IPS (7.0 (7) E4) on ASA-SSM-10 block DNS without alerts

Similar Questions

• ASA-SSM-20/40 IPS Software upgrade quesiton

  I'm looking to upgrade the IPS modules (ASA-SSM-20 and ASA-SSM-40) on two different ASA to ver 7.1 (11) E4 under this field notice:

  http://www.Cisco.com/c/en/us/support/docs/field-notices/640/fn64080.html

  My question is around if traffic through the firewall is affected during this update and subsequent restart of the IPS module.

  On the ASAs, a service policy is in place that will allow the traffic in the case where the IPS module becomes unavailable.  It comes, it will actually happen during the update?

  Suggestions and comments are welcome.

  Thanks in advance.

  John

  If your IPS is inline and as a whole do not open then the traffic through the ASA (in assuming an ASA standalone and do not form part of a pair of HA) will not be affected when the service IPS module reload.

  If an SAA is in a pair of HA and a service (ips, cxsc, or sfr) module fails, it will be by default triggers a failover event. (ASA 9.5 introduces the possibility to change this behavior.) The result is the same - no service interruption (Although TCP connections may need to restore if you have not configured stateful failover).

• Recording capacity for ASA firewall using ASA-SSM-20 IPS module.

  Hello

  Please could someone give some tips on how to get the ASA-SSM-20 to record information about something like Kiwi Syslog services etc. We just need to get the IPS alerts to generate the SMS/email feature to alert the various intervention teams.

  Thank you

  unfortantely, no syslog support

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00807335ca.shtml

  You can configure rules to send snmp traps, and you can pull events using CETS, IPS Manager Express and Cisco.

  If you have logging enabled on the ASA a syslog msg appears when the IPS is asking or blocking traffic.

  Here is a link to IPS configuration guides

  http://www.Cisco.com/en/us/products/HW/vpndevc/PS4077/tsd_products_support_configure.html

• 20 IPS ASA - SSM password reset

  Hi all

  Must reset/recover the password to get rid, for some reason, we lost the password for the IPS 20 ASA - SSM module

  Please let us know the procedure that the reset of password hw-module command does not work.

  Use the reset passwrod hw-module command, you must have ASA 7.2.2 or later version.

• Update license of IPS ASA - SSM

  Hello

  We have an ASA-SSM-20 IPS, the license has expired and we purchased a Smartnet contract for the device.

  I would like to know how to upgrade the license.

  We tried to do the ASDM, and chose the option updates to cisco.com.we got the following error.

  internal error. Unable to send the license request. -4: unable to proxy transparent tunnel. Proxy returns "HTTP/1.1 403 Forbidden.

  How to solve this problem or how to do when you use the other option, how to get the license file.

  Best regards

  It seems that your AIP-SSM20 is configured to use an http proxy to connect to the Internet. If you allow the IP address of the AIP-SSM20 management in your web proxy, it may solve your problem.

  If this isn't the issue, you can always apply a license manually. Download your license file here:

  https://Tools.Cisco.com/swift/LicensingUI/home

  and apply via the ASDM or the CLI

  -Bob

• ASA-SSM-10 improvement no license or signatures

  I successfully upgraded our ASA-5510 with the latest version of the software.

  Our IPS module however ASA-SSM-10 seems to be the settings to factory default with only an IP address that is configured without any permission or certificates. The ASA-SSM-10 module can be improved with the lack of licenses or certificates? In addition, by using PuTTY I am able to connect to the ASA-SSM-10 module and ping the module and my laptop that I have connected via the management port. I am unable to ping from the laptop to the module of ASA-SSM-10 well.

  Continuing the investigation in addition to the configuration of the management port IP address there is no VLAN, GW, image url or ip address of the configured port. Is there a simple way to upgrade the software on the ASA-SSM-10 without affecting our two ASA - 5510 that are configured for failover?

  I suppose I can do up to a VLAN, GW and port address to get my cell phone to ping to the ASA-SSM-10 module to upgrade without affecting our ASA-5510 that are configured for failover. ***

  You can attach more licenses for the legacy IPS until April 26. But the question is whether it is worth spending time and money in the present. The IPS legacy is dead and you should focus on firepower for IPS. But who does not work on your hardware.

• recharge an ASA - SSM the firewall itself effect?

  We lost the connection information for the IPS - SSM on our ASA 5520. It seems we should re image module with a version more recent software. It is currently not in use i.e. no rules for it on the firewall. This process will take the firewall offline at all?

  Sh command output:

  See the module of Firewall03 # 1

  Model serial number of map mod

  --- -------------------------------------------- ------------------ -----------

  1 ASA 5500 Series Security Services Module-20 ASA-SSM-20 xxxxxxx

  MAC mod Fw Sw Version Version Version Hw address range

  --- --------------------------------- ------------ ------------ ---------------

  1 001b.0ce2.xxxx to 001b.0ce2.xxxx 1.0 1.0 (11) 2 5,0000 E1

  The Application name of the SSM status Version of the Application of SSM mod

  --- ------------------------------ ---------------- --------------------------

  1 FPS up to 5.1 (5) E1

  Data on the State of mod aircraft compatibility status

  --- ------------------ --------------------- -------------

  1 up Up

  Firewall03 # display module 1 recover

  Module 1 retrieve parameters...

  Start the recovery Image: No.

  Image URL:ftp://0.0.0.0/ t

  Port IP address: 0.0.0.0

  IP gateway address: 0.0.0.0

  VLAN ID: 0

  No, it should not affect the operation of the firewall at all. He would suffer only if you use it inline with firm failure mode is activated.

• ASA-SSM-20 on the active failover configuration

  You can synchronize configuration between two IPS systems data?

  I have two ASA-SSM-20 (6.1.1 E3) one in each of my the SAA. Of the SAA is the shift in assets. During the configuration of the IPS module I always make these same changes also in the standby unit. Is it possible to synchronize to the top of these two survey periods, so when it is configured the other is updated?

  Thank you very much

  Unlike the SAA, there not an automatic function to preserve the configuration synchronization through SSMs 2.

  A few options:

  You can use the command copy to copy the configuration of a sensor to a ftp/scp server.

  Then use the copy on the second sensor command to copy the configuration on the second sensor. During the copy, it will ask whether to change the IP of the probe to what is in the configuration file. You will need to tell it to NOT change IP of the probe, otherwise you end up with 2 SSMs with the same IP address and are struggling to connect to them.

  Another option is to use the CSM. CSM has configuration that applies to simple sensors, but also the group configuration that can be applied across multiple sensors.

  If you have used the group configuration, then you could make one change to the configuration of the Group and apply it in all the sensors in the Group (you will place your SSMs 2 in the same group).

• ASA-SSM-10 inspection load 100% (version 7.0 (5 a) E4)

  Hi all

  I have a challenge with the IPS module in ASA5520, ASA-SSM-10. When we start a try to connect to Web servers, I get a load of 100% inspection and will slow down the traffic/performance.

  We test with 63000 sessions per minute making a load of: the test-servers (clients) on the web servers of 20,000 Kbps and traffic from servers web-back to the test-servers (clients) 75.000 kbits/sec.

  Can you please advise what to do because we cannot live with this environment only when this is fixed.

  Thanks in advance,

  Erik Verkerk.

  We have not used charge of inspection in order to determine the appropriate sensor performance, instead, we have relied on "percentage of failed package" reported by the sensor. When the sensor gets into trouble, that they will begin to run out of packets for inspection, this causes the sensor wrong determination of the TCP State for some of the connections. This causes the sensor to use more resources than necessary to inspect traffic, leading to lack more packages.

  It is its called the "death spiral" and we try to avoid it as much as possible.

  Cisco has a long and proud history of providing performance numbers 'blue sky' for their products. We used to refresh their numbers of performance of the IPS sensor by half, but they made improvements over the years and now we take only about 1/3 wide of reported values. You can see for yourself with real, live production traffic.

  I'm havn; t found the number of signatures in a meaningful way sensor effect performance unless you touch abnormally difficult or lit a large number or tuned to perform many actions per second.

  -Bob

• Cisco ASA-SSM-20 analysis engine error...

  I get this error on my IPS, I restarted the couple times sensor but it stops again and signature updates do not move during this time, or it looks like.  I've heard great Cisco ID: CsCuc34812 but there isn't really any information available on this subject.  Any another race ASA-SSM-20 has experienced this problem and managed to resolve it?

  

  

  Hello

  All sensors should have a virtual sensor attributed to them, so they can inspect the traffic.

  I have connected the IPS2 and ran the following commands to assign the virtual sensor

  service-analysis engine

  vs0 virtual sensor

  physical interface gi0/1

  That's right!

  I guess that's how it should be?  How 2 IPS has managed to send me notifications if there is no virtual sensors assigned to him?

  We need to determine the type of notifications witch was the sending IPS (could be linked to the IPS himself, system notifications)

  Is there a CLI to confirm the IPS is active?  I have to assume that my upgrade caused these problems?

  The SAA

  Do sh-service policy and determine the number of packets is exchanged between IP addresses and ASA

  Kind regards

• Equivalent to show disk0: ASA-SSM-10

  Hi, are you able to see the contents of the disc on an ASA-SSM-10 module? As the show disk0: command on my 5510? I know that it is an internal flash drive... Is that where the image files and configuration and software? Can we see these files and copy them to TFTP server?

  See you soon

  Phil

  Hi Philippe,.

  You can view this content through the service of IPS account. The downside is that you can access only with the supervision of TAC. If you want to see the configuration you can do a show config; If you want to see what version you are using you can do this through the show version command.

  HTH

  Luis Silva

  "If you need IDP (planning, design, implementation) assistance do not hesitate to contact us.

  http://www.Cisco.com/Web/partners/tools/pdihd.html

• Step how to configure ASA 5500 Series Security Services Module-10 (model: ASA-SSM-10)

  Dear support,

  I need to configure Security Services Module-10 (model: ASA-SSM-10) on my ASA 5510 firewall. Could you provide configuration step and how to connect to the module?

  Here is the information on the module

  ciscoasa (config) # sh Details of module 1
  The details of the Service module, please wait...
  ASA 5500 Series Security Services Module-10
  Model: ASA-SSM-10
  Hardware version: 1.0
  Serial number: JAF1115066U
  Firmware version: 1.0 (11) 2
  Software version: 1.0000 E1
  MAC address range: 001a.e268.5aa9 to 001a.e268.5aa9
  App name: IPS
  App status. : to the top
  App status. / / Desc:
  App version: 1.0000 E1
  Data of aircraft status: Up
  Status: to the top
  Mgmt IP addr: 133.1.9.144
  Web to MGMT ports: 443
  Mgmt TLS enabled: true

  your help is very appreciate.

  Thank you

  Best regards

  Hi Sothengse,

  Please find the samlpe on AIP SSM module configurations. You can go through this to begin with.

  http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

  https://www.YouTube.com/watch?v=FgYU5ZXwk4g

  Concerning

  Knockaert

• Upgrade path 5500 series ASA-SSM-10

  Can anyone provide the proper for the 5500 series ASA-SSM-10 upgrade path of

  6.0 (5) E2

  TO

  7.1 (10) E4

  The release notes state that you must run just least 6,0000 e4 could so I just spend 6,0000 E4 5,0000 E2 then directly to 7.1 (10) E4?

  Also, the SSM-10 is able to effectively run the 7.1 (10) E4?

  Hello

  Yes, you can directly upgrade 6.0.5E2 to 6.0.6 E4 and then directly to version 7.1. (10) E4. After the upgrade for the latter, you might even go to latest available patch as well.

  -Yes, SSM1 - is able to effectively execute the 7.1.0E4.

  Kind regards

  Akshay Rouanet

• the upgrade of IPS chains, ASA-SSM - 10 module

  I'll have a difficult time, the upgrade of the module ASA IPS SSM-10. I down loaded the IPS-GIS-s327-req - e1.pkg to the FTP Win XP (my workstation). The following does not work: http://download-sj.cisco.com/cisco/ciscosecure/ips/6.x/sigup/IPS-sig-S327.readme.txt

  "error: execUpgradeSoftware: connection failed. Any suggestion would be appreciated.

  Also, have you been able to update your signature?

• Cisco IPS ASA SSM - 10

  I use an IPS SSM - 10 ASA. Currently he is recording these event alerts.

  Whence the IPS keeps all the event logs? In disk space?

  Where can I see how much space I left?

  Is he got off, if the space is full?

  You don't need to delete it, its CIRCULAR and will replace itself. More information can be found here:

  http://www.Cisco.com/en/us/docs/security/IPS/6.0/Configuration/Guide/CLI/cliArch.html#wp1010399

  The command is "clear events.

  You cannot remove "individual" events Its all or nothing.

  Yes, the best way is to set the IP addresses for the false positives either edit/disable unwanted signature or use event action filters.

  Concerning

  Farrukh