
Problems Uploading New Image to ASA-SSM-AIP installed in an ASA5510

Rice1
Level 1

Hi,

Can anyone help me?!

I’ve had an ASA5510 up and running for some time without any issues.

I recently purchased an ASA-SSM-AIP-10-K9 card to learn with.

When I received the card, when doing a Show module 1, I could see that there was no firmware on the card, which I now have.

I’ve set up a tftp server on my PC which I’ve previously used successfully with other Cisco equipment.

However, I’ve gone through the

hw-module module 1 configure

and

Hw-module module 1 boot

But don’t seem to have any luck at all with getting it to load the image!

I’m also a little confused about what physical links I should be making.

The documentation says that the image is loaded through the management port, so I’ve connected the PC with the tftp server via a switch to the SSM management port. I’ve also tried with the PC on the inside interface and linking the ASA and SSM management interfaces, but this still did not work.

In many of the physical configurations I’ve tried, I’ve never had a ping response from the SSM card, though it seems to react as expected to commands sent via the ASA when using CLI.

I’ve also used Wireshark on the SSM management port to see if I could gain some clues there, but no traffic at all seems to be coming from the SSM, even though it is in recovery mode. The link LED is lit on the port.

Also, when using the hw-module module 1 configure, am I right in thinking that the value you enter in the "Port IP address" is the IP given to the management port on the SSM?

I’ve assumed that this is the case and set up the connected devices with the correct subnets to suit.

Any help you can give would be really appreciated as I’m already bald enough!

Many thanks.


This almost sounds like a cabling issue.  Are you using a crossover cable? Or tried the upgrade via a switch?

--
Please remember to select a correct answer and rate helpful posts

Hi Marius,

Thanks for the reply. To be honest, I've tried going direct from the PC (and so the tftp server) direct to the management port on the SSM, I've also tried to go PC -> Switch -> SSM Management port.

Am I correct in thinking this is the correct way to connect to the SSM card to upload the firmware image?

 

Thanks again for your help.

Yes this is the correct port.

Try the following command instead:

hw-module module slot recover boot

--

Please remember to select a correct answer and rate helpful posts


Hi Marius,

Thanks for sticking with me.

With the command

hw-module module slot recover boot

the slot  refers to the slot number where the SSM-AIP card is.

In my case, it is in slot 1. So, for me, the full command is :-

hw-module module recover boot

When I issue this, the SSM-AIP card goes into recover mode (so I guess the internal bus is working ok), but there is no comms from the SSM-AIP card's management port at all.

I would have expected it to look for the TFTP server that was set up in its

hw-module module recover configuration

but nothing.

 

If you've any other pointers then I would be very grateful!

 

Thanks

 

After some research, it seems like you need to connect to the Ethernet port on the SSM-AIP.

Note Make sure you can access the TFTP server location from the network connected to the Ethernet port of the adaptive security appliance.

https://www.cisco.com/c/en/us/td/docs/security/ips/7-1/configuration/guide/cli/cliguide71/cli_system_images.html#88176

--
Please remember to select a correct answer and rate helpful posts

Hi Marius,

Thanks again for the suggestion.

 

I've physically connected the SSM-AIP management port, the ASA Inside port and my PC to a flat switch.

I'm using Tftpd64 as the file server on the PC.

 

Via "HW-Module Module 1 recover configure"

I've set the tftp IP address to my PC  - 

tftp://192.168.2.10/{Image File Name}

Port IP Address (is this the address assigned to the SSM Management port?) as

192.168.2.11

VLAN ID

0

Gateway IP Address

192.168.2.1

The gateway address is that of the ASA inside port

 

I then use the

HW-Module Module 1 recover boot

to try and make the SSM card load the image from the tftp server.

However, not much seems to happen, though the link from the SSM management card does go down twice shortly after hitting enter for the confirm "Recover module 1?"

 

It also looks as though the internal comms between the ASA and the SSM card are working, as during startup the ASA shows the SSM card as "init", then after a while "unresponsive". When I initiate the recovery procedure, it then reports the card as "recover".

 

 

Things to note...

From the ASA CLI, I can ping 

192.168.2.1 ok (ASA Port)

192.168.2.10 ok (PC)

However, I get no reply when I ping

192.168.2.11

 

Also, the LEDs on the SSM card management port are permanently green. I would have expected the Link one to flash when it was looking for the tftp server?

 

I've also recently purchased another SSM card just in case the first was faulty - but this is reacting in exactly the same way!

 

I'm sure I'm missing something simple, but I can't put my finger on it!

 

If you've any further questions - suggestions, please let me know!

 

Thanks

 

Did you look through the document I posted previously? 

Note Make sure you can access the TFTP server location from the network connected to the Ethernet port of the adaptive security appliance.

I suggest you read through the section titled "Installing the System Image for the ASA 5500-X IPS SSP" and / or "Reimaging the ASA 5500 AIP SSM Using the recover configure/boot Command"

 

--
Please remember to select a correct answer and rate helpful posts

Hi Marius,

Thanks again for getting back to me.

I had previously read this document a number of times, but I'm still a little confused...



"Make sure you can access the TFTP server location from the network connected to the Ethernet port of the adaptive security appliance."

I assume this is referring to the ASA 5510 Inside interface?

This has a network address of 192.168.2.1/24 with the PC (as the TFTP server) with 192.168.2.10/24

The ASA can ping 192.168.2.10 (the PC) no problem.

What I don't understand from the example in the documentation that you linked to, is what the management port on the SSM-IPS is doing? The manual says that this port is used to download the image file from the TFTP server, but in the example it is on a different subnet? So the ASA inside interface, and also the PC with the TFTP server on will be unable to route to the SSM-IPS management interface? Or am I missing something?

I could understand it more if the ASA used the internal interface to send the image file to the SSM-IPS module, but the documentation does say it receives it via its own management interface.

As you can see - I'm going around in circles!

I'm sure it's a simple solution and I'm just missing a key bit of information, but I'm at a loss to what it is!



Many thanks again for sticking with me!

I had a look in the Cisco ASA All-In-One book and found the following steps:

1. Place the system image file on a TFTP server that is accessible over the network.

2. Connect the physical management interface of the ASA IPS to the network

3. Designate a management IP address for the ASA IPS.  If the TFTP server is on a different subnet, you must also provide ASAIPS a default gateway to use for the download.  If you place the TFTP server on the same subnet or connect it directly to the ASA IPS, point the default gateway to the TFTP server itself.

4. From the privileged exec mode on the host ASA, issue the following command: hw-module module 1 recover configure

    Specify the full TFTP URL for the system image: ex. tftp://172.16.164.124/IPS-SSM_20-K9-sys

    Provide the IP address for the ASA IPS management interface: 192.168.1.19

    Provide the IP address of the ASA IPS default gateway or the TFTP server if directly connected: 192.168.1.11

5. Start the re-imaging process with the hw-module module 1 recover boot command

 

Hope this helps you.

--
Please remember to select a correct answer and rate helpful posts
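The addressing rules in steps 3 and 4 above can be checked before the values are typed into the recover configure prompts. This is an added example, not part of the original post or of Cisco's documentation; the function name `check_recover_params` and the /24 prefix length are assumptions, since the prompts shown in this thread ask only for the image URL, port IP address, VLAN ID and gateway.

```python
import ipaddress
from urllib.parse import urlsplit


def check_recover_params(image_url, port_ip, gateway_ip, prefix_len=24):
    """Return a list of problems; an empty list means the values are consistent.

    prefix_len is an assumption: the module's subnet size is not one of the
    prompts shown in the thread.
    """
    problems = []
    url = urlsplit(image_url)
    if url.scheme != "tftp":
        problems.append("image URL must use the tftp:// scheme")
    if not url.path.strip("/"):
        problems.append("image URL has no file name")
    try:
        tftp = ipaddress.ip_address(url.hostname or "")
        port = ipaddress.ip_address(port_ip)
        gateway = ipaddress.ip_address(gateway_ip)
    except ValueError as exc:
        return problems + [f"not an IP address: {exc}"]

    # Subnet the module's management port sits on (assumed prefix length).
    subnet = ipaddress.ip_network(f"{port}/{prefix_len}", strict=False)

    if port in (tftp, gateway):
        problems.append("port IP address collides with the TFTP server or gateway")
    if tftp in subnet:
        # Step 3: same subnet or directly connected -> gateway is the TFTP server.
        if gateway != tftp:
            problems.append("TFTP server is on the module's subnet, "
                            "so the gateway should be the TFTP server itself")
    elif gateway not in subnet:
        # Step 3: different subnet -> the module needs a gateway it can reach.
        problems.append("TFTP server is on another subnet, but the gateway "
                        "is not on the module's subnet")
    return problems


if __name__ == "__main__":
    # Values from the book steps quoted above (TFTP server on another subnet).
    print(check_recover_params("tftp://172.16.164.124/IPS-SSM_20-K9-sys",
                               "192.168.1.19", "192.168.1.11"))
    # Constructed same-subnet case where the gateway is not the TFTP server.
    print(check_recover_params("tftp://10.0.0.5/image.img",
                               "10.0.0.6", "10.0.0.1"))
```
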

@Marius Gunnerud VIP Advocate

 

Hi Marius,

Thanks again for the information!

I tried what you suggested a few ways, but with no luck.

 

I also tried it the simplest way I could, given the information you kindly provided :-

My PC with the static IP address of 192.168.2.10/24

with Tftpd64 running as the TFTP server.

This was connected to a switch.

I also connected the ASA IPS management port into the same switch.

I used a switch just in case there were any crossover / straight-through cable issues!

 

With the IPS being in an "unresponsive" state, I entered the following via the ASA CLI :-

HW-Module module 1 recover config

image url : tftp://192.168.2.10/IPS-SSM_10-K9-sys-1.1-a-7.1-10-E4.img

Port IP Address: 192.168.2.11

VLAN ID(0): {enter}

Gateway IP Address: 192.168.2.10

 

HW-Module module 1 recover boot

Recover module 1? [confirm] {enter}

 

When I press enter to confirm, the port link LED on the switch that is connected to the IPS management port goes out for a few seconds, comes back on for a few seconds, goes off again, then comes on and remains on.

At this stage, Show Module 1

Shows the module has gone into "recover" mode, but nothing else seems to happen!

 

I've just purchased the "Official Cert Guide - CCNP Security IPS 642-627" as there is some information in there about re-imaging the IPS, though there seems to be nothing new that we've not already tried.

 

Do the above parameters seem OK to you?

 

Thanks again for helping out!

 

 

 
