Beginner

ASA-SSM-20 query...

I have an ASA-SSM-20 module that seems to be faulty on an ASA. I've been looking around the net and it looks like these modules usually come in 2 flavours - AIP-SSM-20 and CSC-SSM-20. The output from the ASA doesn't specify whether it is either of these.

Are these variances determined by a license of software installed? Or is there something I'm missing?

I want to replace the hardware but need to know the above....

Can anyone advise?

Engager

ASA-SSM-20 query...

Can you provide the output of "show module"? This would let you know what device it is.

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
Beginner

ASA-SSM-20 query...

EUDR-SunG-ASA-01# sh module

Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  0 ASA 5520 Adaptive Security Appliance         ASA5520            JMX1421L3XS
  1 ASA 5500 Series Security Services Module-20  ASA-SSM-20         JAF1418BGLD

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
--- --------------------------------- ------------ ------------ ---------------
  0 5475.d026.e462 to 5475.d026.e466  2.0          1.0(11)5     8.2(4)8
  1 68ef.bdd0.d5bc to 68ef.bdd0.d5bc  1.0          1.0(11)5

Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- --------------------------

Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
  0 Up Sys             Not Applicable
  1 Down               Not Applicable           Not powered on completely

Engager

ASA-SSM-20 query...

It is an IPS module.

Thanks, Varun Rao Security Team, Cisco TAC
Beginner

ASA-SSM-20 query...

How can you tell whether it is an AIP or CSC?

Engager

Re: ASA-SSM-20 query...

Hi,

I checked it with the serial number at my end. The device is currently not powered on, hence it is not showing whether it is an IPS or CSC, since the ASA is not able to detect it.

In that case you can either check the ASA datasheet or the hardware guides to identify which module it is. Moreover, were you using this module earlier? If yes, then "show run policy" would definitely let you know if it was configured for IPS or CSC.

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
Beginner

ASA-SSM-20 query...

You should first try reseating the module and see if it comes up.

If it does not come up, try to reimage the module.

If the reimage does not resolve the issue, then you can proceed with the hardware replacement.

The correct part no. for this is

ASA-SSM-AIP-20-K9=
Beginner

ASA-SSM-20 query...

Have already tried reseating....

How can I reimage if it isn't working?

Beginner

ASA-SSM-20 query...

ASA-SSM-20 is always an IPS module and the full part ID is ASA-SSM-AIP-20-K9

wherein K9 is the license installed on this module.

Hope this resolves your query.

Beginner

ASA-SSM-20 query...

Reimage will work even if the module is down.

Refer to the below link for reimage.

http://www.cisco.com/en/US/docs/security/ips/5.0/configuration/guide/cli/cliimage.html#wpxref68481

Beginner

Re: ASA-SSM-20 query...

AHHHH link is dead... Well, that was in 2012 (now 2019), I am sure it did work once. It redirected, I will see if I can pull anything I can use from that. Thanks!
Hall of Fame Master

Re: ASA-SSM-20 query...

Here's a working link:

https://www.cisco.com/c/en/us/td/docs/security/ips/7-1/configuration/guide/cli/cliguide71/cli_troubleshooting.pdf

Reference page C-62.

Here's the relevant text (of course substitute your tftp server, gateway address and img file that you are using):

If you have problems with reimaging the ASA 5500 AIP SSM, use the debug module-boot command
to see the output as the module boots. Make sure you have the correct IP address for the TFTP server
and you have the correct file on the TFTP server. Then use the hw-module module 1 recover command
again to reimage the module:

asa(config)# hw-module module 1 recover configure
Image URL [tftp://0.0.0.0/]: tftp://192.0.2.0/IPS-SSM-K9-sys-1.1-a-5.1-0.1.i$
Port IP Address [0.0.0.0]: 10.89.150.227
VLAN ID [0]:
Gateway IP Address [0.0.0.0]: 10.89.149.254
asa(config)# debug module-boot
debug module-boot enabled at level 1
asa(config)# hw-module module 1 recover boot
The module in slot 1 will be recovered. This may erase all configuration and all data on
that device and attempt to download a new image for it.
Recover module in slot 1? [confirm]
Recover issued for module in slot 1
asa(config)# Slot-1 140> Cisco Systems ROMMON Version (1.0(10)0) #0: Fri Mar 25 23:02:10
PST 2005
Slot-1 141> Platform ASA-SSM-10
Slot-1 142> GigabitEthernet0/0
Slot-1 143> Link is UP
Slot-1 144> MAC Address: 000b.fcf8.0176
Slot-1 145> ROMMON Variable Settings:
Slot-1 146> ADDRESS=10.89.150.227
Slot-1 147> SERVER=10.89.146.1
Slot-1 148> GATEWAY=10.89.149.254
Slot-1 149> PORT=GigabitEthernet0/0
Slot-1 150> VLAN=untagged
Slot-1 151> IMAGE=IPS-SSM-K9-sys-1.1-a-5.1-0.1.img
Slot-1 152> CONFIG=
Slot-1 153> LINKTIMEOUT=20
Slot-1 154> PKTTIMEOUT=4
Slot-1 155> RETRY=20
Slot-1 156> tftp IPS-SSM-K9-sys-1.1-a-5.1-0.1.img@10.89.146.1 via 10.89.149.254
Slot-1 157> TFTP failure: Packet verify failed after 20 retries
Slot-1 158> Rebooting due to Autoboot error ...
Slot-1 159> Rebooting....
Slot-1 160> Cisco Systems ROMMON Version (1.0(10)0) #0: Fri Mar 25 23:02:10 PST 2005
Slot-1 161> Platform ASA-SSM-10
Slot-1 162> GigabitEthernet0/0
Slot-1 163> Link is UP
Slot-1 164> MAC Address: 000b.fcf8.0176
Slot-1 165> ROMMON Variable Settings:
Slot-1 166> ADDRESS=10.89.150.227
Slot-1 167> SERVER=10.89.146.1
Slot-1 168> GATEWAY=10.89.149.254
Slot-1 169> PORT=GigabitEthernet0/0
Slot-1 170> VLAN=untagged
Slot-1 171> IMAGE=IPS-SSM-K9-sys-1.1-a-5.1-0.1.img
Slot-1 172> CONFIG=
Slot-1 173> LINKTIMEOUT=20
Slot-1 174> PKTTIMEOUT=4
Slot-1 175> RETRY=20
Slot-1 176> tftp IPS-SSM-K9-sys-1.1-a-5.1-0.1.img@10.89.146.1 via 10.89.149.254
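
As an added example (not part of the original post or of Cisco's guide), here is a small Python check for the advice above to confirm the TFTP server address and file name: it parses a saved capture of the recover prompts and debug module-boot lines, then compares what was entered with what ROMMON reports. The capture, its addresses and its file name are constructed, and the line formats are assumed to match the transcript above.

```python
import re
from urllib.parse import urlparse

# Constructed capture in the format of the transcript above; the addresses
# and the image file name are made up for illustration.
SAMPLE = """\
Image URL [tftp://0.0.0.0/]: tftp://192.0.2.10/example-sys.img
Port IP Address [0.0.0.0]: 198.51.100.20
VLAN ID [0]:
Gateway IP Address [0.0.0.0]: 198.51.100.1
Slot-1 146> ADDRESS=198.51.100.20
Slot-1 147> SERVER=192.0.2.99
Slot-1 148> GATEWAY=198.51.100.1
Slot-1 151> IMAGE=example-sys.img
Slot-1 152> CONFIG=
Slot-1 157> TFTP failure: Packet verify failed after 20 retries
Slot-1 158> Rebooting due to Autoboot error ...
"""

PROMPT = re.compile(r"^(Image URL|Port IP Address|Gateway IP Address) \[[^\]]*\]:\s*(\S+)")
SLOT = re.compile(r"^Slot-\d+ \d+> (.*)$")
VAR = re.compile(r"^([A-Z]+)=(.*)$")

def check_recovery(capture):
    """Return (rommon_vars, findings) for a recover/debug module-boot capture."""
    entered, rommon, findings = {}, {}, []
    for line in capture.splitlines():
        line = line.strip()
        if m := PROMPT.match(line):
            entered[m.group(1)] = m.group(2)       # value typed at the prompt
        elif m := SLOT.match(line):
            body = m.group(1)
            if v := VAR.match(body):
                rommon[v.group(1)] = v.group(2)    # later boot attempts overwrite
            elif body.startswith("TFTP failure"):
                findings.append(body)
    url = urlparse(entered.get("Image URL", ""))
    expected = {"SERVER": url.hostname, "IMAGE": url.path.lstrip("/") or None,
                "ADDRESS": entered.get("Port IP Address"),
                "GATEWAY": entered.get("Gateway IP Address")}
    for key, want in expected.items():
        got = rommon.get(key)
        if want and got and want != got:
            findings.append(f"{key} mismatch: entered {want}, ROMMON has {got}")
    return rommon, findings

if __name__ == "__main__":
    print("\n".join(check_recovery(SAMPLE)[1]))
```
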

 

Beginner

Re: ASA-SSM-20 query...

Hi,

I have an SSM-20 module, but I can't reimage because this does not have an IP address.

ciscoasa# show module 1 details
Getting details from the Service Module, please wait...
Unable to read details from module 1

Card Type: ASA 5500 Series Content Security Services Module-20
Model: ASA-SSM-CSC-20-K9
Hardware version: 1.0
Serial Number: JAF1333XXXX
Firmware version: 1.0(11)5
Software version:
MAC Address Range: 0026.0bXX.XXXX to 0026.0bXX.XXXX
Data Plane Status: Not Applicable
Status: Unresponsive

ciscoasa#hw-module module 1 recover configure
Image URL [tftp://172.16.2.3/csc6.6.1164.0.bin]:
Port IP Address [0.0.0.0]: (This does not have an IP address and does not accept 0.0.0.0)
VLAN ID [0]:
Gateway IP Address [0.0.0.0]:
ciscoasa#

Do you know how I can repair this problem?

Thanks,

Alexandre

Hall of Fame Master

Re: ASA-SSM-20 query...

You should be able to copy the image to your ASA and recover from that image.

Why are you trying to set up a very very old and past-end-of-life module though? It does not provide effective security against modern threats and no current certification track requires that you know it.

Beginner

ASA-SSM-20 query...

Amit - a show inventory gives the following:

Name: "module 1", DESCR: "ASA 5500 Series Security Services Module-20"
PID: ASA-SSM-20        , VID: V02     , SN: JAF1418BGLD

It doesn't have the same PID as what you listed above?