Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

AIP SSM 20 ver-5.1(6)E1, ASA 5520 ver-8.0(2), password recovery


I have ASA 5520 running ver 8.0(2) and AIP-SSM-20 version 5.1(6)E1. I lost the password and in the process to recover I tried loading the image on AIP-SSM-20. The image I am trying to load is IPS-SSM-K9-sys-1[1].1-a-6.0-3-E1.img but the status on ASA still shows Recover. I am using the following configuration.


AUFWMEL01# sh module 1 recover

Module 1 recover parameters...

Boot Recovery Image: Yes

Image URL: tftp://andrewl-IP/IPS-SSM-K9-sys-1[1].1-a-6.0-3-E1.img

Port IP Address:

Gateway IP Address: H-



Under Port IP Address I have given the IP address of IPS (I was not sure what this means). Status "Recover" did not change for a day and then I stopped it. Tried again and the status is still the same.

What could be the issue and what is the solution to this problem. The document does not mention the time it will take to recoever and there is no way to monitor the progress. Any help / pointers in the right direction appreciated.



Cisco Employee

Re: AIP SSM 20 ver-5.1(6)E1, ASA 5520 ver-8.0(2), password recov

which password have you lost SSM or ASA ?

Cisco Employee

Re: AIP SSM 20 ver-5.1(6)E1, ASA 5520 ver-8.0(2), password recov

Execute "debug module-boot".

The SSM runs a ROMMON similar to the ASA.

However, the user does not have direct access to the SSM Rommon.

The "debug module-boot" allows users to see the SSM ROMMON messages from the ASA console.

Watch the SSM ROMMON output and you maybe able to see what error is happening. More than likely something is misconfigured in your recovery configuration. If ROMMON is not able to download the file, the SSM reboots and ROMMON tries again. It continues to repeat this cycle until you stop it or fix the recover configuration.

My best guess in looking at your output from the post is that your filename may be incorrect.

Your filename listed is:


But it should likely be:


without the "[1]" in the name.

In addition you need to use an IP Address for the tftp server. It looks like you may have used a machine name instead of an IP.

You are correct that the port IP is the same IP you used for the SSM management IP.

Other usual problems are using the wrong directory location on the tftp server.

New Member

Re: AIP SSM 20 ver-5.1(6)E1, ASA 5520 ver-8.0(2), password recov


Your post was really helpful in identifying whats happening in the backend. But I keep getting this error. I have tried with different versions of the image. I am using tftpd32 (recommended by Cisco).


AUFWMEL01# sh debug

debug module-boot enabled at level 1

AUFWMEL01# Slot-1 9> Cisco Systems ROMMON Version (1.0(11)2) #0: Thu Jan 26 10:43:08 PST 2006

Slot-1 10> Platform ASA-SSM-20

Slot-1 11> GigabitEthernet0/0

Slot-1 12> Link is UP

Slot-1 13> MAC Address: 001b.d588.865b

Slot-1 14> ROMMON Variable Settings:

Slot-1 15> ADDRESS=

Slot-1 16> SERVER=

Slot-1 17> GATEWAY=

Slot-1 18> PORT=GigabitEthernet0/0

Slot-1 19> VLAN=untagged

Slot-1 20> IMAGE=IPS-SSM-K9-6-0-3-E1.img

Slot-1 21> CONFIG=

Slot-1 22> LINKTIMEOUT=20

Slot-1 23> PKTTIMEOUT=4

Slot-1 24> RETRY=20

Slot-1 25> tftp IPS-SSM-K9-6-0-3-E1.img@ via

Slot-1 26> TFTP failure: Packet verify failed after 20 retries

Slot-1 27> Rebooting due to Autoboot error ...

Slot-1 28> Rebooting....


Thanks for your help.



New Member

Re: AIP SSM 20 ver-5.1(6)E1, ASA 5520 ver-8.0(2), password recov

For the benefit of others I am giving below the resolution of this problem.

In the setup, IPS and ASA inside network were the same and ASA inside IP was the default gateway. So when I configured the "hw-module module 1 recover config" I gave the ASA inside IP address as the default gateway (which was not wrong). Because my tftp was also on the same subnet there was no need of a default gateway. So if you give the IP address of TFTP server as your default gateway the problem will be resolved.

Important please ensure the Network cable is connected to the AIP-SSM module and can reach the tftp server.



CreatePlease to create content