AIP SSM w/ failover

Hi all

I am going to implement an AIP SSM module with active/standby failover. Has someone done this configuration? Will the active ASA replicate the IPS config to the standby ASA? I'm looking for documentation on the Cisco site, but I have not found any.

TKS

Unlike the ASAs... SSM modules do not replicate their configs to each other... they are treated as separate units, so you must set up both modules manually.

Refer... http://www.Cisco.com/en/us/docs/security/IPS/5.1/Configuration/Guide/CLI/cliSSM.html#wpxref34736

See if that helps!

Tags: Cisco Security

Similar Questions

  • AIP-SSM re-image on secondary ASA 5500 (failover) with virtual contexts

    Hello guys,

    The scenario is as follows:

    2 ASA 5500 with virtual contexts for failover.

    The primary ASA has its AIP-SSM-20 working.

    The secondary ASA (which is in active/standby) has its AIP-SSM-20 to get working now, and everything is in production.

    Someone tried to configure this 2nd AIP-SSM, changed the password and lost it, so I tried to re-image it (password recovery not being allowed), but the connection to the TFTP server, where the AIP-SSM image is, fails.

    Now the questions: the Cisco documentation shows the re-imaging commands under the ASA# prompt,

    but as this scenario has several virtual contexts, the ASA# prompt has no IP address, as you know (which I suppose is the reason why the ASA cannot download the image from the TFTP server), and if I switch to another context (ASA/admin#) the re-imaging commands (hw-module module 1... etc.) do not work.

    What is the solution? Is there documentation for it (with security contexts)?

    Thank you very much for reading ;) and commenting on possible solutions.

    Yes,

    Some things to keep in mind.

    (1) Run 'debug module-boot' on the ASA before running the command "hw-module module 1 recover boot". This will show you the ROMMON output of the SSM as it tries to load the new image, and you can look for any errors.

    (2) Before trying the download from the SSM, first do a TFTP download from your laptop using a separate machine. This will ensure the TFTP server on your laptop works and confirm what directory (if any) you need to use as the file location.

    (3) If the TFTP download does not work from the SSM, then the SSM is unable to connect properly to your laptop. You need a crossover cable to connect your laptop to the SSM. If you do not have a crossover cable, then you could try to connect the SSM and your laptop to a small hub, or configure a new VLAN on your switch with only 2 ports and connect the SSM and your laptop to this 2-port VLAN.

    (4) Also try the download first with the gateway set to 0.0.0.0, since your laptop and the SSM will be on the same subnet. If this does not work, then you can try a non-existent address such as 30.0.0.4 as the gateway.

    (5) Understand that the IP address you specify for the SSM using the command "hw-module module 1 recover configure" is only temporary, for the download. Once an image is installed, session into the module and run the "setup" command to configure the permanent address you want on the SSM's external port. This address in the "setup" command can be the same as the one used in the "hw-module module 1 recover configure" command or a completely new one (as in your case). Just make sure that the network you connect to matches whatever address you give.

  • Do I need two AIP-SSM modules in a failover configuration?

    Is it possible to use a single AIP-SSM module in two ASAs configured in active/standby?

    I would like to configure the module in the first ASA with the failover setup. Then, if the first ASA fails, I could physically remove the AIP-SSM module and place it in the second ASA.

    Would there be problems configuring it this way?

    Would the active/standby ASAs complain that there is only one AIP-SSM module?

    Thanks in advance.

    Hello

    You must have an AIP-SSM in both ASAs to be able to run failover; without it, failover will not come up (because of hardware incompatibility).

    Kind regards

    Julio

  • Cisco ASA 5510 + license + AIP-SSM

    Hello.

    I have this box.

    I have a few questions about it.

    (1) Will I be able to update the firmware (from 8.2 to 8.3 or greater, for example) without SMARTnet for the ASA 5510? And what can I not do without SMARTnet?

    (2) I have only the AIP-SSM-10 module in this ASA 5510. Is there a SMARTnet for it, too? And when I buy only the module, does it come with a built-in 1-year subscription for the IPS signatures?

    (3) If I have the Cisco ASA 5510 Base license, will my IPS on the AIP-SSM-10 work?

    (4) I foresee purchasing within the year one more 5510 with the same module and setting up failover. Do I really need the Security Plus license for failover (active/standby)? For active/active, I know I need one, yes?

    Please help me.

    (1) You must have SMARTnet in order to download the software from the cisco.com download site.

    (2) Yes, there is also a SMARTnet for the AIP module. The AIP module does not come with a one-year subscription, but you can ask for a demo license.

    (3) Yes, the Base license is OK for the AIP module.

    (4) Yes, you would need the Security Plus license on both ASAs to be able to run any type of failover on the ASA 5510.

    Hope that answers your questions.

  • Help configuring AIP-SSM

    I have two questions about the AIP-SSM.

    (1) Does the ACL in the AIP-SSM have any relation to the ASA ACL?

    (2) Our four interfaces are all used. Is it possible to assign the SSM an IP address in the same subnet as the management interface?

    (3) Should the management interface then serve as the gateway for the SSM?

    interface GigabitEthernet0/0
     nameif outside
     security-level 0
     ip address 65.x.x.1 255.255.255.0 standby 65.x.x.2
    !
    interface GigabitEthernet0/1
     nameif dmz
     security-level 50
     ip address 172.16.x.1 255.255.255.0 standby 172.16.x.2
    !
    interface GigabitEthernet0/2
     nameif inside
     security-level 100
     ip address 192.168.x.1 255.255.255.0 standby 192.168.x.2
    !
    interface GigabitEthernet0/3
     description LAN/STATE Failover Interface
    !
    interface Management0/0
     speed 100
     duplex full
     nameif management
     security-level 100
     ip address 10.0.x.1 255.255.255.0 standby 10.0.x.2
     management-only

    Here are the answers to your questions:

    (1) Does the ACL in the AIP-SSM have any relation to the ASA ACL?

    Ans) The ACL on the SSM is completely independent of the ACLs on the ASA.

    (2) Our four interfaces are all used. Is it possible to assign the SSM an IP address in the same subnet as the management interface?

    Ans) Absolutely. You can assign the SSM management port an IP address in the same subnet as your management interface. In this way, all management traffic will remain separate from normal DATA traffic.

    (3) Should the management interface then serve as the gateway for the SSM?

    Ans) You're right... :-)

    Hope that helps.

    Kind regards

    Maryse.
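An added example (not from the original post) of the sensor-side counterpart of Maryse's answer: the SSM management port is given an address in the ASA management subnet with that interface as its gateway, and reachability is limited to that subnet. Addresses and the host name are assumed (10.0.1.0/24 stands in for the 10.0.x.0/24 of the posted config); lines starting with ! are annotations, not sensor commands.

```text
! Added example, constructed: assumes the ASA management interface is 10.0.1.1/24
sensor# configure terminal
sensor(config)# service host
sensor(config-hos)# network-settings
! SSM management port address, same subnet as the ASA management interface,
! with the ASA management address (10.0.1.1) as the default gateway
sensor(config-hos-net)# host-ip 10.0.1.5/24,10.0.1.1
sensor(config-hos-net)# host-name ssm-primary
! only hosts on the management subnet may open SSH/IDM sessions to the sensor
sensor(config-hos-net)# access-list 10.0.1.0/24
! keep management on SSH; Telnet stays off
sensor(config-hos-net)# telnet-option disabled
sensor(config-hos-net)# exit
sensor(config-hos)# exit
Apply Changes?[yes]: yes
```

Because SSM configurations are not replicated between failover peers, the module in the second ASA needs the same steps with its own host-ip in that subnet.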

  • AIP-SSM-20 upgrade

    Trying to upgrade an AIP-SSM-20.

    We have 2 ASAs in a failover configuration; the upgrade on the secondary AIP-SSM-20 was a success.

    On the primary AIP-SSM-20, we get the following error when trying to upgrade via FTP from the same server from which we upgraded the secondary SSM module:

    execUpgradeSoftware: permission denied

    The current version is 1,0000 E1, trying the 4,0000 E1 upgrade.

    We tried when the module is active and when it's not... same error both ways. It doesn't seem to be an FTP user error, since we get a different error when we deliberately mistype the user or password.

    Our SSM user has administrator privileges (cisco default user) and we tried restarting the SSM... no luck.

    Anyone has any idea on this?

    Thank you

    John Stemke

    I don't know if the error is generated by the sensor itself or by the ftp server.

    To find out, try running a packet sniffer on the ftp server, or the 'packet' command on the sensor CLI for the command and control interface.

    Run the upgrade command and see if an ftp connection is even attempted by the sensor.

    If no ftp connection is attempted, then the error comes from the sensor itself, and it would seem that the user doesn't have admin permissions (which doesn't seem to be your case from what you wrote).

    If the ftp connection is attempted, then the error is probably coming from the ftp server. Look at the packets you captured and see if an error is coming from the ftp server. The problem may be a permissions issue on the file on the ftp server. The ftp directory or the file itself may not have read permission.

    You can also try an ftp from your own desktop to the same ftp server, using the same user and password used by the sensor, and see if you can download it to your own desktop.

    As a workaround to get your sensor upgraded, and work on this permission problem later, copy the upgrade to your desktop.

    Run IDM and use IDM to push the upgrade from your desktop directly to the sensor.

  • AIP-SSM-10 upgrade question

    I have an AIP-SSM-10 (IPS-K9-6.0-5-E2) running inside an ASA (active/standby failover mode). I tried to apply a signature update today (version S447, first time) and it said I need engine level 3 for the signature update, and I am currently at level 2.

    Here's my question: what versions can I go to? Am I stuck with the engine level 2 versions when using the AIP-SSM, or can I go up to the next major release, 2.0000 E3? And is it really a good idea or not? What would you suggest?

    Also, I guess I would need to install the release .pkg file. Is this right?

    Thanks in advance!

    You can go to 5,0000 E3, 6,0000 E3 or one of the 7.0(x) E3 images. You want the .pkg file.

    On the sensor CLI:

    conf t

    upgrade ftp://user:password@/ upgradefilename.pkg

    When the sensor complains about the upgrade, just say 'yes' to go ahead anyway. This is a known bug; don't believe the CLI.

  • AIP-SSM module hung

    Hello

    I recently configured my AIP-SSM-40 module in my firewall, which is configured in HA (Active/Standby). It was working fine. Then I upgraded the IPS image version to 2.0000 E3.

    It worked fine for a week. Then I found that the secondary firewall was in a 'secondary failed' state. My AIP-SSM in the secondary firewall has failed.

    I couldn't connect to the AIP-SSM with the command 'session 1'. The 'show module' command displays:

    Mod Card Type                                    Model              Serial No.
    --- -------------------------------------------- ------------------ -----------
      0 ASA 5520 Adaptive Security Appliance         ASA5520
      1 ASA 5500 Series Security Services Module-40  ASA-SSM-40

    Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
    --- --------------------------------- ------------ ------------ ---------------
      0 0021.a09a.d1bb to 0021.a09a.d1bf  2.0          1.0(11)5     8.0(4)
      1 0023.5e15.f6c8 to 0023.5e15.f6c8  1.0          1.0(14)5

    Mod SSM Application Name           Status           SSM Application Version
    --- ------------------------------ ---------------- --------------------------

    Mod Status             Data Plane Status     Compatibility
    --- ------------------ --------------------- -------------
      0 Up Sys             Not Applicable
      1 Unresponsive       Not Applicable

    And the 'show failover' command shows:

    slot 1: ASA-SSM-40 hw/sw rev (1.0/) status (Unresponsive/Up)

    I suspect the SSM module is having the problem. Is it possible to recover it?

    Try to shut down and reset the module using this command from the ASA:

    hw-module module 1 reset

  • Can I downgrade AIP-SSM-10 from 2.0000 E4 to 2.0000 E3?

    Hello

    I have an AIP-SSM-10 (IPS-K9-6.1-2-E3) running inside an ASA (active/standby failover mode).

    My license status was 'not expired until 12,2010'.

    When I moved to 2.0000 E4 (because it said I needed engine E4 for the signature update), my license changed to expired.

    Here's my question: what versions can I go to?

    Did I make a mistake? Can I go back down to 2.0000 E3, and how?

    Thank you

    Try first removing the license from the service account, and then update the license via cisco.com:

    (1) Create a user with the service privilege: username <name> privilege service password <password>

    (2) Then SSH to the sensor IP address with the service account username and password created earlier.

    Then follow the steps below:

    - 'su' to root (the root password is the same as the service account password)
    - Remove all the files in the /usr/cids/idsRoot/shared/ directory, *EXCEPT the host.conf file*.
    - Run "/etc/init.d/cids restart" to restart the IPS apps (or reset the sensor)

    (3) From IDM, apply the real license by choosing to update the license via cisco.com.

    Hope that solves this problem.

  • AIP-SSM in cluster

    Hello

    We have an ASA failover cluster, with 2 IPS, one AIP-SSM in each ASA. Is there a way to configure the IPS modules in cluster mode like the ASAs, or to have a configuration that is mirrored between them?

    Thank you very much.
    Best regards, Antonello.

    Antonello;

    Configuration mirroring between the AIP-SSMs is not currently available. You can emulate this process by copying the current configuration of the active AIP-SSM to an FTP server, editing the configuration to remove the host-specific details (IP address, etc.) and then copying this configuration onto the standby AIP-SSM.

    Another option would be to invest in Cisco Security Manager (CSM) and create a shared policy that is applied to both AIP-SSMs.

    Scott

  • Transparent mode with AIP-SSM-20

    I currently have an ASA5510 in routed mode with an AIP-SSM-20.

    We need to use a fiber optic connection between this ASA and the ASA on the campus, so the AIP-SSM will need to be removed and replaced by the SSM-4GE. This part should present no problems.

    However, this will remove the IPS device, and I still want to use IPS.

    So what I'm thinking is to get another ASA5510, install the AIP-SSM, configure the ASA for transparent mode and put it between the inside of the routed ASA and my local network. The transparent ASA would work strictly as an IPS appliance.

    The setup should look like this:

    Internal LAN <> transparent ASA with IPS <> routed ASA <> WAN

    Can the AIP-SSM still perform IPS with the ASA in transparent mode?

    Is it possible to configure the ASA and AIP-SSM such that traffic to and from a particular server completely bypasses the AIP-SSM?

    I have a couple of file servers which generate heavy traffic and could overload the AIP-SSM.

    Kind regards.

    AFAIR, there is no problem installing an AIP in a transparent firewall.

    "The ASA in transparent mode can run an AIP. In the event that the AIP fails, the IPS will fail-open and the ASA will continue to pass traffic. However, if an interface or cable fails, then traffic will stop. You would need a failover pair to account for this failure event, which means another ASA and matching AIP."

    And no, there is no problem excluding certain hosts/ports/subnets from IPS inspection via MPF.

    http://www.Cisco.com/en/us/docs/security/ASA/asa82/configuration/guide/IPS.html#wp1050744

    What I would consider, however, is whether an ASA 5510 as a second-level firewall for 5520s will be enough.

    http://www.Cisco.com/en/us/products/ps6120/prod_models_comparison.html

    HTH,

    Marcin
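An added configuration example (not from the original post) of the MPF exclusion Marcin describes: the deny entries keep one heavy file server's traffic out of the class that is diverted to the AIP-SSM, everything else goes inline, and fail-open matches the quoted behaviour when the module dies. The server address and object names are assumed.

```text
! Added example, constructed: 192.168.1.10 stands in for the file server to exempt
! Traffic to/from the file server is denied in the ACL, so it never matches the
! IPS class and is forwarded by the ASA without being sent to the module.
access-list IPS_TRAFFIC extended deny ip host 192.168.1.10 any
access-list IPS_TRAFFIC extended deny ip any host 192.168.1.10
access-list IPS_TRAFFIC extended permit ip any any
!
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
!
! inline: the SSM sits in the data path and can drop packets;
! fail-open: if the module is down, matching traffic is still passed
policy-map global_policy
 class IPS_CLASS
  ips inline fail-open
!
service-policy global_policy global
```

Use fail-close instead where a dead module should block traffic rather than let it through uninspected.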

  • AIP-SSM upgrade for ASA active/active

    Hello world!

    I need help upgrading the AIP-SSM modules to E4 on two ASAs that are in active/active state. Will I be able to do this without downtime? What are the considerations?

    AIPs are independent of ASA failover; however, the ASA can take the AIP status into account in failover, which means it can fail over

    if it detects an AIP module going down on the active device.

    The best method for upgrading in this situation would be to set the failover status to active for all groups on the primary ASA, then upgrade the AIP on the secondary ASA.

    Once the secondary's AIP is completely upgraded and functional, then set all groups to be active on the secondary ASA.

    Then upgrade the primary AIP.

    Once the primary AIP is completely upgraded and working, you can then restore the failover status of the ASAs by setting failover active for each group on the specific ASA you want it to be active on...

    Kind regards

  • Updated AIP-SSM-10 on ASA 5510

    Hello

    I want to upgrade the IPS module in an ASA 5510, and I have a few questions. The AIP-SSM is running 1.0000 E3 with S479.0 and I have a valid CCO account etc. for this.

    1. Is the software version on the ASA an issue?
    2. When I look in the software downloads for IPS there are .pkg and .img files. I want to upgrade to 6.3(3)E4. Do I have to re-image the IPS?
    3. AFAIK re-imaging wipes the device, so I just reload the config afterwards, right?
    4. I guess I can apply any update after going to E4?
    5. Can you give me links for this upgrade?

    Cheers

    Let me give some clarification on a few points:

    2. There is no need to re-image the device using the .img file. You can upgrade, keeping your existing configuration, using the .pkg file. That is the recommended method for upgrading Cisco IPS devices/modules. The .img file for re-imaging should only be used to restore the device to defaults.

    5. Here are links for upgrading the sensor using a .pkg file. For upgrades through the IDM user interface:

    http://www.Cisco.com/en/us/docs/security/IPS/6.2/configuration/guide/IDM/idm_sensor_management.html#wp2126670

    For upgrades via the CLI:

    http://www.Cisco.com/en/us/docs/security/IPS/6.2/configuration/guide/CLI/cli_system_images.html#wp1142504

    Another point of clarification: current releases of IPS software supported on the AIP-SSM-10 are (given that you are currently running 6.2(1)E3):

    6.2(3)E4

    7.0(4)E4

    You can go directly to either release.

    Scott

  • AIP-SSM-40 upgrade question

    Hello

    I am trying to upgrade the AIP-SSM software from 'IPS-K9-6.0-6-E4' to 'IPS-engine-E4-req-7.0-2'. But it is not allowed.

    "Cannot upgrade the software on the sensor.

    The current signature level is S698. The current signature level must be less than S480 for this upgrade package."

    So I tried to update with a signature file lower than S480, "IPS-sig-S460-req-E3".

    "Cannot upgrade the sensor software.
    This update can only be installed on a sensor with engine version 3.

    The currently installed engine version is 4."

    There is no signature file in the Cisco downloads lower than S480 for engine version 4.

    Show version:

    AIP-SSM# sho version

    Application Partition:

    Cisco Intrusion Prevention System, Version 6,0000 E4

    Host:
        Realm Keys          key1.0
    Signature Definition:
        Signature Update    S698.0    2013-02-19
    OS Version:             2.4.30-IDS-smp-bigphys
    Platform:               ASA-SSM-40
    Serial Number:
    License expires:        November 3, 2013 UTC
    Sensor up-time is 3 days.
    Using 1045143552 out of 4203216896 bytes of available memory (24% usage)
    application-data is using 41.4M out of 167.8M bytes of available disk space (26% usage)
    boot is using 37.8M out of 70.5M bytes of available disk space (57% usage)

    MainApp          N-NUBRA_2009_JUL_15_01_10_6_0_5_57    (Ipsbuild)   2009-07-15T01:15:08-0500   Running
    AnalysisEngine   NO-NUBRA_E4_2010_MAR_24_22_44_6_0_6   (Ipsbuild)   2010-03-24T22:47:53-0500   Running
    CLI              N-NUBRA_2009_JUL_15_01_10_6_0_5_57    (Ipsbuild)   2009-07-15T01:15:08-0500

    Upgrade History:

    * IPS-K9-6.0-6-E4           21:14:06 UTC Wednesday, March 24, 2010
      IPS-sig-S698-req-E4.pkg   15:44:43 UTC Sunday, February 24, 2013

    Recovery Partition Version 1.1 - 6,0000 E4

    Any help will be much appreciated... Thanks in advance.

    Liénard

    If you are trying the software version upgrade, try using IPS-K9-7.0-2-E4.pkg instead of the engine update package.

  • Getting started: ASA5520 w/ AIP-SSM

    I'm trying to deploy an ASA5520 for a customer. I have no problem with the firewall implementation piece, but I don't know where to start with the IPS piece.

    I searched a bit on the ASA55XX & AIP-SSM, but can't seem to find much on what to do with the AIP-SSM beyond the initial setup.

    Can someone point me to some beginner IPS documentation that focuses on the AIP-SSM?

    Thank you

    Jeff

    In my view, there is a lack of documentation on how to get the IPS module to work with the ASA. It would be nice if there was a single document on how to get the IPS module working with the ASA.

    Start with the IPS documentation. It's just about how to configure the IPS module itself: assign a management IP address, set the admin password, etc.

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids12/index.htm

    Then go to the ASA documentation on how to configure the ASA to send traffic to the IPS (via a service-policy):

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids11/cliguide/clissm.htm#wp1033926

    There is a free Cisco IPS Event Viewer for monitoring events on the IPS. It can be downloaded from the Cisco IPS software download page.

    Finally, read the SAFE whitepaper on IPS deployment and tuning.

    http://www.Cisco.com/en/us/NetSol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a00801bc111.shtml

    I hope this helps. Remember to rate useful posts. Thank you!
