Introduction
This document describes how to troubleshoot the unresponsive state of the Advanced Inspection and Prevention Security Services Module (AIP-SSM) in the Cisco 5500 series Adaptive Security Appliance (ASA).Prerequisites
Requirements
There are no specific requirements for this document.Components Used
The information in this document is based on the AIP-SSM in the Cisco 5500 Series ASA.The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.Troubleshooting
Unresponsive State
Problem:The AIP-SSM goes into an unresponsive state, fails to respond to HTTP or ASDM access but is accessible from CLI, as shown:
Solution:show module Mod Card Type Model Serial No. --- -------------------------------------------- ------------------ ----------- 0 ASA 5510 Adaptive Security Appliance ASA5510 JMX0934K021 1 ASA 5500 Series Security Services Module-10 ASA-SSM-10 JAB093203S3 Mod MAC Address Range Hw Version Fw Version Sw Version --- --------------------------------- ------------ ------------ --------------- 0 0013.c480.a11d to 0013.c480.a121 1.0 1.0(10)0 7.0(2) 1 0013.c480.b204 to 0013.c480.b204 1.0 1.0(10)0 5.0(2)S152.0 Mod Status --- ------------------ 0 Up Sys 1 Unresponsive
Issue the hw-module module 1 reset command on your ASA. This command performs a hardware reset of the AIP-SSM. It is applicable when the card is in any of these states:
- up
- down
- unresponsive
- recover
Note: Refer to the Reloading, Shutting Down, Resetting, and Recovering AIP-SSM section of Configuring ASA-SSM for more information about the various commands available to troubleshoot the AIP-SSM.
This problem is due to Cisco bug ID CSCts58648 (registered customers only) .
Unable to Access the AIP SSM through ASDM
Problem:This error message is seen on the GUI.
Solution:Error connecting to sensor. Error Loading Sensor error
Check the IPS SSM management interface is up/down, and check its configured IP address, subnet mask and default gateway. This is the interface to access the Cisco Adaptive Security Device Manager (ASDM) Software from the local machine. Try to ping the management interface IP address of IPS SSM from the local machine that you want to access the ASDM. If unable to ping check the ACLs on the sensor.
Problem:
The cannot communicate with main app error message appears while you attempt to connect to the AIP SSM module.
Solution:
Reload the ASA or the AIP SSM module in order to resolve this error.
Unable to Upgrade/Update the IPS SSM
Problem:The Error: execUpgradeSoftware Connection failed error message is seen on the CLI.
Solution:
Check that the IPS SSM management interface is up/down and that it is the interface through which the ASA-IPS attempts to contact in order to download the software. This is not a backplane connection between the ASA and IPS-SSM; it is the Ethernet connection on the AIP-SSM module itself, which needs to be connected to a switch port and configured with a IP address, subnet mask and default gateway. If http still does not work, try to use the FTP or SCP option with the upgrade command.
Upgrade Error : execUpgradeSoftware
Problem:The Error: execUpgradeSoftware The update requires 60340 KB in /usr/cids/idsRoot/var/updates, there are only 57253 KB available. error message is seen during upgrade.
Solution 1:
In order to fix this issue, you need to log into the CLI of the sensor with a service account. If you do not have a service account, you can create one with these commands:
Once you log into the service account, issue these rm /usr/cids/idsRoot/var/*pmz commands and log out of the service account. Then check that the upgrade completes.configure terminal user (username) priv service password (pass) exit
Solution 2:
This error occurs because of the less space available on the IPS module since the recovery files occupy more space on Module. Complete these steps in order to remove recovery files and resolve this error:
bash-2.05b# cd /usr/cids/idsRoot/var/updates/ bash-2.05b# ls -l drwxr-xr-x 2 cids cids 1024 Jul 1 22:35 backups drwxr-xr-x 2 cids cids 1024 Oct 19 15:26 download drwxrwxr-x 2 cids cids 1024 Oct 19 15:26 logs -rw-r--r-- 1 root root 183 Sep 6 21:54 package -rw-r--r-- 1 cids cids 27587840 Jul 9 2009 recovery.gz drwxr-xr-x 2 cids cids 1024 Jul 1 22:35 scripts bash-2.05b# rm recovery.gz
Unable to connect to the IPS with the IPS event viewer (IEV)
Problem:This error message appears:
Solution:Cannot send xml document to sensor. java.security.cert.CertificateExpiredException: NotAfter:
This issue can be resolved if you regenerate the tls certificate with this command:
sensor(config)#tls generate-key
Unable to access AIP-SSM
Problem:When you try to access SSM, this error message is displayed.
Solution:Opening command session with slot 1. Card in slot 1 did not respond to session request
Issue the hw-module module 1 recover command in order to resolve this problem. Refer to Recovering AIP-SSM for more information on this command.
Error when the AIP-SSM module is plugged into the ASA
Problem:When you try to insert the AIP SSM module into the ASA, this error message is displayed.
Solution:module in slot 1 experienced a channel communication failure
Reload the ASA in order to resolve the issue. If issue still exists, contact TAC for further help.
AIP-SSM fails after signature update
Problem:AIP-SSM fails after the signature is updated. The signature update causes the AIP-SSM to run out of memory and become unresponsive when the number of signatures enabled is high.
Solution:
Reset the signature definition in order to resolve the issue. If too many signatures are enabled, then try to reset the signature definition. SSH to the sensor and use these commands:
configure terminal service signature-definition sig0 default signatures exit exit
Latency issues with IPS sensor
Problem:Latency issue occurs with the IPS sensor.
Solution:
The latency issue occurs when the deny action inline and deny packet are enabled for every signature in VS0. If you enable all the signatures, this results in latency as IPS inspects every single packet through which that passes. It is good to enable only the specific signature required as per the network traffic flow in order to resolve the latency issue.
Комментариев нет:
Отправить комментарий