ASA-SSM-10 Unresponsive

Unanswered Question
Jul 18th, 2012

Hi,

I've installed an ASA-SSM-10 module into my ASA 5510 firewall but it's in "Unresponsive" state. I tried to reset and recover the module but nothing seems to work. Below you may find information about the system and details about what I did. Any help is greatly appreciated.

Firewall:

ASA5510-K8, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz

Internal ATA Compact Flash, 256MB

System image file is "disk0:/asa843-k8.bin"

Device Manager Version 6.4(3)

IPS Module:

ASA 5500 Series Security Services Module-10  ASA-SSM-10

Hw Version: 1.0

Sw Version: 6.2(2)E4

SSM Application Version: 6.2(2)E4

I have 2 IPS images at my TFTP server:

IPS-SSC_5-K9-sys-1.1-a-6.2-2-E4.img

IPS-SSM_10-K9-sys-1.1-a-7.1-5-E4.img

I tried the command: hw-module module 1 reset

At first module status changes to "Inıt" but after then it goes back to "Unresponsive"

I used the command "hw-module module 1 recover configure" for 2 different images mentioned above by the same order and then tried:

"hw-module module 1 recover boot"

Module status changes to "Recover" and stays like that for hours. I've waited for 2 hours for 2 different images. And then I issued the command: hw-module module 1 recover stop and the module goes back to "Unresponsive" state.

The Module's network interface is connected to the same switch where the TFTP server is connected. When I run a sniffer on the TFTP server (Linux, tcpdump), there's no TFTP activity. But I can use this TFTP server from ASA (Connected to the Inside interface).

ASA Inside interface IP Address: X.X.X.1

TFTP Server IP Address: X.X.X.8

"show module 1 recover" command output:

Module 1 recover parameters...

Boot Recovery Image: Yes

Image URL:           tftp://X.X.X.8/IPS-SSC_5-K9-sys-1.1-a-6.2-2-E4.img

Port IP Address:     X.X.X.2

Gateway IP Address:  X.X.X.1

VLAN ID:             0

(There are no VLANs used on this network.)

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 0 (0 ratings)
emrecan.ural Wed, 07/18/2012 - 23:22

Thanks for your response. As I mentioned earlier in my email, I tried 2 different images (IPS-SSC_5-K9-sys-1.1-a-6.2-2-E4.img and IPS-SSM_10-K9-sys-1.1-a-7.1-5-E4.img) without any success. Since there are no packets coming from IPS on the TFTP server, I think the problem is something else.

When I run the "debug cplane 255" command, I see some errors mentioned below:

asa(config)# debug cplane 255

debug cplane  enabled at level 255

asa(config)#

cp_connect: Connecting to card 1, socket 3, port 7000

cp_connect: Error - cp_connect() returned -1

cp_check_connection: handle -1, conflicts with connection 1 (-1)

cp_check_connection: handle -1, conflicts with connection 2 (-1)

cp_check_connection: handle -1, conflicts with connection 3 (-1)

cp_update_connection: Error updating connection_id 0

Is this a hardware issue?


Jennifer Halim Wed, 07/18/2012 - 23:56

How did you connect the AIP module to the tftp server?

You would need to use the port on the module itself to connect it to the network or directly to your tftp server.

You can't use the backplane on the ASA for management traffic towards the AIP module.

emrecan.ural Thu, 07/19/2012 - 00:06

As I mentioned in my first email;

The Module's network interface is connected to the same switch where the TFTP server is connected. When I run a sniffer on the TFTP server (Linux, tcpdump), there's no TFTP activity. But I can use this TFTP server from ASA (Connected to the Inside interface).

ASA Inside interface IP Address: X.X.X.1

TFTP Server IP Address: X.X.X.8

Jennifer Halim Thu, 07/19/2012 - 00:14

If the module does not come up as "UP" state after resetting it, you might need to get an RMA of the module.

I understand that you have tried to reset the module, did you also try to reload the module?

hw-module module 1 reload

If all fails, then RMA would be the way to go.

emrecan.ural Thu, 07/19/2012 - 00:20

Yes, I tried to reset the module. Since it is in "Unresponsive" state, hw-module module 1 reload command does not work. I will power cycle the ASA and try to recover the module again before contacting RMA. Thanks for your help.

kerryjcox Fri, 11/01/2013 - 08:14

Emrecan,

Did you ever get this problem resolved?  I am havign the exact same issue on my ASA 5510.  Did you have to RMA it or did a re-seat of the module solve the problem. Just wondering if you fixed it.

Thanks.

Kerry

emrecan.ural Sun, 11/03/2013 - 23:29

Hi Kerry,

Yes, I did fix it. I had to power cycle the ASA then reimage the IPS module. That solved my problem.

jsoudah Thu, 07/26/2012 - 16:17

Is it my imagination or has 7.1-5-E4 been withdrawn?

Actions

Login or Register to take actions

This Discussion

Posted July 18, 2012 at 2:19 AM
Stats:
Replies:10 Avg. Rating:
Views:2262 Votes:0
Shares:0

Related Content

Discussions Leaderboard

Rank Username Points
1 816
2 668
3 603
4 526
5 367
Rank Username Points
5
5
5
5
5