Upgrade asa5585x ips
I upgraded our IPS from 7.1(3)E4 to 7.1(4)E4. My question is how long does it normally take to reboot?
- performed the upgrade using the CLI with no errors
- The upgrade process appeared to complete and reboot, however, the module never came back to an up state
- sh module 1 detail showed the SSP in an unresponsive state
- sh tech does not show much of anything in the main.log; only message observed during the post is:
Cid/E errSystemError - collectStatistics failed: System error: Could not get user mode interface statistics [IntfcManager::IntfcManager]
- Most likely related to CSCtw62226
Similar Messages
-
Upgradation from IPS 6.2(1)e3 to 7.0(2)E3.
Hi All.
Is any separate license required to upgrade the OS from 6.2(1)e3 to 7.0(2)E3?
Pls find the show version of IPS.
sh version
Application Partition:
Cisco Intrusion Prevention System, Version 6.2(1)E3
Host:
Realm Keys key1.0
Signature Definition:
Signature Update S407.0 2009-06-08
Virus Update V1.4 2007-03-02
OS Version: 2.4.30-IDS-smp-bigphys
Platform: WS-SVC-IDSM-2
Serial Number:
Trial license, expires: 02-Mar-2011 UTC
Sensor up-time is 10 days.
Using 1408135168 out of 1983508480 bytes of available memory (70% usage)
application-data is using 36.7M out of 166.8M bytes of available disk space (23% usage)
boot is using 39.7M out of 68.6M bytes of available disk space (61% usage)
application-log is using 533.0M out of 2.8G bytes of available disk space (20% usage)
MainApp E-2008_OCT_16_16_24 (Release) 2008-10-16T16:40:57-0500 Running
AnalysisEngine E-2008_OCT_16_16_24 (Release) 2008-10-16T16:40:57-0500 NotRunning
CLI E-2008_OCT_16_16_24 (Release) 2008-10-16T16:40:57-0500
Upgrade History:
* IPS-sig-S386-req-E3 15:15:25 UTC Sat Mar 14 2009
IPS-sig-S407-req-E3.pkg 16:02:01 UTC Sat Jul 11 2009
Maintenance Partition Version 2.1(3)
Recovery Partition Version 1.1 - 6.2(1)E3
Host Certificate Valid from: 25-Feb-2008 to 25-Feb-2010
Appreciating your earlier reply.
Regards,
AVS
There is no license required to do software upgrades. However, a valid license is required to install signature updates.
Regards
Farrukh -
Upgradation of IPS in AIPSSM Module
Hi All,
Can we upgrade the Engine Version of IPS from 6.0(3)E1 to the latest engine version directly in the AIPSSM Module? If yes, please let me know if there are any steps to be noted down while upgrading the same.
Regards
Kiran
Please refer to the following link:
http://www.cisco.com/en/US/partner/docs/security/ips/7.0/release/notes/22789_01.html#wp1235012
SongL -
Signature upgrade while IPS licensed expired
Dear All,
I have an IDSM-2 module in a 6513 switch. One IPS license is expired. The other IPS license is still valid for 2 months.
Can I still upgrade the signature of this expired (licensed) IPS?
Please advise
Regards,
Anser
Thanks.
How much sensor inspection load in % is considered normal? Sometimes it becomes more than 60% and I see a delay of 15ms to 20ms in the local network during load on the sensors.
Please suggest.
Regards,
Anser -
Can't find purchased apps after upgrade to IPS 7.0
Grrr - that 7.0 upgrade did NOT go well - major hassle and confusion
Now, maybe I have a new AppleID - one thing's for sure - I see NONE of my purchased apps, now!?
Oh, dear - what shall be done?
Anyone?
Please?
Now, maybe I have a new AppleID
If you created a new Apple ID you will never see your previous purchases!
Content is forever tied to the Apple ID that bought it. Apple does not transfer content from one Apple ID to another. Apple does not merge Apple IDs. -
Upgrade IPS module on ASA to 6.0.3
I upgraded the IPS module ASA-SSM-20 on the ASA from 5.x to 6.0.3 lately. The ASAs are set up as active/standby. I upgraded both modules successfully on each ASA. After the upgrade, I noticed the ASA failed over to the other partner about 10 times in the past day, particularly when traffic was high. Before the upgrade, I didn't have this problem. Has anyone run into this problem before, and any idea? Thanks.
Hi, I have the same problem at one of our customers. I would like to compare my and your sw versions. We are using Cisco ASA ver 7.0.7GD; I also tested it on versions 7.2.2 and 7.2.3 and the result is the same! Do you also use the IPS Firmware version: 1.0(11)2, Software version: 6.0(3)E1? Please could you write out "show failover state" from the configuration; do you also see there in the field "Last Failure Reason" = IPS Card Failure in both units? I think there should be some problem with the new IPS software! If you wish, contact me!
Best regards
Jakub Chytracek -
Can anyone help me with the steps of upgrading the IPS signature for the platform ASA SSM-20, IDS 4215, WV-SVC-IDSM-2 via IDM and IME. All the sensors are already upgraded with Engine E4 with signature S480.
Can I upgrade the signature directly from S480 to S507? Please let me know the file which I need to download. Is there any impact while updating the signature, like a reboot?
Hi Gangadaran,
We can apply the same package on all the mentioned platforms. It can be applied to all below platforms:
- IPS-42xx Cisco Intrusion Prevention System (IPS) sensors
- IDS-42xx Cisco Intrusion Detection System (IDS) sensors (except the IDS-4220, and IDS-4230)
- WS-SVC-IDSM2 series Intrusion Detection System Module (IDSM2)
- NM-CIDS IDS Network Module for Cisco 26xx, 3680, and 37xx Router Families.
- ASA-SSM-10 Cisco ASA Advanced Inspection and Prevention Security Services Module (Requires ASA)
- ASA-SSM-20 Cisco ASA Advanced Inspection and Prevention Security Services Module (Requires ASA)
- ASA-SSM-40 Cisco ASA Advanced Inspection and Prevention Security Services Module (Requires ASA)
- AIM-IPS Cisco Advanced Integration Module for ISR Routers
Refer the readme for all details:
http://www.cisco.com/web/software/282549755/37074/IPS-sig-S507.readme.txt
All the best!!
Thanks,
Prapanch -
Can VMS be used to upgrade IPS version (not sig)
Can VMS be used to upgrade the IPS version on sensors? Or do you have to log into each sensor and upgrade that way?
VMS (and its little brother CSM) were designed to apply all the updates: signature, Service Packs and even (when you're lucky) Major Updates. VMS is a management tool, allowing you to manage more sensors than if you had to log into each one by hand.
-
ASA SSM IPS module upgrade won't work
Hello all,
I'm trying to upgrade the IPS sig's on an ASA5520 with a SSM IPS module. I'm trying to upgrade the system to 5.1.1 to further upgrade the device with no luck.
I followed these steps provided by Cisco.com:
1. Log in to the ASA.
2. Enter enable mode:
asa# enable
3. Configure the recovery settings for ASA-SSM:
asa (enable)# hw-module module 1 recover configure
NOTE: If you make an error in the recovery configuration, use the
hw-module module 1 recover stop command to stop the system reimaging
and then you can correct the configuration.
4. Specify the TFTP URL for the system image:
Image URL [tftp://0.0.0.0/]:
Example:
Image URL [tftp://0.0.0.0/]: tftp://10.20.30.40/IPS-SSM-K9-sys-1.1-a-5.1-1.img
5. Specify the command and control interface of ASA-SSM:
Port IP Address [0.0.0.0]:
Example:
Port IP Address [0.0.0.0]: 11.21.31.41
6. Leave the VLAN ID at 0.
VLAN ID [0]:
7. Specify the default gateway of the ASA-SSM:
Gateway IP Address [0.0.0.0]:
Example:
Gateway IP Address [0.0.0.0]: 11.22.33.44
8. Execute the recovery:
asa# hw-module module 1 recover boot
9. Periodically check the recovery until it is complete.
NOTE: The status reads "Recovery" during recovery and reads "Up" when
reimaging is complete.
After #8 it just goes back to the enable prompt. A 'sh module' lists the device as 'recover' and hangs FOREVER.... I tested the TFTP server which the new image resides on, and the TFTP is working fine. I don't see any attempts or downloads from the TFTP server for over an hour.
I opened a Cisco TAC on this and am not receiving a lot of help...
Please help!!!:)
Thanks
Chris Serafin
The recovery using this method can take upwards of 30 minutes, and in some cases even longer.
How long have you left the SSM in the "recovery" state?
There may be something wrong in the config you entered. When that happens the SSM can go into a continuous reboot cycle trying to do the recovery.
Execute "debug module-boot" on the console of the ASA.
The debug output will show you the ROMMON output of the SSM itself. (The SSM has its own ROMMON. The recovery boot command sends the settings made during the recover configure command to the SSM's ROMMON).
If the ROMMON is experiencing a problem in trying to download the tftp image you should now see that ROMMON error message.
Some typical problems I have seen:
1) Wrong IP given for the sensor.
2) Wrong IP given for the gateway (the gateway must exist on the same network as the sensor). This problem usually happens when using a non-standard netmasked network.
3) Not having the sensor's command and control port plugged into the right network. The external port of the SSM itself is where the IP is being applied. You need to ensure that the external port of the SSM is plugged into the right network for that IP.
4) The tftp server is not reachable from the network where the sensor's command and control port is attached. Some users think that if the ASA itself can reach the tftp server that the SSM will also be able to. This is not always the case. It is best to use a tftp server on the same network as the IP provided to the SSM. Or to test the tftp server from another machine on the same network as the SSM.
5) The file name is wrong. Check the capitalization especially.
6) The file is not in the default directory on the tftp server. If the file is in a subdirectory you will need to add that subdirectory to the URL:
tftp://10.20.30.40/subdirectoryname/filename
7) The tftp is timing out.
There are 2 things that can cause this:
a) The tftp server is remote, and it takes too long to download the file. The ROMMON does have limits on the number of retries and per packet timeouts (but they are not user configurable). Try using a tftp server local to the SSM.
b) The switch that the SSM connects to has spanning-tree running and spanning-tree does not complete before the SSM ROMMON times out for the tftp attempt. The tftp attempt happens immediately upon ROMMON startup and link up. But with a switch the switch port may be in a "Listen" or "Learn" state for 40 seconds before the box can actually talk on the network. In some cases the tftp download attempts started as soon as link up, and may timeout even before the spanning-tree completes. To work around this configure "spanning-tree portfast" on the switchport. Spanning-tree will connect the port into the vlan immediately rather than 40 seconds later.
If it was a config problem when configuring the recovery settings, then there is a "recover stop" command on the ASA.
It will stop the reboot cycle from happening.
Let the module come up with the old image.
Then correct your "recover configure" settings, and try the "recover boot" again.
Another alternative:
Stop the recovery "recover stop"
Let it boot into the old image.
If it was a 5.0 version, then you can actually upgrade to 5.1 using the sensor's own CLI "upgrade" command. It is actually the preferred method.
The "recover" from the ASA will wipe the box clean and load a fresh image.
The "upgrade" from the sensor will convert your 5.0 config into a 5.1 config while installing 5.1.
5.1 upgrade file:
IPS-K9-min-5.1-1g.pkg
http://www.cisco.com/cgi-bin/tablebuild.pl/ips5
It can be applied through the sensor's CLI upgrade command, or pushed directly through IDM, or applied by CSM.
The "recover" should be limited to disaster recovery. When you can't access the SSM at all, or the files on the SSM have been corrupted.
For normal upgrades you want to use "upgrade" files done through the sensor itself (CLI, IDM, or CSM). -
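A pre-flight check for the "recover configure" values, covering problems 1, 2, 4, 5 and 6 from the reply above; this is an added example, not part of the original posts or of any Cisco tool. The function name, the prefix length of the command-and-control network and the list of files under the TFTP root are assumptions supplied by the operator.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: files as they sit under a hypothetical TFTP root.
TFTP_FILES = ["ips/IPS-SSM-K9-sys-1.1-a-5.1-1.img"]

def check_recovery_settings(image_url, port_ip, gateway_ip, prefix_len, tftp_files):
    """Return findings for the values typed into 'recover configure'.

    prefix_len (mask length of the command-and-control network) and
    tftp_files (paths relative to the TFTP root) are assumed inputs.
    """
    url = urlsplit(image_url)
    if url.scheme != "tftp" or not url.hostname:
        return ["image URL must look like tftp://<server-ip>/<path>"]
    try:
        server = ipaddress.ip_address(url.hostname)
        sensor = ipaddress.ip_address(port_ip)
        gateway = ipaddress.ip_address(gateway_ip)
    except ValueError as exc:
        return [f"not an IP address: {exc}"]
    findings = []
    for name, addr in (("TFTP server", server), ("port IP", sensor)):
        if addr.is_unspecified:
            findings.append(f"{name} is still the 0.0.0.0 default")
    net = ipaddress.ip_network(f"{sensor}/{prefix_len}", strict=False)
    # Problem 2: the gateway must be on the sensor's own network.
    if gateway not in net:
        findings.append(f"gateway {gateway} is not on {net}")
    # Problem 4: a server on another network depends on routing from the SSM.
    if server not in net:
        findings.append(f"TFTP server {server} is outside {net}")
    # Problems 5 and 6: the path must match the server's file exactly.
    path = url.path.lstrip("/")
    if path not in tftp_files:
        by_lower = {f.lower(): f for f in tftp_files}
        by_base = {f.rsplit("/", 1)[-1]: f for f in tftp_files}
        if path.lower() in by_lower:
            findings.append(f"capitalization differs: server has {by_lower[path.lower()]}")
        elif path in by_base:
            findings.append(f"file is in a subdirectory: use {by_base[path]}")
        else:
            findings.append(f"{path} not found under the TFTP root")
    return findings

if __name__ == "__main__":
    # Values from the question above, checked against an assumed /24 mask.
    for line in check_recovery_settings(
            "tftp://10.20.30.40/IPS-SSM-K9-sys-1.1-a-5.1-1.img",
            "11.21.31.41", "11.22.33.44", 24, TFTP_FILES):
        print(line)
```

With an 8-bit prefix the same port IP and gateway pass the gateway check, which is the "non-standard netmasked network" case the reply warns about.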
Upgrading ids 4.1 to IPS 5
I have a 4235 with 4.1. I am trying to upgrade with IPS-K9-maj-5.0-1e-S149.rpm.pkg. The sensor does its reboot but in the end it just hangs on "uncompressing Linux....ok, booting the kernel". Any idea why it stops there?
Call me stupid but I always have the same problem so I have got in the habit of backing up my config on the IDS and downloading the new .img file for the upgrades. I have had that happen to me way too many times... It won't happen if you use the .img file though... I promise you that ;)
Note: I said i backed up my IDS config because if you use the .img file you lose the config on the IDS as well.. Just an FYI. -
Activate the license and upgrade signature of AIS IPS on ASA
Hi,
I already have a SMARTnet contract for my IPS. Now, I need to auto upgrade my IPS signature.
While I was doing it, it asked me to activate a license key. How do I get the license key for my IPS?
Regards, CT
You can grab your license here:
http://cisco.com/go/license
and install it with these instructions:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_setup.html#wp1046739
- Bob -
Upgrading IDS4.0 to IPS
Can I upgrade IDS 4.0 to IPS. If so, pls tell me what procedure i have to follow.
The following page shows the list of supported sensors that can be upgraded to IPS5.1:
http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps4077/products_installation_guide_chapter09186a008055fc77.html#wp498739
The upgrade procedure to upgrade from IPS 4.1 to 5.x is given here:
http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps4077/products_installation_guide_chapter09186a008055fc78.html#wp1032104 -
New to IPS, what do I need to plan before I turn this on?
Hi, I have an ASA 5520 AIP-SSM 10. I'm having a consultant in to enable and upgrade our IPS on our ASA from 1.5 to 1.6 so it's integrated into the ASDM (sounds difficult). He said I need to plan what policies we need to enable for the interfaces and DMZs etc.
This is very new to me and I wondered if this is right, as it sounds bigger than I first thought. Basically I want my network to be as secure as possible and turning on the IPS we bought is needed.
Any advice, links etc would be most welcome.
Go to cisco.com, put this into the search field, download the pdf and read all 799 pages.
Configuring the Cisco Intrusion Prevention
System Sensor Using the Command Line
Interface 6.0
Sorry to be the bearer of bad news, but that is the only way to truly understand this enigmatic box.
Matt -
Is IPS patch 5.1 (1p1) incorporated into version 5.1(2)?
Hi
IPS version 5.1 was not stable in our network, so TAC engineer gave us a special patch (1p1) and we installed it.
This 1p1 was not published on CCO officially.
Now version 5.1(2) is out, does anyone know whether 1p1 is incorporated into this 5.1(2)? Can we upgrade the IPS to 5.1(2)?
Thanks in advance!
All of the fixes from 5.1(1p1) Patch have been incorporated into the 5.1(2) Service Pack.
-
Hi all,
I want to upgrade the signature on the IDS, but the IDS is on E3.
I know I have to use IPS-K9-7.0-2-E4.pkg to directly upgrade to E4.
My only concern: is there anything to take care of before doing this, or while doing this upgrade?
Because this router is very important and I don't want to lose anything,
can you people share the information so that I can do this without getting into any problem?
And please note the platform is IDSM-2.
Thanks
sh version
Application Partition:
Cisco Intrusion Prevention System, Version 6.2(1)E3
Host:
Realm Keys key1.0
Signature Definition:
Signature Update S479.0 2010-03-19
Virus Update V1.4 2007-03-02
OS Version: 2.4.30-IDS-smp-bigphys
Platform: WS-SVC-IDSM-2
Serial Number: +++++++++
Licensed, expires: 03-May-2011 UTC
Sensor up-time is 103 days.
Using 1407365120 out of 1983508480 bytes of available memory (70% usage)
application-data is using 37.4M out of 166.8M bytes of available disk space (24% usage)
boot is using 39.7M out of 68.6M bytes of available disk space (61% usage)
application-log is using 531.3M out of 2.8G bytes of available disk space (20% usage)
MainApp E-2008_OCT_16_16_24 (Release) 2008-10-16T16:40:57-0500 Running
AnalysisEngine E-2008_OCT_16_16_24 (Release) 2008-10-16T16:40:57-0500 Running
CLI E-2008_OCT_16_16_24 (Release) 2008-10-16T16:40:57-0500
Upgrade History:
* IPS-sig-S467-req-E3 23:25:03 UTC Sun Feb 07 2010
IPS-sig-S479-req-E3.pkg 03:10:04 UTC Thu Jun 03 2010
Maintenance Partition Version 2.1(1)
Recovery Partition Version 1.1 - 6.2(1)E3
Host Certificate Valid from: 27-Jul-2010 to 27-Jul-2012
Charanjit --
Before starting any upgrade work, I would suggest ALWAYS reading through the new version's release notes. They will provide any warnings, caveats, or special procedures that might be needed before doing the upgrade. Also, they will list out any basic requirements to use the new software. Release notes for 7.0(4)E4 can be found here:
http://www.cisco.com/en/US/docs/security/ips/7.0/release/notes/22789_01.html#wp1043779
That being said, it looks like you should have no problem upgrading directly to 7.0(4)E4 from your current version. From the link:
"The minimum required version for upgrading to 7.0(4)E4 is 5.1(6)E3 or later"
You shouldn't have to worry about the rest of the router chassis and modules, as the IDSM upgrades and reboots independently from the rest of the system. Just know that the upgrade can take a little while, so be patient while the module reboots and gets started up.
Of course, as with any upgrade, I would make new backups of all configurations and data before installation, just in case something unexpected occurs.