
IPS Signature updates

net buzz
Level 1

Hi all!

I have deployed an ASA5512-IPS-K9 unit that has the following 2 licenses installed:

  • Cisco ASA 5512 SW License Security Plus
  • Cisco ASA 5512 SW License IPS SSP License

All is working out fine except for the IPS SW module.

When viewing the IPS using ASDM, the Sensor Health is shown as critical and the License status says No License.

However, the ASDM dashboard says that the box has a Security Plus license and the show module ips detail output says the IPS Module  Enabled  perpetual.

I have even inserted the licenses provided through the CLI using the "activation-key" command where the response obtained is that the license provided is the same as the one already in the box.

Please see the attached screenshots and show module ips detail output.

Note that I have configured the Auto/Cisco.com Update settings using my CCO login.

Grateful if someone could shed some light on this issue.

Regards,

Alvin

3 Replies

Hi Alvin,

Last time I went online to generate the license for the IPS but it failed, so I called TAC and they generated it for me.

If I remember correctly, there's a license on ASA to run the IPS module but there's also a license in the IPS software for the IPS itself (which I guess is included but just needs to be generated and added in the IPS software via ASDM/IDM/IME/CLI...)

There's also a subscription required for auto-update of signatures...

From the licensing guide:

http://www.cisco.com/en/US/docs/security/asa/asa91/license/license_management/license.html

The IPS module license lets you run the IPS software module on the ASA.

You must also purchase a separate IPS signature subscription...

Patrick

Hi Patrick!

Thanks for the info.

Actually, the ASA5512-X unit is supposed to be a Cisco ASA 5512-IPS-K9 as per the part number received.

I have checked the link you posted and also found this on the IPS module:

"The IPS module license lets you run the IPS software module on the ASA.

You must also purchase a separate IPS signature subscription; for failover, purchase a subscription for each unit.

To obtain IPS signature support, you must purchase the ASA with IPS pre-installed (the part number must include "IPS")."


"The combined failover cluster license does not let you pair non-IPS and IPS units. For example, if you buy the IPS version of the ASA 5515-X (part number ASA5515-IPS-K9) and try to make a failover pair with a non-IPS version (part number ASA5515-K9), then Cisco will not let you obtain IPS signature updates for the ASA5515-K9 unit, even though it has an IPS module license inherited from the other unit."

Doesn't that imply that the unit I purchased is entitled to IPS signature updates?

Regards,

Alvin

Yes, when you purchase the IPS bundle edition, the services contract is added automatically:

In CCW, this is the CON-SU...:

ASA5512-IPS-K9

ASA 5512-X with IPS, SW, 6GE Data, 1GE Mgmt, AC, 3DES/AES

$ 6,495.001$ 6,495.00

CON-SU3-A12IPS9

IPS SVC, AR 24X7X4 ASA 5512-X with IPS, SW, 6GE Data, 1GE M.

Duration: 12 Month(s)

$ 1,076.991$ 1,076.99

Here are the requirements for updating the signatures:

http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_tech_note09186a0080bd008f.shtml

Patrick
