ASA SSM-20 password recovery with 5.0 image running

arumugasamy
Level 1

Hi all,

The customer forgot the password for the ASA SSM-20 IPS module installed in an ASA 5520 FW.

show module in the customer FW shows it in up state. I brought it to our office test bed. Here it shows

ASA1# sh module

Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  0 ASA 5520 Adaptive Security Appliance         ASA5520-K8         JMX1022K03A
  1 ASA 5500 Series Security Services Module-20  ASA-SSM-20         JAB101003C2

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
--- --------------------------------- ------------ ------------ ---------------
  0 0017.9527.121d to 0017.9527.1221  1.1          1.0(10)0     8.0(5)
  1 0015.c695.d25a to 0015.c695.d25a  1.0          1.0(10)0

Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- --------------------------

Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
  0 Up Sys             Not Applicable
  1 Unresponsive       Not Applicable

!

So now I do not know what to do with this module in my test bed.

I have to take it back to the customer site to use it in their ASA itself to troubleshoot.

There the status is up and I did use all the hw-module options but no use. The version is 5.0.

This module is more than 5 years old and so far no one has upgraded the image. ASA 5520 running 8.2.5.

Can anyone help me with the workaround to access the module?

Thanks

swamy

8 Replies

Jennifer Halim
Cisco Employee

Here is the only way to recover password if you are running version 5.0:

http://www.cisco.com/en/US/docs/security/ips/5.0/configuration/guide/idm/dmts.html#wp147543

I am now getting the below

ASA2# sh module 1 details
Getting details from the Service Module, please wait...
Unable to read details from slot 1
ASA 5500 Series Security Services Module-20
Model:              ASA-SSM-20
Hardware version:   1.0
Serial Number:      JAB101003C2
Firmware version:   1.0(10)0
Software version:
MAC Address Range:  0015.c695.d25a to 0015.c695.d25a
Data plane Status:  Not Applicable
Status:             Init

!

not up state

!

After some time, getting

ASA2# sh module 1

Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  1 ASA 5500 Series Security Services Module-20  ASA-SSM-20         JAB101003C2

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
--- --------------------------------- ------------ ------------ ---------------
  1 0015.c695.d25a to 0015.c695.d25a  1.0          1.0(10)0

Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- --------------------------

Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
  1 Unresponsive           Not Applicable

!

Before the try for upgrade it was in UP state

!

Now it shows Unresponsive.

How to do the upgrade using TFTP?

I connected the PC directly to the C&C interface and then

PC - 10.193.2.224

C&C IP was according to show module 1 details 10.193.2.223

But I cannot ping from the PC to the C&C int.

!

I stopped the recover using the "hw-module module 1 recover stop" cmd, then

I am getting Unresponsive instead of the UP state.

Help me with the workaround.

Thx

Jennifer,

Thx for your reply.

Even though I put both the C&C int and the PC in the same subnet, why can I not ping the C&C interface?

Thx

Jennifer,

Tell me why I can't ping the C&C IP.

ASA2# sh module 1 details
Getting details from the Service Module, please wait...
ASA 5500 Series Security Services Module-20
Model:              ASA-SSM-20
Hardware version:   1.0
Serial Number:      JAB101003C2
Firmware version:   1.0(10)0
Software version:   5.0(2)S152.0
MAC Address Range:  0015.c695.d25a to 0015.c695.d25a
App. name:          IPS
App. Status:        Up
App. Status Desc:
App. version:       5.0(2)S152.0
Data plane Status:  Up
Status:             Up
Mgmt IP addr:       10.193.2.223
Mgmt web ports:     443
Mgmt TLS enabled:   true

!

This is the mgmt IP. I put the PC in the same subnet assuming a class A mask, but I cannot ping it.

!

Can you give me the exact image name to upgrade, with the procedures to follow?

thx

OK, looks like the IPS is now up, however you still can't ping it.

Maybe it is not a class A subnet, can you try a class C subnet instead?

If it still doesn't work, you would need to reimage the IPS module, and to reimage, I would suggest that you go to the latest version of 7.0.

Here is the reimage procedure for your reference:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_system_images.html#wp1231447

Please kindly be advised that reimaging will wipe out the configuration, but since it is running a very old version of code, there won't be too much configuration anyway. You just have to reconfigure some basic settings to start with, i.e. management IP address, default gateway, etc. Once you reimage it to the latest version of 7.0, here are the steps to initialize/reconfigure the IPS:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_initializing.html

Hope that helps.

Thx

I will post you soon.

Best wishes / Kind regards

Swami K.Nadar

Network Team Lead-Technical Support Services

CCIE R&S & Security (20831)

Bahrain Business Machines

P.O.BOX 10554

Tel: (00973) 17584330

Fax: (00973)17584343

Mob: (00973) 39063271

swami@bh.gbm.ihost.com

http://www.gbm4ibm.com

I am working on reimaging now. I will let you know the result soon.

Great, let us know how it goes.
