Upgrade asa5585x ips

Similar Messages

• Upgradation from IPS 6.2(1)e3 to 7.0(2)E3.

  Hi All.
     Any separate license is required to upgrading os from 6.2(1)e3 to  7.0(2)E3 .
  Pls find the show version of IPS.
  sh version
  Application Partition:
  Cisco Intrusion Prevention System, Version 6.2(1)E3
  Host:
      Realm Keys            key1.0
  Signature Definition:
      Signature Update      S407.0                   2009-06-08
      Virus Update          V1.4                     2007-03-02
  OS Version:               2.4.30-IDS-smp-bigphys
  Platform:                 WS-SVC-IDSM-2
  Serial Number:           
  Trial license, expires:   02-Mar-2011 UTC
  Sensor up-time is 10 days.
  Using 1408135168 out of 1983508480 bytes of available memory (70% usage)
  application-data is using 36.7M out of 166.8M bytes of available disk space (23%
  usage)
  boot is using 39.7M out of 68.6M bytes of available disk space (61% usage)
  application-log is using 533.0M out of 2.8G bytes of available disk space (20% u
  sage)
  MainApp          E-2008_OCT_16_16_24   (Release)   2008-10-16T16:40:57-0500   Ru
  nning
  AnalysisEngine   E-2008_OCT_16_16_24   (Release)   2008-10-16T16:40:57-0500   No
  tRunning
  CLI              E-2008_OCT_16_16_24   (Release)   2008-10-16T16:40:57-0500
  Upgrade History:
  * IPS-sig-S386-req-E3       15:15:25 UTC Sat Mar 14 2009
    IPS-sig-S407-req-E3.pkg   16:02:01 UTC Sat Jul 11 2009
  Maintenance Partition Version 2.1(3)
  Recovery Partition Version 1.1 - 6.2(1)E3
  Host Certificate Valid from: 25-Feb-2008 to 25-Feb-2010
  Appreciating your earlier reply.
  Regards,
  AVS

  There is no license required to do software upgrades.However a valid License is required to install signature updates.
  Regards
  Farrukh

• Upgradation of IPS in AIPSSM Module

  Hi All,
  Can we upgrade the Engine Version of IPS from 6.0(3)E1 to the latest engine version directly in AIPSSM Module . If yes,please let me know if any steps to be noted down while upgrading the same.
  Regards
  Kiran

  Please refer to the following link:
  http://www.cisco.com/en/US/partner/docs/security/ips/7.0/release/notes/22789_01.html#wp1235012
  SongL

• Signature upgrade while IPS licensed expired

  Dear All,
  I have IDSM-2 module in 6513 switch. One IPS licensed is expired. Other IPS licensed is still valid to 2 months.
  Can I still upgrade the signature of this expired(licensed) IPS?
  Please advice
  Regards,
  Anser

  Thanks.
  How much sensor inspection load in % consider as normal. Sometime it becomes for than 60% and I see the delay of 15ms to 20ms in the local network druing load on sensors.
  Please suggest.
  Regards,
  Anser

• Can't find purchased apps after upgrade to IPS 7.0

  Grrr - that 7.0 upgrade did NOT go well - major hassle and confusion
  Now, maybe I have a new AppleID - one thing's for sure - I see NONE of my purchased apps, now!?
  Oh, dear - what shall be done?
  Anyone?
  Please?

  Now, maybe I have a new AppleID
  If you created a new Apple ID you will never see your previous purchases!
  Content is forever tied to the Apple ID that bought it. Apple does not transfer content from one Apple ID to another. Apple does not merge Apple IDs.

• Upgrade IPS moudle on ASA to 6.0.3

  I upgraded the ips module ASA-SSM-20 on the ASA from 5.x to 6.0.3 lately. The ASA are setup as active/standby. i upgraded both modules successfully on each ASA. After the upgrade, i notice the ASA failover to the other partner about 10 times for the past day, particularly when traffic was high. Before the upgrade, i don't have this problem. Anyone run into this problem before, and any idea? thanks.

  Hi, I have the same problem by one our customer. I would like to compare my and your sw versions? We are using Cisco ASA ver 7.0.7GD, I tested it also on versions 7.2.2 and 7.2.3 the result is the same! Do you use also the IPS Firmware version: 1.0(11)2, Software version: 6.0(3)E1? Please could you write out from configuration "show failover state", do you see there also in the field "Last Failure Reason" = IPS Card Failure in both unit? I thing there should be some problem with the new IPS software! If you wish contact me!
  Best regards
  Jakub Chytracek
  [email protected]

• How to upgrade IPS Signature

  Can anyone help me with the steps of upgrading the IPS signature for the platform ASA SSM-20, IDS 4215, WV-SVC-IDSM-2 via IDM and IME. All the sensors are already upgraded with Engine E4 with signature S480.
  Can I upgrade the signature directly from S480 to S507? Please let me know the file which I need to download. Is there any impact while updating the signture like reboot?

  Hi Gangadaran,
  We can apply the same package on all the mentioned platforms. It can be applied to all below platforms:
  - IPS-42xx Cisco Intrusion Prevention System (IPS) sensors
  - IDS-42xx Cisco Intrusion Detection System (IDS) sensors (except the IDS-4220, and IDS-4230)
  - WS-SVC-IDSM2 series Intrusion Detection System Module (IDSM2)
  - NM-CIDS IDS Network Module for Cisco 26xx, 3680, and 37xx Router Families.
  - ASA-SSM-10 Cisco ASA Advanced Inspection and Prevention Security Services Module (Requires ASA)
  - ASA-SSM-20 Cisco ASA Advanced Inspection and Prevention Security Services Module (Requires ASA)
  - ASA-SSM-40 Cisco ASA Advanced Inspection and Prevention Security Services Module (Requires ASA)
  - AIM-IPS Cisco Advanced Integration Module for ISR Routers
  Refer the readme for all details:
  http://www.cisco.com/web/software/282549755/37074/IPS-sig-S507.readme.txt
  All the best!!
  Thanks,
  Prapanch

• Can VMS be used to upgrade IPS version (not sig)

  Can VMS be used to upgrade the IPS version on sensors? Or do you have to log into each sensor and upgrade that way?

  VMS (and it's little brother CSM) were designed to apply all the updates; signature, Service Packs and even (when you're lucky) Majot Updates. VMS is a management tool, allowing you to manage more sensors than if you had to log into each one by hand.

• ASA SSM IPS module upgrade won't work

  Hello all,
  I'm trying to upgrade the IPS sig's on an ASA5520 with a SSM IPS module. I'm trying to upgrade the system to 5.1.1 to further upgrade the device with no luck.
  I followed these steps provided by Cisco.com:
  1. Log in to the ASA.
  2. Enter enable mode:
  asa# enable
  3. Configure the recovery settings for ASA-SSM:
  asa (enable)# hw-module module 1 recover configure
  NOTE: If you make an error in the recovery configuration, use the
  hw-module module 1 recover stop command to stop the system reimaging
  and then you can correct the configuration.
  4. Specify the TFTP URL for the system image:
  Image URL [tftp://0.0.0.0/]:
  Example:
  Image URL [tftp://0.0.0.0/]: tftp://10.20.30.40/IPS-SSM-K9-sys-1.1-a-5.1-1.img
  5. Specify the command and control interface of ASA-SSM:
  Port IP Address [0.0.0.0]:
  Example:
  Port IP Address [0.0.0.0]: 11.21.31.41
  6. Leave the VLAN ID at 0.
  VLAN ID [0]:
  7. Specify the default gateway of the ASA-SSM:
  Gateway IP Address [0.0.0.0]:
  Example:
  Gateway IP Address [0.0.0.0]: 11.22.33.44
  8. Execute the recovery:
  asa# hw-module module 1 recover boot
  9. Periodically check the recovery until it is complete.
  NOTE: The status reads "Recovery" during recovery and reads "Up" when
  reimaging is complete.
  AFter #8 it just goes back to the enable prompt. A 'sh module' lists the device as 'recover' and hangs FOREVER.... I tested the TFTP server which the new image resides on, and the TFTP is working fine. I don't see any attempts or downloads from the TFTP server for over an hour.
  I opened a Ciscop TAC on this and not receiving alot of help...
  Please help!!!:)
  Thanks
  Chris Serafin
  [email protected]

  The recovery using this method can takes upwards of 30 minutes, and in some cases even longer.
  How long have you left the SSM in the "recovery" state?
  There may be something wrong in the config you entered. when that happens the SSM can go into a continuous reboot cycle trying to do the recovery.
  Execute "debug module-boot" on the console of the ASA.
  The debug output will show you the ROMMON output of the SSM itself. (The SSM has it's own ROMMON. The recovery boot command sends the settings made during the recover configure command to the SSM's ROMMON).
  If the ROMMON is experiencing a problem in trying to download the tftp image you should now see that ROMMON error message.
  Some typical problems I have seen:
  1) Wrong IP given for the sensor.
  2) Wrong IP given for the gateway (the gateway must exist on the same network as the sensor) this problem usually happens when using a non-standard netmasked network.
  3) Not having the sensor's command and control port plugged into the right network. The external port of the SSM itself is where the IP is being applied. You need to ensure that the extenral port of the SSM is plugged into the right network for that IP.
  4) The tftp server is not reachable from the network where the sensor's command and control port is attached. Some users think that if the ASA itself can reach the tftp server that the SSM will also be able to. This is not always the case. It is best to use a tftp server on the same network as the IP provided to the SSM. Or to test the tftp server from another machine on the same network as the SSM.
  5) The file name is wrong. Check the captialization especially.
  6) The file is not in the default directory on the tftp server. If the file is in a subdirectory you will need to add that subdirectory to the URL:
  tftp://10.20.30.40/subdirectoryname/filename
  7) The tftp is timing out.
  There are 2 things that can cause this:
  a) The tftp server is remote, and it takes too long to download the file. The ROMMON does have limits on the number of retries and per packet timeouts (but they are not user configurable). Try using a tftp server local to the SSM.
  b) The switch that the SSM connects to has spanning-tree running and spanning-tree does not complete before the SSM ROMMON times out for the tftp attempt. The tftp attempt happens immediately upon ROMMON startup and link up. But with a switch the switch port may be in a "Listen" or "Learn" state for 40 seconds before the box can actually talk on the network. In some cases the tftp download attempts started as soon as link up, and may timeout even before the spanning-tree completes. To work around this configure "spanning-tree portfast" on the switchport. Spanning-tree will connect the port into the vlan immediately rather than 40 seconds later.
  If it was a config problem when configuring the recovery settings, then there is a "recover stop" command on the ASA.
  It will stop the reboot cycle from happening.
  Let the module come up with the old image.
  Then correct your "recover configure" settings, and try the "recover boot" again.
  Another alternative:
  Stop the recovery "recover stop"
  Let it boot into the old image.
  If it was a 5.0 version, then you can actually upgrade to 5.1 using the sensor's own CLI "upgrade" command. It is actually the preferred method.
  The "recover" from the ASA will wipe the box clean and load a fresh image.
  The "upgrade" from the sensor will convert your 5.0 config into a 5.1 config while installing 5.1.
  5.1 upgrade file:
  IPS-K9-min-5.1-1g.pkg
  http://www.cisco.com/cgi-bin/tablebuild.pl/ips5
  It can be applied through the sensor's CLI upgrade command, or pushed directly through IDM, or applied by CSM.
  The "recover" should be limited to disaster recovery. When you can't access the SSM at all, or the files on the SSM have been corrupted.
  For normal upgrades you want to use "upgrade" files done through the sensor itelf (CLI, IDM, or CSM).

• Upgrading ids 4.1 to IPS 5

  I have a 4235 with 4.1 I am trying to upgrade with IPS-K9-maj-5.0-1e-S149.rpm.pkg the sensor does it's reboot but in the end it just hangs on "uncompressing Linux....ok, booting the kernel" any idea why it stops there.

  Call me stupid but I always have the same problem so I have got in the habit of backing up my config on the IDS and downloading the new .img file for the upgrades. I have had that happen to me way to many times.. It wont happen if you use the .img file though.. I promise you that ;)
  Note: I said i backed up my IDS config because if you use the .img file you lose the config on the IDS as well.. Just an FYI.

• Activate the license and upgrade signature of AIS IPS on ASA

  Hi,
  I alreay have smartnet contract for my IPS. Now, I need to do auto upgrade my IPS signature
  While i was doing, it ask me to activate license key. How to get the license key for my IPS?
  Regards, CT

  You can grab your license here:
  http://cisco.com/go/license
  and install it with these instructions:
  http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_setup.html#wp1046739
  - Bob

• Upgrading IDS4.0 to IPS

  Can I upgrade IDS 4.0 to IPS. If so, pls tell me what procedure i have to follow.

  Following page shows the list of supported sensors that can be upgrated to IPS5.1:
  http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps4077/products_installation_guide_chapter09186a008055fc77.html#wp498739
  The upgrade procedure to upgrade from IPS 4.1 to 5.x is given here:
  http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps4077/products_installation_guide_chapter09186a008055fc78.html#wp1032104

• New to IPS, what do I need to plan before I turn this on?

  Hi, I have an ASA 5520 AIP-SSM 10. I'm having a consultant in to enable and upgrade our IPS on our ASA from 1.5 to 1.6 so it's intergrated into the ASDM (sounds difficult). He said I need to plan what policies we need to enable for the interfaces and DMZ's etc.
  This is very new to me and I wondered if this is right, as it sounds bigger than I first thought. Basically I want my network to my as secure as possible and turning on the IPS we bought is needed.
  Any advise, links etc would be most welcome.

  Go to cisco.com, put this into the search field, download the pdf and read all 799 pages.
  Configuring the Cisco Intrusion Prevention
  System Sensor Using the Command Line
  Interface 6.0
  Sorry to be the bearer of bad news, but that is the only way to truly understand this enigmatic box.
  Matt

• Is IPS patch 5.1 (1p1) incoporated into version 5.1(2)?

  Hi
  IPS version 5.1 was not stable in our network, so TAC engineer gave us a special patch (1p1) and we installed it.
  This 1p1 was not published on CCO officially.
  Now version 5.1(2) is out, does anyone know whether 1p1 is incoporated into this 5.1(2)? Can we upgrade the IPS to 5.1(2)?
  Thanks in advance!

  All of the fixes from 5.1(1p1) Patch have been incorporated into the 5.1(2) Service Pack.

• Problems while upgrading 6.2(1)E3 to 7.0(4) E4 ...???

  Hi all,
  i want to upgrade signature on IDS, but IDS is on E3.
  i know i have to use IPS-K9-7.0-2-E4.pkg to directly upgrade to E4.
  my only concern, is there anything to take care of before doing this. or while doing this upgrade.
  because this router is very important and i don't want to lose anything,
  can you people share the information so that i can do this without getting into any problem.
  and please note platform is IDSM-2
  thanx
  sh version
  Application Partition:
  Cisco Intrusion Prevention System, Version 6.2(1)E3
  Host:
      Realm Keys          key1.0
  Signature Definition:
      Signature Update    S479.0                   2010-03-19
      Virus Update        V1.4                     2007-03-02
  OS Version:             2.4.30-IDS-smp-bigphys
  Platform:               WS-SVC-IDSM-2
  Serial Number:          +++++++++
  Licensed, expires:      03-May-2011 UTC
  Sensor up-time is 103 days.
  Using 1407365120 out of 1983508480 bytes of available memory (70% usage)
  application-data is using 37.4M out of 166.8M bytes of available disk space (24%                                              usage)
  boot is using 39.7M out of 68.6M bytes of available disk space (61% usage)
  application-log is using 531.3M out of 2.8G bytes of available disk space (20% u                                             sage)
  MainApp          E-2008_OCT_16_16_24   (Release)   2008-10-16T16:40:57-0500   Ru                                             nning
  AnalysisEngine   E-2008_OCT_16_16_24   (Release)   2008-10-16T16:40:57-0500   Ru                                             nning
  CLI              E-2008_OCT_16_16_24   (Release)   2008-10-16T16:40:57-0500                                                
  Upgrade History:
  * IPS-sig-S467-req-E3       23:25:03 UTC Sun Feb 07 2010
    IPS-sig-S479-req-E3.pkg   03:10:04 UTC Thu Jun 03 2010
  Maintenance Partition Version 2.1(1)
  Recovery Partition Version 1.1 - 6.2(1)E3
  Host Certificate Valid from: 27-Jul-2010 to 27-Jul-2012

  Charanjit --
  Before starting any upgrade work, I would suggest ALWAYS reading through the new version's release notes.  They will provide any warnings, caveats, or special procedures that might be needed before doing the upgrade.  Also, they will list out any basic requirements to use the new software.  Release notes for 7.0(4)E4 can be found here:
  http://www.cisco.com/en/US/docs/security/ips/7.0/release/notes/22789_01.html#wp1043779
  That being said, it looks like you should have no problem upgrading directly to 7.0(4)E4 from your current version.  From the link:
  "The minimum required version for upgrading to 7.0(4)E4 is 5.1(6)E3 or later"
  You shouldn't have to worry about the rest of the router chassis and modules, as the IDSM upgrades and reboots independently from the rest of the system.  Just know that the upgrade can take a little while, so be patient while the module reboots and gets started up.
  Of course, as with any upgrade, I would make new backups of all configurations and data before installation, just in case something unexpected occurs.