07-28-2021 10:36 AM
Reading the docs, I don't see anything wrong with just upgrading the ASA software on a 5585X Chassis that has an SSP-20 module. Does this sound right?
07-28-2021 11:52 AM
Maybe we should not confuse ourselves here - I did one time.
5585-X is the chassis, it has a module. SSP-20 - you are on the right path, ASA upgrade.
Do not confuse it with the SFR module, that is different.
07-28-2021 12:03 PM
Not sure if I know what you mean. Yes, traffic is sent to it via policy I see in promiscuous mode; my question is if upgrading the ASA to different software without doing anything to the IPS will have an effect?
07-28-2021 12:25 PM
Please share the current and planned version of ASA software as well as the current IPS module type (i.e., is it really the legacy IPS or actually the more recent Firepower module?) and details of its current version.
This is important because it is possible to upgrade to an ASA version that's incompatible with your IPS module.
07-28-2021 12:38 PM
It is currently ASA version 9.6(3)1 and upgrading to ASA9-12-4-smp-k8
IPS version is 7.1(11)E4
07-28-2021 12:44 PM
I mean, if you'd like to upgrade - you can go independently, make sure it is compatible.
The matrix below will help you:
https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html
07-28-2021 12:50 PM
Here is the thing, I can't even log into it, and I don't think it is doing anything because no protocol boxes in the settings are even checked for it to inspect. I thought I could verify if a license even exists from the regular ASA module but it does not reference any IPS licenses.
07-28-2021 12:58 PM
Log in to the ASA command level and
post the output below -
show version
show modules
show inventory
07-28-2021 01:02 PM
I can't, unfortunately, I would need to type.
07-28-2021 01:02 PM - edited 07-28-2021 01:02 PM
Most likely it's not in use. If it was, you would see a reference to it in your policy-map with an entry for it under a "class <class map name>" line with action "ips" under it.
The old style IPS that you have has been end of life for several years and even if the ASA is configured to send traffic to it for inspection it's not very effective in the current threat landscape. You can remove the inspection entry (if indeed there is one) and then upgrade the ASA according solely to the compatibility matrix posted earlier.
07-28-2021 01:07 PM
There is a policy I see referencing IPS, but it is set to fail-open and in promiscuous mode so I assume it is really not even doing anything.
The GUI shows boxes for protocols to check un-checked as I explained earlier. Should be ok you think?
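The check described in the thread (an "ips" action under a "class" line of a policy-map, with its promiscuous/inline and fail-open/fail-close settings) can be run against a saved running-config before the upgrade. This is an added example, not part of any post above; the configuration text and all class and policy names in it are constructed sample input.

```python
import re

# Constructed sample of a saved running-config (not taken from the thread).
SAMPLE_CONFIG = """\
class-map IPS-TRAFFIC
 match any
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
 class IPS-TRAFFIC
  ips promiscuous fail-open
policy-map unused_policy
 class IPS-TRAFFIC
  ips inline fail-close
service-policy global_policy global
"""

# ASA action syntax: ips {inline | promiscuous} {fail-close | fail-open}
IPS_RE = re.compile(r"^ips\s+(inline|promiscuous)\s+(fail-open|fail-close)\b")

def find_ips_redirects(config):
    """Return one record per 'ips' action found under a policy-map class."""
    # Policy maps that are actually attached globally or to an interface.
    applied = set(re.findall(r"^service-policy\s+(\S+)", config, re.M))
    policy = cls = None
    hits = []
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):      # a top-level command ends any open block
            policy = line.split()[1] if line.startswith("policy-map ") else None
            cls = None
        elif policy and line.startswith("class "):
            cls = line.split()[1]
        elif policy and cls:
            m = IPS_RE.match(line)
            if m:
                hits.append({"policy_map": policy, "class": cls,
                             "mode": m.group(1), "failure": m.group(2),
                             "applied": policy in applied})
    return hits

if __name__ == "__main__":
    for h in find_ips_redirects(SAMPLE_CONFIG):
        state = "applied" if h["applied"] else "not applied by any service-policy"
        print(f'{h["policy_map"]}/{h["class"]}: ips {h["mode"]} {h["failure"]} ({state})')
```

An empty result means no class redirects traffic to the IPS module; an entry marked as not applied belongs to a policy-map that no service-policy references.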