Can't connect with SSM Module

emilio1973 · ‎06-06-2012

Hi all,

can't connect with SSM through ASDM, only through CLI. If I try , I get the error "Error connecting to sensor.Error loading sensor".

I'm totally new on IPS. I appreciate any advice or help. Thanks

ASA5520ERA# sh ver

Cisco Adaptive Security Appliance Software Version 8.0(4)39
Device Manager Version 6.1(5)57

Compiled on Wed 01-Jul-09 17:24 by builders
System image file is "disk0:/asa804-39-k8.bin"
Config file at boot was "startup-config"

ASA5520ERA# session 1
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.

MODULO ANTI-INTRUSION
login: user
Password:
***NOTICE***
This product contains cryptographic features and is subject to United States
and local country laws governing import, export, transfer and use. Delivery
of Cisco cryptographic products does not imply third-party authority to import,
export, distribute or use encryption. Importers, exporters, distributors and
users are responsible for compliance with U.S. and local country laws. By using
this product you agree to comply with applicable laws and regulations. If you
are unable to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

***LICENSE NOTICE***
There is no license key installed on the SSM-IPS10.
The system will continue to operate with the currently installed
signature set. A valid license must be obtained in order to apply
signature updates. Please go to http://www.cisco.com/go/license
to obtain a new license or install a license.

IPS_5520_ERA#

IPS_5520_ERA# sh configuration

! ------------------------------

! Current configuration last modified Thu Jun 07 03:33:02 2012

! ------------------------------

! Version 6.0(4)

! Host:

! Realm Keys key1.0

! Signature Definition:

! Signature Update S317.0 2008-02-13

! Virus Update V1.2 2005-11-24

! ------------------------------

service interface

physical-interfaces GigabitEthernet0/1

description Principal sensing interface

exit

! ------------------------------

service authentication

exit

! ------------------------------

service event-action-rules rules0

exit

! ------------------------------

service host

network-settings

host-ip 172.29.0.2/30,172.29.0.1

host-name IPS_5520_ERA

telnet-option disabled

access-list 16.0.0.0/24

access-list 16.3.0.0/16

access-list 172.19.6.253/32

access-list 172.19.6.254/32

access-list 172.29.0.1/32

login-banner-text MODULE ANTI-INTRUSION

exit

time-zone-settings

offset 60

standard-time-zone-name GMT+01:00

exit

ntp-option enabled

ntp-keys 1 md5-key yellow

ntp-servers 172.29.0.1 key-id 1

exit

summertime-option recurring

summertime-zone-name GMT+01:00

start-summertime

week-of-month last

exit

end-summertime

month october

week-of-month last

exit

! ------------------------------

service logger

exit

! ------------------------------

service network-access

exit

! ------------------------------

service notification

trap-destinations 172.18.1.1

trap-community-name ROTom01

trap-port 162

exit

enable-notifications true

read-only-community ROTom01

system-location XXXXX,XX

system-contact XXXXXXXXX

exit

! ------------------------------

service signature-definition sig0

signatures 2004 0

event-counter

event-count 10

exit

status

enabled false

exit

signatures 7000 0

status

enabled false

exit

! ------------------------------

service ssh-known-hosts

exit

! ------------------------------

service trusted-certificates

exit

! ------------------------------

service web-server

exit

! ------------------------------

service anomaly-detection ad0

exit

! ------------------------------

service external-product-interface

exit

! ------------------------------

service analysis-engine

virtual-sensor vs0

physical-interface GigabitEthernet0/1

exit

IPS_5520_ERA#

Jennifer Halim · ‎06-07-2012

Do you have the port on the SSM module connected to your network?

Currently you have configured 172.29.0.2/30 as the ip address and the port that the module is connected to should have ip address of 172.29.0.1 as it is the default gateway.

Also, what is your PC ip address?

Currently you are only allowing access to the SSM module if you are one of the following IPs:

access-list 16.0.0.0/24

access-list 16.3.0.0/16

access-list 172.19.6.253/32

access-list 172.19.6.254/32

access-list 172.29.0.1/32

emilio1973 · ‎06-07-2012

Hi Jeniffer,

do you mean management port? my ip address is 16.3.40.52.

Thanks in advanced

Jennifer Halim · ‎06-07-2012

Not management port on the ASA, but there is also port on the SSM module itself, that is the port that you need to connect to the network.

emilio1973 · ‎06-07-2012

Hi Jennifer,

right now, I can't see if SSM port is connected to the network but i don't. Shall ask if someone is there near or touch me move up there..

Thanks for your time

hosytan · ‎06-04-2013

I had the same problem.

My device is Cisco ASA 5520 with AIP SSM-10.

I can use ASDM to manage ASA 5520 but cannot login to IPS (in IPS or Intrusion Prevension tab). It show me the error "Error connecting sensor. Error loading sensor".

I try to reset, reload and unplug/plug the module but it don't work.

This my ASA configuration:

ASA-FW# show run

: Saved

:

ASA Version 8.4(4)1

!

hostname ASA-FW

enable password Uonv5zOz/3IVv5nJ encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

dns-guard

!

interface GigabitEthernet0/0

description Connect to Internet

nameif outside

security-level 0

ip address 10.0.0.4 255.255.255.0

!

interface GigabitEthernet0/1

description Connect to DMZ

nameif inside

security-level 100

ip address 10.2.2.2 255.255.255.0

!

interface GigabitEthernet0/2

shutdown

nameif DMZ

security-level 50

ip address 10.3.3.1 255.255.255.0

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

description Management

nameif management

security-level 0

ip address 192.168.1.1 255.255.255.0

!

ftp mode passive

access-list OUT-TO-DMZ extended permit tcp any host 10.1.1.2 eq smtp

access-list OUT-TO-DMZ extended permit tcp any host 10.1.1.2 eq www

access-list OUT-TO-DMZ extended permit icmp any any log

access-list OUT-TO-DMZ extended deny ip any any

access-list inside extended permit tcp any any eq pop3

access-list inside extended permit tcp any any eq smtp

access-list inside extended permit tcp any any eq ssh

access-list inside extended permit tcp any any eq telnet

access-list inside extended permit tcp any any eq https

access-list inside extended permit udp any any eq domain

access-list inside extended permit tcp any any eq domain

access-list inside extended permit tcp any any eq www

access-list inside extended permit ip any any

access-list inside extended permit icmp any any

access-list dmz extended permit ip any any

access-list dmz extended permit icmp any any

access-list acl_outside_in extended permit icmp any host 10.0.0.0

access-list acl_inside_in extended permit ip 10.2.2.0 255.255.255.0 any

access-list acl_dmz_in extended permit icmp 10.3.3.0 255.255.255.0 any

access-list traffic_for_ips extended permit ip any any

pager lines 24

logging enable

logging buffer-size 5000

logging monitor warnings

logging trap warnings

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu DMZ 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm history enable

arp timeout 14400

access-group acl_outside_in in interface outside

access-group acl_inside_in in interface inside

access-group acl_dmz_in in interface DMZ

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http 0.0.0.0 0.0.0.0 DMZ

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ca trustpoint _SmartCallHome_ServerCA

crl configure

crypto ca certificate chain _SmartCallHome_ServerCA

certificate ca 6ecc7aa5a7032009b8cebcf4e952d491

.....

quit

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 inside

ssh 192.168.1.0 255.255.255.0 management

ssh 0.0.0.0 0.0.0.0 management

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

webvpn

username tanhs password fqvYQWcKVO/db.2r encrypted

!

class-map inspection_default

match default-inspection-traffic

class-map ips_class_map

match access-list traffic_for_ips

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

class ips_class_map

ips inline fail-open

!

service-policy global_policy global

prompt hostname context

service call-home

call-home reporting anonymous

call-home

contact-email-addr

profile CiscoTAC-1

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:74d15883f42aaeee6ac30522fe424aeb

: end

ASA-FW#

This is SSM confiuration:

AIP-SSM# show conf

! ------------------------------

! Current configuration last modified Tue Jun 04 00:34:02 2013

! ------------------------------

! Version 7.0(2)

! Host:

! Realm Keys key1.0

! Signature Definition:

! Signature Update S480.0 2010-03-24

! ------------------------------

service interface

exit

! ------------------------------

service authentication

exit

! ------------------------------

service event-action-rules rules0

variables DMZ address 10.3.3.0-10.3.3.255

variables IN address 10.2.2.0-10.2.2.255

exit

! ------------------------------

service host

network-settings

host-ip 192.168.1.2/24,192.168.1.1

host-name AIP-SSM

telnet-option disabled

access-list 10.0.0.0/8

access-list 10.1.1.0/24

access-list 10.2.2.0/24

access-list 10.3.3.0/24

access-list 172.16.0.0/16

access-list 192.168.1.0/24

login-banner-text VISEC IDS/IPS

dns-primary-server disabled

dns-secondary-server disabled

dns-tertiary-server disabled

http-proxy no-proxy

exit

time-zone-settings

offset 0

standard-time-zone-name CST

exit

! ------------------------------

service logger

exit

! ------------------------------

service network-access

exit

! ------------------------------

service notification

exit

! ------------------------------

service signature-definition sig0

signatures 2000 0

alert-severity high

engine atomic-ip

event-action produce-alert|produce-verbose-alert

exit

alert-frequency

summary-mode fire-all

summary-key AxBx

exit

status

enabled true

exit

signatures 2004 0

alert-severity high

engine atomic-ip

event-action produce-alert|produce-verbose-alert

exit

alert-frequency

summary-mode fire-all

summary-key AxBx

exit

status

enabled true

exit

signatures 60000 0

alert-severity high

sig-fidelity-rating 75

sig-description

sig-name Telnet Command Authorization Failure

sig-string-info Command authorization failed

sig-comment signature triggers string command authorization failed

exit

engine atomic-ip

specify-l4-protocol yes

l4-protocol tcp

no tcp-flags

no tcp-mask

exit

specify-payload-inspection yes

regex-string Command authorization failed

exit

! ------------------------------

service ssh-known-hosts

exit

! ------------------------------

service trusted-certificates

exit

! ------------------------------

service web-server

enable-tls true

port 443

server-id Nothing to see here. Move along.

exit

! ------------------------------

service anomaly-detection ad0

exit

! ------------------------------

service external-product-interface

exit

! ------------------------------

service health-monitor

exit

! ------------------------------

service global-correlation

exit

! ------------------------------

service analysis-engine

virtual-sensor vs0

physical-interface GigabitEthernet0/1

exit

AIP-SSM#

Could anyone help me?

Thanks in advanced.

tiwang · ‎06-04-2013

hi

start with loggin on to the console of the ASA with either telnet, ssh or serial - whatever is convinient for you - and get status of the module with the command

show module 1 details

If the module responds correctly it will show you some status

If you havent configured the module yet you can do this either throught he ASDM or when you are connected to the console through the command "session 1" which conencts you to the IPS blade and from there you do a basic configuration

If the module fails - try to do a "hw-module module 1 reset" - eventually start with debugging on the boot phase of it by issuing the command debug module-boot

which gives you some ideas of where it fails - if it fails

best regards /ti