06-06-2012 10:54 PM - edited 03-10-2019 05:42 AM
Hi all,
I can't connect to the SSM through ASDM, only through the CLI. If I try, I get the error "Error connecting to sensor. Error loading sensor".
I'm totally new to IPS. I appreciate any advice or help. Thanks
ASA5520ERA# sh ver
Cisco Adaptive Security Appliance Software Version 8.0(4)39
Device Manager Version 6.1(5)57
Compiled on Wed 01-Jul-09 17:24 by builders
System image file is "disk0:/asa804-39-k8.bin"
Config file at boot was "startup-config"
ASA5520ERA# session 1
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.
MODULO ANTI-INTRUSION
login: user
Password:
***NOTICE***
This product contains cryptographic features and is subject to United States
and local country laws governing import, export, transfer and use. Delivery
of Cisco cryptographic products does not imply third-party authority to import,
export, distribute or use encryption. Importers, exporters, distributors and
users are responsible for compliance with U.S. and local country laws. By using
this product you agree to comply with applicable laws and regulations. If you
are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
***LICENSE NOTICE***
There is no license key installed on the SSM-IPS10.
The system will continue to operate with the currently installed
signature set. A valid license must be obtained in order to apply
signature updates. Please go to http://www.cisco.com/go/license
to obtain a new license or install a license.
IPS_5520_ERA#
IPS_5520_ERA# sh configuration
! ------------------------------
! Current configuration last modified Thu Jun 07 03:33:02 2012
! ------------------------------
! Version 6.0(4)
! Host:
! Realm Keys key1.0
! Signature Definition:
! Signature Update S317.0 2008-02-13
! Virus Update V1.2 2005-11-24
! ------------------------------
service interface
physical-interfaces GigabitEthernet0/1
description Principal sensing interface
exit
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
network-settings
host-ip 172.29.0.2/30,172.29.0.1
host-name IPS_5520_ERA
telnet-option disabled
access-list 16.0.0.0/24
access-list 16.3.0.0/16
access-list 172.19.6.253/32
access-list 172.19.6.254/32
access-list 172.29.0.1/32
login-banner-text MODULE ANTI-INTRUSION
exit
time-zone-settings
offset 60
standard-time-zone-name GMT+01:00
exit
ntp-option enabled
ntp-keys 1 md5-key yellow
ntp-servers 172.29.0.1 key-id 1
exit
summertime-option recurring
summertime-zone-name GMT+01:00
start-summertime
week-of-month last
exit
end-summertime
month october
week-of-month last
exit
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
trap-destinations 172.18.1.1
trap-community-name ROTom01
trap-port 162
exit
enable-notifications true
read-only-community ROTom01
system-location XXXXX,XX
system-contact XXXXXXXXX
exit
! ------------------------------
service signature-definition sig0
signatures 2004 0
event-counter
event-count 10
exit
status
enabled false
exit
exit
signatures 7000 0
status
enabled false
exit
exit
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
exit
! ------------------------------
service anomaly-detection ad0
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service analysis-engine
virtual-sensor vs0
physical-interface GigabitEthernet0/1
exit
exit
IPS_5520_ERA#
06-07-2012 12:03 AM
Do you have the port on the SSM module connected to your network?
Currently you have configured 172.29.0.2/30 as the IP address, and the port that the module is connected to should have the IP address 172.29.0.1, as it is the default gateway.
Also, what is your PC ip address?
Currently you are only allowing access to the SSM module if you are one of the following IPs:
access-list 16.0.0.0/24
access-list 16.3.0.0/16
access-list 172.19.6.253/32
access-list 172.19.6.254/32
access-list 172.29.0.1/32
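Jennifer's two checks above (the sensor only accepts management connections from addresses in its own access-list, and reaches anything off its subnet through the gateway named on the host-ip line) can be run mechanically against a dumped sensor config. This is an added example, not code from the thread; it uses the first poster's `service host` block as constructed sample input and assumes the `host-ip address/len,gateway` and `access-list network/len` line formats exactly as they appear in that output.

```python
import ipaddress
import re

# Constructed sample: the `service host` block from the first poster's
# `show configuration` output, trimmed to the lines that matter here.
SENSOR_HOST_BLOCK = """\
service host
network-settings
host-ip 172.29.0.2/30,172.29.0.1
host-name IPS_5520_ERA
telnet-option disabled
access-list 16.0.0.0/24
access-list 16.3.0.0/16
access-list 172.19.6.253/32
access-list 172.19.6.254/32
access-list 172.29.0.1/32
exit
"""

def parse_network_settings(config_text):
    """Return (sensor interface, gateway, [allowed networks]) from a sensor config dump."""
    host_iface = gateway = None
    allowed = []
    for line in config_text.splitlines():
        line = line.strip()
        # host-ip <address>/<prefixlen>,<default gateway>
        m = re.match(r"host-ip\s+(\S+?)/(\d+),(\S+)$", line)
        if m:
            host_iface = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            gateway = ipaddress.ip_address(m.group(3))
            continue
        # access-list <network>/<prefixlen>: hosts allowed to manage the sensor
        m = re.match(r"access-list\s+(\S+)$", line)
        if m:
            allowed.append(ipaddress.ip_network(m.group(1), strict=False))
    if host_iface is None:
        raise ValueError("no host-ip line found in sensor config")
    return host_iface, gateway, allowed

def management_access_check(config_text, client_ip):
    """Report whether the sensor's own settings would admit an ASDM/web client."""
    host_iface, gateway, allowed = parse_network_settings(config_text)
    client = ipaddress.ip_address(client_ip)
    return {
        "client_allowed": any(client in net for net in allowed),
        "matching_entries": [str(net) for net in allowed if client in net],
        # off-subnet clients can only arrive via the gateway, i.e. the SSM's own port
        "client_on_sensor_subnet": client in host_iface.network,
        "gateway_on_subnet": gateway in host_iface.network,
    }
```

For the poster's PC (16.3.40.52) the access-list is not the blocker, since 16.3.0.0/16 matches; the PC is off the sensor's /30, so the answer hinges on the SSM port and gateway being cabled and reachable.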
06-07-2012 01:05 AM
Hi Jeniffer,
Do you mean the management port? My IP address is 16.3.40.52.
Thanks in advance
06-07-2012 01:12 AM
Not the management port on the ASA; there is also a port on the SSM module itself, and that is the port that you need to connect to the network.
06-07-2012 01:35 AM
Hi Jennifer,
Right now I can't see if the SSM port is connected to the network, but I don't think so. I'll ask if someone is there nearby, or I'll move up there myself.
Thanks for your time
06-04-2013 02:34 AM
I had the same problem.
My device is Cisco ASA 5520 with AIP SSM-10.
I can use ASDM to manage the ASA 5520 but cannot log in to the IPS (in the IPS or Intrusion Prevention tab). It shows me the error "Error connecting sensor. Error loading sensor".
I tried to reset, reload and unplug/plug the module, but it doesn't work.
This is my ASA configuration:
ASA-FW# show run
: Saved
:
ASA Version 8.4(4)1
!
hostname ASA-FW
enable password Uonv5zOz/3IVv5nJ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface GigabitEthernet0/0
description Connect to Internet
nameif outside
security-level 0
ip address 10.0.0.4 255.255.255.0
!
interface GigabitEthernet0/1
description Connect to DMZ
nameif inside
security-level 100
ip address 10.2.2.2 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
nameif DMZ
security-level 50
ip address 10.3.3.1 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
description Management
nameif management
security-level 0
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
access-list OUT-TO-DMZ extended permit tcp any host 10.1.1.2 eq smtp
access-list OUT-TO-DMZ extended permit tcp any host 10.1.1.2 eq www
access-list OUT-TO-DMZ extended permit icmp any any log
access-list OUT-TO-DMZ extended deny ip any any
access-list inside extended permit tcp any any eq pop3
access-list inside extended permit tcp any any eq smtp
access-list inside extended permit tcp any any eq ssh
access-list inside extended permit tcp any any eq telnet
access-list inside extended permit tcp any any eq https
access-list inside extended permit udp any any eq domain
access-list inside extended permit tcp any any eq domain
access-list inside extended permit tcp any any eq www
access-list inside extended permit ip any any
access-list inside extended permit icmp any any
access-list dmz extended permit ip any any
access-list dmz extended permit icmp any any
access-list acl_outside_in extended permit icmp any host 10.0.0.0
access-list acl_inside_in extended permit ip 10.2.2.0 255.255.255.0 any
access-list acl_dmz_in extended permit icmp 10.3.3.0 255.255.255.0 any
access-list traffic_for_ips extended permit ip any any
pager lines 24
logging enable
logging buffer-size 5000
logging monitor warnings
logging trap warnings
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
access-group acl_outside_in in interface outside
access-group acl_inside_in in interface inside
access-group acl_dmz_in in interface DMZ
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 DMZ
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
.....
quit
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 management
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username tanhs password fqvYQWcKVO/db.2r encrypted
!
class-map inspection_default
match default-inspection-traffic
class-map ips_class_map
match access-list traffic_for_ips
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class ips_class_map
ips inline fail-open
!
service-policy global_policy global
prompt hostname context
service call-home
call-home reporting anonymous
call-home
contact-email-addr
profile CiscoTAC-1
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:74d15883f42aaeee6ac30522fe424aeb
: end
ASA-FW#
This is the SSM configuration:
AIP-SSM# show conf
! ------------------------------
! Current configuration last modified Tue Jun 04 00:34:02 2013
! ------------------------------
! Version 7.0(2)
! Host:
! Realm Keys key1.0
! Signature Definition:
! Signature Update S480.0 2010-03-24
! ------------------------------
service interface
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
variables DMZ address 10.3.3.0-10.3.3.255
variables IN address 10.2.2.0-10.2.2.255
exit
! ------------------------------
service host
network-settings
host-ip 192.168.1.2/24,192.168.1.1
host-name AIP-SSM
telnet-option disabled
access-list 10.0.0.0/8
access-list 10.1.1.0/24
access-list 10.2.2.0/24
access-list 10.3.3.0/24
access-list 172.16.0.0/16
access-list 192.168.1.0/24
login-banner-text VISEC IDS/IPS
dns-primary-server disabled
dns-secondary-server disabled
dns-tertiary-server disabled
http-proxy no-proxy
exit
time-zone-settings
offset 0
standard-time-zone-name CST
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
exit
! ------------------------------
service signature-definition sig0
signatures 2000 0
alert-severity high
engine atomic-ip
event-action produce-alert|produce-verbose-alert
exit
alert-frequency
summary-mode fire-all
summary-key AxBx
exit
exit
status
enabled true
exit
exit
signatures 2004 0
alert-severity high
engine atomic-ip
event-action produce-alert|produce-verbose-alert
exit
alert-frequency
summary-mode fire-all
summary-key AxBx
exit
exit
status
enabled true
exit
exit
signatures 60000 0
alert-severity high
sig-fidelity-rating 75
sig-description
sig-name Telnet Command Authorization Failure
sig-string-info Command authorization failed
sig-comment signature triggers string command authorization failed
exit
engine atomic-ip
specify-l4-protocol yes
l4-protocol tcp
no tcp-flags
no tcp-mask
exit
specify-payload-inspection yes
regex-string Command authorization failed
exit
exit
exit
exit
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
enable-tls true
port 443
server-id Nothing to see here. Move along.
exit
! ------------------------------
service anomaly-detection ad0
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service health-monitor
exit
! ------------------------------
service global-correlation
exit
! ------------------------------
service analysis-engine
virtual-sensor vs0
physical-interface GigabitEthernet0/1
exit
exit
AIP-SSM#
Could anyone help me?
Thanks in advance.
06-04-2013 02:45 AM
Hi,
start with logging on to the console of the ASA with either telnet, ssh or serial, whatever is convenient for you, and get the status of the module with the command
show module 1 details
If the module responds correctly it will show you some status.
If you haven't configured the module yet you can do this either through the ASDM or, when you are connected to the console, through the command "session 1", which connects you to the IPS blade, and from there you do a basic configuration.
If the module fails, try to do a "hw-module module 1 reset"; eventually start with debugging on the boot phase of it by issuing the command debug module-boot,
which gives you some idea of where it fails, if it fails.
best regards /ti