AIP SSM-10 is unresponsive

zafar12233
Level 1

Hi,

I am having a problem with my AIP SSM 10, which is installed in an ASA 5510. The following output appears when I issue the command "show module":

Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  0 ASA 5510 Adaptive Security Appliance         ASA5510            xxxxxxxxxxx
  1 ASA 5500 Series Security Services Module-10  ASA-SSM-10  xxxxxxxxxxx

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
--- --------------------------------- ------------ ------------ ---------------
  0 0021.a0ec.e807 to 0021.a0ec.f80b  2.0          1.0(11)5     8.0(4)
  1 0021.a0af.dbdf to 0021.a0af.cbdf  1.0            1.0(11)5

Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- --------------------------

Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
  0 Up Sys                Not Applicable
  1 Unresponsive       Not Applicable

ASA#

I have searched the relevant docs on Cisco's site and issued commands to resolve the issues, i.e.:
ASA# hw module 1 reset
The module in slot 1 should be shut down before
resetting it or loss of configuration may occur.
Reset module in slot 1? [confirm]
Reset issued for module in slot 1
No positive result.
ASA-A# Reload module in slot 1?
ERROR: % Unrecognized command
ASA-A# Reload module in slot 1 [confirm]
Module in slot 1 can not be reloaded, not in Up state.
Please help.
Regards,
Zafar

9 Replies

Panos Kampanakis
Cisco Employee

Enable "debug module" and do a "hw module 1 reset". If you don't see a debug after a bit saying "Booting...", try reseating the module if it is still in Unresponsive status. It is hot-swappable if it is already in the ASA.

I hope it helps.

PK

Is it really hot-swappable? The link below states you need to shut down the module and power off the ASA before removing the SSM.

http://www.cisco.com/en/US/docs/security/ips/5.1/installation/guide/hwSSM.html#wp1040424

You need to power down the ASA ONLY if it is the first time you are putting the module in.

If the module is still in there you can reseat it without powering down the ASA.

I hope it makes sense.

PK

Daniela Herrera
Level 1

I also had the idea that the AIP-SSM was not hot-swap; I can't assure otherwise. But I agree that pulling it out and in again on the ASA should fix the problem. I've done it by shutting down the ASA. It's real quick.

You can also try the "hw-module recover" option (which you have to configure first) in case the module allows it. This will restore the module to factory defaults, so it's really important to realize that the configuration will be gone and that a copy of the license information is needed to re-activate the module.

The debug they mentioned earlier is really useful during this process, since you won't be seeing anything on the ASA and the module will take a while to get back up.

Hope this is useful.

Regards,

It is hot-swappable if it is already on the ASA.

Only the first time you put it in do you need to turn off the ASA.

PK

That IS really good to know.

Should the service-policy be disabled on the ASA to do that?

Thanks and regards!

No need to remove the policy either if you have "ips fail-open".

Please mark the question as resolved, if it is, so others benefit from it in the future.

PK

Thanks for the information. I can't select the correct answer since it was not my question. Let's hope the user who created it had his problem resolved.

Regards,

No need to remove the policy either if you have "ips fail-open".

Trying to clarify the above statement. Our documentation mentions that the modules are not hot-swappable. Even though experience has shown that you can hot-swap a module if the module is already in the ASA, we would not recommend doing it because it is not officially tested and supported.

PK
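
An added example, not part of the thread or Cisco's tooling: with "ips fail-open" configured, an Unresponsive module means traffic keeps flowing without IPS inspection, so the module status is worth checking automatically. This Python sketch parses "show module" text captured from the ASA and lists modules whose status is not Up; the sample input is constructed from the output posted above, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the "show module" output posted in this thread.
SAMPLE = """\
Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- --------------------------

Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
  0 Up Sys             Not Applicable
  1 Unresponsive       Not Applicable
"""

def parse_tables(text):
    """Split the output into tables; each is {module_number: {column: value}}."""
    tables, header, spans, names = [], None, [], []
    for line in text.splitlines():
        if line.startswith("Mod "):
            header = line                          # column titles; the ruler follows
        elif header and re.fullmatch(r"-[- ]*", line.rstrip()):
            # The dash ruler gives the fixed column positions; the last is open-ended.
            spans = [m.span() for m in re.finditer(r"-+", line)]
            spans[-1] = (spans[-1][0], None)
            names = [header[a:b].strip() for a, b in spans]
            tables.append({})
            header = None
        elif tables and re.match(r"\s*\d+\s", line):
            cells = [line[a:b].strip() for a, b in spans]
            tables[-1][int(cells[0])] = dict(zip(names[1:], cells[1:]))
    return tables

def modules_not_up(text):
    """Return (module, status) pairs from the module status table that are not Up.

    Two tables have a "Status" column; only the one that also has
    "Data Plane Status" describes the module itself, so only that one is used.
    """
    found = []
    for table in parse_tables(text):
        for mod, cols in sorted(table.items()):
            if "Data Plane Status" in cols and not cols["Status"].startswith("Up"):
                found.append((mod, cols["Status"]))
    return found

if __name__ == "__main__":
    for mod, status in modules_not_up(SAMPLE):
        print(f"module {mod}: {status}")
```
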
