Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Cisco ASA 5510 + AIP-SSM

My Setup consist of:

Cisco ASA 5510 v8.0(2)

Cisco ASA-SSM10 IPS ver 5.0(2)S152.0

Q: I would like to know what is needed to upgrade the IPS to the latest Software version. There is currently no license present in my IPS.

Is it possible for me to upgrade from 5.0(2) straight to the latest 6.1(2)ES

3 REPLIES
New Member

Re: Cisco ASA 5510 + AIP-SSM

http://www.cisco.com/en/US/docs/security/ips/5.0/installation/guide/hwssm.html

Hardware and Software Requirements says it is supported to upgrade.

You need to obtain AIP-SSM image and follow the instruction given in the section "Reimaging AIP-SSM Using the recover configure/boot Command "

http://www.cisco.com/en/US/docs/security/ips/6.2/installation/guide/hw_system_images.html#wp1230355

I would highly recommend you to use "http://tftpd32.jounin.net/ " tftp server for the tftp operations.

Licenses is must to get live signature updates, you can request a Trail one from the IDM/licensing/Update License option.

Hope this helps you!

New Member

Re: Cisco ASA 5510 + AIP-SSM

Thanks for your reply.

I did a reimage as according to the cisco doc.

My AIP-SSM module is now on status recover and i can no longer session to my module.

I did a mistake, i did not configure its port ip address, that is the ip address of the IPS.

What can i do to recover my image? I cannot session to my module to set its ip address.

Cisco Employee

Re: Cisco ASA 5510 + AIP-SSM

On the ASA CLI you can execute "debug module-boot" which will help you see what settings are being used for the TFTP download, and what TFTP errors may be happening.

If you need to change a setting (like the IP Address), then you can execute "hw-module module 1 recover stop".

Then execute "hw-module module 1 recover configure" to correct the configuration.

Then execute "hw-module module 1 recover boot" again to try the recovery again.

(NOTE: You might have to wait till the module is Up or has timed out and Unresponsive before executing the "recover boot".)

--------

As a side note.

If you run "hw-module module 1 recover stop", and the module actually makes it to an Up state, then you have another alternative.

The recover method you are using above really only needs to be used when the SSM has experiences a problem and needs to be recovered.

The recovery method should generally not be used for upgrading to higher versions.

The recovery method will erase all configuration from the SSM.

If your SSM is running properly, then you can do an "upgrade" instead of a "recover".

For upgrade instructions refer to:

http://www.cisco.com/en/US/partner/docs/security/ips/6.1/configuration/guide/cli/cli_system_images.html#wp1142504

An SSM sensor running 5.0(2) IS able to upgrade to 6.1(2)E3 directly.

You will want to use the IPS-K9-6.1-2-E3.pkg upgrade file:

http://www.cisco.com/cgi-bin/tablebuild.pl/ips6

The easiest method is to actually push the upgrade to the sensor using IDM:

http://www.cisco.com/en/US/partner/docs/security/ips/5.0/configuration/guide/idm/dmadmin.html#wp1030863

Place the IPS-K9-6.1-2-E3.pkg file on your own desktop, then in IDM use the "Update is located on this client" option (Step 3 in the directions) to push that update to the sensor.

711
Views
0
Helpful
3
Replies