Will reloading an ASA-SSM affect the firewall itself?

We've lost the login info for the IPS-SSM on our ASA 5520. It looks like we will need to reimage the module with a newer software version. It currently is not in use, i.e. no rules for it on the firewall. Will this process take the firewall offline at all?

Output from sh command:

Firewall03# show module 1

Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  1 ASA 5500 Series Security Services Module-20  ASA-SSM-20         xxxxxxx

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
--- --------------------------------- ------------ ------------ ---------------
  1 001b.0ce2.xxxx to 001b.0ce2.xxxx  1.0          1.0(11)2     5.1(5)E1

Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- --------------------------
  1 IPS                            Up               5.1(5)E1

Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
  1 Up                 Up

Firewall03# show module 1 recover
Module 1 recover parameters...
Boot Recovery Image: No
Image URL: tftp://0.0.0.0/
Port IP Address: 0.0.0.0
Gateway IP Address: 0.0.0.0
VLAN ID: 0

Correct Answer
acomiskey Fri, 01/18/2008 - 11:22

No, it should not affect the firewall operation at all. It would only be affected if you were running it in inline mode with fail closed enabled.

jan.nielsen Mon, 01/21/2008 - 18:06

If you are running active/standby, the ASA will fail over when you reload the SSM module, which is required for the reimaging. Just a note to remember: with version 8.0.3, I think it was, some kind of keepalive function was introduced on the backplane to keep the ASA from failing over when rebooting the module.

So it will have an effect on the firewall, causing it to fail over?

Also, I am having a hard time understanding the recovery process, as it seems the device needs to be configured to allow the recovery image to be used. I have no idea how, if at all, the device is configured; we have zero access to the device, as we have none of the passwords for it and no idea how it's configured.

From looking at the above (1st post) you can see there is no recovery location set. How do I recover with no info on the device?

Firewall03# sh module 1 details
Getting details from the Service Module, please wait...
ASA 5500 Series Security Services Module-20
Model: ASA-SSM-20
Hardware version: 1.0
Serial Number: JAF111XXXXX
Firmware version: 1.0(11)2
Software version: 5.1(5)E1
MAC Address Range: 001b.0ce2.XXXX to 001b.0ce2.XXXX
App. name: IPS
App. Status: Up
App. Status Desc:
App. version: 5.1(5)E1
Data plane Status: Up
Status: Up
Mgmt IP addr: 10.1.9.201
Mgmt web ports: 443
Mgmt TLS enabled: true

Firewall03# sh module 1 recover
Module 1 recover parameters...
Boot Recovery Image: No
Image URL: tftp://0.0.0.0/
Port IP Address: 0.0.0.0
Gateway IP Address: 0.0.0.0
VLAN ID: 0

Firewall03#
