06-04-2012 07:26 AM - edited 03-11-2019 04:15 PM
Hi all,
The customer forgot the password for the ASA SSM-20 IPS module installed in an ASA 5520 FW.
Show module on the customer FW shows it in up state. I brought it to our office test bed. Here it shows:
ASA1# sh module
Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  0 ASA 5520 Adaptive Security Appliance         ASA5520-K8         JMX1022K03A
  1 ASA 5500 Series Security Services Module-20  ASA-SSM-20         JAB101003C2
Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
--- --------------------------------- ------------ ------------ ---------------
  0 0017.9527.121d to 0017.9527.1221  1.1          1.0(10)0     8.0(5)
  1 0015.c695.d25a to 0015.c695.d25a  1.0          1.0(10)0
Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- --------------------------
Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
  0 Up Sys             Not Applicable
  1 Unresponsive       Not Applicable
!
So now I do not know what to do with this module in my test bed.
I have to take it back to the customer site to use it in their ASA itself to troubleshoot.
There the status is up, and I did use all the hw-module options, but no use. The version is 5.0.
This module is more than 5 years old and so far no one has upgraded the image. ASA 5520 running 8.2.5.
Can anyone help me with a workaround to access the module?
Thanks
swamy
06-04-2012 07:53 AM
Here is the only way to recover password if you are running version 5.0:
http://www.cisco.com/en/US/docs/security/ips/5.0/configuration/guide/idm/dmts.html#wp147543
06-04-2012 09:38 AM
I am now getting the below:
ASA2# sh module 1 details
Getting details from the Service Module, please wait...
Unable to read details from slot 1
ASA 5500 Series Security Services Module-20
Model: ASA-SSM-20
Hardware version: 1.0
Serial Number: JAB101003C2
Firmware version: 1.0(10)0
Software version:
MAC Address Range: 0015.c695.d25a to 0015.c695.d25a
Data plane Status: Not Applicable
Status: Init
!
not up state
!
After some time, getting:
ASA2# sh module 1
Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  1 ASA 5500 Series Security Services Module-20  ASA-SSM-20         JAB101003C2
Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
--- --------------------------------- ------------ ------------ ---------------
  1 0015.c695.d25a to 0015.c695.d25a  1.0          1.0(10)0
Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- --------------------------
Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
  1 Unresponsive       Not Applicable
!
Before the upgrade attempt it was in UP state.
!
Now it shows Unresponsive.
How to do the upgrade using TFTP?
I connected the PC directly to the C&C interface and then
PC - 10.193.2.224
C&C IP was, according to show module 1 details, 10.193.2.223
But I cannot ping from the PC to the C&C int.
!
I stopped the recovery using the "hw-module module 1 recover stop" cmd, then
I am getting Unresponsive instead of UP state.
Help me with the workaround.
Thx
06-04-2012 10:59 AM
Jennifer,
Thx for your reply.
Even though I put both the C&C int and the PC in the same subnet, why can't I ping the C&C interface?
thx
06-04-2012 11:11 AM
Jennifer,
Tell me why I can't ping the C&C IP.
ASA2# sh module 1 details
Getting details from the Service Module, please wait...
ASA 5500 Series Security Services Module-20
Model: ASA-SSM-20
Hardware version: 1.0
Serial Number: JAB101003C2
Firmware version: 1.0(10)0
Software version: 5.0(2)S152.0
MAC Address Range: 0015.c695.d25a to 0015.c695.d25a
App. name: IPS
App. Status: Up
App. Status Desc:
App. version: 5.0(2)S152.0
Data plane Status: Up
Status: Up
Mgmt IP addr: 10.193.2.223
Mgmt web ports: 443
Mgmt TLS enabled: true
!
This is the mgmt IP. I put the PC in the same subnet assuming a class A mask, but I cannot ping it.
!
Can you give me the exact image name to upgrade, with the procedures to follow?
thx
06-04-2012 05:39 PM
OK, looks like the IPS is now up, however you still can't ping it.
Maybe it is not a class A subnet; can you try a class C subnet instead?
If it still doesn't work, you would need to reimage the IPS module, and to reimage, I would suggest that you go to the latest version of 7.0.
Here is the reimage procedure for your reference:
Please kindly be advised that reimaging will wipe out the configuration, but since it is running a very old version of code, there won't be much configuration anyway. You just have to reconfigure some basic settings to start with, i.e. management IP address, default gateway, etc. Once you reimage it to the latest version of 7.0, here are the steps to initialize/reconfigure the IPS:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_initializing.html
Hope that helps.
06-05-2012 12:07 AM
Thx
I will post you soon.
Best wishes / Kind regards
Swami K.Nadar
06-05-2012 10:56 PM
I am working on reimaging now. I will let you know the result soon.
06-05-2012 11:02 PM
Great, let us know how it goes.