Solved: AIP SSM Module Licensing Question

agent2007 · ‎06-26-2011

Hello,

If I put 2 AIP SSM Modeules in to a 2 Cisco ASA which are clustered, do I need a new license for the firewall? In the ASDM it complains about no valid license installed although the firewall picks up the cards and allows me to configure in CLI.

Help please

Jennifer Halim · ‎06-26-2011

Yes you do.

AIP SSM module is independant from the ASA. Each AIP SSM module would need its own license as it is tied to the serial number of the AIP SSM module.

View solution in original post

tiwang · ‎06-26-2011

hi again

Yes you do - they are seperate from the ASA's - remember also that even you have the ASA's in a fail-over cluster you need to maintain the configs on the IPS-blades manually - they are not synchroniced...

best regards /ti

View solution in original post

Jennifer Halim · ‎06-27-2011

You would need to apply the license from the AIP module itself.

Once the management interface on the AIP module is configured, then you can HTTPS (IDM) to the AIP module.

From there, it's pretty itutitive, just go to the License update section and it will connect to cisco.com and retrieve the license.

View solution in original post

tiwang · ‎06-27-2011

IF you get trouble with the Java for that "%¤#"% IDM it is also quite simple to load the license (and config, updates etc) via the CLI -> from ASA issue the command session 1 - where you can logon to the AIP - from there you can load config and license files with the copy command and upgrade the os and signatyure files with the upgrade command

best regards /ti

View solution in original post

Jennifer Halim · ‎06-26-2011

Yes you do.

AIP SSM module is independant from the ASA. Each AIP SSM module would need its own license as it is tied to the serial number of the AIP SSM module.

agent2007 · ‎06-26-2011

Tks so much for quick reply

tiwang · ‎06-26-2011

hi again

Yes you do - they are seperate from the ASA's - remember also that even you have the ASA's in a fail-over cluster you need to maintain the configs on the IPS-blades manually - they are not synchroniced...

best regards /ti

agent2007 · ‎06-27-2011

really? I didnt know that. Thanks for pointing that out

agent2007 · ‎06-27-2011

Could I ask you one more question. When I sort out the licensing for the module, how do I go about appplying it to the asa. is ther a how to guide?

Jennifer Halim · ‎06-27-2011

You would need to apply the license from the AIP module itself.

Once the management interface on the AIP module is configured, then you can HTTPS (IDM) to the AIP module.

From there, it's pretty itutitive, just go to the License update section and it will connect to cisco.com and retrieve the license.

tiwang · ‎06-27-2011

IF you get trouble with the Java for that "%¤#"% IDM it is also quite simple to load the license (and config, updates etc) via the CLI -> from ASA issue the command session 1 - where you can logon to the AIP - from there you can load config and license files with the copy command and upgrade the os and signatyure files with the upgrade command

best regards /ti

agent2007 · ‎06-27-2011

Thanks guys

tiwang · ‎06-27-2011

ps: you can easlily keep the config updated between the two AIP's by using the copy command - load the config file from the one AIP to the other and do not overwrite the network settings

agent2007 · ‎06-27-2011

Thanks again for the tips.

What is the latest software version available for the AIP SSM and if it needed be upgraded is straight forward enough. also just one more question :-) how does it keep its signatures up to date?

tiwang · ‎06-27-2011

if you look in cisco.com/support for the AIP sw under ASA5500 you'll find that the latest version is some 7.0(5a).E4 - not sure what these extensions means

The module has some automatic upgrade feature for the signatures - I have newer tried this - we always do it the manual way - more not to forget the modules I think..