Cisco ASA-SSM-20 Analysis Engine Error...

ALIAOF_
Level 6

I keep getting this error on my IPS. I have rebooted the sensor a couple of times, but it stops again, and it looks like signature updates are not happening during that time either. I heard about Cisco bug ID CSCuc34812, but there isn't really any information available on it. Has anyone else running the ASA-SSM-20 encountered this issue and been able to resolve it?


Julio Carvajal
VIP Alumni

Hello Mohammad,

You should see a crash file in your show tech and you will need us (TAC) to analyze it.

That being said, I am sure you are hitting this bug:

CSCuc34812

How to solve it:

Use the "downgrade" command via the CLI to downgrade to the previously working signature package. Alternatively, upgrade the sensor to 7.0(8) or 7.1(6).

Any other question? Sure. Just remember to rate all of my answers.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thank you, I ended up creating a case too. Seems like that bug ID is not published yet, so no one has any information on it. But anyway, yes, I'm going to take the upgrade path. Tech mentioned an issue with the version of signature file I have.

I'm pretty sure, but just to get a second opinion, this is the file for the upgrade?

IPS-SSM_20-K9-7.1-6-E4.pkg

.img files are for the full re-image, correct?

Does the upgrade retain configuration?

Hello,

Yes, an upgrade will retain configuration.

IPS-SSM_20-K9-7.1-6-E4.pkg: that is the right file.

Any other question? Sure. Just remember to rate all of my answers.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

So I was able to successfully upgrade both IPS’s.  I upgraded the IPS module that is in the failover ASA and then the one in the Active ASA.  Everything seems to be fine however the notifications that I am not getting are from IPS2.

Also when I look at the summary in the Cisco IME I see that the IPS 1’s gi0/1 interface has a virtual sensor assigned as “vs0”, but IPS 2’s gi0/1’s shows no virtual sensor assigned.  Is that normal?

I logged into the IPS2 and ran the following commands to assign the virtual sensor

service analysis-engine

virtual-sensor vs0

physical-interface gi0/1

I'm assuming this is how it should be?  How IPS 2 was able to send me the notifications if there was no virtual sensor assigned to it? 

Is there a CLI to confirm which IPS is active?  Do I need to assume that my upgrade caused these issues?

Hello,

All sensors should have a virtual sensor assigned to them so they can inspect traffic.

I logged into the IPS2 and ran the following commands to assign the virtual sensor

service analysis-engine

virtual-sensor vs0

physical-interface gi0/1

That is correct!

I'm assuming this is how it should be?  How IPS 2 was able to send me the notifications if there was no virtual sensor assigned to it?

We need to determine which type of notifications the IPS was sending (could be related to the IPS itself, system notifications).

Is there a CLI to confirm which IPS is active?  Do I need to assume that my upgrade caused these issues?

From the ASA

do sh service-policy and determine how many packets are being exchanged between the IPS and the ASA

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

OK, just to update: the upgrade is successful and the analysis engine is no longer stopping. And the second IPS along with the second ASA is active. Thank you for your help with this.