initial hookup of IPS-SSM in an ASA to a switch

choclateer
Level 1

I have an ASA-5520 with an IPS-SSM-40. I configured the IPS control port to an IP address on the ASA's inside network subnet and connected it to the same switch as the ASA's inside port is connected to. I am using a single context. What VLAN should the switch port be on that connects to the IPS?

I can SSH to the ASA and go to session 1 and see the config. But I cannot connect through the ASDM.

ASA 5500 Series Security Services Module-40
Model:              ASA-SSM-40
Hardware version:   1.0
Serial Number:      JAF1545CBNM
Firmware version:   1.0(14)5
Software version:   6.0(6)E4
MAC Address Range:  44d3.ca0f.0413 to 44d3.ca0f.0413
App. name:          IPS
App. Status:        Up
App. Status Desc:
App. version:       6.0(6)E4
Data plane Status:  Up
Status:             Up
Mgmt IP addr:       192.168.0.12
Mgmt web ports:     443

Mgmt TLS enabled:   true

13 Replies

Jennifer Halim
Cisco Employee

what is your PC ip address, and can the PC connect to the IPS module ip address?

Have you configured access-list on the IPS module itself to allow your PC to manage it?

You can just run the "setup" command once you session into the module from the ASA, and there will be an option to add the ip address/subnet to manage the IPS.

I am working remotely, so my IP address changes. Just for initial setup I have the access-list set to 0.0.0.0/0 so that's not what is stopping it. I can SSH to the ASA, then go to session 1, and I am in the IPS-SSM. I cannot HTTPS directly to the sensor. The control interface, gi0/0, is up. From the sensor I can ping the gateway and the ASA inside address.

I keep getting an error:

error connecting to sensor. error loading sensor

When you say you are working remotely, are you connecting from the internet? or are you VPN in and then trying to access the IPS module?

Can you pls share the ASA config too. Thx

I am running ASDM and Putty from the internet. AnyConnect is setup and works. Config file is attached.

PS. I notice in the older support forum posts that this problem was common in version 6 and not so much in version 7. Should I just load version 7 on the IPS-SSM?

great idea.. pls upgrade to the latest version of 7.x

I tried to upgrade, but I could not do it remotely. The ASA could not reach my laptop with tftp. I used AnyConnect to start a VPN session that I thought would carry the tftp, then opened a Putty session to the ASA outside address. I could not ping the tftp server from the ASA.

So I must have an error in the firewall configuration, which is probably the root cause of my original problem. I looked at the NAT section and the outside ACL and made a change but it didn't help. On the ACL I added a permit from the vpn subnet to the inside subnet. In NAT I added a static translation from the IPS management address to the vpn subnet in both directions.

Any ideas?

The config that you have earlier should already allow access to the IPS via AnyConnect. Pls remove the config that you have just added as it sounds incorrect.

Can you ping the IPS from the AnyConnect client?

I assume that you can ping 192.168.0.31 and 192.168.0.4 when you are connected via AnyConnect, right?

If you can, then you should be able to ping 192.168.0.12 as well. I also assume that the port on the module is connected to the same switch where the ASA inside interface is connected.

Can you install a TFTP server on a host on your inside network, and transfer the image to the IPS module via an inside host. I assume you can RDP to an inside host once you are connected via AnyConnect.

No I cannot ping either address from the AnyConnect client. They are connected to the same switch on the inside.

Meaning, your AnyConnect is never working?? or are you able to access anything with your AnyConnect?

Which tunnel-group do you use?

I am using tunnel group=Creamery AnyConnect which uses GroupPolicy_Creamery Anyconnect. Most of the tunnel groups are from the original PIX that this ASA is replacing and only do IPSEC.

Pls add the following:

access-list split-creamery-acl standard permit 192.168.0.0 255.255.255.0
group-policy "GroupPolicy_Creamery Anyconnect" attributes
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value split-creamery-acl

Jennifer,

That didn't work either. I still can't ping. I am going to convert this to a TAC case.

Thanks

Mike

Jennifer,

Thanks for all your help. There was nothing wrong with the ASA after all. It turned out to be a routing statement in the core switch.
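An added example, not code from the thread or from Cisco: it models the two checks the discussion turned on, whether a destination such as the IPS management address (192.168.0.12) even enters the AnyConnect tunnel under Jennifer Halim's split-tunnel ACL, and whether the core switch has a return route for the VPN pool pointing at the ASA inside address (192.168.0.4), which is the kind of routing statement that turned out to be the real cause. The AnyConnect pool (10.10.10.0/24), the client address and the core switch's routing tables are constructed assumptions, as is the assumption that inside hosts default-route to the core switch.

```python
import ipaddress

# Jennifer Halim's split-tunnel ACL from the thread, in standard-ACL syntax.
SPLIT_ACL = "access-list split-creamery-acl standard permit 192.168.0.0 255.255.255.0"
ASA_INSIDE = "192.168.0.4"   # ASA inside address named in the thread
# Constructed assumptions: the AnyConnect pool address and the core switch's routes.
CLIENT_IP = "10.10.10.5"
CORE_ROUTES_BROKEN = {"0.0.0.0/0": "203.0.113.1"}   # no route back to the VPN pool
CORE_ROUTES_FIXED = {"0.0.0.0/0": "203.0.113.1", "10.10.10.0/24": ASA_INSIDE}

def parse_split_acl(text, name):
    """Collect networks from 'access-list NAME standard permit NET MASK' lines."""
    nets = []
    for line in text.splitlines():
        p = line.split()
        if len(p) == 6 and p[:4] == ["access-list", name, "standard", "permit"]:
            nets.append(ipaddress.ip_network(f"{p[4]}/{p[5]}", strict=False))
    return nets

def enters_tunnel(dst, policy, nets):
    """tunnelall sends every packet down the tunnel; tunnelspecified only listed nets."""
    return policy == "tunnelall" or any(ipaddress.ip_address(dst) in n for n in nets)

def next_hop(dst, routes):
    """Longest-prefix match over a prefix -> next-hop table; None when nothing matches."""
    d = ipaddress.ip_address(dst)
    matches = [ipaddress.ip_network(p) for p in routes if d in ipaddress.ip_network(p)]
    if not matches:
        return None
    return routes[str(max(matches, key=lambda n: n.prefixlen))]

def diagnose(client_ip, dst, policy, acl_text, acl_name, routes):
    """Why an AnyConnect client can or cannot reach an inside host such as the IPS."""
    if not enters_tunnel(dst, policy, parse_split_acl(acl_text, acl_name)):
        return "not tunneled: destination is outside the split-tunnel list"
    # Inside hosts default-route to the core switch, so its table decides the reply path.
    hop = next_hop(client_ip, routes)
    if hop != ASA_INSIDE:
        return f"reply misrouted: core switch sends {client_ip} to {hop}, not the ASA"
    return "ok"

if __name__ == "__main__":
    for routes in (CORE_ROUTES_BROKEN, CORE_ROUTES_FIXED):
        print(diagnose(CLIENT_IP, "192.168.0.12", "tunnelspecified", SPLIT_ACL,
                       "split-creamery-acl", routes))
```

With the broken table the ASA-side split-tunnel change makes no difference, which matches the thread: the client's packets reach the IPS but the replies never come back.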
