How to monitor ASA5510 with AIP-SSM remotely?

Apr 2nd, 2007

Hi all,

Last week I purchased a brand new ASA 5510 with AIP-SSM (ASA5510-AIP10-K9). It came in with ASA version 7.2(2) and IPS version 5.1(1)S205.0.

I cannot monitor the IPS from within ASDM because IPS 6.0.1 or higher is required. My questions:

1. Why was the new unit shipped with IPS 5.1? Shouldn't I have gotten IPS 6.0.1 in the first place?

2. Do I need a support contract to be able to upgrade to IPS 6.0.1? I want to update the signatures too. What contract would I need?

3. What is the best approach to remotely monitor the AIP-SSM with IPS 5.1 on it? Better upgrade to 6.0.1, right?

Hope someone can shed some light.

Kind regards,

Mark Loman

markloman Mon, 04/02/2007 - 23:16

Thanks for the quick response! I appreciate it. The https:// is only working when I'm connected to the SSM management port. I am not planning to connect anything to that port (or must I?). I've read the following concerning another module, the CSC SSM:

"The management port of the CSC SSM must be connected to your network to allow management of and automatic updates to the CSC SSM software. Additionally, the CSC SSM uses the management port for email notifications and syslogging."

Is this the same for AIP-SSM? (it's not mentioned in the manual)

In my situation, the AIP-SSM has IP address and has access for it. But the ASA has defined as outside while is actually defined inside (on the ASA). The log states:

"Teardown TCP connection 1494 for outside: to outside: duration 0:00:00 bytes 0 Flow is a loopback" is defined on ASA Ethernet0/1 (nameif inside), but - as mentioned above - I do not want to physically connect AIP-SSM with that network (I would need to purchase a switch, just to manage AIP-SSM). I just want to manage the AIP-SSM over a Site-to-Site VPN ( I cannot find any information on this.



jwjorgensen Sun, 04/08/2007 - 09:03

Either way you want to manage it (ASDM integrated or IDM), you will need to connect the management port of the AIP-SSM to the network. When you upgrade the code to 6.0 and try to connect, the IDM will not be able to connect if the management port is not on the network. Any time I set it up, I will connect the AIP-SSM to a switchport and place that switchport in a management VLAN. That way you can filter all the traffic that you do not want to enter that VLAN.

PAUL GILBERT ARIAS Wed, 06/06/2007 - 21:06

If you want to manage your AIP remotely using the IDM, you will need to have the management interface connected to the network so that it can be reached by IP. If you don't want to do it like that, then you can connect remotely to the ASA and then log into the AIP, but using the CLI only.

hoogen_82 Thu, 06/07/2007 - 04:48

Hmm.. for one of my customers I had deployed the ASA with the CSC-SSM module. From outside I was able to log into the ASDM and manage the ASA, but since the CSC module has an internal private IP address, I don't get to manage the CSC SSM from the ASDM. I then connected the CSC SSM to the public IP and tried accessing it and was still not able to do so.

Any ideas?


