11-01-2011 03:12 AM - edited 03-10-2019 05:32 AM
Hi,
We have two AIP-SSM modules installed in Cisco ASA 5540s running in Active/Standby mode. We are able to log in to our Primary AIP-SSM module, but after logging in we are unable to issue any command, as the prompt does not come back. We have issued the following commands to check for errors:
Primary ASA# show failover history
06:08:32 IST Sep 4 2011
Standby Ready Just Active Service card in other unit has failed
06:08:32 IST Sep 4 2011
Just Active Active Drain Service card in other unit has failed
06:08:32 IST Sep 4 2011
Active Drain Active Applying Config Service card in other unit has failed
06:08:32 IST Sep 4 2011
Active Applying Config Active Config Applied Service card in other unit has failed
06:08:32 IST Sep 4 2011
Active Config Applied Active Service card in other unit has failed
Secondary ASA# show module
Mod Card Type Model Serial No.
--- -------------------------------------------- ------------------ -----------
0 ASA 5540 Adaptive Security Appliance ASA5540 JMX1311L0U6
1 ASA 5500 Series Security Services Module-40 ASA-SSM-40 JAF1307AACC
Mod MAC Address Range Hw Version Fw Version Sw Version
--- --------------------------------- ------------ ------------ ---------------
0 0021.a0ed.203b to 0021.a0ed.203f 2.0 1.0(11)5 8.0(4)
1 0024.14d0.4407 to 0024.14d0.4407 1.0 1.0(14)5
Mod SSM Application Name Status SSM Application Version
--- ------------------------------ ---------------- --------------------------
Mod Status Data Plane Status Compatibility
--- ------------------ --------------------- -------------
0 Up Sys Not Applicable
1 Unresponsive Not Applicable
While trying to log in with the session command on the ASA, the following output was given by the ASA:
Secondary ASA # session 1
Opening command session with slot 1.
Card in slot 1 did not respond to session request.
SSEL-DCKOL-FWIN-MT05-01#
Module Details
Secondary ASA # show module 1 details
Getting details from the Service Module, please wait...
Unable to read details from slot 1
ASA 5500 Series Security Services Module-40
Model: ASA-SSM-40
Hardware version: 1.0
Serial Number: JAF1307AACC
Firmware version: 1.0(14)5
Software version:
MAC Address Range: 0024.14d0.4407 to 0024.14d0.4407
Data plane Status: Not Applicable
Status: Unresponsive
After logging in to the IPS, only the following output appears. The command prompt does not come back.
login as: admin
Using keyboard-interactive authentication.
Password:
Last login: Tue Nov 1 15:37:40 2011 from 172.21.15.12
***NOTICE***
This product contains cryptographic features and is subject to United States
and local country laws governing import, export, transfer and use. Delivery
of Cisco cryptographic products does not imply third-party authority to import,
export, distribute or use encryption. Importers, exporters, distributors and
users are responsible for compliance with U.S. and local country laws. By using
this product you agree to comply with applicable laws and regulations. If you
are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
Please help me solve this issue.
Thanks a lot in advance.
Regards
Dipak
11-01-2011 08:52 AM
Dipak -
It appears your AIP-SSM module is hung. It should be reporting a Software Version and the Status should be UP. Your module shows:
Software version:
...
Status: Unresponsive
I would first attempt to reset your module; if that doesn't solve your problem, you should reimage your module.
http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/cli/cliSSM.html#wp1034193
- Bob
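The two checks from the reply above (a reported Software version and a Status of Up), applied to captured `show module 1 details` output. This is an added example, not part of the original thread; the function names are hypothetical and the healthy sample's software version and status lines are constructed for illustration.

```python
# Sample taken from the "show module 1 details" output quoted in the thread.
SAMPLE_HUNG = """\
Getting details from the Service Module, please wait...
Unable to read details from slot 1
ASA 5500 Series Security Services Module-40
Model: ASA-SSM-40
Hardware version: 1.0
Firmware version: 1.0(14)5
Software version:
Data plane Status: Not Applicable
Status: Unresponsive
"""

# Constructed sample: the version and status values here are illustrative only.
SAMPLE_HEALTHY = """\
Getting details from the Service Module, please wait...
ASA 5500 Series Security Services Module-40
Model: ASA-SSM-40
Software version: X.Y(Z)-placeholder
Data plane Status: Up
Status: Up
"""


def parse_details(text):
    """Turn 'Key: value' lines into a dict keyed by lower-cased field name."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:  # lines without a colon (banners, error text) are skipped
            fields[key.strip().lower()] = value.strip()
    return fields


def check_module(text):
    """Return a list of findings; an empty list means both checks passed."""
    fields = parse_details(text)
    findings = []
    if "unable to read details" in text.lower():
        findings.append("ASA could not read details from the module")
    if not fields.get("software version"):
        findings.append("no software version reported")
    status = fields.get("status", "")
    if status.lower() != "up":
        findings.append("status is '%s', expected 'Up'" % (status or "missing"))
    return findings


if __name__ == "__main__":
    for name, sample in (("hung", SAMPLE_HUNG), ("healthy", SAMPLE_HEALTHY)):
        print(name, check_module(sample) or "OK")
```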
11-01-2011 10:18 AM
Hi,
Will resetting the AIP-SSM module have any impact on the IPS configuration? Please advise, as we have very little knowledge about IPS. Can the reset be done in the production environment (if resetting has no impact on the production environment)? If yes, then we will take downtime.
Thanks a lot for your support.
Regards
Dipak
11-01-2011 11:08 AM
Dipak -
Resetting an IPS Module will not change the configuration on that module.
Resetting your IPS module will cause a failover to your standby ASA if the AIP-SSM module is configured for In-Line operation.
If you do not wish to have a failover, you can remove the IPS configuration section from the ASA config.
During the time the IPS module is rebooting, you will not have any IPS inspection taking place.
- Bob