Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Cannot upgrade software on sensor due to digital signature update file

Attached is a jpg of the error message when trying to apply update through IDM for the latest version: 

IPS-SSM_20-K9-sys-1.1-a-7.0-6-E4.img

I've downloaded the image twice now from Cisco.  I've done a token reboot but that didnt help.

I did apply the recovery image right before this with no issues.

Any ideas?

Thanks,

J

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Cannot upgrade software on sensor due to digital signature updat

You've experience a very common area of confusion.

There are multiple different file types of the same version.

Some of which can be applied through IDM and CLI, and otherwise which can only be applied through other methods.

Basic Types:

System Images

Recovery Packages

Uprgade Packages

System Images have "-sys-" in the filename and generally end in .img.

These files can Not be installed through IDM or the CLI.

These files will erase the entire compact flash and install a completely new image on the system.

These files are generally only used when trying to get back to an Older image, or when you believe that the current image on the sensor has been Corrupted.

They are not recommended for upgrading as the configuration of the sensor will be completely removed during erasing of the compact flash.

They are installed through either ROMMON (on appliances), from the hw-module recover command of the ASA (on ASA IPS modules), through the bootloader (on AIM and NME router modules), or through the maintenance partition (in the IDSM2 Cat 6K module).

In your case it was a System Image you were trying to install through IDM, which is not allowed.

Recovery Packages have "-r-" in the filename and end in .pkg.

They will re-image the Recovery partition of the sensor.

They are installed using IDM or the CLI upgrade command.  (.pkg files work with the Upgrade command)

The "recover" command on the sensor can then be used to boot to the Recovery Partition and re-image the Application partition to that version.

The "recover" can be done from a remote box through an SSH connection to the sensor.  Unlike System Images which often require a Console connection or connection to the hosting device.

Recovery Packages are recommended when you believe that the current image on the sensor has been Corrupted.

They can often be used for Downgrading to an older version, but this is not officially supported (and will sometimes fail, if it fails then you need to use a System Image instead).

Upgrade Packages come in different types.

Major, Minor, and Service Pack upgrade files do not have a designator in their name, and usually just have the platform and version.

Signature Updates have "-sig-" in the name.

Engine Updates have "-engine-" in the name.

All Upgrade Packages end in .pkg.

Upgrade Packages can be installed using IDM or the CLI upgrade command.

In your situation you want to download the Upgrade file for 7.0-6-E4 instead of the System Image file.

Because the SSM-20 has the common architecture it will use the standard upgrade file that does not list the platform name.

The package you want is IPS-K9-7.0-6-E4.pkg.

6 REPLIES
Gold

Cannot upgrade software on sensor due to digital signature updat

J -

It seems unlikely that your download would be corrupted twice.

You are trying to update an AIP-SSM20, right?

What version of software do you have on your AIP-SSM module now?

- Bob

New Member

Cannot upgrade software on sensor due to digital signature updat

Hi Bob,

Yes it is an SSM20.

Current: 7.0(5a)E4

Platform: ASA-SSM-20

License is valid till 2012.

I'm a newbie to IPS's so it's possible I'm missing something basic here.

Jason

Gold

Cannot upgrade software on sensor due to digital signature updat

Jason -

You should be able to apply a software upgrade even with an expired license (not that your's is expired).

You should be able to apply 7.0(6)E4 on a sensor running 7.0(5)E4 too.

Here are some possible solutions/things to try:

Check the Checksum on the files you downloaded to verify they are not currupt.

Download and apply the 7.0(5)E4 recovery image (your 7.0(4)E4 recover image applied properly)

Try applying the upgrade via the CLI on the sensor:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/ime/ime_system_images.html#wp1088691

- Bob

New Member

Cannot upgrade software on sensor due to digital signature updat

Hi Bob,

Let's do this...let's forget I ever posted anything about this.  cool? 

It ranks in the PEBKAC, ID10t, and Layer 8 category.

Cisco Employee

Cannot upgrade software on sensor due to digital signature updat

You've experience a very common area of confusion.

There are multiple different file types of the same version.

Some of which can be applied through IDM and CLI, and otherwise which can only be applied through other methods.

Basic Types:

System Images

Recovery Packages

Uprgade Packages

System Images have "-sys-" in the filename and generally end in .img.

These files can Not be installed through IDM or the CLI.

These files will erase the entire compact flash and install a completely new image on the system.

These files are generally only used when trying to get back to an Older image, or when you believe that the current image on the sensor has been Corrupted.

They are not recommended for upgrading as the configuration of the sensor will be completely removed during erasing of the compact flash.

They are installed through either ROMMON (on appliances), from the hw-module recover command of the ASA (on ASA IPS modules), through the bootloader (on AIM and NME router modules), or through the maintenance partition (in the IDSM2 Cat 6K module).

In your case it was a System Image you were trying to install through IDM, which is not allowed.

Recovery Packages have "-r-" in the filename and end in .pkg.

They will re-image the Recovery partition of the sensor.

They are installed using IDM or the CLI upgrade command.  (.pkg files work with the Upgrade command)

The "recover" command on the sensor can then be used to boot to the Recovery Partition and re-image the Application partition to that version.

The "recover" can be done from a remote box through an SSH connection to the sensor.  Unlike System Images which often require a Console connection or connection to the hosting device.

Recovery Packages are recommended when you believe that the current image on the sensor has been Corrupted.

They can often be used for Downgrading to an older version, but this is not officially supported (and will sometimes fail, if it fails then you need to use a System Image instead).

Upgrade Packages come in different types.

Major, Minor, and Service Pack upgrade files do not have a designator in their name, and usually just have the platform and version.

Signature Updates have "-sig-" in the name.

Engine Updates have "-engine-" in the name.

All Upgrade Packages end in .pkg.

Upgrade Packages can be installed using IDM or the CLI upgrade command.

In your situation you want to download the Upgrade file for 7.0-6-E4 instead of the System Image file.

Because the SSM-20 has the common architecture it will use the standard upgrade file that does not list the platform name.

The package you want is IPS-K9-7.0-6-E4.pkg.

New Member

Cannot upgrade software on sensor due to digital signature updat

Thank you for the detailed explanation.  I was indeed trying to install the .img file. I downloaded the pkg file and amazingly it worked.

1016
Views
8
Helpful
6
Replies
CreatePlease to create content