Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1944
Views
10
Helpful
6
Replies

Cisco ASA-SSM-20 Analysis Engine Error...

Go to solution
ALIAOF_
Level 6
Level 6

‎10-01-2012 03:00 PM - edited ‎03-10-2019 05:47 AM

I keep getting this error on my IPS, I have rebooted the sensor couple of times but it stops again and signature updates are not happening during that time either looks like it.  I heard about Cisco big ID: CsCuc34812 but there isn't really any information available on it.  Any one else running ASA-SSM-20 encountered this issue and was able to resolve it?

ips.png

ips2.png

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to ALIAOF_

‎10-05-2012 09:52 AM

Hello,

All sensors should have a virtual sensor assigned to them so they can inspect traffic.

I logged into the IPS2 and ran the following commands to assign the virtual sensor

service analysis-engine

virtual-sensor vs0

physical-interface gi0/1

That is correct!

I'm assuming this is how it should be?  How IPS 2 was able to send me the notifications if there was no virtual sensor assigned to it?

We need to determine witch type of notifications was the IPS sending ( Could be related to the IPS itself,system notifications)

Is there a CLI to confirm which IPS is active?  Do I need to assume that my upgrade caused these issues?

From the ASA

do sh service-policy and determine how many packets are being exchanged between the IPS and the ASA

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni

‎10-02-2012 10:24 AM

Hello Mohammad,

You should see a crash file in your show tech and you will need us (TAC) to analize it.

That being said I am sure you are hitting one of this bug

CSCuc34812

How to solve it:

Use the "downgrade" command via the CLI to downgrade to the previously working signature package. Alternatively, upgrade the sensor to 7.0(8) or 7.1(6).

Any other question.Sure.. Just remember to ratea all of my answers.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Go to solution
ALIAOF_
Level 6
Level 6
In response to Julio Carvajal

‎10-02-2012 04:27 PM

Thank you I ended up creating a case too.  Seems like that bug ID is not published yet so no one has any information on it.  But any ways yes I'm going to take the upgrade path.  Tech mentioned an issue with the version of signature file I have.

I'm pretty sure but just to get a second opinion this is the file for the upgrade ?

IPS-SSM_20-K9-7.1-6-E4.pkg

.img files are for the full re image correct?

Does the upgrade retain configuration?

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to ALIAOF_

‎10-02-2012 04:31 PM

Hello,

Yes, An upgrade will retain configuration.

IPS-SSM_20-K9-7.1-6-E4.pkg, That is the right file

Any other question.Sure.. Just remember to ratea all of my answers.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Go to solution
ALIAOF_
Level 6
Level 6
In response to Julio Carvajal

‎10-05-2012 08:55 AM

So I was able to successfully upgrade both IPS’s.  I upgraded the IPS module that is in the failover ASA and then the one in the Active ASA.  Everything seems to be fine however the notifications that I am not getting are from IPS2.

Also when I look at the summary in the Cisco IME I see that the IPS 1’s gi0/1 interface has a virtual sensor assigned as “vs0”, but IPS 2’s gi0/1’s shows no virtual sensor assigned.  Is that normal?

I logged into the IPS2 and ran the following commands to assign the virtual sensor

service analysis-engine

virtual-sensor vs0

physical-interface gi0/1

I'm assuming this is how it should be?  How IPS 2 was able to send me the notifications if there was no virtual sensor assigned to it? 

Is there a CLI to confirm which IPS is active?  Do I need to assume that my upgrade caused these issues?

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to ALIAOF_

‎10-05-2012 09:52 AM

Hello,

All sensors should have a virtual sensor assigned to them so they can inspect traffic.

I logged into the IPS2 and ran the following commands to assign the virtual sensor

service analysis-engine

virtual-sensor vs0

physical-interface gi0/1

That is correct!

I'm assuming this is how it should be?  How IPS 2 was able to send me the notifications if there was no virtual sensor assigned to it?

We need to determine witch type of notifications was the IPS sending ( Could be related to the IPS itself,system notifications)

Is there a CLI to confirm which IPS is active?  Do I need to assume that my upgrade caused these issues?

From the ASA

do sh service-policy and determine how many packets are being exchanged between the IPS and the ASA

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Go to solution
ALIAOF_
Level 6
Level 6
In response to Julio Carvajal

‎10-08-2012 07:24 AM

Ok just to update upgrade is successful and analysis engine is no longer stopping.  And Second IPS along with second ASA is active.  Thank you for your help with this

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card