough Telnet and application interface links that we start getting calls and people show up at my door. This is on a new ASA5520 that normally runs <5% CPU utilization. I just checked the failover link is set to 1000FULL so there should not be any delay updated state information.
  Am I missing something in the config?
  Portcullis# sho run failover
  failover
  failover lan unit primary
  failover lan interface heartbeat GigabitEthernet0/2
  failover polltime unit 3 holdtime 9
  failover replication http
  failover link heartbeat GigabitEthernet0/2
  failover interface ip heartbeat 172.31.0.201 255.255.255.0 standby 172.31.0.202
  Portcullis# sho run interface g0/2
  interface GigabitEthernet0/2
  description LAN/STATE Failover Interface
  speed 1000
  duplex full
  Portcullis#
  -Roy-