Cisco ASA 5510 + AIP-SSM

Dec 26th, 2008
My setup consists of:


Cisco ASA 5510 v8.0(2)

Cisco ASA-SSM10 IPS ver 5.0(2)S152.0


Q: I would like to know what is needed to upgrade the IPS to the latest Software version. There is currently no license present in my IPS.


Is it possible for me to upgrade from 5.0(2) straight to the latest 6.1(2)ES?

konasanimurali Fri, 12/26/2008 - 22:37

http://www.cisco.com/en/US/docs/security/ips/5.0/installation/guide/hwssm.html

Hardware and Software Requirements says it is supported to upgrade.


You need to obtain the AIP-SSM image and follow the instructions given in the section "Reimaging AIP-SSM Using the recover configure/boot Command".


http://www.cisco.com/en/US/docs/security/ips/6.2/installation/guide/hw_system_images.html#wp1230355




I would highly recommend that you use the "http://tftpd32.jounin.net/" TFTP server for the TFTP operations.


A license is a must to get live signature updates; you can request a trial one from the IDM/licensing/Update License option.


Hope this helps you!


J_Vansen_S Thu, 01/01/2009 - 19:10
Thanks for your reply.


I did a reimage according to the Cisco doc.

My AIP-SSM module is now in status "recover" and I can no longer session to my module.


I made a mistake: I did not configure its port IP address, that is, the IP address of the IPS.


What can I do to recover my image? I cannot session to my module to set its IP address.



marcabal (Cisco Employee) Mon, 01/05/2009 - 08:19

On the ASA CLI you can execute "debug module-boot" which will help you see what settings are being used for the TFTP download, and what TFTP errors may be happening.


If you need to change a setting (like the IP Address), then you can execute "hw-module module 1 recover stop".


Then execute "hw-module module 1 recover configure" to correct the configuration.


Then execute "hw-module module 1 recover boot" again to try the recovery again.

(NOTE: You might have to wait till the module is Up or has timed out and Unresponsive before executing the "recover boot".)


--------


As a side note.

If you run "hw-module module 1 recover stop", and the module actually makes it to an Up state, then you have another alternative.


The recover method you are using above really only needs to be used when the SSM has experienced a problem and needs to be recovered.


The recovery method should generally not be used for upgrading to higher versions.

The recovery method will erase all configuration from the SSM.


If your SSM is running properly, then you can do an "upgrade" instead of a "recover".


For upgrade instructions refer to:

http://www.cisco.com/en/US/partner/docs/security/ips/6.1/configuration/guide/cli/cli_system_images.html#wp1142504


An SSM sensor running 5.0(2) IS able to upgrade to 6.1(2)E3 directly.


You will want to use the IPS-K9-6.1-2-E3.pkg upgrade file:

http://www.cisco.com/cgi-bin/tablebuild.pl/ips6


The easiest method is to actually push the upgrade to the sensor using IDM:

http://www.cisco.com/en/US/partner/docs/security/ips/5.0/configuration/guide/idm/dmadmin.html#wp1030863

Place the IPS-K9-6.1-2-E3.pkg file on your own desktop, then in IDM use the "Update is located on this client" option (Step 3 in the directions) to push that update to the sensor.



