Monday, June 4, 2012

ASA: Troubleshoot AIP-SSM

Introduction

This document describes how to troubleshoot the unresponsive state of the Advanced Inspection and Prevention Security Services Module (AIP-SSM) in the Cisco 5500 series Adaptive Security Appliance (ASA).

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on the AIP-SSM in the Cisco 5500 Series ASA.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Troubleshooting

Unresponsive State

Problem:
The AIP-SSM goes into an unresponsive state: it fails to respond to HTTP or ASDM access but is still accessible from the CLI, as shown:
show module

Mod Card Type                                    Model              Serial No. 
--- -------------------------------------------- ------------------ -----------
  0 ASA 5510 Adaptive Security Appliance         ASA5510            JMX0934K021
  1 ASA 5500 Series Security Services Module-10  ASA-SSM-10         JAB093203S3

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version     
--- --------------------------------- ------------ ------------ ---------------
  0 0013.c480.a11d to 0013.c480.a121  1.0          1.0(10)0     7.0(2)
  1 0013.c480.b204 to 0013.c480.b204  1.0          1.0(10)0     5.0(2)S152.0

Mod Status            
--- ------------------
  0 Up Sys            
  1 Unresponsive
Solution:
Issue the hw-module module 1 reset command on your ASA. This command performs a hardware reset of the AIP-SSM. It is applicable when the card is in any of these states:
  • up
  • down
  • unresponsive
  • recover
If you reboot the ASA in an unresponsive state, your SSM must be re-imaged. Refer to the Installing the AIP-SSM System Image section of Upgrading, Downgrading, and Installing System Images for more information and steps on how to re-image the AIP-SSM.
Note: Refer to the Reloading, Shutting Down, Resetting, and Recovering AIP-SSM section of Configuring ASA-SSM for more information about the various commands available to troubleshoot the AIP-SSM.
This problem is due to Cisco bug ID CSCts58648 (registered customers only).
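As an added example (not part of the original Cisco document), the following Python script parses the show module output shown above and maps any SSM slot whose status is not Up to the reset command the document recommends. The sample output is the one from the page, embedded as a constructed string; the function names are assumptions.

```python
import re

# Constructed sample: the 'show module' output quoted above (ASA 5510 with an ASA-SSM-10 in slot 1).
SHOW_MODULE_OUTPUT = """\
Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  0 ASA 5510 Adaptive Security Appliance         ASA5510            JMX0934K021
  1 ASA 5500 Series Security Services Module-10  ASA-SSM-10         JAB093203S3

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
--- --------------------------------- ------------ ------------ ---------------
  0 0013.c480.a11d to 0013.c480.a121  1.0          1.0(10)0     7.0(2)
  1 0013.c480.b204 to 0013.c480.b204  1.0          1.0(10)0     5.0(2)S152.0

Mod Status
--- ------------------
  0 Up Sys
  1 Unresponsive
"""

# States in which 'hw-module module <n> reset' is applicable, per the document.
RESETTABLE_STATES = {"up", "down", "unresponsive", "recover"}


def parse_module_status(output):
    """Return {slot: status} from the 'Mod Status' table of a 'show module' capture."""
    statuses = {}
    in_status_table = False
    for line in output.splitlines():
        if line.startswith("Mod Status"):      # header of the last table
            in_status_table = True
            continue
        if not in_status_table or line.startswith("---"):
            continue
        m = re.match(r"\s*(\d+)\s+(.+?)\s*$", line)  # "<slot> <status text>"
        if m:
            statuses[int(m.group(1))] = m.group(2)
    return statuses


def recommend_action(statuses):
    """Map every SSM slot that is not Up to an action. Slot 0 is the ASA chassis itself."""
    actions = {}
    for slot, status in statuses.items():
        if slot == 0 or status.split()[0].lower() == "up":
            continue                            # nothing to do for a healthy module
        if status.lower() in RESETTABLE_STATES:
            actions[slot] = f"hw-module module {slot} reset"
        else:
            actions[slot] = "inspect manually"  # state the document does not cover
    return actions
```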

Unable to Access the AIP SSM through ASDM

Problem:
This error message is seen on the GUI.
Error connecting to sensor. Error Loading Sensor error
Solution:
Check whether the IPS SSM management interface is up or down, and check its configured IP address, subnet mask, and default gateway. This is the interface through which the Cisco Adaptive Security Device Manager (ASDM) software is reached from the local machine. Try to ping the management interface IP address of the IPS SSM from the local machine from which you want to access ASDM. If the ping fails, check the ACLs on the sensor.
Problem:
The "cannot communicate with main app" error message appears while you attempt to connect to the AIP SSM module.
Solution:
Reload the ASA or the AIP SSM module in order to resolve this error.

Unable to Upgrade/Update the IPS SSM

Problem:
The "Error: execUpgradeSoftware Connection failed" error message is seen on the CLI.
Solution:
Check whether the IPS SSM management interface is up or down, because this is the interface through which the ASA-IPS attempts to download the software. This is not the backplane connection between the ASA and the IPS-SSM; it is the Ethernet connection on the AIP-SSM module itself, which needs to be connected to a switch port and configured with an IP address, subnet mask, and default gateway. If HTTP still does not work, try the FTP or SCP option of the upgrade command.

Upgrade Error : execUpgradeSoftware

Problem:
The "Error: execUpgradeSoftware The update requires 60340 KB in /usr/cids/idsRoot/var/updates, there are only 57253 KB available." error message is seen during the upgrade.
Solution 1:
In order to fix this issue, you need to log into the CLI of the sensor with a service account. If you do not have a service account, you can create one with these commands:
configure terminal
user (username) priv service password (pass)
exit
Once you log into the service account, issue the rm /usr/cids/idsRoot/var/*pmz command and log out of the service account. Then check that the upgrade completes.
Solution 2:
This error occurs because there is too little free space on the IPS module; the recovery files occupy a large amount of space on the module. Complete these steps in order to remove the recovery files and resolve this error:
bash-2.05b# cd /usr/cids/idsRoot/var/updates/

bash-2.05b# ls -l

drwxr-xr-x    2 cids     cids         1024 Jul  1 22:35 backups
drwxr-xr-x    2 cids     cids         1024 Oct 19 15:26 download
drwxrwxr-x    2 cids     cids         1024 Oct 19 15:26 logs
-rw-r--r--    1 root     root          183 Sep  6 21:54 package
-rw-r--r--    1 cids     cids     27587840 Jul  9  2009 recovery.gz
drwxr-xr-x    2 cids     cids         1024 Jul  1 22:35 scripts

bash-2.05b# rm recovery.gz

Unable to connect to the IPS with the IPS event viewer (IEV)

Problem:
This error message appears:
Cannot send xml document to sensor.
java.security.cert.CertificateExpiredException: NotAfter:
Solution:
This issue can be resolved if you regenerate the TLS certificate with this command:
sensor(config)#tls generate-key

Unable to access AIP-SSM

Problem:
When you try to access SSM, this error message is displayed.
Opening command session with slot 1.
Card in slot 1 did not respond to session request
Solution:
Issue the hw-module module 1 recover command in order to resolve this problem. Refer to Recovering AIP-SSM for more information on this command.

Error when the AIP-SSM module is plugged into the ASA

Problem:
When you try to insert the AIP SSM module into the ASA, this error message is displayed.
module in slot 1 experienced a channel communication failure
Solution:
Reload the ASA in order to resolve the issue. If the issue still exists, contact TAC for further help.

AIP-SSM fails after signature update

Problem:
AIP-SSM fails after the signature is updated. The signature update causes the AIP-SSM to run out of memory and become unresponsive when the number of signatures enabled is high.
Solution:
If too many signatures are enabled, reset the signature definition to its defaults in order to resolve the issue. SSH to the sensor and use these commands:
configure terminal
service signature-definition sig0
default signatures
exit
exit

Latency issues with IPS sensor

Problem:
Latency issue occurs with the IPS sensor.
Solution:
The latency issue occurs when the deny-packet-inline and deny actions are enabled for every signature in VS0. If you enable all the signatures, this results in latency because the IPS inspects every single packet that passes through it. In order to resolve the latency issue, enable only the specific signatures required for your network traffic flow.
