ASA5512-X IDS trial licence

Stuart Patton
Beginner

Hi,

Hope someone can help me.

I recently ordered an ASA5512-X without IDS and want to take advantage of the 60 day trial licence to see whether to buy 5512-X instead of 5510s in the future. I have applied for, and received, trial licences from Cisco and these have been received as 2x .LIC files. Rather confusingly, the two emails show the products are "IPS-Trial" and "IPS trial license".

Within the emails with each licence file, the instructions say to access the IPS using either IDM or the command line to upload these files.  Looking through the quick-start guide (http://www.cisco.com/en/US/docs/security/asa/quick_start/ips/ips_qsg.html) it says the IPS is available using management0/0 with the IP address 192.168.1.2 but I cannot get any response from this IP address.  Similarly, if I try to contact the IPS from the command line, I get the following:

ciscoasa# session ips
Opening command session with module ips.
Module ips did not respond to session request.

Am I missing something here?  If I do a "sh ver", the licenced features show the IPS as disabled:

IPS Module                        : Disabled       perpetual

So, is there a third licence with an activation tuple needed to enable this for 60 days?  If so, where do I apply for this?  My reseller are being less than helpful but that's a different story.

Any help gratefully appreciated!

Thanks,
Stuart

2 Replies

Todd Pula
Rising star

For the 5500-X integrated platform, there are two licenses that will be required to enable IPS. First, you will need the IPS feature license for the ASA. This will allow you to redirect traffic to the IPS for inspection. Second, you will need an IPS signature license to allow you to update the IPS to the latest signature package. In both cases, the serial # that you want to reference when requesting the license keys will be the one found in the "sh version" or "sh inventory" output.

Because the ASA was ordered without the IPS enabled, you will need to take one additional step in order to get the IPS online.  Below is a quick overview of the steps:

  • Visit CCO and download the IPS-SSP_5512-K9-sys-1.1-a-7.1-4-E4.aip software image
  • Copy the above image to disk0: on the ASA
  • Issue the following from enable mode on the ASA:   sw-module module ips recover configure image disk0:/IPS-SSP_5512-K9-sys-1.1-a-7.1-4-E4.aip
  • Issue the following from enable mode on the ASA:  sw-module module ips recover boot
  • This will load the latest IPS software onto the 5512
  • Issue the "show module ips details" command to monitor the status
  • Once the IPS is in an Up state, you can then issue the "session ips" command to begin the initial configuration

Feel free to PM me the license keys if you want me to check out what you have.  Alternatively, you can open up a case with TAC so we can help you out.

Download Link:

http://www.cisco.com/cisco/software/release.html?mdfid=283674966&flowid=24482&softwareid=282549758&release=7.1%284%29E4&relind=AVAILABLE&rellifecycle=&reltype=lates

Hi,

Thanks for the assistance.  Sorry for the delay in replying.

In the end, I contacted licensing, who have raised a service request with TAC (SR 622003745).

Thanks,

Stuart
