New Member

CSM to update IPS AIP -SSM

Hi all,

I need some help. I am configuring my CSM 3.1 to apply updates to my IPS AIP-SSM.

I went to the apply IPS tab and chose to update from cisco.com, but it just sits at processing for a long time.

I tried entering my username and password for the sensors or the CCO account, but still no improvement. Does anyone know how to configure this? I tried reading the user guide, but there are no examples.

Thanks


10 REPLIES
New Member

Re: CSM to update IPS AIP -SSM

Not a direct answer to your question: since the last release of the IPS software the sensors are able to manage the updates themselves. We are therefore not using CSM for updates anymore, which worked really fine.

New Member

Re: CSM to update IPS AIP -SSM

What is the difference between the IPS Service Pack Upgrade file and the IPS E2 Engine Update?

Do you have to upgrade the engine with IPS-engine-E2-req-5.1-7 before you install the IPS-K9-5.1-8-E2 service pack?

Thanks

Cisco Employee

Re: CSM to update IPS AIP -SSM

The IPS-engine-E2-req-5.1-7.pkg Engine Update file is just to upgrade an existing 5.1(7)E1 sensor to 5.1(7)E2.

It only changes the "engine" features of the sensor that are necessary for installing signature updates requiring E2. It does not change other files on the sensor.

The IPS-K9-5.1-8-E2.pkg Service Pack file is for upgrading the entire image to the next service pack level as well as upgrading the "engine" features. So you get all of the latest bug fixes.

So which to use?

If you are running 5.1(7)E1 then you will eventually want to get to 5.1(8)E2. But the upgrade to 5.1(8)E2 WILL require a reboot and so if running in an inline mode it should only be done during a scheduled network downtime. For most networks this could be a week or even a month before the downtime can be scheduled to do this type of upgrade. So the IPS-engine-E2-5.1-7.pkg file is a short term solution to get you to the E2 level required for signature updates, until you can schedule the upgrade to 5.1(8)E2.

The IPS-engine... file will NOT reboot the sensor. It will temporarily stop analysis, and if Software ByPass is set to auto then traffic will be allowed to pass through the sensor unanalyzed while the engine update takes place. Because the traffic will continue to flow with Software ByPass, most companies will allow an Engine update to be installed without having to schedule network downtime.

Of course, the above discussion was really only applicable when E2 was the latest Engine release. Now that E3 is out, the discussion really becomes how to get to E3.

There is Not an IPS-engine-E3-req-5.1-7.pkg engine update file.

So you must get to 5.1(8)E3 if you want to keep getting recent signature updates.

So then it just depends on your current IPS version.

If you are running 5.1(7)E2 or earlier version then you must schedule a downtime and install the IPS-K9-5.1-8-E3.pkg file in order to install the latest E3 required signature updates.

If you are running 5.1(8)E2 already, then you need to install the IPS-engine-E3-req-5.1-8.pkg file because the only thing needing to be upgraded is the Engine level to E3.

General Rules of Thumb:

Always ensure you are at the latest Service Pack level for the major/minor version train you are using. (5.1(8) in this case)

If you are running the latest Service Pack then you will be able to simply install an Engine Update when the next Engine Update comes out without having to schedule downtime.

If you are not at the latest Service Pack level then you will want to schedule a network downtime to do that upgrade within 60 days of the Service Pack being released.

If an Engine Update comes out before you get a chance to upgrade to the next Service Pack, then install the Engine Update for the prior Service Pack (that you should at least be at) as a temporary measure to keep getting signature updates. And schedule a Service Pack upgrade as soon as possible.

Why 60 days?

If a new Engine Update is released within 60 days of a Service Pack release, then the Engine Update will be released for both the latest Service Pack AND the one prior. But if the new Engine Update comes more than 60 days after the latest Service Pack, then an Engine Update will be created only for the latest Service Pack and not for the prior. This is why E3 was only released for 5.1(8). E3 was released more than 60 days after 5.1(8), so there was not an E3 for the prior 5.1(7).

So you see that an Engine Update for a prior Service Pack should be considered a temporary measure until you can get the next Service Pack installed.

If you wait too long another Engine Update might come out, and you might be forced into an immediate network downtime to get to the latest Service Pack.

As for whether you HAVE to install IPS-engine-E2-req-5.1-7.pkg before installing IPS-K9-5.1-8-E2.pkg (or, more importantly, IPS-K9-5.1-8-E3.pkg):

The answer is NO.

You can go directly from any 5.0 or 5.1 version directly to IPS-K9-5.1-8-E3.pkg.

New Member

Re: CSM to update IPS AIP -SSM

To take a sensor that is at E1 to E3, for example, can I just update the engine using IPS-engine-E2-req-5.1-7.pkg followed by

IPS-engine-E3-req-5.1-8.pkg, or can I just update with IPS-K9-5.1-8-E3.pkg, because that will reimage the whole sensor and the config will be gone?

If I do a show configuration and later paste it into the newly imaged sensor in config mode, will that auto-configure the sensor after a service pack (e.g. IPS-K9-5.1-8-E3.pkg), or is there a better measure, as there is no copy config tftp in the IPS?

Thanks

Cisco Employee

Re: CSM to update IPS AIP -SSM

A sensor that is currently at 5.1(7)E1

a) CAN be updated to 5.1(7)E2 using IPS-engine-E2-req-5.1-7.pkg.

b) CAN NOT be updated to 5.1(8)E3 using just IPS-engine-E3-req-5.1-8.pkg. The "req" in the filename means "requires". So IPS-engine-E3-req-5.1-8.pkg can only be installed on top of a 5.1(8)E2 and not a 5.1(7)E2 sensor.

c) CAN be updated to 5.1(8)E3 by first upgrading to 5.1(8)E2 using IPS-K9-5.1-8-E2.pkg, and then to 5.1(8)E3 using IPS-engine-E3-req-5.1-8.pkg.

d) CAN be directly updated to 5.1(8)E3 by using IPS-K9-5.1-8-E3.pkg. It installs the service pack and the engine update at one time.

As for the configuration question. You should always save your configuration off using "copy current-config ftp://x.x.x.x/directory/configfile" to copy it to a ftp server (or an scp server). When doing a service pack or an engine upgrade your current configuration will be automatically converted to work with the new upgrade. So your copy will not have to be manually applied if the upgrade is successful. Your copy is only needed if a problem happens during the upgrade.

NOTE: There are also System Image files for the same versions. System Image files should not be confused with the "Upgrade" files. Both will get you to the same version, but the System Image will clear out all config settings and reformat the compact flash (or harddrive). So with a System Image you would have to re-apply/re-create your configuration. While with an "Upgrade" file, the upgrade will automatically convert your config to work with the new version if the upgrade is successful.

System Imaging should only be used when the sensor is corrupted or you need to install an older version. System Images have "-sys-" in the name.
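The version rules spelled out in the two Cisco replies above (an engine "-req-" file installs only on top of the exact service pack named in the file name and needs no reboot; a service pack .pkg can be applied from any 5.0/5.1 version, reboots, and converts and re-applies the configuration; a "-sys-" image erases the configuration) are small enough to encode as a pre-flight check. This is an added example written for this page, not code from the thread or from Cisco. The file-name patterns, the "5.1(7)E1" version format, and the refusal to apply a .pkg that is not newer than the running version are assumptions drawn from the names quoted in the thread.

```python
"""Pre-flight check: does this IPS 5.x update file apply to this sensor?

Added example, not from the thread or Cisco. File-name and version formats
are assumed from the names quoted in the discussion.
"""
import re
from dataclasses import dataclass
from typing import Optional

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)E(\d+)$")                  # 5.1(7)E1
ENGINE_RE = re.compile(r"^IPS-engine-E(\d+)-req-(\d+)\.(\d+)-(\d+)\.pkg$")  # IPS-engine-E3-req-5.1-8.pkg
SP_RE = re.compile(r"^IPS-K9-(\d+)\.(\d+)-(\d+)-E(\d+)\.pkg$")              # IPS-K9-5.1-8-E3.pkg
SYS_RE = re.compile(r"^IPS-SSM_\d+-K9-sys-.+?-(\d+)\.(\d+)-(\d+)-E(\d+)\.img$")  # ...-sys-1.1-a-5.1-8-E3.img


@dataclass(frozen=True, order=True)
class Version:
    major: int
    minor: int
    sp: int
    engine: int

    def __str__(self) -> str:
        return f"{self.major}.{self.minor}({self.sp})E{self.engine}"

    @property
    def train(self):
        """Major/minor/service-pack level without the engine level."""
        return (self.major, self.minor, self.sp)


def parse_version(text: str) -> Version:
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised sensor version: {text!r}")
    return Version(*map(int, m.groups()))


@dataclass(frozen=True)
class Plan:
    applies: bool
    reason: str
    reboot: bool = False
    config_preserved: bool = True
    result: Optional[Version] = None


def plan_update(current: str, filename: str) -> Plan:
    cur = parse_version(current)

    if m := ENGINE_RE.match(filename):
        eng, maj, mnr, sp = map(int, m.groups())
        target = Version(maj, mnr, sp, eng)
        # "req" = requires: the file only installs on top of exactly that service pack.
        if cur.train != target.train:
            return Plan(False, f"{filename} requires {maj}.{mnr}({sp}); sensor is at {cur}")
        if cur.engine >= eng:
            return Plan(False, f"sensor is already at E{cur.engine} or later")
        # No reboot; analysis pauses and Software Bypass (if auto) passes traffic unanalysed.
        return Plan(True, "engine update: no reboot, traffic bypassed during install",
                    reboot=False, config_preserved=True, result=target)

    if m := SP_RE.match(filename):
        maj, mnr, sp, eng = map(int, m.groups())
        target = Version(maj, mnr, sp, eng)
        if cur.major != target.major:  # assumption: upgrade files stay within the major train
            return Plan(False, f"service pack is for {maj}.x; sensor is at {cur}")
        if target <= cur:              # assumption: going backwards needs a system image
            return Plan(False, f"{target} is not newer than {cur}; use a system image to downgrade")
        # Thread: any 5.0/5.1 sensor can go straight to 5.1(8)E3 with this file.
        return Plan(True, "service pack: re-images, converts and re-applies config; reboot required",
                    reboot=True, config_preserved=True, result=target)

    if m := SYS_RE.match(filename):
        maj, mnr, sp, eng = map(int, m.groups())
        target = Version(maj, mnr, sp, eng)
        return Plan(True, "system image: erases everything; config must be re-created",
                    reboot=True, config_preserved=False, result=target)

    return Plan(False, f"unrecognised file name: {filename}")


if __name__ == "__main__":
    for cur, fn in [("5.1(7)E1", "IPS-engine-E2-req-5.1-7.pkg"),
                    ("5.1(7)E2", "IPS-engine-E3-req-5.1-8.pkg"),
                    ("5.1(7)E1", "IPS-K9-5.1-8-E3.pkg")]:
        p = plan_update(cur, fn)
        print(f"{cur} + {fn}: applies={p.applies} reboot={p.reboot} "
              f"config_preserved={p.config_preserved} -> {p.result}: {p.reason}")
```

Run the check before copying a file to the sensor; a false result for a "-req-" file is exactly the 5.1(7)E2 versus 5.1(8)E2 mismatch described in point b) above, and a plan with config_preserved set to False is your cue that the "copy current-config ftp://..." backup is not optional.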

New Member

Re: CSM to update IPS AIP -SSM

Applying IPS-K9-5.1-8-E3 will not reimage the whole sensor and cause the config to be gone; that only happens when you use the image file IPS-SSM_10-K9-sys-1.1-a-5.1-8-E3.img. Is that right?

Thanks a lot

Cisco Employee (Accepted Solution)

Re: CSM to update IPS AIP -SSM

Both IPS-K9-5.1-8.pkg and IPS-SSM_10-K9-sys-1.1-a-5.1-8-E3.img will re-image both the recovery partition and application partition.

The System Image will erase everything before starting the imaging process.

The Service Pack Upgrade file will first take the current configuration and convert it to work with the new version and save it off. Also several other special files on the sensor (such as the license file) will be saved off. The imaging process will be run, and then the saved off files will be automatically re-applied to the sensor.

New Member

Re: CSM to update IPS AIP -SSM

Hi

We have the same problem with auto-downloading the signatures. We can download from cisco.com and then load them onto the IPS, but if we try to use the check box "enable signatures and engine update from cisco.com" and put in the username and password, the auto download does not work.

The model of the device is:

5510 Adaptive Security Appliance ASA5510

5500 Series Security Services Module-10 ASA-SSM-10

Cisco Employee

Re: CSM to update IPS AIP -SSM

I assume you are talking about configuring the sensor itself to automatically pull updates from cisco.com? (Rather than configuring CSM to pull down the updates and CSM then pushing the updates to the sensor.)

If so, then try executing "show statistics host" on the sensor's CLI. It should provide you statistics about its attempts to download the updates. Here is example output for a sensor where the username/password are incorrect for logging into cisco.com:

Auto Update Statistics
   lastDirectoryReadAttempt = 14:00:00 CST Thu Jan 22 2009
      =  Read directory: https://198.133.219.25//cgi-bin/front.x/ida/locator/locl
      =  Error: invalid user name/password combination
   lastDownloadAttempt = N/A
   lastInstallAttempt = N/A
   nextAttempt = 15:00:00 CST Thu Jan 22 2009

Check the output of your sensor and see if it is attempting updates, and what the status of the last update is.
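If you manage more than a couple of sensors, reading "show statistics host" by eye does not scale; the block quoted above is regular enough to parse and alert on. The following is an added example written for this page, not code from the thread or from Cisco. The sample outputs are constructed from the lines quoted in the reply above (the second one is a made-up healthy variant), and the field names, indentation and the shape of the surrounding sections are assumptions from that quote, not a specification of the command's full output.

```python
"""Parse the 'Auto Update Statistics' block of 'show statistics host' and
classify the sensor's auto-update health.

Added example, not from the thread or Cisco. Sample outputs are constructed;
the field set and layout are assumed from the quote in the reply above.
"""
import re
from datetime import datetime
from typing import Optional

# Constructed sample: an unrelated section first, then the block of interest,
# reproducing the auth failure quoted in the thread.
SAMPLE_AUTH_FAILURE = """\
General Statistics
   Last Change To Host Config (UTC) = 22-Jan-2009 19:35:12
   Command Control Port Device = Management0/0
Auto Update Statistics
   lastDirectoryReadAttempt = 14:00:00 CST Thu Jan 22 2009
      =  Read directory: https://198.133.219.25//cgi-bin/front.x/ida/locator/locl
      =  Error: invalid user name/password combination
   lastDownloadAttempt = N/A
   lastInstallAttempt = N/A
   nextAttempt = 15:00:00 CST Thu Jan 22 2009
"""

# Constructed healthy variant (assumed timestamps).
SAMPLE_OK = """\
Auto Update Statistics
   lastDirectoryReadAttempt = 14:00:00 CST Thu Jan 22 2009
      =  Read directory: https://198.133.219.25//cgi-bin/front.x/ida/locator/locl
   lastDownloadAttempt = 14:00:08 CST Thu Jan 22 2009
   lastInstallAttempt = 14:01:30 CST Thu Jan 22 2009
   nextAttempt = 15:00:00 CST Thu Jan 22 2009
"""

# "14:00:00 CST Thu Jan 22 2009": clock, zone abbreviation, date
TS_RE = re.compile(r"^(\d\d:\d\d:\d\d) ([A-Z]{3,4}) (\w{3} \w{3} \d{1,2} \d{4})$")


def parse_timestamp(text: str) -> Optional[datetime]:
    """Sensor timestamp -> naive datetime; the zone name is dropped, 'N/A' -> None."""
    if text.strip() == "N/A":
        return None
    m = TS_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    clock, _zone, date = m.groups()
    return datetime.strptime(f"{clock} {date}", "%H:%M:%S %a %b %d %Y")


def parse_auto_update(output: str) -> dict:
    """Return the fields of the Auto Update Statistics section only.

    'key = value' lines become entries; the indented '= text' lines that follow
    a key are collected as a list under '<key>_details'.
    """
    fields: dict = {}
    in_block = False
    last_key = None
    for line in output.splitlines():
        if not line.startswith(" "):            # unindented line = section header
            in_block = line.strip() == "Auto Update Statistics"
            continue
        if not in_block:
            continue
        stripped = line.strip()
        if stripped.startswith("="):            # detail/continuation line
            if last_key:
                fields.setdefault(f"{last_key}_details", []).append(stripped.lstrip("= ").strip())
            continue
        key, _, value = stripped.partition("=")
        last_key = key.strip()
        fields[last_key] = value.strip()
    return fields


def check_auto_update(output: str, now_text: str) -> str:
    """Classify health. `now_text` is the current time in the sensor's own format."""
    f = parse_auto_update(output)
    if not f:
        return "no-auto-update-block"
    if f.get("lastDirectoryReadAttempt", "N/A") == "N/A":
        return "never-attempted"                 # auto-update not enabled or not yet due
    errors = [d for d in f.get("lastDirectoryReadAttempt_details", []) if d.startswith("Error:")]
    if errors:
        msg = errors[-1]
        return ("auth-failure: " if "user name/password" in msg else "error: ") + msg
    nxt = parse_timestamp(f.get("nextAttempt", "N/A"))
    now = parse_timestamp(now_text)
    if nxt is not None and now is not None and nxt < now:
        return "overdue"                          # the scheduled attempt never ran
    return "ok"


if __name__ == "__main__":
    for name, sample in [("auth failure", SAMPLE_AUTH_FAILURE), ("healthy", SAMPLE_OK)]:
        print(f"{name}: {check_auto_update(sample, '14:30:00 CST Thu Jan 22 2009')}")
```

Feed it the captured command output from each sensor (for example over SSH from a scheduler) and page on anything other than "ok"; an "auth-failure" result is the cisco.com credential problem the reply above describes, while "overdue" catches a sensor that is silently no longer trying.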
