
ssm-ips on asa

suthomas1
Level 6

Two ASAs with IPS modules are in place at our centres. One of the modules in them seems not to be present.
However, both ACLs for IPS on the primary and secondary ASAs have hit counts increasing.
These were configured by one of my previous colleagues and I am not exposed to IPS things.
I would appreciate it if someone could help me understand why the ACL shows hits on an ASA with no IPS actually present, what it is registering at present, and if so, how to find that out.

I would like to configure the IPS fully in the primary ASA and to see its results. Please advise how this can be done, with
any commands to check the configuration or what else needs to be configured.

Primary FW:

Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- --------------------------
  1 IPS                            Not Applicable   5.1(2)S240.0

access-list chk-Ips extended permit ip any any (hitcnt=2945667)

++++++++++++++++++++

Secondary FW:

Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- --------------------------

access-list chk-Ips extended permit ip any any (hitcnt=1984842)


praprama
Cisco Employee

Hi,

First off, are the 2 ASAs in failover? If so, please post the output of "show failover" from both the ASAs.

Second, when you give the command "show service-policy", do you see the counters increasing for packets being redirected to the IPS module? Please post the output of "show modu 1 det", "show run policy-map" and "show run service-policy" from both the ASAs.

Thanks and Regards,

Prapanch

Hi,

Both ASAs are in a failover state. Command results are as seen below:

(Some information has been changed for reasons known.) Thank you.

Primary -

Failover On
Failover unit Primary
Failover LAN Interface: failover Management0/0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.0(4), Mate 8.0(4)
Last Failover at Apr 11 2010
        This host: Primary - Active
                Active time: 18135322 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.0(4)) status (Up Sys)
                  Interface local (x.x.x.x): Normal
                  Interface demili (x.x.x.x): Link Down (Not-Monitored)
                  Interface public (x.x.x.x: Normal
                slot 1: ASA-SSM-10 hw/sw rev (1.0/5.1(2)S240.0) status (Down/Up)
                  IPS, 5.1(2)S240.0, Not Applicable
        Other host: Secondary - Standby Ready
                Active time: 4903690 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.0(4)) status (Up Sys)
                  Interface local (x.x.x.x) Normal
                  Interface demili (x.x.x.x) Normal (Not-Monitored)
                  Interface public (x.x.x.x) Normal
                slot 1: ASA-SSM-10 hw/sw rev (1.0/) status (Down/Up)

Stateful Failover Logical Update Statistics
        Link : failover Management0/0 (up)
        Stateful Obj    xmit       xerr       rcv        rerr     
        General         268398284  0          37804364   2        
        sys cmd         2938478    0          2938478    0        
        up time         0          0          0          0        
        RPC services    0          0          0          0        
        TCP conn        263264819  0          34508386   0        
        UDP conn        1085810    0          205        0        
        ARP tbl         1109177    0          357295     2        
        Xlate_Timeout   0          0          0          0        
        VPN IKE upd     0          0          0          0        
        VPN IPSEC upd   0          0          0          0        
        VPN CTCP upd    0          0          0          0        
        VPN SDI upd     0          0          0          0        
        VPN DHCP upd    0          0          0          0        
        SIP Session     0          0          0          0       

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       4       42707786
        Xmit Q:         0       1       285533931

----
Interface Inside:
  Service-policy: chk-Ips-PMAP
    Class-map: chk-Ips-CMAP
      IPS: card status Down, mode promiscuous fail-open
        packet input 0, packet output 8221, drop 0, reset-drop 0

Interface outside:
  Service-policy: chk-Ips-PMAP
    Class-map: chk-Ips-CMAP
      IPS: card status Down, mode promiscuous fail-open
        packet input 0, packet output 0, drop 0, reset-drop 0
-----
sh module 1 details
Getting details from the Service Module, please wait...
Unable to read details from slot 1
ASA 5500 Series Security Services Module-10
Model:              ASA-SSM-10
Hardware version:   1.0
Firmware version:   1.0(10)0
Software version:   5.1(2)S240.0
App. name:          IPS
App. Status:        Not Applicable
App. Status Desc:   Not Applicable
App. version:       5.1(2)S240.0
Data plane Status:  Not Applicable
Status:             Down
-----
policy-map chk-Ips-PMAP
class chk-Ips-CMAP
  ips promiscuous fail-open
-----
service-policy global_policy global
service-policy chk-Ips-PMAP interface local
service-policy chk-Ips-PMAP interface public

____________________________________________________________________________________________

Secondary-

Failover On
Failover unit Secondary
Failover LAN Interface: failover Management0/0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.0(4), Mate 8.0(4)
Last Failover at Apr 11 2010
        This host: Secondary - Standby Ready
                Active time: 3546444 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.0(4)) status (Up Sys)
                  Interface local (x.x.x.x): Normal
                  Interface demili (x.x.x.x): Link Down (Not-Monitored)
                  Interface public (x.x.x.x): Normal
                slot 1: ASA-SSM-10 hw/sw rev (1.0/) status (Down/Up)
        Other host: Primary - Active
                Active time: 17135843 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.0(4)) status (Up Sys)
                  Interface local (x.x.x.x): Normal
                  Interface demili (x.x.x.x): Normal (Not-Monitored)
                  Interface public (x.x.x.x): Normal
                slot 1: ASA-SSM-10 hw/sw rev (1.0/5.1(2)S240.0) status (Down/Up)
                  IPS, 5.1(2)S240.0, Not Applicable

Stateful Failover Logical Update Statistics
        Link : failover Management0/0 (up)
        Stateful Obj    xmit       xerr       rcv        rerr     
        General         37804480   0          268398837  0        
        sys cmd         2938552    0          2938552    0        
        up time         0          0          0          0        
        RPC services    0          0          0          0        
        TCP conn        34508426   0          263265290  0        
        UDP conn        205        0          1085781    0        
        ARP tbl         357297     0          1109214    0        
        Xlate_Timeout   0          0          0          0        
        VPN IKE upd     0          0          0          0        
        VPN IPSEC upd   0          0          0          0        
        VPN CTCP upd    0          0          0          0        
        VPN SDI upd     0          0          0          0        
        VPN DHCP upd    0          0          0          0        
        SIP Session     0          0          0          0       

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       10      285535063
        Xmit Q:         0       26      42707906
---
Interface Inside:
  Service-policy: chk-Ips-PMAP
    Class-map: chk-Ips-CMAP
      IPS: card status Down, mode promiscuous fail-open
        packet input 0, packet output 0, drop 0, reset-drop 0

Interface outside:
  Service-policy: chk-Ips-PMAP
    Class-map: chk-Ips-CMAP
      IPS: card status Down, mode promiscuous fail-open
        packet input 0, packet output 0, drop 0, reset-drop 0
----
Getting details from the Service Module, please wait...
Unable to read details from slot 1
ASA 5500 Series Security Services Module-10
Model:              ASA-SSM-10
Hardware version:   1.0
Firmware version:   1.0(10)0
Software version:  
Data plane Status:  Not Applicable
Status:             Down
-----
policy-map chk-Ips-PMAP
class chk-Ips-CMAP
  ips promiscuous fail-open
------
service-policy global_policy global
service-policy chk-Ips-PMAP interface local
service-policy chk-Ips-PMAP interface public

Hi,

The failover is still working fine because the IPS modules on both the ASAs are "down". Also, on the secondary though you see acl hit count increasing, there are no packets being redirected to the IPS modules as seen from "show service-policy".

I am not sure why the "show modu" output does not show any IPS module though we can see it in "show failover" and "show modu 1 det". It seems like the IPS in the secondary ASA has no image installed on it. Try reseating and re-imaging the IPS module on the secondary and the primary and see if it helps bring the status UP.

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_system_images.html#wp1230355

Thanks and Regards,

Prapanch
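The check described in the reply above, as an added example that is not part of the original thread and not a Cisco tool: a small Python script that parses the "show service-policy" and "show failover" excerpts posted earlier (re-typed here as constructed sample strings, trimmed to the relevant lines) and reports, per interface, whether traffic is actually being inspected. The class-map match ACL counts every packet it matches (permit ip any any), which is why the hit count keeps climbing even though the card is Down; with "ips promiscuous fail-open" a Down card means those packets pass through uninspected. The state labels (BYPASSED_UNINSPECTED and so on) are this example's own, not ASA terminology.

```python
import re

# Constructed sample text modelled on the thread's "show service-policy" output
# (not captured from a live device; values copied from the post above).
SHOW_SERVICE_POLICY = """\
Interface Inside:
  Service-policy: chk-Ips-PMAP
    Class-map: chk-Ips-CMAP
      IPS: card status Down, mode promiscuous fail-open
        packet input 0, packet output 8221, drop 0, reset-drop 0

Interface outside:
  Service-policy: chk-Ips-PMAP
    Class-map: chk-Ips-CMAP
      IPS: card status Down, mode promiscuous fail-open
        packet input 0, packet output 0, drop 0, reset-drop 0
"""

# Constructed sample text modelled on the slot lines of "show failover".
SHOW_FAILOVER = """\
        This host: Primary - Active
                slot 0: ASA5520 hw/sw rev (2.0/8.0(4)) status (Up Sys)
                slot 1: ASA-SSM-10 hw/sw rev (1.0/5.1(2)S240.0) status (Down/Up)
        Other host: Secondary - Standby Ready
                slot 0: ASA5520 hw/sw rev (2.0/8.0(4)) status (Up Sys)
                slot 1: ASA-SSM-10 hw/sw rev (1.0/) status (Down/Up)
"""

IFACE = re.compile(r"^Interface (\S+):")
IPS_LINE = re.compile(r"IPS: card status (\w+), mode (\w+) (fail-open|fail-close)")
COUNTERS = re.compile(r"packet input (\d+), packet output (\d+), drop (\d+), reset-drop (\d+)")
HOST = re.compile(r"host: (\w+) - ")
SLOT1 = re.compile(r"slot 1: .*status \(([^)]+)\)")


def parse_service_policy(text):
    """Return {interface: {status, mode, fail_action, input, output, drop, reset_drop}}."""
    result, current = {}, None
    for line in text.splitlines():
        m = IFACE.match(line)
        if m:
            current = m.group(1)
            result[current] = {}
            continue
        m = IPS_LINE.search(line)
        if m and current:
            result[current].update(status=m.group(1), mode=m.group(2), fail_action=m.group(3))
            continue
        m = COUNTERS.search(line)
        if m and current:
            keys = ("input", "output", "drop", "reset_drop")
            result[current].update(zip(keys, map(int, m.groups())))
    return result


def assess(policy):
    """Classify each interface's effective inspection state (labels are this example's own)."""
    findings = {}
    for iface, p in policy.items():
        if p.get("status") == "Up":
            findings[iface] = "INSPECTING" if p.get("input", 0) > 0 else "UP_NO_TRAFFIC"
        elif p.get("fail_action") == "fail-open":
            # Card down + fail-open: the ASA keeps forwarding, nothing is inspected.
            findings[iface] = "BYPASSED_UNINSPECTED"
        else:
            # Card down + fail-close: matched traffic is dropped instead.
            findings[iface] = "BLOCKED"
    return findings


def parse_failover_modules(text):
    """Return {host_role: slot 1 status} from the failover output, e.g. {'Primary': 'Down/Up'}."""
    hosts, role = {}, None
    for line in text.splitlines():
        m = HOST.search(line)
        if m:
            role = m.group(1)
            continue
        m = SLOT1.search(line)
        if m and role:
            hosts[role] = m.group(1)
    return hosts


def module_states_symmetric(hosts):
    """True when both failover units report the same slot 1 state."""
    return len(set(hosts.values())) <= 1


if __name__ == "__main__":
    policy = parse_service_policy(SHOW_SERVICE_POLICY)
    for iface, state in assess(policy).items():
        print(f"{iface}: {state} ({policy[iface]})")
    hosts = parse_failover_modules(SHOW_FAILOVER)
    print("slot 1 per unit:", hosts, "symmetric:", module_states_symmetric(hosts))
```

The symmetric-state check mirrors the point in the reply that the pair is stable because both modules are Down; after re-imaging one module, re-run "show failover" on both units and confirm the slot 1 states still match before relying on failover. If uninspected pass-through is not acceptable while the card is being repaired, the policy keyword "fail-close" drops the matched traffic instead of forwarding it, at the cost of an outage on those interfaces.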

Thanks for that. It is likely (I was told so) that the secondary ASA has a faulty IPS, which has either been taken out of the module slot or is not working due to the problem.

I have not had any chance to physically see the status.

Since one of the ASAs has IPS packets being directed to it, how can we check what these counts are, or which packets are being inspected by the IPS?

Any links for reference would also help. We need to see what the IPS is detecting and how to mitigate if it is a threat.

Thanks.

Hi,

Well, all IP packets are being redirected to the IPS module as per the access-list configuration (permit ip any any). But I am not sure if the IPS is actually inspecting anything, as the IPS on the primary ASA is "down" too.

If you manage to get GUI(IDM/IME) access to the module (https://IP_address_of_IPS), you can go to "Monitoring" and view all events being generated based on the packets being inspected by the IPS module.

Regards,

Prapanch

Is there a way to get the IP for the IPS with any command from the ASA?

Thanks.

The "show modu 1 det" on the ASA will give those details. But since the IPS is "down" as seen below:

sh module 1 details
Getting details from the Service Module, please wait...
Unable to read details from slot 1
ASA 5500 Series Security Services Module-10
Model:              ASA-SSM-10
Hardware version:   1.0
Firmware version:   1.0(10)0
Software version:   5.1(2)S240.0
App. name:          IPS
App. Status:        Not Applicable
App. Status Desc:   Not Applicable
App. version:       5.1(2)S240.0
Data plane Status:  Not Applicable
Status:             Down

We are not able to see those details. I would suggest reseating the module and then re-imaging it as well if that doesn't help.

Regards,

Prapanch

I appreciate your help; I will follow the advice and see the result.

Thank you.

Sure. Do let me know how it goes.

Thanks and Regards,

Prapanch
