ASA & AIP-SSM IPS

Unanswered Question
Nov 13th, 2009

ANy help is appreciated.

Getting ready to upgrade a ASA 5520 from 7.2 code to 8.x, all because of the IPS module needs to be upgraded from 6.1 to 7.x.

Two question:

(1) Should I expect a smooth upgrade (from 7.2 to 8.x) on the ASA box? Anyone runs into problem, gotcha kind of thing? ANy problem on the config file not being converted correctly?

(2) For the IPS part, do you or do you not to use the upgrade command within the IPS module? From the IPS's doc. it says to use the upgrade command. From ASA's doc. it says to use: hw-module command. If I understand this correctly, by using hw-module command to upgrade the IPS from within the ASA, it would wipe my IPS config file.Don't want to do that if I can help it.

Thank you.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
mkharban Mon, 11/16/2009 - 10:26

Hi,

There should not be any issues upgrading ASA from 7.2 to 8.x code. I would suggest going to the latest interim for 8.0(4) version as it has fixes for many caveats.

Also in case an upgrade is performed on the module the configuration will not be wiped out.

Also, the upgrade command is used for performing signature upgrade for the module. You can not upgrade the version for the module with the upgrade command.

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_example09186a0080816cb4.shtml#upgrade2

Hope this helps!

Thanks,

Manish

Cisco TAC

ewong0088 Mon, 11/16/2009 - 11:09

mkharban, thank you for the info.

SO what you are saying is that in order to go from 6.1.x to 7.x IPS, no matter what, I have to REIMAGE the IPS and therefore wipe my IPS config? Upgrade command within IPS won't work?

Thanks.

Panos Kampanakis Mon, 11/16/2009 - 10:37

(1) the upgrade should go smoothly and convert the config ok.

(2) if you upgrade the IPS from the ASA ("hw module" command) than it will re-image the module and wipe it is config, that is correct. Make sure you keep a copy of it. And I suggest to upgrade from the module with the patch in order to avoid a full reimage.

I hope it helps.

PK

ewong0088 Mon, 11/16/2009 - 11:14

pkampana, thank you for the info.

So you are saying upgrade command does work within the IPS going from version 6.1.x to 7.x?

These statement are contradictory. See above.

Thank you for the help.

Actions

This Discussion