Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

Upgrade IPS problem

Hi,

After upgrading to latest version IPS 7.0(7)E4, the IPS is not up right. In the ASA it appears Not Aplicable and i need to restart the module. Sometime later the IPS appears again Not Aplicable. I can not access via ssh or ASDM, only session 1.

I use Radius to autenthicate and local user if radius fail.

fw1# show module

Mod Card Type                                    Model              Serial No.

--- -------------------------------------------- ------------------ -----------

  0 ASA 5520 Adaptive Security Appliance         ASA5520            JMX1322L003

  1 ASA 5500 Series Security Services Module-10  ASA-SSM-10         JAF1405DBJD

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version

--- --------------------------------- ------------ ------------ ---------------

  0 0024.c49a.52be to 0024.c49a.52c2  2.0          1.0(11)2     8.4(3)

  1 0027.0dd2.cfa8 to 0027.0dd2.cfa8  1.0          1.0(11)5     7.0(7)E4

Mod SSM Application Name           Status           SSM Application Version

--- ------------------------------ ---------------- --------------------------

  1 IPS                            Not Applicable   7.0(7)E4

Mod Status             Data Plane Status     Compatibility

--- ------------------ --------------------- -------------

  0 Up Sys             Not Applicable

  1 Unresponsive       Not Applicable

7 REPLIES
New Member

Upgrade IPS problem

JUST RE-INSERT AND RESTART FIREWALL THEN SEE THE RESULT AND POST THE OUTPUT

REGARDS

RAJAT

Re: Upgrade IPS problem

I did inside asa these commands: hw-module module 1 recover configure and hw-module module 1 boot, after re-image its ok.

Now the problem is w Radius authentication, look the log. This feature was ok before update to last version..

evStatus: eventId=1328710491220984018 vendor=Cisco

  originator:

    hostId: IPS_JLLE_2

    appName: sshd

    appInstanceId: 27584

  time: 2012/02/08 18:47:22 2012/02/08 16:47:22 GMT-03:00

  syslogMessage:

    description: Illegal user ciscoworks from 172.16.100.9

evStatus: eventId=1328710491220984019 vendor=Cisco

  originator:

    hostId: IPS_JLLE_2

    appName: pam_tally

    appInstanceId: 27613

  time: 2012/02/08 18:47:22 2012/02/08 16:47:22 GMT-03:00

  syslogMessage:

    description: pam_tally: pam_get_uid; no such user ciscoworks

evStatus: eventId=1328710491220984020 vendor=Cisco

  originator:

    hostId: IPS_JLLE_2

    appName: sshd

    appInstanceId: 27613

  time: 2012/02/08 18:47:34 2012/02/08 16:47:34 GMT-03:00

  syslogMessage:

    description: pam_radius_helper: Authentication failed

evStatus: eventId=1328710491220984021 vendor=Cisco

  originator:

    hostId: IPS_JLLE_2

    appName: sshd(pam_unix)

    appInstanceId: 27613

  time: 2012/02/08 18:47:34 2012/02/08 16:47:34 GMT-03:00

  syslogMessage:

    description: check pass; user unknown

evStatus: eventId=1328710491220984022 vendor=Cisco

  originator:

    hostId: IPS_JLLE_2

    appName: sshd(pam_unix)

    appInstanceId: 27613

  time: 2012/02/08 18:47:34 2012/02/08 16:47:34 GMT-03:00

  syslogMessage:

    description: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=apl16

evStatus: eventId=1328710491220984023 vendor=Cisco

  originator:

    hostId: IPS_JLLE_2

    appName: sshd

    appInstanceId: 27584

  time: 2012/02/08 18:47:36 2012/02/08 16:47:36 GMT-03:00

  syslogMessage:

    description: error: PAM: Authentication failure

evStatus: eventId=1328710491220984024 vendor=Cisco

  originator:

    hostId: IPS_JLLE_2

    appName: pam_tally

    appInstanceId: 27626

  time: 2012/02/08 18:47:36 2012/02/08 16:47:36 GMT-03:00

  syslogMessage:

    description: pam_tally: pam_get_uid; no such user ciscoworks

evStatus: eventId=1328710491220984025 vendor=Cisco

  originator:

    hostId: IPS_JLLE_2

    appName: monitor

    appInstanceId: 359

  time: 2012/02/08 18:47:43 2012/02/08 16:47:43 GMT-03:00

  healthAndSecurity:

    description: Heartbeat

    healthStatus: green

    securityStatus:

      virtualSensor: vs0

New Member

Upgrade IPS problem

I do have the same issue. Just uupgraded AIP-SSM IPS module from 7.0.5a to 7.0.7 - the module reloaded after upgrade as expected and then went also into unresponsive. A hw-module reload was not possible, than moved (after waiting a period of time) to hw-module shut und reset.

Afterwards the module was running, but login via ASA session, SSH and HTTPS was always denied. I'm also using external radius authentication. Sadly also the local user is not able to login anymore. To make things even worser: I did a password recovery for the cisco users, I'm able not to login via session but the cisco User is read-only. I've always maintained the device with a separate local users, where it seems there is no remote password recovery method.

I'll now look physically with a console cable, if I could find something.

For me it looks like either I've oversean something in the release notes or the new version is not been tested very well? (I've upgrading regularly during the year since at least three years without such issues.)

New Member

Upgrade IPS problem

After removing and reinserting the module was reachable for some time and then went again into unresponsive:

# show module 1 details

Getting details from the Service Module, please wait...

Unable to read details from slot 1

ASA 5500 Series Security Services Module-40

Model:              ASA-SSM-40

Hardware version:   1.0

Serial Number:    

Firmware version:   1.0(14)5

Software version:   7.0(7)E4

MAC Address Range:

App. name:          IPS

App. Status:        Not Applicable

App. Status Desc:   Not Applicable

App. version:       7.0(7)E4

Data plane Status:  Not Applicable

Status:             Unresponsive

Re: Upgrade IPS problem

Unfourtnetly to fix this issue Unresponsive, i did this procedure: http://www.cisco.com/en/US/docs/security/ips/5.0/configuration/guide/cli/cliimage.html#wp1032373

All configuration was lost and after re-image IPS start UP and OK, but the problem with radius continues

Step 1 Log in to the ASA.

Step 2 Enter enable mode:

asa> enable

Step 3 Configure the recovery settings for AIP-SSM:

asa# hw-module module 1 recover configure



Note
If you make an error in the recovery configuration, use the hw-module module 1 recover stop command to stop the system reimaging and then you can correct the configuration.


Step 4 Specify the TFTP URL for the system image:

Image URL [tftp://0.0.0.0/]:

Example:

Step 5 Specify the command and control interface of AIP-SSM:

Port IP Address [0.0.0.0]:

Example:

Port IP Address [0.0.0.0]: 10.89.149.231

Step 6 Leave the VLAN ID at 0.

VLAN ID [0]:

Step 7 Specify the default gateway of the AIP-SSM:

ateway IP Address [0.0.0.0]: 

xample:

Gateway IP Address [0.0.0.0]: 10.89.149.254

Step 8 Execute the recovery:

asa# hw-module module 1 recover boot
New Member

Upgrade IPS problem

Hi Christian,

thank you - quite clear, did excatly the same just some minutes before your post. If reverted back to 7.0.5a, which is now working again as expected. Meaning (for documentation propose if other users do run into the same issue):

- hw-module module 1 shutdown

- hw-module module 1 reset

- hw-module module 1 recover configure

- using IPS-SSM_40-K9-sys-1.1-a-7.0-5a-E4.img

- hw-module module 1 recover boot

- login via session 1 cisco/cisco, set new password and go thru initial setup process

- reconfigure (copy/paste) with old config via cli session

- reset

- done ;-)

Radius Support seems still buggy, as I remeber is has been added some number of versions ago but also never reached the CLI AAA part. So I guess radius is somehow still not fully tested / undervalued. Just a guess.

Regards

Mathias

Re: Upgrade IPS problem

I re-imaged w 7.0.7(4) and all it's ok (only Radius not). Before update i used 7.0.6(4) and Authentication Radius works fine.

699
Views
0
Helpful
7
Replies
CreatePlease login to create content