Upgrade AIP SSM with Signature Engine 4 file

When I tried to upload the Signature Engine 4 file (IPS-engine-E4-req-7.0-2.pkg), using an FTP server both by CLI and IDM, to a new AIP SSM sensor, I got the following error message:
Cannot upgrade software on the sensor - socket error:110.
When I tried to do the same by using these steps: IDM --> Configuration --> Sensor Management --> Update Sensor --> choose Update is located on this client --> choose the "IPS-K9-7.0-2-E4.pkg" file --> hit the "Update Sensor" button, I got the following error message:
The current signature level is S480.The current signature level must be  less than s480 for this package to install.
Here is the output of the sh ver command:
AIP_SSM# sh version
Application Partition:
Cisco Intrusion Prevention System, Version 7.0(2)E4
Host:
    Realm Keys          key1.0
Signature Definition:
    Signature Update    S480.0                   2010-03-24
OS Version:             2.4.30-IDS-smp-bigphys
Platform:               ASA-SSM-10
Serial Number:          JAF1514BAHS
Licensed, expires:      07-Jun-2012 UTC
Sensor up-time is 21 days.
Using 695943168 out of 1032495104 bytes of available memory (67% usage)
system is using 17.4M out of 38.5M bytes of available disk space (45% usage)
application-data is using 45.4M out of 166.8M bytes of available disk space (29% usage)
boot is using 41.6M out of 68.6M bytes of available disk space (64% usage)
application-log is using 123.5M out of 513.0M bytes of available disk space (24% usage)
MainApp            B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500   Running
AnalysisEngine     BE-BEAU_E4_2010_MAR_25_02_09_7_0_2   (Ipsbuild)   2010-03-25T02:11:05-0500   Running
CollaborationApp   B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500   Running
CLI                B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500
Upgrade History:
  IPS-K9-7.0-2-E4   02:00:07 UTC Thu Mar 25 2010
Recovery Partition Version 1.1 - 7.0(2)E4
Host Certificate Valid from: 30-May-2011 to 30-May-2013
Any idea what could be the problem?
Regards,

Based on your show version, you already have E4. What is it that you are trying to do?
Mike

Similar Messages

  • Upgrade AIP-SSM-10 to E4

    Hello, I am trying to upgrade from e3 to e4 and then upgrade my software...
    here is a show version
    Cisco Intrusion Prevention System, Version 6.2(2)E3
    Host:
        Realm Keys          key1.0
    Signature Definition:
        Signature Update    S479.0                   2010-03-19
        Virus Update        V1.4                     2007-03-02
    OS Version:             2.4.30-IDS-smp-bigphys
    Platform:               ASA-SSM-10
    Serial Number:        
    Licensed, expires:     
    Sensor up-time is 171 days.
    Using 674635776 out of 1032499200 bytes of available memory (65% usage)
    application-data is using 43.5M out of 166.8M bytes of available disk space (28% usage)
    boot is using 40.1M out of 68.6M bytes of available disk space (62% usage)
    MainApp          E-ECLIPSE_2009_SEP_14_13_21_6_2_1_119   (Ipsbuild)   2009-09-14T13:22:32-0500   Running
    AnalysisEngine   E-ECLIPSE_2009_SEP_14_13_21_6_2_1_119   (Ipsbuild)   2009-09-14T13:22:32-0500   Running
    CLI              E-ECLIPSE_2009_SEP_14_13_21_6_2_1_119   (Ipsbuild)   2009-09-14T13:22:32-0500
    Upgrade History:
    * IPS-K9-6.2-2-E3           10:33:06 UTC Tue Sep 22 2009
      IPS-sig-S479-req-E3.pkg   12:17:09 UTC Tue Jun 22 2010
    Recovery Partition Version 1.1 - 6.2(2)E3
    Host Certificate Valid from: 15-Jun-2010 to 15-Jun-2012
    I understood that I can upgrade to IPS-engine-E4-req-7.0-2.pkg but when I try this from the asdm or from the cli, here is the output from the cli:
    IPS-1(config)# upgrade ftp://N****@***.**.**.**//IPSengine-E4-req-7.0-2.pkg
    Password: ********
    The filename IPSengine-E4-req-7.0-2.pkg is not a valid upgrade file type.
    Continue with upgrade? []: no
    IPS-1(config)# upgrade ftp://N****@***.**.**.**//IPSengine-E4-req-6.2-2.pkg
    Password: ********
    The filename IPSengine-E4-req-6.2-2.pkg is not a valid upgrade file type.
    Continue with upgrade? []: no
    IPS-1(config)# end
    Do I want to just go ahead with the upgrade, even though it is telling me it's not a valid upgrade type?
    Thanks for any help...

    You can only upgrade using the IPS-engine-E4-req-7.0-2.pkg file if you are already running the latest version on that major version: 7.02(E3).
    So since you are running version 6.2.2(E3) at the moment, I would suggest that you upgrade the module to the latest E4 directly using this upgrade file:
    IPS-K9-7.0-4-E4.pkg
    Here is the readme file for 7.0.4(E4):
    http://www.cisco.com/web/software/282549709/35783/IPS-7_0-4-E4_readme.txt
    Hope that helps.

  • AIP-SSM-10 signature update failure

    Hopefully someone will be able to help me. I am unable to get the IPS signature autoupdate working on our ASA 5510. We have a valid support contract, our username does not include any special characters, and I am able to download the signature files from the website using our CCO.
    When trying to get them via Auto/cisco.com update though I get the following in the event logs every update attempt:
    evError: eventId=1319467413849005289  vendor=Cisco  severity=error 
      originator:  
        hostId: xxxx 
        appName: mainApp 
        appInstanceId: 354 
      time: Oct 26, 2011 11:40:01 UTC  offset=60  timeZone=GMT00:00 
      errorMessage: AutoUpdate exception: HTTP connection failed [1,111]  name=errSystemError 
    I have included a "show conf" and a "show stat host" below.
    <snip>
    xxxxxx# show conf
    ! Current configuration last modified Wed Oct 26 10:48:07 2011
    ! Version 7.0(6)
    ! Host:
    !     Realm Keys          key1.0
    ! Signature Definition:
    !     Signature Update    S604.0   2011-10-20
    service interface
    exit
    service authentication
    exit
    service event-action-rules rules0
    exit
    service host
    network-settings
    host-ip 10.x.x.x/24,10.x.x.x
    host-name xxxxxx
    telnet-option disabled
    access-list 10.x.x.x/32
    access-list 10.x.x.x/16
    access-list 10.x.x.x/32
    dns-primary-server enabled
    address 10.x.x.x
    exit
    dns-secondary-server disabled
    dns-tertiary-server disabled
    exit
    time-zone-settings
    offset 0
    standard-time-zone-name GMT00:00
    exit
    ntp-option enabled-ntp-unauthenticated
    ntp-server 10.x.x.x
    exit
    summertime-option recurring
    summertime-zone-name GMT00:00
    start-summertime
    week-of-month last
    exit
    end-summertime
    month october
    week-of-month last
    exit
    end-summertime
    month october
    week-of-month last
    exit
    exit
    auto-upgrade
    cisco-server enabled
    schedule-option periodic-schedule
    start-time 00:40:00
    interval 1
    exit
    user-name xxxxxxxxxxxxxxx
    cisco-url https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
    exit
    exit
    exit
    service logger
    exit
    service network-access
    exit
    service notification
    exit
    service signature-definition sig0
    exit
    service ssh-known-hosts
    exit
    service trusted-certificates
    exit
    service web-server
    exit
    service anomaly-detection ad0
    exit
    service external-product-interface
    exit
    service health-monitor
    exit
    service global-correlation
    exit
    service aaa
    exit
    service analysis-engine
    virtual-sensor vs0
    physical-interface GigabitEthernet0/1
    exit
    exit
    <snip>
    xxxxxx# show stat host
    General Statistics
       Last Change To Host Config (UTC) = 27-Oct-2011 08:27:10
       Command Control Port Device = GigabitEthernet0/0
    Network Statistics
        = ge0_0     Link encap:Ethernet  HWaddr 00:12:D9:48:F7:44
        =           inet addr:10.x.x.x  Bcast:10.x.x.x.x  Mask:255.255.255.0
        =           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
        =           RX packets:470106 errors:0 dropped:0 overruns:0 frame:0
        =           TX packets:139322 errors:0 dropped:0 overruns:0 carrier:0
        =           collisions:0 txqueuelen:1000
        =           RX bytes:40821181 (38.9 MiB)  TX bytes:102615325 (97.8 MiB)
        =           Base address:0xbc00 Memory:f8200000-f8220000
    NTP Statistics
        =      remote           refid      st t when poll reach   delay   offset  jitter
        = *time.xxxx.x 195.x.x.x   3 u  142 1024  377    1.825   -0.626   0.305
        =  LOCAL(0)        LOCAL(0)        15 l   59   64  377    0.000    0.000   0.001
        = ind assID status  conf reach auth condition  last_event cnt
        =   1 43092  b644   yes   yes  none  sys.peer   reachable  4
        =   2 43093  9044   yes   yes  none    reject   reachable  4
       status = Synchronized
    Memory Usage
       usedBytes = 664383488
       freeBytes = 368111616
       totalBytes = 1032495104
    Summertime Statistics
       start = 03:00:00 GMT00:00 Sun Mar 27 2011
       end = 01:00:00 GMT00:00 Sun Oct 30 2011
    CPU Statistics
       Usage over last 5 seconds = 51
       Usage over last minute = 44
       Usage over last 5 minutes = 50
    Memory Statistics
       Memory usage (bytes) = 664383488
       Memory free (bytes) = 368111616
    Auto Update Statistics
       lastDirectoryReadAttempt = 08:40:00 GMT00:00 Thu Oct 27 2011
        =   Read directory: https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
        =   Error: AutoUpdate exception: HTTP connection failed [1,111]
       lastDownloadAttempt = N/A
       lastInstallAttempt = N/A
       nextAttempt = 09:28:00 GMT00:00 Thu Oct 27 2011
    Auxilliary Processors Installed
    <snip>
    Many thanks.

    Hi Bob,
    Thanks for the reply - it got me thinking about how it was actually getting the update.
    I needed to modify an ACL and add a PAT for the sensor management IP as I've tied down the hosts that can get out.
    It's now showing that it is attempting to reach the URL - currently there aren't any updates waiting though....
    Many thanks.

  • AIP-SSM Upgrade Procedure

    Hi everybody!
    I have an ASA5520 version 8.2(1) with an AIP-SSM-20 module
    and I want to upgrade the AIP-SSM-20 software from version 6.1(3)E3 to 7.0(2)E4.
    I went to the download site and see the following list:
    Intrusion Prevention System (IPS) Recovery Software:
    IPS-K9-r-1.1-a-7.0-2-E4.pkg
            Release Date: 29/Mar/2010
            IPS Recovery Image File
    Intrusion Prevention System (IPS) Signature Updates:
    IPS-sig-S481-req-E4.pkg
            Release Date: 31/Mar/2010
            E4 Signature Update S481
    Intrusion Prevention System (IPS) System Software:
    IPS-SSM_20-K9-sys-1.1-a-7.0-2-E4.img
            Release Date: 29/Mar/2010
            IPS-SSM_20 System Image File
    Intrusion Prevention System (IPS) System Upgrades
    IPS-K9-7.0-2-E4.pkg
            Release Date: 29/Mar/2010
            IPS 7.0 Major Upgrade File (All Supported Platforms Except AIM-IPS and NME-IPS)
    IPS-engine-E4-req-7.0-2.pkg
            Release Date: 29/Mar/2010
            IPS E4 Engine Update
    I am somewhat confused by the number of files and want to ask what procedure/sequence I should follow to upgrade.

    This is the file that you would like to use to upgrade it:
    Intrusion Prevention System  (IPS) System Upgrades
    IPS-K9-7.0-2-E4.pkg
    To upgrade:
    1) Upload the "IPS-K9-7.0-2-E4.pkg" file through IDM
    2) IDM --> Configuration --> Sensor Management --> Update Sensor --> choose Update is located on this client --> choose the "IPS-K9-7.0-2-E4.pkg" file --> hit the "Update Sensor" button.
    It will take a while (around 20 minutes) to upgrade the sensor, so don't panic if it doesn't come back up in "UP" status straight away.
    Hope that helps.

  • IPS AIP-SSM

    Hi,
    What is the difference between E3 and E4 system upgrade files in IPS? Is it possible to upgrade AIP-SSM from 6.0 E3 to 7.0 E4?
    Regards
    Amar

    Amar;
      The E3 and E4 designation represents the version of the analysis engine installed on the sensor.  The signature developers create signatures to the most current release of the analysis engine (E4 currently).  Without the most current analysis engine (and an active license) you cannot apply signature updates to the sensor.
      It is possible to upgrade an AIP-SSM from release 6.0 to 7.0 using the current 7.0 upgrade package (.pkg file).
    Scott

  • AIP-SSM (Not Applicable)

    Hi Experts,
    We have 2 ASAs and each one has an AIP-SSM. On the 2nd ASA's AIP-SSM I tried to upload the latest image for AIP-SSM 20, but it didn't work and now I see the module is dead. Please check the details below. Please help me out with how to bring it up or make it work properly so that I can configure other stuff. Please, it's very important and urgent, help me out.
    ASA-A:
    251-DBSi-ASA5540# sh module 1
    Mod Card Type                                    Model              Serial No.
      1 ASA 5500 Series Security Services Module-20  ASA-SSM-20         JAF11370608
    Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
      1 0007.0e11.e13b to 0007.0e11.e13b  1.0          1.0(11)2     5.1(6)E1
    Mod SSM Application Name           Status           SSM Application Version
      1 IPS                            Up               5.1(6)E1
    Mod Status             Data Plane Status     Compatibility
      1 Up                 Up
    ASA-B:
    251-DBSi-ASA5540# sh module 1
    Mod Card Type                                    Model              Serial No.
      1 ASA 5500 Series Security Services Module-20  ASA-SSM-20         JAF1137060C
    Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
    1 001d.4524.a414 to 001d.4524.a414  1.0          1.0(11)2     5.1(6)E1
    Mod SSM Application Name           Status           SSM Application Version
      1 IPS                            Not Applicable   5.1(6)E1
    Mod Status             Data Plane Status     Compatibility
      1 Recover            Not Applicable

    Please try rebooting the module; if that does not work, recover it using the following procedure:
    http://www.cisco.com/en/US/docs/security/ips/5.0/configuration/guide/cli/cliimage.html#wpxref68481
    Regards
    Farrukh

  • AIP-SSM crash during S389 Signature upgrade

    Our AIP-SSM [version 6.1(2)E3] crashed during a S389 Signature upgrade on Friday. Neither a "session 1" command from its host, an ASA5520, or a "reload" command of the ASA5520 succeeded in bringing back up the AIP-SSM. Fortunately, after the ASA's power was recycled, the AIP-SSM successfully booted, albeit not to S389, but to its previously loaded S383. I established an SR and supplied the "show tech" and "show config," but the Cisco tech replied "nothing stands out" in them and said just run the S389 update again and send the same info if it crashes. I have several problems with that approach: 1) he had replied that several other customers had had the same problem; 2) our current AIP-SSM is a replacement for an RMA'ed one which had choked on the E2 engine upgrade a few months ago; 3) if another S389 upgrade attempt fails, our client's network will be down because our security policy requires the ASA's bypass mode for the AIP-SSM to be "fail-close." My questions to the forum include:
    1) If the "show tech" command is run after an AIP-SSM has rebooted after a previously-attempted S389 upgrade, can it include any information specific to the previously-attempted S389 upgrade? 2) Could the hardware components of the AIP-SSM-10 be inadequate for the combination of the E3 engine plus the cumulative signatures? 3) If the answer to question 2 is "yes" or "possibly," could Cisco modularize the signatures, eg. provide an "only-activated-signatures" (ie smaller) file for customers like us and an "everything" for others? Advice and recommendations heartily requested.

  • Problems with license upgrade on AIP-SSM

    Hi guys:
    I have a problem with my AIP-SSM. Recently I downloaded the latest license and I need to install it on my AIP, but when I try to do this I receive this error:
    "errSystemError-idsPackageMgr: digital signature of the update file was not valid, use CCO to replace corrupted file"
    So I downloaded the license again, because maybe it was corrupted, but I receive the same error when I try to install it.
    Does anybody know what this error means?
    Regards

    It sounds like you are attempting to install a .lic license-key file via the Update Sensor section (which is used for software upgrades/updates instead). If you are trying to install a .lic license-key file, you can do that from IDM or IME's Configuration > Sensor Management > Licensing section. Ensure the Update From: option is set to License File, then click the Browse Local… button and locate/select the .lic license-key file on your local client machine. Finally, click the Update License button to upload and install the license-key file onto the sensor.
    If you try to install a .lic license-key file via the Update Sensor section, then you will encounter the error message you noted.

  • Signature Updates for AIP-SSM 10

    Hi all, how can I obtain Signature Updates for AIP-SSM 10, where I have a 60-day trial license?

    Here is the main file download page for the IPS sensors.
    Find the section for the version you are running and click on the Latest Signature Updates link to take you to the download page for signature updates.
    You can then download whichever signature update you want.
    NOTE1: Each Signature Updates contains all signatures from previous Sig levels. So you only need to download the latest one.
    NOTE2: Each signature update has a specific E (Engine) level requirement. You can execute "show ver" on your sensor to determine if it is at an E1 or E2 level. If it is at E1 and you want the latest sigs that require E2 then you will first need to install the E2 upgrade.
    On that main download page look for the "Latest Upgrades" link for your version, and look for the IPS-engine-E2-req-X.X-X.pkg file where the X.X-X matches your sensor version.
    If there is not an X.X-X matching your sensor version, then you may need to upgrade the software version for your sensor as well.
    NOTE3: Many of these links will also require an account on cisco.com. And for some of these files that account may also need to be verified for being from a country where the USA's export restrictions allow downloads for encryption. (Most countries qualify but you do have to go through that qualification step). It has been over 10 years since I have had to do this so I am not sure of the latest procedures for getting an account or validating it for encryption downloads.

  • Installing signature update for IDSM-2 on AIP-SSM

    Hi everyone, I'm not sure about this question but I think it's better to ask you experts. I want to know: if I have a signature update, for example for my IDSM-2, can I install this sig update on my AIP-SSM? Suppose that the IPS software on both devices is the same and I have also installed a valid license key on the AIP-SSM. Can I do this or not? Also, I know that if you do not have a valid license installed on the IDSM-2 you can't install any sig update on the IDSM-2, but what about the AIP-SSM? I mean, can I install a sig update on the AIP-SSM without a valid license key installed on the AIP-SSM? Thanks

    There are 3 main types of Signature Updates.
    1) IPS Sensor Signature Updates
    2) CSM Signature Updates for IPS Sensors
    3) IOS IPS Signature Updates
    The IPS Signature Update filename is in the form: IPS-sig-Sxxx-req-Ey.pkg
    This is most likely what you are referring to in your post. This file can be installed on ANY IDS/IPS Appliance or Module.
    The Requirement here is not the platform but rather the Engine Level. The "req-Ey" portion of the filename tells you that the sensor must already be running the "y" Engine level of software.
    So an IPS-sig-S436-req-E3.pkg file can be installed on any IDS/IPS Appliance or Module so long as the software on that sensor is an "E3" version.
    The CSM updates, are signature updates for the Cisco Security Manager. They contain special files that CSM uses to update itself, and then also included within the CSM update is the actual sensor update described above. CSM unpackages the CSM update, updates itself, and then uses that embedded file to upgrade the actual sensor.
    The third type of file is for IOS Routers loaded with special IOS software that has the special IOS IPS features where the Router itself (instead of a separate IDS/IPS module) does the signature monitoring.
    These IOS IPS Signature Updates get installed on the actual router, and are not installed on the IDS/IPS Sensor Appliances or Modules.
    So in answer to your question, yes the same Signature Update for your IDSM-2 is the exact same Signature Update for your SSM modules.
    The exact same file is available through multiple different paths on cisco.com. But it doesn't matter through which cisco.com path you downloaded the file you can still install it on all IDS/IPS Appliances and Modules.
    As for licensing, the license works the same on all IDS/IPS Appliances and Modules. A license must be on the sensor for the Signature Update to be applied.
    NOTE: A Trial License is available from cisco.com for new sensors to allow you time to get everything setup correctly for your sensor to be covered by a service contract, and get the standard license from the service contract.
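
The filename rules quoted in these threads (a signature update's "req-Ey" must equal the sensor's engine level, an engine update's "req-X.X-X" must equal the sensor's release, and an engine or upgrade package is pointless once the sensor is already at that level) can be checked before a file is ever pushed to a sensor. The following is an added example, not code from any poster or from Cisco; the names `parse_show_version` and `check_package` are hypothetical, the signature-level comparison is an assumption, and it does not model any minimum source version a release readme may require.

```python
import re
from typing import NamedTuple

# Constructed sample: a trimmed "show version" in the format quoted in the threads above.
SAMPLE_SHOW_VERSION = """\
Cisco Intrusion Prevention System, Version 7.0(2)E4
Signature Definition:
    Signature Update    S480.0                   2010-03-24
Platform:               ASA-SSM-10
"""


class Sensor(NamedTuple):
    release: tuple  # (major, minor, patch), e.g. (7, 0, 2) for 7.0(2)
    engine: int     # analysis engine level, e.g. 4 for E4
    sig: int        # installed signature level, e.g. 480 for S480


class Verdict(NamedTuple):
    kind: str       # "signature", "engine", "upgrade" or "unknown"
    ok: bool
    reason: str


def parse_show_version(text):
    """Pull release, engine level and signature level out of 'show version'."""
    ver = re.search(r"Version (\d+)\.(\d+)\((\d+)\)E(\d+)", text)
    sig = re.search(r"Signature Update\s+S(\d+)", text)
    if ver is None or sig is None:
        raise ValueError("version or signature update line not found")
    major, minor, patch, engine = (int(g) for g in ver.groups())
    return Sensor((major, minor, patch), engine, int(sig.group(1)))


_REL = r"(?P<maj>\d+)\.(?P<min>\d+)-(?P<patch>\d+)"
# Filename shapes as they appear on this page. Recovery (IPS-K9-r-...) and
# system image (.img) names are out of scope here and come back as "unknown".
_PATTERNS = [
    ("signature", re.compile(r"^IPS-sig-S(?P<sig>\d+)-req-E(?P<eng>\d+)\.pkg$")),
    ("engine", re.compile(rf"^IPS-engine-E(?P<eng>\d+)-req-{_REL}\.pkg$")),
    ("upgrade", re.compile(rf"^IPS-K9-{_REL}-E(?P<eng>\d+)\.pkg$")),
]


def check_package(sensor, filename):
    """Decide whether a package name fits the sensor state, and say why."""
    for kind, pattern in _PATTERNS:
        m = pattern.match(filename)
        if m:
            break
    else:
        return Verdict("unknown", False,
                       "name matches none of the three update patterns handled here")
    f = {k: int(v) for k, v in m.groupdict().items()}
    eng = f["eng"]

    if kind == "signature":
        # "req-Ey": the sensor must already run engine level y.
        if sensor.engine != eng:
            return Verdict(kind, False,
                           f"requires E{eng}, sensor runs E{sensor.engine}")
        # Assumption: updates are cumulative, so an equal or older level adds nothing.
        if f["sig"] <= sensor.sig:
            return Verdict(kind, False, f"sensor already at S{sensor.sig}")
        return Verdict(kind, True, f"S{sensor.sig} -> S{f['sig']} on E{eng}")

    rel = (f["maj"], f["min"], f["patch"])
    if kind == "engine":
        # "req-X.X-X": the engine update only applies to that exact release.
        if rel != sensor.release:
            return Verdict(kind, False,
                           f"requires release {rel}, sensor runs {sensor.release}")
        if sensor.engine >= eng:
            return Verdict(kind, False, f"sensor already at E{sensor.engine}")
        return Verdict(kind, True, f"E{sensor.engine} -> E{eng}")

    # Full upgrade package: only useful if it moves the sensor forward.
    if (rel, eng) <= (sensor.release, sensor.engine):
        return Verdict(kind, False, "sensor is already at or past this release")
    return Verdict(kind, True, f"{sensor.release} E{sensor.engine} -> {rel} E{eng}")


if __name__ == "__main__":
    sensor = parse_show_version(SAMPLE_SHOW_VERSION)
    for name in ("IPS-engine-E4-req-7.0-2.pkg", "IPS-K9-7.0-2-E4.pkg",
                 "IPS-sig-S481-req-E4.pkg", "IPSengine-E4-req-7.0-2.pkg"):
        print(name, "->", check_package(sensor, name))
```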

  • AIP-SSM-10 sensor upgrade

    I have two ASA5520's with ASA-SSM-10 modules which are running Cisco Intrusion Prevention System, Version 6.0(6)E4. These are located at two different sites (one is local and the other remote from where I am based) and so are not running failover.
    I understand there is an auto update signature option with Version 6.1 or later which I would like to set up.
    The ASA5520's are running Cisco Adaptive Security Appliance Software Version 8.2(5).
    Can anyone recommend whether I should be looking at upgrading to Version 6.2 or 7.0 and perhaps why?
    Do I also just apply the engine update and then update the latest signatures for good measure?
    I was thinking of doing the upgrade through the IDM and was a bit confused about the recovery and system images and what the correct procedure should be e.g. backup the AIP config, tftp the existing image, install the new engine image and reboot the sensor?
    Any comments or assistance would be appreciated.
    Thanks, Peter.

    Hello Peter,
    Hope you are doing fine,
    I would encourage you to go to the latest IPS image available nowadays, which is: 7.1.7 Engine 4
    Why is that?
    Because you will ensure you will have a device with the latest image that will provide you fixes to previous bugs, new features, etc etc.
    So go for it.
    Now regarding the upgrade
    From the CLI
    On configuration terminal mode
    configure terminal
         upgrade ftp://user:[email protected]/upgrade_file_name
    http://www.networkstraining.com/how-to-upgrade-the-cisco-ips-module-aip-ssm/
    Regards,
    Julio Carvajal

  • Failure to Upgrade the software of my AIP-SSM-20

    Dear all,
    I have failed to upgrade the software of my AIP-SSM-20 on the ASA. The AIP-SSM-20 had an image of version IPS-K9-5.1-7-E1.pkg and I tried to upgrade it to IPS-K9-6.1-1-E2.pkg, but after the upgrade the AIP-SSM-20 became unusable. I can no longer log on to the IPS module from the ASA. When I initiated a connection to the module with the session 1 command, the system says card in slot 1 did not respond to system request. I decided to restore the system image from the ASA by using the hw-module module 1 recover configure and hw-module module 1 recover boot commands, but have so far failed. When I issued the hw-module module 1 boot command, the status of the IPS shows recover and would be in that state even for days. And my TFTP server shows that it is transferring the images to the IPS.
    I don't know where I have gone wrong and I would be very happy if somebody can give me a procedure that would help me to re-image the software of the IPS.
    Any help would be highly appreciated.
    Claude Fozao

    Halijen has already sent you a link to reimage; let me briefly answer what system image and upgrade files are and the difference between them.
    The System Image files are meant to be used only when a complete erasing of the sensor's image is needed. This is generally because the installed files were corrupted, or so old that it would be easier to start over and make it look like it came from the factory, than to use the standard "upgrade" files. So in case you are doing reimaging, then use .img files, which are system reimage files.
    In more than 90% of the cases, most customers will want to "upgrade" rather than do a System Image. The "upgrade" is done from within the sensor itself, and will both load the higher version as well as convert your current configuration to work with the newer version. It uses .pkg files.
    A usual problem with the System Re-imaging process is that the card winds up in a boot loop because of an error. When ROMMON detects an error it reboots and tries the same steps again, which usually winds up with the same error, which causes a reboot, etc.
    So determining if the card is in a reboot loop, and what the error is would be the next step in your debugging process.
    Execute "debug module-boot".  Enter "hw-module module 1 recover stop".   Wait for a few minutes, and then enter "hw-module module 1 recover boot".
    The output from ROMMON on the SSM will be seen on your ASA connection. Look at the configuration being passed to the SSM's ROMMON and look for any bad entries. Watch to see if it is able to download the System Image file, or if it continuously reboots.
    If it continuously reboots, then look to see what error message is seen just prior to the reboot.
    Some common problems:
    1) Typos in IP address, gateway, tftp server IP, or system image filename.
    2) If the tftp server is on the same subnet as the SSM's IP Address, then try leaving the Gateway address blank since it is not needed.
    3) Remember that the IP Address is for the external interface of the SSM. So be sure you are using an address that is applicable for the network where you are plugging in the SSM's external interface.
    4) If the TFTP Server is on another subnet, then be sure there is a route to the other network.  If having to route back through the ASA, then ensure that the ASA will allow TFTP packets to pass through the ASA.  (The ASA could wind up blocking the TFTP packets depending on the ASA configuration)
    5) Be sure the file can be downloaded from the TFTP server. Check the file permissions, and the directory where the file is located. From your desktop try to download the file from the tftp server. This will ensure you are using the correct directory and that the file has correct permissions. One common problem is that the file may be /tftpboot/sensorfiles/IPS-SSM_20-K9-sys-1.1-a-6.1-1-E1.img. But because the tftp server automatically starts in /tftpboot, you may need to NOT specify it for the file and instead just use: sensorfiles/IPS-SSM_20-K9-sys-1.1-a-6.1-1-E1.img
    6) Check to make sure the file is not corrupted by running an md5sum and checking it against the value listed on Cisco's web site.

  • How to block p2p applications(Bittorent like) with AIP-SSM-10?

    Hi,
    How to block p2p applications using AIP-SSM-10 working with ASA5520? AIP is in promiscuous mode.
    Thanks,
    Siva

    There are several signatures that detect p2p, for bit torrent there is 11020.0
    Yahoo triggers: 5539.0, 11200.0, 11212.0, 11217.0 & 11219.0
    etc..
    Some are disabled by default though so please ensure you enable the ones that you need.
    If you want to block these then you will have to use event actions that work in promiscuous setup for example request block connection and tcp reset. Please note that care must be taken when using these event actions.
    For more information about the event actions please refer the link below:
    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/idmguide/dmevtrul.htm#wp1069467

  • Obtaining hardware and signature support for AIP SSM-10

    We have a 5510 which we have purchased an AIP SSM-10 card for the ASA which is already under a support contract. We now wish to add hardware maintenance for the new AIP SSM-10 card as well as signature updates. Our Cisco supplier will not confirm that we will receive signature updates with the hardware support though (we have been trying to get an answer from them since June or July now).
    Could someone let us know what the correct part number is so we can ask for the specific option that will provide both hardware cover and signature updates?

    I think this is what you need,
    CON-SU1-AS1A1PK9
    IPS SVC, AR NBD ASA5510-AIP10SP-K9
    cisco smartnet support

  • AIP-SSM upgrade

    Going to upgrade from 6.0(1)E1 to
    IPS IPS-K9-6.1-1-E2.pkg
    We run 2 ASAs in active/active for 2 contexts. We would like to upgrade one SSM first and run it for a week with new signatures, then upgrade the other. This means one module will have 6.0(1)E1 and not the latest. Will this cause any issue?
    Also, my output shows data plane DOWN. Any ideas what may cause it and how to fix it?
    Mod Card Type Model Serial No.
    1 ASA 5500 Series Security Services Module-20 ASA-SSM-20 JAF11025147
    Mod MAC Address Range Hw Version Fw Version Sw Version
    1 0019.e82b.d238 to 0019.e82b.d238 1.0 1.0(11)2 6.0(1)E1
    Mod SSM Application Name Status SSM Application Version
    1 IPS Up 6.0(1)E1
    Mod Status Data Plane Status Compatibility
    1 Up Down

    The two units in a failover configuration must have the same hardware configuration. They must be the same model, have the same number and types of interfaces, the same amount of RAM, and, for the ASA 5500 series security appliance, the same SSMs installed (if any). So both SSMs should always be of the same version.
