Failover IPS upgrade not working. Pulling out my hair!

Apr 27th, 2007

We just recently put in a failover ASA 5520/IPS SSM-20. I'm trying to upgrade it to the same version as the primary, 5.1(5)-E1; however, when I attempt to go from 5.0(2), it doesn't let me. So I tried to go from 5.0(2) to 5.1(3), but get this when I try:

sensor# config t

sensor(config)# upgrade ftp://10.x.x.x/IPS-K9-sp-5.1-3.pkg

User: user

Password: *****

Warning: Executing this command will apply a service pack to the application partition. The system may be rebooted to complete the upgrade.

Continue with upgrade? []: yes

Error: execUpgradeSoftware : This doesn't seem like a nice ftp-server response


I don't know where to go from here, please help.

marcabal Fri, 04/27/2007 - 14:07

When you say "it doesn't let me" when trying to go from 5.0(2) to 5.1(5)E1 what specifically do you mean? Is it the same error message you are showing for trying to go from 5.0(2) to 5.1(3)?

If so then the sensor is not properly recognizing the responses from your ftp server. The sensor will recognize the standard ftp responses to the vast majority of ftp servers. But if the ftp server responses have been modified by your system administrator then the sensor can often have a problem with these modified responses.

If instead you are talking about seeing a warning about unrecognized file type, then you can ignore the warning and have it continue to try and install 5.1(5)E1 anyway.

To work around the ftp error you would want to try an alternative method for doing the upgrade.

You could try using scp instead of ftp.

Or a better alternative is to put the 5.1(5)E1 file on your own PC. Then web browse to the sensor IP to start IDM. Then in IDM there is an option to push the 5.1(5)E1 from your PC directly to the sensor.

5.1(5)E1 can be directly installed on 5.0(2). So using IDM for the upgrade should work for you if the ftp responses are your only problem.

Understand, however, that there could be other problems as well.

Before attempting the upgrade try the following 2 commands:

"show version" and look to ensure that AnalysisEngine is "Running". If AnalysisEngine is "Not Running" then the sensor is not able to be upgraded yet.

"iplog-status" and ensure you get a response from Analysis Engine of either a list of iplogs, or a statement that there are no iplogs. If you get an error that sensorApp or AnalysisEngine is busy then the sensor is not ready for an upgrade.

To try and correct both of the issues above "reset" the SSM. Give the SSM a few minutes to reboot and re-initialize itself (I recommend waiting 30 minutes after the reboot just to be sure the sensor has finished initialization since you were previously seeing an issue). Then log back into the CLI and run the same 2 commands again. Hopefully AnalysisEngine will be Running and will respond to "iplog-status"; in which case you can then attempt the 5.1(5)E1 upgrade through IDM.

If it is still Not Running after the reset or still not responding to "iplog-status" then either contact the TAC or consider a complete System Re-Image instead of an upgrade. A complete System Re-Image can be done on a box regardless of any problems on the running system, but an Upgrade requires that the System be functioning properly before the upgrade.

If you want to do a System Re-Image refer to this document:

And use this System Image file:


ttrevino1 Mon, 04/30/2007 - 06:02

Thanks for the help. The Analysis Engine is running, but I think what might be part of the problem is I just discovered this failover IPS doesn't have a license associated with it. So when I tried to use the IDM to update it, it didn't even have the options for that. I've submitted a TAC case about the license; once this is resolved I'll try it again.

Thanks for the help, I'll let you know what I find out.

