Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4335
Views
5
Helpful
2
Replies

permanently disable IPS module in an ASA

Eli Kagan
Level 1
Level 1

‎08-03-2017 07:27 AM - edited ‎03-10-2019 06:54 AM

Howdy,

I have a bunch of older ASA 5510 and 5520 with ASA-SSM-10 modules installed. 

I was wondering what's the proper way of permanently disabling these modules without physically removing them.

I was planning on removing the service policy that forwards traffic to the IPS and then doing ' hw-module module 1 shutdown'.

Is there anything else that needs to be done?

Will the module stay shut after a reboot?

Do I need to erase its config?

Thanks,

Eli

1 person had this problem
Labels:
0 Helpful
2 Replies 2

Marvin Rhoads
Hall of Fame
Hall of Fame

‎08-03-2017 07:12 PM

Removing the service policy certainly takes them out of the data path.

I'm not 100% sure, but I believe the hw-module command will only remain in effect while the ASA is running. A restart (from power cycle or reload) will invoke the boot process which will always bring up any installed hardware module.

Karsten Iwen
VIP
VIP
In response to Marvin Rhoads

‎08-04-2017 01:30 AM

I'm with Marvin here, after each reboot the module starts up again. But it doesn't cause any harm if your service-policy is configgured without any ips-action. That's also the state I have on the ASAs of some customers that haven't migrated yet.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card