cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4290
Views
8
Helpful
9
Replies

Error connecting to sensor. Error loading sensor

rebelscum
Level 1
Level 1

Hi, this might be a basic question but I would appreciate any help at all.

I have an ASA 5510 with SSM-10 module. Firewall all working fine, still haven't managed to log in to the IPS module, I keep getting the error

"Error connecting to sensor. Error loading sensor".

I believe the username + pw will be the default cisco pw (they should be, I have gone to Tools > IPS password reset). I just want to verify what would the IP address of the IPS module be? [I have previously changed my management port to 192.168.2.1].

Also where exactly should the SSM-10 ethernet port be connected to, physically? The management port or a switch on my LAN? Or do I activate one of the spare interfaces & connect it to one of those? Sorry just a bit confused.

IPS login.PNG

9 Replies 9

Arsen Gharibyan
Level 1
Level 1

Hello . 1 st you need to connect interface on IPS (Management only) to your switch and have proper routing if it uses different subnet (other than ur LAN)

2. to identify the ip address do following

ASA# show module 1 detail --- it will show all configuration

3. login thru CLI to test the password

ASA# session 1

Thanks very much for your reply, CLI entries below:

Result of the command: "show module 1 detail"

Getting details from the Service Module, please wait...

ASA 5500 Series Security Services Module-10

Model:              ASA-SSM-10

Hardware version:   1.0

Firmware version:   1.0(11)5

Software version:   7.0(2)E4

App. name:          IPS

App. Status:        Up

App. Status Desc: 

App. version:       7.0(2)E4

Data plane Status:  Up

Status:             Up

Mgmt IP addr:       192.168.1.2                                               

Mgmt Network mask:  255.255.255.0                                             

Mgmt Gateway:       192.168.1.1                                               

Mgmt web ports:     443                                                       

Mgmt TLS enabled:   true

- - - - - - - - - - - - - - - -

& when I enter 'session 1' this is what I get:

Result of the command: "session 1"

Opening command session with slot 1.

Connected to slot 1. Escape character sequence is 'CTRL-^X'.

Command session with slot 1 terminated.

Remote card closed command session. Press any key to continue.

- - - - - - -  -- - - - - - - - - -

When I first set up the firewall I changed the default management port interface from 192.168.1.1 to 192.168.2.1 because our voip network is already using 192.168.1.1. However to test if this could be related to the problem I enabled the spare interface & configured it as '192.168.1.1', I could log in to ASDM but couldn't get to IPS.

It sounds like your AIP-SSM is sick. It shouldn't reject a "session 1" connection via the backplane (ASA's CLI).

Check the status of your AIP-SSM with a "show module 1" from the ASA CLI. It should look similar to what's shown below. If the module status is not "Up", you can reset, reload, recover or reimage it.

http://www.cisco.com/en/US/docs/security/ips/5.0/configuration/guide/cli/clissm.html#wp1034193

- Bob

ASA# show module 1

Mod  Card Type                                    Model              Serial No.

---- -------------------------------------------- ------------------ -----------

   1 ASA 5500 Series Security Services Module-10  ASA-SSM-10         JAF5551111

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version

---- --------------------------------- ------------ ------------ ---------------

   1 001a.xxxx.xxxx to 001a.xxxx.xxxx  1.0          1.0(11)2     7.1(6)E4

Mod  SSM Application Name           Status           SSM Application Version

---- ------------------------------ ---------------- --------------------------

   1 IPS                            Up               7.1(6)E4

Mod  Status             Data Plane Status     Compatibility

---- ------------------ --------------------- -------------

   1 Up                 Up

the only way to change the IP address is to login to the IPS module.

If you IPS show all UP

the commands are :

sensor#conf t

service host

network-settings

host-ip  X.X.X.X/24,DefaultGateway

P.S add ACL allowing management from same network

or just reimage the ips

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_system_images.html#wp1332070

I did finally manage to run a 'session 1' via putty, & if I then run 'setup' which takes me through the setup process.

In the 'acl' part of the setup I permitted the management & inside networks. I also tried changing the ip address of the IPS & the gateway to correspond with the management port ip ie 192.168.2.2/24,192.168.2.1

However I still can't log in to IPS via ASDM - same 'error loading sensor'.

I ran a show module 1 (below), which I think looks ok.

Result of the command: "show module 1"

Mod Card Type                                    Model              Serial No.

--- -------------------------------------------- ------------------ -----------

1 ASA 5500 Series Security Services Module-10  ASA-SSM-10         JAF1545555

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version   

--- --------------------------------- ------------ ------------ ---------------

  1 30e4xxxxxxxx to 30e4xxxxxxxxxx  1.0          1.0(11)5     7.0(2)E4

Mod SSM Application Name           Status           SSM Application Version

--- ------------------------------ ---------------- --------------------------

  1 IPS                            Up               7.0(2)E4

Mod Status             Data Plane Status     Compatibility

--- ------------------ --------------------- -------------

  1 Up                 Up                   

**********************

In SSH, when I 1st log in, I get this license notice, is that relevant?

***LICENSE NOTICE***

There is no license key installed on the SSM-IPS10.

The system will continue to operate with the currently installed

signature set.  A valid license must be obtained in order to apply

signature updates.  Please go to http://www.cisco.com/go/license

to obtain a new license or install a license.

**********************

Your "sh mod 1" looks good. It's also a good sign that you can get into your sensor via "session 1".

The ACL you entered in setup is the allowed hosts, and if you included the subnet that your ASA M0/0 interface is on, you should be good. (at this point, you could also leave the ACL empty and accept ALL incoming ssh sessions).

Since your sensor appears to be responding properly (you were able to run the "setup" command), you should check your networking connections next:

Do you have an Ethernet cable plugged into the AIP-SSM Ethernet port?

Can you ping the gateway from the AIP-SSM sensor CLI?

- Bob

Yes I have a standard ethernet cable connecting the AIP-SSM ethernet port to a port on our std Cisco LAN switch.

In putty I can ssh into the firewall, & from there I can ping the gateway. However if I do a 'session 1' & log into the SSM module, I can no longer ping the gateway (100% packet loss).

There's various settings in the SSM 'setup' under Advanced which I have left untouched, does this look right?

Advanced Setup

Modify interface/virtual sensor configuration?[no]: yes

Command control: GigabitEthernet0/0

Unassigned:

  Monitored: GigabitEthernet0/1

Virtual Sensor: vs0

  Anomaly Detection: ad0

  Event Action Rules: rules0

  Signature Definitions: sig0

Rebel -

Your SSM setup looks correct, but your problem is the lack of network connectivity form the Management port (Gi0/0) on your AIP-SSM module. Track down why you can't ping your gateway address from the AIP-SSM.

Does the interface show as "up" in the AIP-SSM CLI (sh int) and your switch?

Does your switch have the correct MAC address entry for the AIP-SSM interface on the switch port? Is it in the correct VLAN?

Do you have a duplicate IP address on your network?

- Bob

thanks very much for your advice Bob, my 'sh int' entry below is showing 'link status = up', as far as I'm aware our switches didn't have any special port configuration but its something I'll need to look into (they are SRW2024s).

# sh int

Interface Statistics

   Total Packets Received = 92794247

   Total Bytes Received = 114114975872

   Missed Packet Percentage = 0

   Current Bypass Mode = Auto_off

MAC statistics from interface GigabitEthernet0/0

   Interface function = Command-control interface

   Description =

   Media Type = TX

   Default Vlan = 0

   Link Status = Up

   Link Speed = Auto_1000

   Link Duplex = Auto_Full

   Total Packets Received = 522437

   Total Bytes Received = 57817209

   Total Multicast Packets Received = 25448

   Total Receive Errors = 0

   Total Receive FIFO Overruns = 0

   Total Packets Transmitted = 36

   Total Bytes Transmitted = 2304

   Total Transmit Errors = 0

   Total Transmit FIFO Overruns = 0

MAC statistics from interface GigabitEthernet0/1

   Interface function = Sensing interface

   Description =

   Media Type = backplane

   Default Vlan = 0

   Inline Mode = Unpaired

   Pair Status = N/A

   Hardware Bypass Capable = No

   Hardware Bypass Paired = N/A

   Link Status = Up

   Admin Enabled Status = Enabled

   Link Speed = Auto_1000

   Link Duplex = Auto_Full

   Missed Packet Percentage = 0

   Total Packets Received = 92794255

   Total Bytes Received = 114114976809

   Total Multicast Packets Received = 0

   Total Broadcast Packets Received = 0

   Total Jumbo Packets Received = 0

   Total Undersize Packets Received = 0

   Total Receive Errors = 0

   Total Receive FIFO Overruns = 0

   Total Packets Transmitted = 92794255

   Total Bytes Transmitted = 114115165919

   Total Multicast Packets Transmitted = 0

   Total Broadcast Packets Transmitted = 0

   Total Jumbo Packets Transmitted = 0

   Total Undersize Packets Transmitted = 0

   Total Transmit Errors = 0

   Total Transmit FIFO Overruns = 0

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: