Hi Marius,

Thanks for the reply. To be honest, I've tried going direct from the PC (and so the tftp server) direct to the management port on the SSM, I've also tried to go PC -> Switch -> SSM Management port.

Am I correct in thinking this is the correct way to connect to the SSM card to upload the firmware image?

 

Thanks again for your help.

Yes this is the correct port.

Try the following command instead:

hw-module module slot recover boot

--

Please remember to select a correct answer and rate helpful posts

Hi Marius,

Thanks for sticking with me.

With the command

hw-module module slot recover boot

the slot  refers to the slot number where the SSM-AIP card is.

In my case, it is in slot 1. So, for me, the full command is :-

hw-module module 1 recover boot

When I issue this, the SSM-AIP card goes into recover mode (so I guess the internal bus is working ok), but there is no comms from the SSM-AIP cards management port at all.

I would of expected it to look for the TFTP server that was setup in its 

hw-module module 1 recover configuration

but nothing.

 

If you've any other pointers then I would be very grateful!

 

Thanks

 

After some research, it seems like you need to connect to the Ethernet port on the SSM-AIP.

Note Make sure you can access the TFTP server location from the network connected to the Ethernet port of the adaptive security appliance.

https://www.cisco.com/c/en/us/td/docs/security/ips/7-1/configuration/guide/cli/cliguide71/cli_system_images.html#88176

Hi Marius,

Thanks again for the suggestion.

 

I've physically connected the SSM-AIP management port, the ASA Inside port and my PC to a flat switch.

I'm using Tftpd64 as the file server on the PC.

 

Via "HW-Module Module 1 recover configure"

I've set the tftp IP address to my PC  - 

tftp://192.168.2.10/{Image File Name}

Port IP Address (is this the address assigned to the SSM Management port?) as

192.168.2.11

VLAN ID

0

Gateway IP Address

192.168.2.1

The gateway address is that of the ASA inside port

 

I then use the

HW-Module Module 1 recover boot

to try and make the SSM card load the image from the tftp server.

However, not much seems to happen. though the link from the SSM management card does go down twice shortly after hitting enter for the confirm "Recover module 1?"

 

It also looks as though the internal comms between the ASA and the SSM card are working as during startup, the ASA showns the SSM card as "init", then after a while "unresponsive". When I initiate the recovery procedure, it then reports the card as "recover".

 

 

Things to note...

From the ASA CLI, I can ping 

192.168.2.1 ok (ASA Port)

192.168.2.10 ok (PC)

However, I get no reply when I ping

192.168.2.11

 

Also, the LEDs on the SSM card management port are permanently green. I would of expected the Link one to flash when it was looking for the tftp server? 

 

I've also recently purchased another SSM card just in case the first was faulty - but this is reacting in exactly the same way!

 

I'm sure I'm missing something simple, but I can't put my finger on it!

 

If you've any further questions - suggestions, please let me know!

 

Thanks

 

Did you look through the document I posted previously? 

Note Make sure you can access the TFTP server location from the network connected to the Ethernet port of the adaptive security appliance.

I suggest you read through the section titled "Installing the System Image for the ASA 5500-X IPS SSP" and / or "Reimaging the ASA 5500 AIP SSM Using the recover configure/boot Command"

 

Hi Marius,

Thanks again for getting back to me.

I had previously read this document a number of times, but I'm still a little confused...



"Make sure you can access the TFTP server location from the network connected to the Ethernet port of the adaptive security appliance."

I assume this is referring to the ASA 5510 Inside interface?

This has a network address of 192.168.2.1/24 with the PC (as the TFTP server) with 192.168.2.10/24

The ASA can ping 192.168.2.10 (the PC) no problem.

What I don't understand from the example in the documentation that you linked to, is what the management  port on the SSM-IPS is doing? The manual says that this port is used to download the image file from the TFTP server, but in the example it is on a different sub net? So the ASA inside interface, and also the PC with the TFTP server on will be unable to route to the SSM-IPS management interface? Or am I missing something?

I could understand it more if the ASA used the internal interface to send the image file to the SSM-IPS module, but the documentation does say it receives it via its own management interface.

As you can see - I'm going around in circles!

I'm sure it's a simple solution and I'm just missing a key bit of information, but I'm at a loss to what it is!



Many thanks again for sticking with me!

I had a look in the Cisco ASA All-In-One book and found the following steps:

1. Place the system image file on a TFTP server that is accessible over the network.

2. Connect the physical managment interface of the ASA IPS to the network

3. Designate a management IP address for the ASA IPS.  If the TFTP server is on a different subnet, you must also provide ASAIPS a default gateway to use for the download.  If you place the TFTP server on the same subnet or connect it directly to the ASA IPS, point the default gateway to the TFTP server itself.

4. From the privileged exec mode on the host ASA, issue the following command: hw-module module 1 recover configure

    Specify the full TFTP URL for the system image: ex. tftp://172.16.164.124/IPS-SSM_20-K9-sys

    Provide the IP address for the ASA IPS management interface: 192.168.1.19

    Provide the IP address of the ASA IPS default gateway or the TFTP server if directly connected: 192.168.1.11

5. Start the re-imaging proces with the hw-module module 1 recover boot command

 

Hope this helps you.

@Marius Gunnerud 

 

Hi Marius,

Thanks again for the information!

I tried what you suggested a few ways, but with no luck.

 

I also tried it the simplest way I could, given the information you kindly provided :-

My PC with the static IP address of 192.168.2.10/24

with Tftp64 running as the TFTP server.

This was connected to a switch.

I also connected the ASA IPS management port into the same switch.

I used a switch just in case there were any cross over / straight through cable issues!

 

With the IPS being in an "unresponsive" state, I entered the following via the ASA CLI :-

HW-Module module 1 recover config

image url : tftp://192.168.2.10/IPS-SSM_10-K9-sys-1.1-a-7.1-10-E4.img

Port IP Address: 192.168.2.11

VLAN ID(0): {enter}

Gateway IP Address: 192.168.2.10

 

HW-Module module 1 recover boot

Recover module 1? [confirm] {enter}

 

When i press enter to confirm, the port ling LED on the switch that is connected to the IPS management port goes out for a few seconds, comes back on for a few seconds, goes off again, then comes on and remains on.

At this stage, Show Module 1

Shows the module has gone into "recover" mode, but nothing else seem to happen!

 

I've just purchased the "Official Cert Guide - CCNP Security IPS 642-627" as there is some information in there about re-imaging the IPS, though there seems to be nothing new that we've not already tried.

 

Do the above parameters seem OK to you?

 

Thanks again for helping out!