AIP-SSM maintenance of configuration in Active/Standby mode

So, I'm pretty new to the AIP-SSM but not to the ASA. It seems that very little of the AIP module configuration gets copied to the standby AIP, nothing other than what appears in the ASA config (ACLs, etc.). Thus, all elements of configuration specific to the module itself must be manually reproduced on the standby module, either entered by hand or with config copies moved between the two?

Planned in the future.

Tags: Cisco Security

Similar Questions

  • Replication of ASA AIP-SSM configuration

    People,

    Does the AIP-SSM replicate its configuration to the other AIP-SSM in an ASA active/standby pair?

    I mean, when I change the configuration on the active AIP-SSM, will the change be replicated to the other AIP-SSM?

    Thank you

    Yes, unfortunately all the IP addresses are the same. Configuration duplicates automatically from one unit to the other.

    Please kindly mark the message as answered if you have no other questions. Thank you...

  • transparent mode with AIP-SSM-20

    I currently have an ASA5510 in routed mode with an AIP-SSM-20.

    It is necessary to use a fiber-optic connection between the ASA and another ASA on the campus, so the AIP-SSM will need to be removed and replaced by the SSM-4GE. This part should present no problems.

    However, this will remove the IPS, and I still want to use IPS.

    So what I'm thinking is to get another ASA5510, install the AIP-SSM, configure the ASA for transparent mode and put it between the inside of the routed ASA and my local network. The transparent ASA would work strictly as an IPS appliance.

    The setup should look like this:

    Internal LAN <> transparent ASA with IPS <> routed ASA <> WAN

    Can the AIP-SSM still perform IPS with the ASA in transparent mode?

    Is it possible to configure the ASA and AIP-SSM such that traffic to and from a particular server completely bypasses the AIP-SSM?

    I have a couple of file servers which generate heavy traffic and could overload the AIP-SSM.

    Kind regards.

    AFAIR, there is no problem installing an AIP in a transparent firewall.

    "The ASA in transparent mode can run an AIP. In the event that the AIP fails,
    the IPS will fail-open and the ASA will continue to pass traffic.
    However, if an interface or cable fails, then traffic will stop. You
    would need a failover pair to account for this failure event, which
    means another ASA and matching AIP."

    And no, there is no problem excluding certain hosts/ports/subnets from IPS inspection via MPF.

    http://www.Cisco.com/en/us/docs/security/ASA/asa82/configuration/guide/IPS.html#wp1050744

    What I would consider, however, is whether the ASA 5510 as a second-level firewall for the 5520s will be enough.

    http://www.Cisco.com/en/us/products/ps6120/prod_models_comparison.html

    HTH,

    Marcin

  • ASA5510 and AIP-SSM-10 module in promiscuous mode

    Hello

    I have an ASA 5510 with the AIP-SSM-10 and want to use it just as an IDS in promiscuous mode.

    ASA 5510: ASA version 7.0(8)

    AIP-SSM-10: IPS version 5.0000 E2

    At this point, we would like to configure a single ASA interface to send traffic to the AIP for IDS inspection (and continue to use our existing third-party firewalls). Is this possible?

    The following discussion suggests this isn't:

    https://supportforums.Cisco.com/message/957351

    I have 22.1.100.2/28 configured on interface Eth0/0 (outside) and 10.5.100.3/24 on the AIP-SSM management interface, and the switchports (Cisco 6509) have been configured for SPAN.

    Thanks in advance for your advice.

    Kind regards

    Lay

    You are right. Unfortunately, the AIP module on the ASA firewall does not listen to SPAN traffic. If you want to use SPAN ports, then you can use the IPS appliance (IPS 4200 series) which supports inspecting SPAN traffic.

    PIX is also a firewall, not an IPS, and cannot be used as an IPS device.

  • Do I need two AIP-SSM modules if I'm in a failover configuration?

    Is it possible to use a single AIP-SSM module in two ASAs that are configured in active/standby?

    I would like to configure the module in the first ASA with the failover setting. Then, if the first ASA fails, I could physically remove the AIP-SSM module and place it in the second ASA.

    Would there be problems configuring it this way?

    Would the active/standby ASAs complain that there is only one AIP-SSM module?

    Thanks in advance.

    Hello

    You must have an AIP-SSM in both ASAs in order to run failover; without it, failover will not come up (because of hardware incompatibility).

    Kind regards

    Julio

  • Inline mode impossible on AIP-SSM

    I'm trying to get my SSM module running in inline mode with an ASA5520. In the service policy configuration, inline mode is selected, but on the IPS it says the backplane interface is promiscuous.

    Am I missing something obvious?

    Edit:

    The specific configuration lines all look ok:

    class-map outside-class
     match any
    policy-map outside-policy
     description IPS
     class outside-class
      ips inline fail-open

    You are encountering a bug in IDM.

    IDM is incorrectly assuming that the interface is in promiscuous mode.

    The sensor itself considers it just a monitored interface rather than inline or promiscuous. Each packet will have a header attached by the ASA that determines whether the packet should be monitored inline or promiscuously.

    This is fixed in a later IDM, which then just calls it a backplane interface instead of incorrectly assuming it's a promiscuous interface.

  • Configuration of AIP-SSM to monitor only

    Hi all

    We bought an AIP-SSM-20 for our ASA5520. Is there a way to enable the IPS feature but not block anything, i.e. just record events? It's just to see if any legitimate business traffic would be blocked.

    Thank you!

    Jacques

    Set the ASA to send traffic to the IPS in promiscuous mode by using the following command in a policy map:

    hostname(config-pmap-c)# ips {inline | promiscuous} {fail-close | fail-open} [sensor {sensor_name | mapped_name}]

    http://www.Cisco.com/en/us/docs/security/ASA/asa80/Getting_started/asa5500/quick/guide/aipssm.html

    George
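A worked MPF policy tying together the two answers above (excluding specific hosts from the module, from the transparent-mode thread, and running the module monitor-only, from George's answer). This is an added example, not configuration from either poster; the addresses, the ACL name and the class name are assumptions, while the `ips` keyword syntax and the fail-open/fail-close semantics are those of the documented command.

```cisco
! Traffic handed to the AIP-SSM: everything except two heavy file servers.
! Assumed addresses for the example: 192.168.10.10 and 192.168.10.11.
! A deny ACE means "not classified", so those flows never reach the module.
! Both directions are listed so the class matches whichever side opens
! the connection.
access-list IPS_TRAFFIC extended deny ip host 192.168.10.10 any
access-list IPS_TRAFFIC extended deny ip any host 192.168.10.10
access-list IPS_TRAFFIC extended deny ip host 192.168.10.11 any
access-list IPS_TRAFFIC extended deny ip any host 192.168.10.11
access-list IPS_TRAFFIC extended permit ip any any
!
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
!
policy-map global_policy
 class IPS_CLASS
  ! Phase 1, monitor only: promiscuous mode sends the sensor a copy of each
  ! packet, so it can alert but can never drop or reset a connection.
  ! fail-open keeps forwarding traffic when the module is down or rebooting.
  ips promiscuous fail-open
!
service-policy global_policy global
!
! Phase 2, once the event log shows no hits on legitimate traffic:
! same class, same ACL, but the module is now in the forwarding path.
!  policy-map global_policy
!   class IPS_CLASS
!    no ips promiscuous fail-open
!    ips inline fail-open
```

The same ACL works in transparent mode, since the class matches on IP headers, not on routing. Verify with `show service-policy` on the ASA (the IPS line reports the mode and packet input/output counts) and `show statistics analysis-engine` on the sensor. fail-open is an availability-over-security choice: while the module is down, for example during a signature or image upgrade, every packet in IPS_CLASS passes uninspected; fail-close drops it instead, which is the safer setting for an inline deployment that fronts a sensitive segment.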

  • AIP-SSM upgrade for ASA active/active

    Hello world!

    I need help upgrading the AIP-SSM modules to E4 on two ASAs that are in active/active state. Will I be able to do this without downtime? What are the considerations?

    AIPs are independent of ASA failover; however, the ASA can take the status of the AIP into account in failover decisions, which means it can fail over

    if it detects an AIP module going down on the active device.

    The best method for upgrading in this situation would be to set the failover status to active for all groups on the primary ASA, then upgrade the AIP in the secondary ASA.

    Once the secondary's AIP is completely upgraded and functional, then set all groups to be active on the secondary ASA.

    Then upgrade the primary AIP.

    Once the primary AIP is completely upgraded and working, you can then restore the failover status of the ASAs by setting the failover group active on the specific ASAs you want them to be active on...

    Kind regards
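The procedure in the answer above, written out as one command sequence, together with the .pkg upgrade method Scott recommends in the later "Updated AIP-SSM-10 on ASA 5510" thread. This is an added example and not the poster's own commands; the hostnames, the FTP server, the username, the package filename and the assumption of two failover groups (the usual active/active layout) are all illustrative.

```cisco
! Step 1, on the primary ASA: make every failover group active here, so the
! secondary carries no traffic and the ASA has no reason to fail over when
! the secondary's module goes down for its reboot.
primary# failover active group 1
primary# failover active group 2
primary# show failover | include Group

! Step 2: upgrade the module in the (now fully standby) secondary.
! The .pkg keeps the sensor configuration; a .img re-image wipes it.
secondary# session 1
sensor# configure terminal
sensor(config)# upgrade ftp://ipsadmin@10.0.0.5//upgrades/IPS-K9-6.2-3-E4.pkg
! The sensor warns that it will restart and asks for confirmation.
sensor(config)# exit
sensor# show version
sensor# exit
secondary# show module 1 | include Status
! Wait until the module reports Up before moving any traffic back.

! Step 3: move both groups to the secondary and repeat on the primary.
secondary# failover active group 1
secondary# failover active group 2
primary# session 1
sensor# configure terminal
sensor(config)# upgrade ftp://ipsadmin@10.0.0.5//upgrades/IPS-K9-6.2-3-E4.pkg
sensor(config)# exit
sensor# exit
primary# show module 1 | include Status

! Step 4: put each group back where it normally lives
! (here: group 1 on the primary, group 2 on the secondary).
primary# failover active group 1
secondary# failover active group 2
```

Each module reboots during its upgrade, so the inline traffic of that unit's groups would be dropped (fail-close) or passed uninspected (fail-open) if any group were still active on it; moving the groups first is what makes the upgrade hitless. Re-check `show failover` after step 4: if preemption is configured for the groups, they may already have moved back on their own.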

  • Help with AIP-SSM configuration

    I have two questions about the AIP-SSM.

    (1) Does the ACL in the AIP-SSM have any kind of relationship to the ASA ACLs?

    (2) Our four interfaces are all in use. Is it possible to assign the SSM an IP address in the same subnet as the management interface?

    (3) Should the management interface then serve as the gateway for the SSM?

    interface GigabitEthernet0/0
     nameif outside
     security-level 0
     ip address 65.x.x.1 255.255.255.0 standby 65.x.x.2
    !
    interface GigabitEthernet0/1
     nameif dmz
     security-level 50
     ip address 172.16.x.1 255.255.255.0 standby 172.16.x.2
    !
    interface GigabitEthernet0/2
     nameif inside
     security-level 100
     ip address 192.168.x.1 255.255.255.0 standby 192.168.x.2
    !
    interface GigabitEthernet0/3
     description LAN/STATE Failover Interface
    !
    interface Management0/0
     speed 100
     duplex full
     nameif management
     security-level 100
     ip address 10.0.x.1 255.255.255.0 standby 10.0.x.2
     management-only

    Here are the answers to your questions:

    (1) Does the ACL in the AIP-SSM have any kind of relationship to the ASA ACLs?

    Ans) The ACL on the SSM is completely independent of the ACLs on the ASA.

    (2) Our four interfaces are all in use. Is it possible to assign the SSM an IP address in the same subnet as the management interface?

    Ans) Absolutely. You can assign the SSM management port an IP address in the same subnet as your management interface. This way, all management traffic will stay separate from normal data traffic.

    (3) Should the management interface then serve as the gateway for the SSM?

    Ans) You're right... :-)

    Hope that helps.

    Kind regards

    Maryse.

  • AIP-SSM module hung

    Hello

    I recently configured my AIP-SSM-40 module in my firewall, which is configured in HA (Active/Standby). It was working fine. Then I upgraded the IPS image to version 2.0000 E3.

    It worked fine for a week. Then I found that the secondary firewall was in a failed state. The AIP-SSM in the secondary firewall had failed.

    I couldn't connect to the AIP-SSM with the command session 1. The show module command displays:

    Mod Card Type                                    Model              Serial No.
    --- -------------------------------------------- ------------------ -----------
      0 ASA 5520 Adaptive Security Appliance         ASA5520
      1 ASA 5500 Series Security Services Module-40  ASA-SSM-40

    Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
    --- --------------------------------- ------------ ------------ ---------------
      0 0021.a09a.d1bb to 0021.a09a.d1bf  2.0          1.0(11)5     8.0(4)
      1 0023.5e15.f6c8 to 0023.5e15.f6c8  1.0          1.0(14)5

    Mod SSM Application Name           Status           SSM Application Version
    --- ------------------------------ ---------------- --------------------------

    Mod Status             Data Plane Status     Compatibility
    --- ------------------ --------------------- -------------
      0 Up Sys             Not Applicable
      1 Unresponsive       Not Applicable

    and the show failover command shows

    slot 1: ASA-SSM-40 hw/sw rev (1.0/) status (Unresponsive/Up)

    I suspect the SSM module is having a problem. Is it possible to recover it?

    Try shutting down and resetting the module using this command from the ASA:

    hw-module module 1 reset
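The reset suggested above, followed by the recovery path when a reset is not enough. This is an added example, not the answerer's commands; the TFTP server address, the image filename and the sensor management addresses are assumptions, and the `recover` prompts are shown as the ASA asks them.

```cisco
! First the soft path: reset and watch the status come back.
ASA# show module 1 details
ASA# hw-module module 1 reset
! Allow several minutes for the sensor to boot, then:
ASA# show module 1 | include Status
!
! If the status never returns to Up, the module must be re-imaged from the
! ASA side. This restores the sensor to factory defaults: every signature
! tuning, event-action rule and user is lost, so the re-image is the one
! situation where the .img file (rather than a .pkg upgrade) is the right tool.
! Have an exported sensor config (copy current-config ...) from before
! the failure, or the standby unit's scrubbed copy, ready to merge back.
ASA# hw-module module 1 recover configure
  Image URL [tftp://0.0.0.0/]: tftp://10.0.0.20/IPS-SSM_40-K9-sys-1.1-a-6.2-3-E4.img
  Port IP Address [0.0.0.0]: 10.0.0.3
  VLAN ID [0]:
  Gateway IP Address [0.0.0.0]: 10.0.0.1
ASA# hw-module module 1 recover boot
! The module boots the recovery loader, fetches the image over TFTP and
! reinstalls; track it with:
ASA# show module 1 details
```

Two practical checks before `recover boot`: the TFTP server must be reachable from the module's own management port (the Port IP Address above), not merely from the ASA, and the image must match the module model (an SSM-40 image will not boot an SSM-10). Once the sensor is back, its failover peer is still running the old configuration, so the standby ASA will resume passing traffic through an untuned sensor until the exported config is merged in.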

  • AIP-SSM in a cluster

    Hello

    We have an ASA failover cluster, with 2 IPS, one AIP-SSM in each ASA. Is there a way to configure the IPS modules in cluster mode like the ASAs, or to have a configuration that is mirrored between them?

    Thank you very much.
    Best regards, Antonello.

    Antonello;

    Configuration mirroring between the AIP-SSMs is not currently available. You can emulate this process by copying the current configuration of the active AIP-SSM to an FTP server, changing the configuration to remove the host-specific details (IP address, etc.) and then copying this configuration onto the standby AIP-SSM.

    Another option would be to invest in Cisco Security Manager (CSM) and create a shared policy that is applied to both AIP-SSMs.

    Scott
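The export/scrub/import workaround Scott describes, and the same question asked at the top of the page, as a worked sensor CLI sequence. This is an added example, not Scott's own commands; the sensor hostnames, the FTP server, the username and the file paths are assumptions.

```cisco
! On the active unit's sensor: export the running configuration.
! IPS copy URLs use ftp://[user@]host/relative/path or //absolute/path.
sensor-a# copy current-config ftp://ipsadmin@10.0.0.5//ips/sensor-a.cfg

! Edit the exported file offline. The host-specific block to remove or
! rewrite for the standby is the network section under "service host":
!
!   service host
!   network-settings
!   host-ip 10.0.0.3/24,10.0.0.1
!   host-name sensor-a
!   ...
!
! Everything else (signature-definition, event-action-rules, the
! virtual-sensor assignments) is what you actually want replicated.

! On the standby unit's sensor: merge the scrubbed file into the running
! config. Without /erase the copy is a merge, so sensor-b keeps its own
! host-ip and host-name; with /erase it would be replaced wholesale.
sensor-b# copy ftp://ipsadmin@10.0.0.5//ips/sensor-a-scrubbed.cfg current-config

! Confirm the identity stayed put and the policy arrived.
sensor-b# show configuration | include host-
sensor-b# show configuration | begin service event-action-rules
```

Two caveats a practitioner should keep in mind. The export can carry sensitive settings such as SNMP community strings, and FTP moves it in cleartext; the sensor also accepts `scp://` URLs in `copy`, which is the better choice for anything that leaves the management subnet. And the merge is not idempotent in both directions: tuned signatures and custom rules that exist only on sensor-b are not removed by a merge from sensor-a, so after a few rounds the two configurations drift unless one unit is treated as the source of truth.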

  • Updating AIP-SSM-10 on ASA 5510

    Hello

    I want to upgrade the IPS module in an ASA 5510, and I have a few questions. The AIP-SSM is running 6.2(1)E3 and I have a valid CCO account etc. for this.

    1. Does the ASA software version matter?
    2. When I look in the software downloads for IPS, there are .pkg and .img files. I want to upgrade to 6.3(3)E4. Do I have to re-image the IPS?
    3. AFAIK re-imaging wipes the device, so I just reload the config afterwards, right?
    4. I guess I can apply any update after going to E4?
    5. Can you give me links for this upgrade?

    Cheers

    Let me give some clarification on a few points:

    2. There is no need to re-image the device using the .img file. You can upgrade, keeping your existing configuration, using the .pkg file. It is the recommended method for upgrading Cisco IPS devices/modules. The .img re-image file should only be used to restore the device to defaults.

    5. Here are links for upgrading the sensor using a .pkg file. For upgrades through the IDM user interface:

    http://www.Cisco.com/en/us/docs/security/IPS/6.2/configuration/guide/IDM/idm_sensor_management.html#wp2126670

    For upgrades via the CLI:

    http://www.Cisco.com/en/us/docs/security/IPS/6.2/configuration/guide/CLI/cli_system_images.html#wp1142504

    Another point of clarification; the current releases of IPS software supported on the AIP-SSM-10 are (given that you are currently running 6.2(1)E3):

    6.2(3)E4

    7.0(4)E4

    You can go directly to either release.

    Scott

  • AIP-SSM-10 signature update license?

    Hi everyone. We have an AIP-SSM-10 for our ASA5520; actually it is a bundle, ASA5520 + AIP-SSM-10 (part number ASA5520-AIP10-K9=).

    (1) I want to know whether, if we want to update our AIP-SSM signatures, we need to get Cisco Services for IPS to download signatures, or whether we get it with this part number too.

    (2) In case we must get Cisco Services for IPS separately, where can I find a part number for this service?

    (3) What license must be installed on the sensor for activation? If we get Cisco Services for IPS, do we receive a license activation for installation on the sensor too? If not, can we install signatures on a sensor that has not been activated yet? I guess we can get a few signatures somehow! (I know on JOINT-2 we cannot install any signatures until the license is installed on the sensor.) Thank you

    CON-SU1-AS2A10K9 would be the correct contract to put all the pieces of the bundle under the maintenance contract.

    CON-SU1-ASIP10K9 is what is used when the AIP-SSM-10 is purchased as a spare.

    I don't know whether this Cisco Services for IPS contract can be used to cover only the AIP-SSM-10 if it was purchased as part of a bundle instead of as a spare. You will need to ask your reseller or Cisco sales representative.

  • (ASA) AIP-SSM-10 inline; promiscuous events?

    An ASA 5520 with AIP-SSM-10 is set to inline mode, but show events for the last 2 hours (sensor> show events past 02:00) on the sensor shows "entered promiscuous mode", "left promiscuous mode".

    This AIP-SSM-10 has only gig0/0 and gig0/1, where 0/0 is taken out of service and the default virtual sensor (vs0) is assigned to gig0/1. I see statistics (sensor> show statistics analysis-engine) for gig0/1, so I am collecting statistics.

    If the ASA 5520 configuration has the following inline policy and the event log shows entering and leaving promiscuous mode, then how do I check whether I am inspecting in inline mode?

    (ASA> sh run access-list IPS)

    access-list IPS extended permit ip DMZ 255.255.255.0 26.26.1.0 255.255.255.0

    (ASA> sh run | b class-map)

    class-map IPS
     match access-list IPS
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect waas
      inspect icmp
     class IPS
      ips inline fail-open
    !
    service-policy global_policy global

    (sensor> sh interfaces)

    ...

    MAC statistics from interface GigabitEthernet0/1
       Interface function = Sensing interface
       Description =
       Media Type = backplane
       Default Vlan = 0
       Inline Mode = Unpaired
       Pair Status = N/A
       Hardware Bypass Capable = No
       Hardware Bypass Paired = N/A
       Link Status = Up
       Link Speed = Auto_1000
       Link Duplex = Auto_Full
       Missed Packet Percentage = 0
       Total Packets Received = 95044
       Total Bytes Received = 8715230
       Total Multicast Packets Received = 0
       Total Broadcast Packets Received = 0
       Total Jumbo Packets Received = 0
       Total Undersize Packets Received = 0
       Total Receive Errors = 0
       Total Receive FIFO Overruns = 0
       Total Packets Transmitted = 95044
       Total Bytes Transmitted = 9047702
       Total Multicast Packets Transmitted = 0
       Total Broadcast Packets Transmitted = 0
       Total Jumbo Packets Transmitted = 0
       Total Undersize Packets Transmitted = 0
       Total Transmit Errors = 0
       Total Transmit FIFO Overruns = 0

    sensor> sh events past 02:00

    evStatus: eventId=1203360411830836145 vendor=Cisco
      originator:
        hostId: ASA2_IPS
        appName: kernel
        appInstanceId:
      time: 2008-02-20 19:01:46 2008/02/20 19:01:46 UTC
      syslogMessage:
        description: device ge0_1 entered promiscuous mode

    evStatus: eventId=1203360411830836146 vendor=Cisco
      originator:
        hostId: ASA2_IPS
        appName: kernel
        appInstanceId:
      time: 2008-02-20 19:01:53 2008/02/20 19:01:53 UTC
      syslogMessage:
        description: device ge0_1 left promiscuous mode

    The "entered promiscuous mode" and "left promiscuous mode" status events are usually generated when you run a "packet display" or "packet capture" command on the sensor's CLI.

    The packet command's monitoring is promiscuous, but it is independent of the promiscuous or inline monitoring done by the sensor's analysis engine.

    So you can have inline monitoring by the sensor's analysis engine,

    and still run the packet command on the CLI for your own promiscuous monitoring of those same packets. These are 2 independent monitors of the same packets.

    If I remember right, inline-monitored packets always get returned to the ASA (unless expressly denied), which is not the case for promiscuous packets. So check the sensor's gig0/1 interface statistics and the number of packets transmitted. If the receive and transmit counts are quite close, then the packets are being monitored inline by the analysis engine. If the transmit count is zero or very low, then the packets are likely being monitored promiscuously.

    With your ASA configuration you are correctly configured for inline monitoring.

    So I don't think that you are monitoring inline, and the status messages are specific to your starting and stopping of the "packet" command on the CLI for your own independent promiscuous viewing of the packets.
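The check described in the answer above, as an added example rather than the answerer's own session: the commands to run on both sides, and what each one tells you. Hostnames and the interface name are taken from the posted output; nothing else is assumed.

```cisco
! ASA side. The IPS line under the class reports the mode the ASA is using
! and the packet counts it has handed to and received back from the module.
! For inline, "packet input" and "packet output" track each other; for
! promiscuous, output stays at zero because copies are never returned.
ASA# show service-policy
! ... IPS: card status Up, mode inline fail-open
! ...   packet input N, packet output N, drop D, reset-drop R

! Sensor side, the comparison the answer suggests: transmitted vs received
! on the backplane sensing interface.
sensor# show interfaces GigabitEthernet0/1 | include Packets
! Total Packets Received   ~= Total Packets Transmitted  -> inline
! Total Packets Transmitted ~= 0                         -> promiscuous copy

! The engine's own view of the interface and of the virtual sensor it feeds.
sensor# show statistics analysis-engine
sensor# show statistics virtual-sensor

! The kernel events in the question come from these, not from the policy:
! starting one puts ge0_1 into promiscuous mode, stopping it leaves it.
sensor# packet display GigabitEthernet0/1 count 5
sensor# show events past 00:05 | include promiscuous
```

Reading the two counters together is more reliable than either alone: a healthy inline deployment shows `packet output` on the ASA and `Total Packets Transmitted` on the sensor both climbing with input, and `drop` or `reset-drop` only when a signature's deny action fired. A sensor whose transmit count stays flat while the ASA reports `mode inline` points at a module that is not actually in the forwarding path, which with fail-open means traffic is flowing uninspected rather than being blocked.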

  • AIP-SSM-20 upgrade

    Trying to upgrade an AIP-SSM-20.

    We have 2 ASAs in a failover configuration; the upgrade on the secondary AIP-SSM-20 was a success.

    On the primary AIP-SSM-20, we get the following error when trying to upgrade via FTP from the same server that we updated the secondary SSM module from:

    execUpgradeSoftware: permission denied

    The current version is 1.0000 E1, trying to upgrade to 4.0000 E1.

    We tried when the module is active and when it's not... same error both ways. It doesn't seem to be an FTP user error since we get a different error when we deliberately mistype the user or password.

    Our SSM user has administrator privileges (default cisco user) and we tried restarting the SSM... no luck.

    Anyone have any idea on this?

    Thank you

    John Stemke

    I don't know whether the error is generated by the sensor itself or by the ftp server.

    To find out, try running a packet sniffer on the ftp server, or the "packet" command on the sensor's CLI for the command and control interface.

    Run the upgrade command and see whether an ftp connection is even attempted by the sensor.

    If no ftp connection is attempted, then the error would be from the sensor itself, and it would seem that the user doesn't have admin permissions (which doesn't seem to be your case from what you wrote).

    If the ftp connection is attempted, then the error is probably coming from the ftp server. Look at the packets you captured and see whether an error is coming from the ftp server. The problem may be a permissions issue on the file on the ftp server. The ftp directory or the file itself may not have read permission for the user.

    You can also try an ftp from your own desktop to the same ftp server using the same user and password used for the sensor, and see whether you can download it to your own desktop.

    As a workaround to get your sensor upgraded, and work on this permission problem later, copy the upgrade to your desktop.

    Run IDM and use IDM to push the upgrade from your desktop directly to the sensor.
