cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7184
Views
0
Helpful
12
Replies

ASA-SSM-10 Unresponsive

Emrecan Ural
Level 1
Level 1

Hi,

I've installed an ASA-SSM-10 module into my ASA 5510 firewall but it's in "Unresponsive" state. I tried to reset and recover the module but nothing seems to work. Below you may find information about the system and details about what I did. Any help is greatly appreciated.

Firewall:

ASA5510-K8, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz

Internal ATA Compact Flash, 256MB

System image file is "disk0:/asa843-k8.bin"

Device Manager Version 6.4(3)

IPS Module:

ASA 5500 Series Security Services Module-10  ASA-SSM-10

Hw Version: 1.0

Sw Version: 6.2(2)E4

SSM Application Version: 6.2(2)E4

I have 2 IPS images at my TFTP server:

IPS-SSC_5-K9-sys-1.1-a-6.2-2-E4.img

IPS-SSM_10-K9-sys-1.1-a-7.1-5-E4.img

I tried the command: hw-module module 1 reset

At first module status changes to "Inıt" but after then it goes back to "Unresponsive"

I used the command "hw-module module 1 recover configure" for 2 different images mentioned above by the same order and then tried:

"hw-module module 1 recover boot"

Module status changes to "Recover" and stays like that for hours. I've waited for 2 hours for 2 different images. And then I issued the command: hw-module module 1 recover stop and the module goes back to "Unresponsive" state.

The Module's network interface is connected to the same switch where the TFTP server is connected. When I run a sniffer on the TFTP server (Linux, tcpdump), there's no TFTP activity. But I can use this TFTP server from ASA (Connected to the Inside interface).

ASA Inside interface IP Address: X.X.X.1

TFTP Server IP Address: X.X.X.8

"show module 1 recover" command output:

Module 1 recover parameters...

Boot Recovery Image: Yes

Image URL:           tftp://X.X.X.8/IPS-SSC_5-K9-sys-1.1-a-6.2-2-E4.img

Port IP Address:     X.X.X.2

Gateway IP Address:  X.X.X.1

VLAN ID:             0

(There are no VLANs used on this network.)

12 Replies 12

Jennifer Halim
Cisco Employee
Cisco Employee

You can't use IPS-SSC_5-K9-sys-1.1-a-6.2-2-E4.img on AIP-10 module as that image is for AIP-SSC-5 module on ASA 5505.

Pls use system image IPS-SSM_10-K9-sys-1.1-a-7.1-5-E4.img to recover it.

Thanks for your response. As I mentioned earlier in my email, I tried 2 different images (IPS-SSC_5-K9-sys-1.1-a-6.2-2-E4.img and IPS-SSM_10-K9-sys-1.1-a-7.1-5-E4.img) without any success. Since there are no packets coming from IPS on the TFTP server, I think the problem is something else.

When I run the "debug cplane 255" command, I see some errors mentioned below:

asa(config)# debug cplane 255

debug cplane  enabled at level 255

asa(config)#

cp_connect: Connecting to card 1, socket 3, port 7000

cp_connect: Error - cp_connect() returned -1

cp_check_connection: handle -1, conflicts with connection 1 (-1)

cp_check_connection: handle -1, conflicts with connection 2 (-1)

cp_check_connection: handle -1, conflicts with connection 3 (-1)

cp_update_connection: Error updating connection_id 0

Is this a hardware issue?


How did you connect the AIP module to the tftp server?

You would need to use the port on the module itself to connect it to the network or directly to your tftp server.

You can't use the backplane on the ASA for management traffic towards the AIP module.

As I mentioned in my first email;

The Module's network interface is connected to the same switch where the TFTP server is connected. When I run a sniffer on the TFTP server (Linux, tcpdump), there's no TFTP activity. But I can use this TFTP server from ASA (Connected to the Inside interface).

ASA Inside interface IP Address: X.X.X.1

TFTP Server IP Address: X.X.X.8

If the module does not come up as "UP" state after resetting it, you might need to get an RMA of the module.

I understand that you have tried to reset the module, did you also try to reload the module?

hw-module module 1 reload

If all fails, then RMA would be the way to go.

Yes, I tried to reset the module. Since it is in "Unresponsive" state, hw-module module 1 reload command does not work. I will power cycle the ASA and try to recover the module again before contacting RMA. Thanks for your help.

Emrecan,

Did you ever get this problem resolved?  I am havign the exact same issue on my ASA 5510.  Did you have to RMA it or did a re-seat of the module solve the problem. Just wondering if you fixed it.

Thanks.

Kerry

Hi Kerry,

Yes, I did fix it. I had to power cycle the ASA then reimage the IPS module. That solved my problem.

Hey Emrecan,

 

I appear to have the same issue.  Tried re-imaging the module itself, but appears to not get ANY traffic, looks to be exactly what your issue was.  Was there anything else you did, besides rebooting the ASA to get it to take the image?  Mine just does this :

 


ciscoasa(config)# hw module 1 recover boot

The module in slot 1 will be recovered.  This may
erase all configuration and all data on that device and
attempt to download a new image for it.
Recover module in slot 1? [confirm]
Recover issued for module in slot 1


ciscoasa(config)#


And just sits there.

Hi,

I don't remember doing anything else than powering cycling the ASA and reimaging the module. If your module is still in unresponsive state, you might need to send it to RMA.

Did you try "debug cplane 255" command? This might help you to see what's going on with the module..

Is it my imagination or has 7.1-5-E4 been withdrawn?

Yes 7.1.5-E4 has been withdrawn

https://supportforums.cisco.com/thread/2162447?tstart=0

Regards,

Sawan Gupta

Thanks & Regards, Sawan Gupta
Review Cisco Networking for a $25 gift card