Cannot upgrade software on sensor due to digital signature update file

jasonpuskarich

Attached is a jpg of the error message when trying to apply update through IDM for the latest version: 

IPS-SSM_20-K9-sys-1.1-a-7.0-6-E4.img

I've downloaded the image twice now from Cisco.  I've done a token reboot but that didn't help.

I did apply the recovery image right before this with no issues.

Any ideas?

Thanks,

J

Accepted Solution

You've experienced a very common area of confusion.

There are multiple different file types of the same version.

Some of them can be applied through IDM and the CLI, and others can only be applied through other methods.

Basic Types:

System Images

Recovery Packages

Upgrade Packages

System Images have "-sys-" in the filename and generally end in .img.

These files can Not be installed through IDM or the CLI.

These files will erase the entire compact flash and install a completely new image on the system.

These files are generally only used when trying to get back to an Older image, or when you believe that the current image on the sensor has been Corrupted.

They are not recommended for upgrading as the configuration of the sensor will be completely removed during erasing of the compact flash.

They are installed through either ROMMON (on appliances), from the hw-module recover command of the ASA (on ASA IPS modules), through the bootloader (on AIM and NME router modules), or through the maintenance partition (in the IDSM2 Cat 6K module).

In your case it was a System Image you were trying to install through IDM, which is not allowed.

Recovery Packages have "-r-" in the filename and end in .pkg.

They will re-image the Recovery partition of the sensor.

They are installed using IDM or the CLI upgrade command.  (.pkg files work with the Upgrade command)

The "recover" command on the sensor can then be used to boot to the Recovery Partition and re-image the Application partition to that version.

The "recover" can be done from a remote box through an SSH connection to the sensor.  Unlike System Images which often require a Console connection or connection to the hosting device.

Recovery Packages are recommended when you believe that the current image on the sensor has been Corrupted.

They can often be used for Downgrading to an older version, but this is not officially supported (and will sometimes fail, if it fails then you need to use a System Image instead).

Upgrade Packages come in different types.

Major, Minor, and Service Pack upgrade files do not have a designator in their name, and usually just have the platform and version.

Signature Updates have "-sig-" in the name.

Engine Updates have "-engine-" in the name.

All Upgrade Packages end in .pkg.

Upgrade Packages can be installed using IDM or the CLI upgrade command.

In your situation you want to download the Upgrade file for 7.0-6-E4 instead of the System Image file.

Because the SSM-20 has the common architecture it will use the standard upgrade file that does not list the platform name.

The package you want is IPS-K9-7.0-6-E4.pkg.
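
The filename rules in the answer above can be turned into a pre-flight check run before a file is pushed to a sensor. This is an added example, not part of the original post and not Cisco code: the function names and result fields are hypothetical, and the sample names other than the two quoted in the thread are constructed.

```python
# Filename rules taken from the accepted answer above. Function names and
# result fields are hypothetical, chosen for this added example.
IDM_CLI = "IDM or CLI upgrade command"
OUT_OF_BAND = "ROMMON, hw-module recover, bootloader or maintenance partition"


def classify_ips_file(filename):
    """Map an IPS file name to (kind, install_path, usable_from_idm)."""
    name = filename.strip().lower()
    if "-sys-" in name:
        # System image: erases the compact flash and the configuration,
        # and is never applied through IDM or the CLI upgrade command.
        return ("system image", OUT_OF_BAND, False)
    if not name.endswith(".pkg"):
        # Every package type described in the answer ends in .pkg.
        return ("unknown", None, False)
    if "-r-" in name:
        return ("recovery package", IDM_CLI, True)
    if "-sig-" in name:
        return ("signature update", IDM_CLI, True)
    if "-engine-" in name:
        return ("engine update", IDM_CLI, True)
    # No designator: major, minor or service pack upgrade.
    return ("upgrade package", IDM_CLI, True)


def preflight(filenames):
    """Return the names that must not be pushed through IDM or the CLI."""
    return [f for f in filenames if not classify_ips_file(f)[2]]


SAMPLES = [
    "IPS-SSM_20-K9-sys-1.1-a-7.0-6-E4.img",  # from the thread
    "IPS-K9-7.0-6-E4.pkg",                   # from the thread
    "IPS-K9-r-1.1-a-7.0-6-E4.pkg",           # constructed sample
    "IPS-sig-S000-req-E4.pkg",               # constructed sample
    "IPS-engine-E0-req-7.0-6.pkg",           # constructed sample
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", classify_ips_file(sample))
    print("Do not apply via IDM/CLI:", preflight(SAMPLES))
```

The "-sys-" test runs first because the answer says system images only "generally" end in .img, so the designator decides rather than the extension.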


rhermes

J -

It seems unlikely that your download would be corrupted twice.

You are trying to update an AIP-SSM20, right?

What version of software do you have on your AIP-SSM module now?

- Bob

Hi Bob,

Yes it is an SSM20.

Current: 7.0(5a)E4

Platform: ASA-SSM-20

License is valid till 2012.

I'm a newbie to IPS's so it's possible I'm missing something basic here.

Jason

Jason -

You should be able to apply a software upgrade even with an expired license (not that yours is expired).

You should be able to apply 7.0(6)E4 on a sensor running 7.0(5)E4 too.

Here are some possible solutions/things to try:

Check the Checksum on the files you downloaded to verify they are not corrupt.

Download and apply the 7.0(5)E4 recovery image (your 7.0(4)E4 recover image applied properly)

Try applying the upgrade via the CLI on the sensor:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/ime/ime_system_images.html#wp1088691

- Bob

Hi Bob,

Let's do this...let's forget I ever posted anything about this.  cool? 

It ranks in the PEBKAC, ID10t, and Layer 8 category.

Thank you for the detailed explanation.  I was indeed trying to install the .img file. I downloaded the pkg file and amazingly it worked.
