What to expect when ASA AIP SSM reaches maximum throughput?

Hi,
I'm just curious what happens to traffic when you have an IPS module in an ASA and it reaches the maximum throughput?
Does it allow the traffic and only inspect what it can handle? Or does it "fail" and then either allow all the traffic or block it based on the "fail-open" or "fail-close" configuration?
Thanks,
Brad

When the sensor (SSM or any other sensor) is oversubscribed and the sensor is monitoring inline, then a portion of the traffic will be dropped.
The traffic will not be allowed through if it has not been inspected.
The "fail-open", "fail-close", and "bypass" settings are not relevant when talking about oversubscription.
The only time the "fail-open", "fail-close", or "bypass" configurations come into play is if the sensor cannot do ANY analysis (either a failure, or an upgrade in progress).

Similar Messages

  • Cisco IPS 4240 VS Cisco ASA AIP SSM-10 Module

    I'm looking to replace another vendor's IPS system we have at our company. We do have an ASA 5510 in our environment currently.
    Considering I don't need the extra bandwidth of the IPS 4240 series, and the AIP SSM-10 requires an ASA 5510, what are the differences?

    Operationally the AIP-SSM1 and the 4240 run the same software, so they work pretty much the same.
    The AIP-SSM inside the ASA is the less expensive alternative, but because it sits inside an ASA there is more to configure and manage (the ASA plus the sensor). The ASA also has some built-in inspections that may filter some traffic/attacks from being seen at the AIP-SSM sensor.
    - Bob

  • Block P2P software using ASA-AIP-SSM-20 module

    Hello,
    I have got a question about blocking P2P traffic on the ASA AIP module. I have searched the forums and all I could find were solutions using regex, port blocking, MPF, but no AIP implementation example.
    Could anyone point me in the right direction please?
    Many thanks,
    Martin

    Hello Paps,
    Many thanks for your reply. I was searching the web like crazy for some solutions using IPS and it never occurred to me that I could just simply look for the signature files on the Cisco website.
    Thank you very much again.
    With regards,
    Martin

  • Do any ASA Inspect statements overlap AIP-SSM functionality?

    Are the ASA inspect statements (http, ftp, sunrpc, etc.) a duplication of functionality available in the AIP-SSM IPS module? Asked another way, can/should any of the inspect statements be turned off when the AIP-SSM is present?

    http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080640337.html#wp1313159

  • How ASA forwarding traffic to AIP-SSM

    Hi All,
    Can someone help explain how the ASA device forwards traffic to the AIP-SSM? I'm not talking about the configuration part like class-map, policy-map and service-policy.... I want to understand the traffic flow from the ASA to the AIP-SSM once traffic is matched by the ACL.
    From one Cisco document, I understood that the module uses a Cisco proprietary protocol for communicating with the ASA appliance.
    ================================================================================================================
    FYR from Cisco Website:
    Q. How does the Cisco ASA AIP-SSM plug into and communicate with the appliance?
    A. The Cisco ASA AIP-SSM plugs directly into the SSM slot in the Cisco ASA appliance's chassis. This provides a direct connection to the appliance's backplane. Once the module is installed, a proprietary protocol runs over the bus and controls data flow and messaging between the module and appliance.
    ================================================================================================================
    Regards,
    S.Vinoth

    Hey,
    as you mentioned above, it uses a Cisco proprietary protocol for that communication. There are two interfaces, a control channel and a data channel; the data channel is where the traffic is forwarded, and the backplane is the connection between the ASA and the IPS interface.
    Hope that this helps.
    Mohammad.

  • AIP-SSM-10 status: Unresponsive

    Hi All,
    I wish to know what can result in an AIP-SSM-10 being in an unresponsive mode.
    Thanks, all.

    Power cycle the ASA. If the AIP-SSM console port doesn't come back to life, RMA it with a Cisco TAC case.
    - Bob

  • AIP-SSM (Not Applicable)

    Hi Experts,
    We have 2 ASAs and each one has an AIP-SSM. On the 2nd ASA's AIP-SSM I tried to upload the latest image for the AIP-SSM-20 but it didn't work and now I see the module is dead... please check the details below..... Please help me out with how to bring it up or make it work properly so that I can configure other stuff. Please, it's very important and urgent, help me out....
    ASA-A:
    251-DBSi-ASA5540# sh module 1
    Mod Card Type                                    Model              Serial No.
      1 ASA 5500 Series Security Services Module-20  ASA-SSM-20         JAF11370608
    Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
      1 0007.0e11.e13b to 0007.0e11.e13b  1.0          1.0(11)2     5.1(6)E1
    Mod SSM Application Name           Status           SSM Application Version
      1 IPS                            Up               5.1(6)E1
    Mod Status             Data Plane Status     Compatibility
      1 Up                 Up
    ASA-B:
    251-DBSi-ASA5540# sh module 1
    Mod Card Type                                    Model              Serial No.
      1 ASA 5500 Series Security Services Module-20  ASA-SSM-20         JAF1137060C
    Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
      1 001d.4524.a414 to 001d.4524.a414  1.0          1.0(11)2     5.1(6)E1
    Mod SSM Application Name           Status           SSM Application Version
      1 IPS                            Not Applicable   5.1(6)E1
    Mod Status             Data Plane Status     Compatibility
      1 Recover            Not Applicable

    Please try rebooting the module; if that does not work, recover it using the following procedure:
    http://www.cisco.com/en/US/docs/security/ips/5.0/configuration/guide/cli/cliimage.html#wpxref68481
    Regards
    Farrukh

  • AAA for AIP-SSM-40

    Hi,
    Can AAA be activated with the IPS module of the ASA (AIP-SSM card)? If so, please let me know how.
    Thx in advance
    Ihssan

    Please see the following URL:
    http://www.cisco.com/en/US/docs/security/ips/7.1/configuration/guide/idm/idm_setup.html#wp1245416
    As stated here, Authentication and Authorization are supported, but Accounting messages aren't sent to the RADIUS backend.

  • What To Expect With MDT 2013 Multicast from WDS 2008 R2?

    I am having a hard time finding out what to expect when setting this up. I don't think anyone has posted a demo video showing it in action or even a detailed blog with screenshots. The only multicast videos I have seen were old ones of WDS multicasting that had no reference to MDT.
    What I understand is, once I have working WDS integration with PXE boot, all I need to do is go into the properties of the deployment share, then select the option to enable multicast support, and then update the deployment share. After that everything is supposed to work as long as the network supports multicasting.
    So, how does it work from there? How do you take advantage of it?
    When I boot up a workstation to deploy to, where do I configure the specific deployment task to use multicasting (or not, if I am just imaging a single system)? When I boot the second and third machine to image, what are the steps to join the ongoing multicast? Do you pick the deployment task from the wizard again, or does any machine booted to MDT join any in-progress multicast automatically?
    Can you use the wizard to select different optional installed applications for different machines when using a multicast?
    If you are imaging 30 workstations, can you configure it to start the multicast when the 30th connection is made, or does it start as soon as the first one joins?

    Once multicasting is set in the deployment share it will become the default method of deploying an image for clients connecting to that deployment point. As far as I'm aware the boot disk does not need to be updated for this to take effect.
    Multicasting in WDS is a rolling session. It will start as soon as the first client connects and will end when the last machine finishes. Machines can come and go throughout the session.
    There are more options that can be applied (such as the number of machines to wait for) but you need to change registry settings to do this.
    I did have a GUI for this on my to-do list, but never got around to it. Maybe it's worth another look.

  • Best practices for using Normalizer in ASA and in AIP-SSM

    Both PIX OS 7.x and IPS 5.x software have a concept of "traffic normalization". PIX OS on the ASA can do virtual reassembly; IPS on the SSM (so far as I know) can do physical reassembly and fragmentation of IP packets. Also, both ASA and SSM can do TCP normalization. For example, they both can "check inconsistent retransmissions" and protect against "TTL evasion attacks". I realize that PIX OS has only basic normalization functions and the SSM is much more configurable.
    The question is: what are the best practices here? Is it better to disable some IP/TCP PIX OS checks / IPS signatures on the ASA and/or SSM? Is it better to use just the SSM for traffic normalization? Does anybody have personal experience here?
    Also, there is a BugID CSCsd04327 - "ASA all out of order packets are dropped when sending to ssm"
    "When ips ssm is inline slowness is reported. show service-policy shows that the number of out of order packets reported match exactly the number of no buffer drops (even with queue-limit option). Performance hit is not the result of tcp normalization (on IPS 5.x ssm) in this case, but rather an issue with asa normalizer."
    To me it seems more logical to have the normalization function on the firewall, but there may be drawbacks in doing this.
    So, those who are using the ASA with the SSM, please share your experience.
    Thx.

    Yes, this is almost correct ;)
    TCP SRP (Stream Reassembly Processor) is turned OFF on the SSM and cannot be enabled, contrary to the 4200 appliances, but IP FRP (Fragmentation Reassembly Processor) is functioning on the SSM.
    The testing of 7.2(1) shows the following:
    When you configure a "policy-map" to send packets to the SSM, the "tcp-map" parameter "queue-limit", which has the value of zero by default, is set to an X (the X is unknown). This means that the ASA now only accepts the TCP segments which are sent in the correct order. More specifically, gaps in SEQs are not allowed anymore. When, for example, the ASA receives a TCP segment which has a SEQ within the window, but the previous TCP segment has been lost, it sends an ACK to the sender to enforce retransmission of the lost segment. As a result the sender retransmits both segments. Only after that does the ASA forward both segments to the SSM. This basically means that the SSM always sees in-order TCP segments. That is why SRP is not needed on the SSM.
    There are at least two problems, however.
    The first problem is the performance impact.
    The ASA now acts almost like a proxy. And, so far as I know, it doesn't support SACK (Selective ACKs). First, when the ASA does TCP SEQ randomization it doesn't change SEQ values within the SACK TCP option. This simply breaks SACK. Second, even if you turn the randomization mechanism OFF, then, I believe, the ASA will not selectively ACK the lost TCP segments, as it simply doesn't support this mechanism.
    The second problem is THE SECURITY HOLE.
    By default the ASA doesn't check TCP checksums. The 4200 appliances do check by default. But as we now know the SRP is turned OFF on the SSM... So, this means that the SSM module can easily be evaded. The hacker only needs to mix attacking traffic with random TCP segments that have a bad TCP checksum. The SSM module will see the mixture of the two and will not recognize the attack. The target host will drop the TCP segments with the bad checksums and see only the attacking traffic... This has been successfully verified in the lab.
    Of course, this security hole can be closed with the "tcp-map" parameter "checksum-verification", but it will definitely have a performance impact.
    The last note: All of the above has never been documented by Cisco. So, use at your own risk, etc.
    I hope you will read this message, Marcoa. All of this MUST be documented. Once again, the default behaviour of the ASA opens up a big security hole.
    Regards,
    Oleg Tipisov,
    REDCENTER,
    Moscow
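
To make the checksum point above concrete from the mitigation side, here is an added Python model (not code from the thread, and not Cisco's implementation) of what the tcp-map "checksum-verification" setting changes: it recomputes the TCP checksum over a constructed three-segment flow in which one segment carries a bad checksum, and shows the reassembled stream an inline sensor would see with verification off versus on. The addresses, ports and payloads are constructed sample data; the sensor model is a simplification and assumes the first segment seen for a sequence number is the one the sensor keeps.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus TCP header and payload,
    with the checksum field (TCP header bytes 16..17) treated as zero."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))  # 6 = TCP
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF

def verify_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """The check tcp-map checksum-verification adds: recompute and compare."""
    stored = struct.unpack("!H", segment[16:18])[0]
    return stored == tcp_checksum(src_ip, dst_ip, segment)

def build_segment(src_ip, dst_ip, seq: int, payload: bytes, corrupt=False) -> bytes:
    """Constructed sample segment: 20-byte TCP header (PSH|ACK, no options),
    port 40000 -> 80. corrupt=True flips the checksum's low bit, producing the
    kind of segment a receiving host silently discards."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    seg = hdr + payload
    csum = tcp_checksum(src_ip, dst_ip, seg) ^ (1 if corrupt else 0)
    return seg[:16] + struct.pack("!H", csum) + seg[18:]

def reassemble(src_ip, dst_ip, segments, verify: bool):
    """Simplified model of an inline sensor's view of one direction of a flow.
    verify=False is the ASA default the thread describes: every segment is
    accepted. verify=True drops bad-checksum segments first. The first segment
    seen for a sequence number wins. Returns (stream, dropped_count)."""
    by_seq, dropped = {}, 0
    for seg in segments:
        if verify and not verify_checksum(src_ip, dst_ip, seg):
            dropped += 1
            continue
        by_seq.setdefault(struct.unpack("!I", seg[4:8])[0], seg[20:])
    return b"".join(by_seq[s] for s in sorted(by_seq)), dropped

SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])  # constructed addresses

def sample_flow():
    """Constructed flow: a valid request split in two, plus a bad-checksum
    segment injected at the second segment's sequence number."""
    first = b"GET /index.html "
    return [
        build_segment(SRC, DST, 1000, first),
        build_segment(SRC, DST, 1000 + len(first), b"XXXX", corrupt=True),
        build_segment(SRC, DST, 1000 + len(first), b"HTTP/1.0\r\n\r\n"),
    ]

if __name__ == "__main__":
    for verify in (False, True):
        stream, dropped = reassemble(SRC, DST, sample_flow(), verify)
        print(f"checksum-verification {'on' if verify else 'off'}: "
              f"dropped={dropped}, sensor sees {stream!r}")
```

With verification off the sensor's reassembled stream differs from what the end host reconstructs; with it on, the bad segment is dropped before reassembly and both views agree.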

  • ASA failover with 1 AIP SSM in Active/Standby?

    I have a customer with two ASAs; in Active/Standby. They want to purchase one AIP. Will failover (without the AIP functionality) to the Standby work if the AIP is configured for Promiscuous mode? Thanks, Bob

    The only connection to the SSM that can be made internally through the ASA is a "session". This is an internal telnet to the SSM and can be used to access the SSM's CLI.
    This is very useful when you manage your SSM directly through the CLI.
    However, most customers prefer to use a graphics based tool like IDM, ASDM, or CSM for managing the configuration of the SSM, and prefer to use a graphics based tool like IEV or CS MARS for monitoring of the alerts from the SSM.
    All of these graphics based tools need network access to the SSM through a web port (https on port 443 by default). Access to this port is not allowed internally through the ASA direct to the SSM.
    All web connections must be made to the External Management interface of the SSM.
    If you are not using all 4 of your ASA interfaces you could choose to wire the External SSM interface directly to one of your ASA interfaces, and create a small subnet for the ASA and IPS IP Addresses. So then all external connections to the SSM would be routed into the ASA, then out of the ASA, and into the external port of the SSM.
    That subnet of just the ASA and SSM could be made using a network reserved for local IPs (like a 10, or 172, or 192 network) and then use NAT/PAT for translation on the other network interfaces of the ASA.
    But it does still require that wire connected to the external port of the SSM.

  • What is AIP-SSM-20

    I have been quoted for an ASA 5520 with AIP-SSM-20 and one with AIP-SSM-10. What is this?
    Thanks

    Andy
    This link has a chart which provides some information and some comparisons of the various models:
    http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
    Based on the description I would think that the -10 would be sufficient for your requirements.
    HTH
    Rick

  • Hello my name is Omar Andres Santacruz, finished iMedicalOffice buy a program you have in the app store but what he said on the page is not what I expected, I was very disappointed that, frustrated and reweighed when I check my account had gained 139.99 f

    Hello my name is Omar Andres Santacruz, finished iMedicalOffice buy a program you have in the app store but what he said on the page is not what I expected, I was very disappointed that, frustrated and reweighed when I check my account had gained 139.99 for 7 times, I do not understand what has happened that is not the first time I buy something ustedeses thank you very much for your help

    Wow, Karan Taneja, you've just embarrassed yourself on a worldwide support forum. Not only is your post ridiculous and completely inappropriate for a technical support forum, but it also shows your ignorance as to whom you think the audience is. Apple is not here. It's users, like you.
    If you would have spent half the time actually reading the Terms of Use of this forum that YOU agreed to by signing up to post, as you did composing that useless, inappropriate post, you (and the rest of us on this forum) would have been much better off.

  • Single AIP-SSM in Cisco ASA Failover Active / Standby Mode

    Hi,
    Can I add a single AIP-SSM to Cisco ASAs in failover active/standby mode?

    No, both units need the same hardware, that includes the installed modules.
    Sent from Cisco Technical Support iPad App

  • What should I expect when opening an SR?

    Over this past year, I believe I have opened (4) SRs. One of them was an incredible experience when we lost an entire Cluster Resource and the Novell Engineer helped us in building the new one and taught us much in the course of the rebuild.
    My first SR was to finalize our documentation regarding the creation of Cluster Resources. Overall, the assistance was pretty good other than the Tech did not inform me about the use of "Cluster Scan for New Devices," which ultimately led us to losing an entire Cluster Resource.
    A few weeks back I opened a ticket on a CIFS issue that had been bothering us for over a year. While working with the Tech, DSTRACEs were required. The Tech could not get one to complete properly. I, having only worked with NetWare for 2 years, was also not that versed in using DSTRACE. But, after I saw what he was attempting to do I ran the trace and determined the issue on my own. Input that was provided and/or suggested at the time was questionable at best. The Tech was also very slow from my perspective in attempting to resolve this issue. It was not a down issue but it would be days between contact at times. Overall, I would have to say this Tech's abilities are not what I feel I should expect when opening an SR with Novell. I feel I should be getting someone with some experience. I feel DSTRACE should be a tool that all NetWare Support Techs should be very well versed in.
    And now for my current ticket..... Ever since I have been here, we have had issues with not being able to install certificates into our NetWare Cluster. I finally took the bull by the horns and opened an SR for this nagging issue. I was initially assigned one Tech and we had a phone conversation regarding the issue that went great, and I felt the best way for resolution to be achieved was to write him an email of what we had tried and what we were trying to achieve so we were all on the same page. I did this. A day or so later I received an email from another Tech saying he was taking over my SR because the first Tech was on leave for a while. The second Tech did not have a copy of the email I sent the first. So, yesterday I am working with the new Tech on our Certificate Issue, but all he ended up doing was sending me TIDs to read. I have RTFM'd everything I can find on Certificates and NetWare Cluster and Resources. We have beaten ourselves about the head on this issue.... When opening an SR should I expect someone to sit there and search through the knowledge base which I have already done, or should I be working with a Tech that actually knows how to resolve the issue? My expectation is the latter of the two....

    Phillip, sorry we're not making good progress. Sounds like we need a more experienced Support Engineer working with you. Call into the Support line, 1-800-858-4000, and ask to talk to the Mgr. Review the details with the Mgr and they can get a person assigned. This might even need to be escalated to the Backline team, but the Mgr can help determine this with you.
    Regards,
    -Todd
    Todd Abney
    Technical Support Director
    Novell
