cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5147
Views
0
Helpful
3
Replies

IPS module unresponsive

misscat123
Level 1
Level 1

Hi, I am running active/standby and my IPS module sometimes (twice a year) goes unresponsive triggering a failover. Current condition is:

  This host: Secondary - Active

Other host: Primary - Failed

and on the Primary host---this: slot 1: ASA-SSM-10 hw/sw rev (1.0/6.1(1)E3) status (Unresponsive/Up)

I know i need to go into the module and do hw-module module reset. But I have opened a case and gotten a replacement IDS Module. Do I need to power down my primary ASA, it is in failover mode anyway...if I do power down, would it cause any issue to production since I am on secondary right now. Also, I have read that the module won't retain or synch config between devices. how do i access the configuration of the IPS module so that I can put it into the new module?

Thanks for response.

1 Accepted Solution

Accepted Solutions

Dustin Ralich
Cisco Employee
Cisco Employee

FYI, these questions should be addressed with the CSE assigned to your TAC Service Request where the RMA was arranged. I will take a shot at answering them, but when you are working an active TAC Service Request, you should engage with the CSE assigned for questions relating to the issue at hand.

Do I need to power down my primary ASA

Yes, the AIP-SSM sensor modules are not OIR (Online Insertion/Removal) capable. The ASA unit in which the sensor module is being replaced should be powered off before removing the faulty sensor module and before installing the replacement.

if I do power down, would it cause any issue to production since I am on secondary right now.

If the other ASA member of the failover pair is currently Active and its sensor module is Up, then powering down the Standby ASA unit should not impact traffic.

I have read that the module won't retain or synch config between devices. how do i access the configuration of the IPS module so that I can put it into the new module?

Correct, the sensor modules themselves do not inheritly synchronize or replicate their configurations (like the ASA units of the failover pair do). If you are able to access the faulty sensor module long enough to get a copy of the 'show config' command output, you can input that same output into the replacement sensor module.

Finally, note that the Unresponsive status can be caused by non-hardware issues. IPS 6.1(1)E3 (which is what you appear to be running) is extremely old and no longer directly supported. You should upgrade to a modern, supported release (7.0(6)E4 or 6.2(4)E4), both of which contain many fixes, some of which correct issues that otherwise could/would cause the module to become Unresponsive.

View solution in original post

3 Replies 3

rhermes
Level 7
Level 7

Miss Cat -

Before you pull that bad AIP-SSM module out of your primary ASA, log in and capture a "show config". You can paste this into your replacement AIP-SSM module to restore the sensor's config.

Powering down your primary ASA should not cause an issue if your traffic is passing thru your secondary ASA (assuming your HA network is designed properly).

- Bob

Dustin Ralich
Cisco Employee
Cisco Employee

FYI, these questions should be addressed with the CSE assigned to your TAC Service Request where the RMA was arranged. I will take a shot at answering them, but when you are working an active TAC Service Request, you should engage with the CSE assigned for questions relating to the issue at hand.

Do I need to power down my primary ASA

Yes, the AIP-SSM sensor modules are not OIR (Online Insertion/Removal) capable. The ASA unit in which the sensor module is being replaced should be powered off before removing the faulty sensor module and before installing the replacement.

if I do power down, would it cause any issue to production since I am on secondary right now.

If the other ASA member of the failover pair is currently Active and its sensor module is Up, then powering down the Standby ASA unit should not impact traffic.

I have read that the module won't retain or synch config between devices. how do i access the configuration of the IPS module so that I can put it into the new module?

Correct, the sensor modules themselves do not inheritly synchronize or replicate their configurations (like the ASA units of the failover pair do). If you are able to access the faulty sensor module long enough to get a copy of the 'show config' command output, you can input that same output into the replacement sensor module.

Finally, note that the Unresponsive status can be caused by non-hardware issues. IPS 6.1(1)E3 (which is what you appear to be running) is extremely old and no longer directly supported. You should upgrade to a modern, supported release (7.0(6)E4 or 6.2(4)E4), both of which contain many fixes, some of which correct issues that otherwise could/would cause the module to become Unresponsive.

its true that i didn't actually have a bad module. I got the replacement but never installed it. I didn't know my ios was so out of date. I will address that issue now. Thanks for your responses, much appreciated.

i did a hw-module module 1 reset and then failed back over.

Review Cisco Networking for a $25 gift card