Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5942
Views
0
Helpful
6
Replies

Issue logging into AIP-SSM via ASDM

cornwallcollege
Level 1
Level 1

‎03-02-2012 01:13 AM - edited ‎03-10-2019 05:37 AM

Hi all,

I've got an ASA 5510 running 8.4(2) with ASDM 6.4(5)205 and an AIP SSM-10 running 7.0(6).

About 2 weeks ago we had an unscheduled reboot on the ASA and since then I have been unable to connect to the SSM using ASDM.

Direct SSH access to the SSM works fine so I am happy the username/password combination is ok and there are no ACL issues. I can also session across from the ASA with no problem.

I have tried "hw-module module 1 reload" which didn't work which i then followed with a scheduled reboot of the ASA overnight. No dice.

I'm hoping someone here might be able to point me in the right direction......

Many thanks.

Labels:
0 Helpful
6 Replies 6

svaish
Level 1
Level 1

‎03-05-2012 02:53 AM

Hi

When you try to login to the IPS via ASDM the ASDM open a new connection to the IPS to be able to access it.

Can you check if the IP address of the ASA is still added to the permitted hosts on the IPS.

Else if you have an old config backup from the ASA you can compare it with the present config, can do the same for IPS as well

Sachin

0 Helpful

cornwallcollege
Level 1
Level 1
In response to svaish

‎03-12-2012 07:13 AM

Hi svaish,

I've not got an old config to hand for it unfortunately.

The SSM is pingable and I can SSH in ok from the same workstation. I had a look at the config and I've got an "access-list" entry for the internal IP of the ASA (/32) as well as the workstation I'm trying to access it via ASDM from.

If I connect to the ASA then go to "Conffiguration" -> "IPS"  I get "Error connecting to sensor. Error Loading Sensor".

I can connect directly to the SSM via SSH with the same credentials ok though.

If I try to connect directly to the SSM with ASDM I get "Unable to launch device manager from 10.x.x.x".

What lines should I be looking for on the ASA and SSM module with regard to being able to connect?

Many thanks.

0 Helpful

svaish
Level 1
Level 1
In response to cornwallcollege

‎03-12-2012 07:35 AM

Can you try this

https://management-ip-of-ips.

this will give you IDM access

IDM is a better tool to manage IPS so is IME

Related to the error on ASDM I would suggest you check the syslogs on the ASA, what do they say?

Regards,

Sachin

0 Helpful

arikawahyono
Level 1
Level 1

‎03-05-2012 10:21 PM

Hi,

I have some issue like this before..

i resolve with shutdown the ASA then open the module then install it again..

and everything normal agai,..

i hope this help you..

Arik

0 Helpful

hosytan
Level 1
Level 1

‎06-04-2013 02:35 AM

I had the same problem.

My device is Cisco ASA 5520 with AIP SSM-10.

I can use ASDM to manage ASA 5520 but cannot login to IPS (in IPS or Intrusion Prevension tab). It show me the error "Error connecting sensor. Error loading sensor".

I try to reset, reload and unplug/plug the module but it don't work.

This my ASA configuration:

ASA-FW# show run

: Saved

:

ASA Version 8.4(4)1

!

hostname ASA-FW

enable password Uonv5zOz/3IVv5nJ encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

dns-guard

!

interface GigabitEthernet0/0

description Connect to Internet

nameif outside

security-level 0

ip address 10.0.0.4 255.255.255.0

!

interface GigabitEthernet0/1

description Connect to DMZ

nameif inside

security-level 100

ip address 10.2.2.2 255.255.255.0

!

interface GigabitEthernet0/2

shutdown

nameif DMZ

security-level 50

ip address 10.3.3.1 255.255.255.0

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

description Management

nameif management

security-level 0

ip address 192.168.1.1 255.255.255.0

!

ftp mode passive

access-list OUT-TO-DMZ extended permit tcp any host 10.1.1.2 eq smtp

access-list OUT-TO-DMZ extended permit tcp any host 10.1.1.2 eq www

access-list OUT-TO-DMZ extended permit icmp any any log

access-list OUT-TO-DMZ extended deny ip any any

access-list inside extended permit tcp any any eq pop3

access-list inside extended permit tcp any any eq smtp

access-list inside extended permit tcp any any eq ssh

access-list inside extended permit tcp any any eq telnet

access-list inside extended permit tcp any any eq https

access-list inside extended permit udp any any eq domain

access-list inside extended permit tcp any any eq domain

access-list inside extended permit tcp any any eq www

access-list inside extended permit ip any any

access-list inside extended permit icmp any any

access-list dmz extended permit ip any any

access-list dmz extended permit icmp any any

access-list acl_outside_in extended permit icmp any host 10.0.0.0

access-list acl_inside_in extended permit ip 10.2.2.0 255.255.255.0 any

access-list acl_dmz_in extended permit icmp 10.3.3.0 255.255.255.0 any

access-list traffic_for_ips extended permit ip any any

pager lines 24

logging enable

logging buffer-size 5000

logging monitor warnings

logging trap warnings

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu DMZ 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm history enable

arp timeout 14400

access-group acl_outside_in in interface outside

access-group acl_inside_in in interface inside

access-group acl_dmz_in in interface DMZ

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http 0.0.0.0 0.0.0.0 DMZ

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ca trustpoint _SmartCallHome_ServerCA

crl configure

crypto ca certificate chain _SmartCallHome_ServerCA

certificate ca 6ecc7aa5a7032009b8cebcf4e952d491

   .....

  quit

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 inside

ssh 192.168.1.0 255.255.255.0 management

ssh 0.0.0.0 0.0.0.0 management

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

webvpn

username tanhs password fqvYQWcKVO/db.2r encrypted

!

class-map inspection_default

match default-inspection-traffic

class-map ips_class_map

match access-list traffic_for_ips

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

class ips_class_map

  ips inline fail-open

!

service-policy global_policy global

prompt hostname context

service call-home

call-home reporting anonymous

call-home

contact-email-addr

profile CiscoTAC-1

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:74d15883f42aaeee6ac30522fe424aeb

: end

ASA-FW#

This is SSM confiuration:

AIP-SSM# show conf

! ------------------------------

! Current configuration last modified Tue Jun 04 00:34:02 2013

! ------------------------------

! Version 7.0(2)

! Host:

!     Realm Keys          key1.0

! Signature Definition:

!     Signature Update    S480.0   2010-03-24

! ------------------------------

service interface

exit

! ------------------------------

service authentication

exit

! ------------------------------

service event-action-rules rules0

variables DMZ address 10.3.3.0-10.3.3.255

variables IN address 10.2.2.0-10.2.2.255

exit

! ------------------------------

service host

network-settings

host-ip 192.168.1.2/24,192.168.1.1

host-name AIP-SSM

telnet-option disabled

access-list 10.0.0.0/8

access-list 10.1.1.0/24

access-list 10.2.2.0/24

access-list 10.3.3.0/24

access-list 172.16.0.0/16

access-list 192.168.1.0/24

login-banner-text VISEC IDS/IPS

dns-primary-server disabled

dns-secondary-server disabled

dns-tertiary-server disabled

http-proxy no-proxy

exit

time-zone-settings

offset 0

standard-time-zone-name CST

exit

exit

! ------------------------------

service logger

exit

! ------------------------------

service network-access

exit

! ------------------------------

service notification

exit

! ------------------------------

service signature-definition sig0

signatures 2000 0

alert-severity high

engine atomic-ip

event-action produce-alert|produce-verbose-alert

exit

alert-frequency

summary-mode fire-all

summary-key AxBx

exit

exit

status

enabled true

exit

exit

signatures 2004 0

alert-severity high

engine atomic-ip

event-action produce-alert|produce-verbose-alert

exit

alert-frequency

summary-mode fire-all

summary-key AxBx

exit

exit

status

enabled true

exit

exit

signatures 60000 0

alert-severity high

sig-fidelity-rating 75

sig-description

sig-name Telnet Command Authorization Failure

sig-string-info Command authorization failed

sig-comment signature triggers string command authorization failed

exit

engine atomic-ip

specify-l4-protocol yes

l4-protocol tcp

no tcp-flags

no tcp-mask

exit

specify-payload-inspection yes

regex-string Command authorization failed

exit

exit

exit

exit

exit

! ------------------------------

service ssh-known-hosts

exit

! ------------------------------

service trusted-certificates

exit

! ------------------------------

service web-server

enable-tls true

port 443

server-id Nothing to see here. Move along.

exit

! ------------------------------

service anomaly-detection ad0

exit

! ------------------------------

service external-product-interface

exit

! ------------------------------

service health-monitor

exit

! ------------------------------

service global-correlation

exit

! ------------------------------

service analysis-engine

virtual-sensor vs0

physical-interface GigabitEthernet0/1

exit

exit

AIP-SSM#

Could anyone help me?

Thanks in advanced.

0 Helpful

arikawahyono
Level 1
Level 1

‎06-04-2013 06:59 PM

Hi Ho Sy Tan,

Try Cisco IME (Cisco IPS Manager Express), this is powerfull management for cisco IPS.

http://software.cisco.com/download/release.html?mdfid=282052550&flowid=4444&softwareid=282829584&release=7.2.4&relind=AVAILABLE&rellifecycle=&reltype=latest

Thanks,

Arik

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card