Re: Analysis Engine Not running for IPS in AIPSSM Module

kiran.raj1 · ‎02-13-2011

Hi all,

The Analysis Engine is not running for IPS module in AIPSSM Module. Please let me know how can i resolve this issue and get the analysis engine of IPS to running status.

Regards

Kiran

Jennifer Halim · ‎02-13-2011

Reload should resolve the issue, however, if you would like to further investigate why it's not running, I would suggest that you open a case with the TAC.

kiran.raj1 · ‎02-13-2011

Hi,

How do i reload the sensor? Is it through ASA? . Can you please let me know the exact command to do the same.

If i relaod the sensor , does it have any effect on the ASA as it is a AIPSSM module. Let me know if any backup needs to be taken.

Regards

Kiran

Jennifer Halim · ‎02-13-2011

Multiple ways to reload the IPS:

1) If you are connected via IDM, you can go to Configuration --> Reboot Sensor --> and the "Reboot Sensor" button.

2) If you are in the IPS CLI, you can issue: reset

3) If you only have access to the ASA, then you can issue: hw-module module 1 reload

Are you running the ASA in failover mode? if it is, you can manually failover the ASA prior to the reload of the AIP module. Otherwise, it will automatically failover to the standby ASA when you reload the module.

If you are only running a single ASA, I would suggest that you reload the IPS during after hour, or double check if your policy map for redirecting the traffic towards the IPS says: "fail-open".

kiran.raj1 · ‎02-21-2011

Hi All,

I have reloaded the IPS module in AIPSSM, Still no luck, the analysis engine is still not running.Can you please help me out to solve this.

Regards

Kiran

Siddharth Chandrachud · ‎02-21-2011

Hello,

I work in the TAC IDS team.

The command " asa#hw-module module 1 reload " will not be useful under this condition since it only does a software reset.

This may not be useful in conditions of a software crash.

Issue the command below to do a hardware reset of the module. This should bring the module back up.

asa#hw-module module 1 reset

If you want to investigate the reason behind the crash, please open a TAC case.

Regards,

Sid

kiran.raj1 · ‎02-21-2011

Hi,

I have also tried with the command "hw-module module 1 reset". But still the analysis engine is not running. Will re-imaging solve the issue or do guide me if there are any other methods to resolve the same.

Also please share me the steps for re-imaging

Regards

Kiran

Siddharth Chandrachud · ‎02-21-2011

Hi Kiran,

Ideally, what you can do is to remove the configuration on the ASA that sends traffic to IPS.

The crash in sensorapp or analysis engine might be traffic, configuration related.

We can try to reboot the IPS with no load on it by stopping sending traffic to it.

You can remove the IPS policy from the ASA configuration.

http://tools.cisco.com/squish/2f7A3

What this will do is stop ASA from sending any traffic to IPS.

Now do the hw-module module 1 reset command.

See if the IPS module comes back up.

If that also fails, then you can re-image the module.

This will however erase the configuration on the module.

The re-image procedure for SSM module:

http://tools.cisco.com/squish/ee66a

Hope this helps.

Sid