AIP-SSM re-image in Secondary ASA 5500 (failover) with virtual contexts

May 20th, 2008

Hello guys,

The scenario is this:

2 ASA 5500 with virtual contexts in failover.

The primary ASA has the AIP-SSM20 working.

The secondary ASA (which is in Active/Standby) needs its AIP-SSM20 to be working now, and everything is in production.

Someone tried to configure this 2nd AIP-SSM, changed the password and lost it, so I tried to re-image it (no pass recovery allowed), but the connection fails to the TFTP server where the AIP-SSM image is.

Now the questions: all the re-imaging Cisco documentation shows commands under ASA#

but as this scenario has multiple virtual contexts, the ASA# shell has no IP as you know (which I assume is the reason why the ASA can't download the image from the TFTP server), and upon changing to another context (ASA/admin#) the re-imaging commands do not work (hw-module module 1 ... etc ...).

What is the solution? Is there documentation for this (with security contexts)??

Many Thanks for reading ;) please comment possible solutions.

Correct Answer by marcabal about 8 years 6 months ago

Yes,

Some things to keep in mind.

1) Execute "debug module-boot" on the ASA before executing the "hw-module module 1 recover boot" command. This will show you the ROMMON output of the SSM as it tries to do the re-image and you can watch for any errors.

2) Before trying to download from the SSM, first use a separate machine to tftp download from your laptop. This will ensure the tftp server on your laptop is working, and confirm what directory (if any) you need to use as the file location.

3) If the tftp download doesn't work from the SSM, then the SSM may not be linking properly to your laptop. You may need a crossover cable to connect your laptop to the SSM. If you don't have a crossover cable then you might try connecting both the SSM and your laptop to a small hub, or configure a new vlan on your switch with just 2 ports and plug both the SSM and your laptop into that 2 port vlan.

4) Also try the download first with leaving the gateway at 0.0.0.0 since your laptop and the SSM will be on the same subnet. If that doesn't work then you might try a non-existent 30.0.0.4 address as the gateway.

5) Understand that the IP address you specify for the SSM using the "hw-module module 1 recover configure" command is just temporary for the download. Once an image is installed, then session to the module and execute the "setup" command in order to configure the permanent address you want to use on the SSM's external port. This address in the "setup" command can be the same as used in the "hw-module module 1 recover configure" command or a completely new one (as in your case). Just ensure you connect it to the right network for whatever address you give it.

marcabal Wed, 05/21/2008 - 06:15

The confusion is on how the download works.

The ASA itself does not do the tftp download.

Instead all of the parameters for the tftp download are passed to ROMMON on the SSM module, and the SSM module will do the download.

Here are the instructions you likely have already found:

http://www.cisco.com/en/US/partner/docs/security/ips/6.1/configuration/guide/cli/cli_system_images.html#wp1231447

When executing the "hw-module module 1 recover configure" command you will be prompted for a Port IP Address. This IP Address is the address you want to use for the SSM (not the ASA) and will be assigned to the external interface of the SSM. It is from this IP that the tftp download will take place. So ensure you have that external interface of the SSM connected to the correct network for which you are giving it an IP address.

You will also be prompted for a gateway IP address. This gateway needs to be on the same subnet as the IP address above that you set for the SSM external interface. This is the gateway the SSM needs to use in order to get packets routed to the tftp server. Depending on your network configuration this gateway could be one of the interfaces from one of your ASA contexts, or if the SSM is inside your network it might be an internal router in your network. If the tftp server is on the same subnet as your SSM you might even try leaving the gateway as 0.0.0.0 since no routing would be needed between the SSM and tftp server.

Since the IP is assigned to the SSM and the SSM does the download there is no requirement for the system context to have an IP address. The same commands for re-imaging are used in the system context (when in multi-context mode) as for when the firewall is in single mode.
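
A constructed walkthrough of the procedure described in this reply and in the numbered tips above, run from the ASA system context (added here as an illustration; it is not from the original thread or from Cisco documentation). It assumes the laptop running the TFTP server is at 30.0.0.2/24 and cabled directly to the SSM's external port, the SSM borrows 30.0.0.3 for the download as proposed later in the thread, and the image filename is a placeholder.

```console
! System context of the ASA (multi-context mode). Turn on ROMMON output first
! so TFTP errors from the module are visible on the ASA console.
ASA# debug module-boot

! These values are handed to ROMMON on the SSM; the SSM, not the ASA, performs
! the TFTP fetch, so the system context needs no IP address of its own.
ASA# hw-module module 1 recover configure
Image URL [tftp://0.0.0.0/]: tftp://30.0.0.2/<ips-image-file>.img
Port IP Address [0.0.0.0]: 30.0.0.3
VLAN ID [0]:
Gateway IP Address [0.0.0.0]:

! Gateway left at 0.0.0.0 because laptop and SSM share 30.0.0.0/24.
! Reboot the module into ROMMON and start the download; watch the debug output.
ASA# hw-module module 1 recover boot

! When the module reports Up, session in and replace the temporary address
! with the permanent one via the sensor's setup dialog.
ASA# show module 1 details
ASA# session 1
sensor# setup
```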

martinv2008 Wed, 05/21/2008 - 10:27

Thanks a lot for taking the time to put those words in such a clean order.

So I can connect my laptop (publishing a TFTP server) directly to the SSM interface and give both IP addresses on the same network (30.0.0.2/24 and 30.0.0.3/24), then re-image the AIP-SSM via CLI commands and later change the AIP-SSM IP address.

Many thanks

