Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2649
Views
20
Helpful
10
Replies

Upgrade ASA software on ASA5585X with SSP-20 Module

Go to solution
CiscoPurpleBelt
Level 6
Level 6

‎07-28-2021 10:36 AM

Reading the docs, I dont see anything wrong with just upgrading the ASA software on a 5585X Chassis that has a SSP-20 module. Does this sound right?

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to CiscoPurpleBelt

‎07-28-2021 12:44 PM

i mean if you like to upgrade - you can go independtly, make sure it is compatable.

 

below matrix will help you :

https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to CiscoPurpleBelt

‎07-28-2021 01:02 PM - edited ‎07-28-2021 01:02 PM

Most likely it's not is use. If it was, you would see reference to in in your policy-map with an entry for it under a "class <class map name>" line with action "ips" under it.

https://www.cisco.com/c/en/us/td/docs/security/ips/5-1/configuration/guide/cli/cliguide/cliSSM.html#wp1030972

The old style IPS that you have has been end of life for several years and even if the ASA is configured to send traffic to it for inspection it's not very effective in the current threat landscape. You can remove the inspection entry (if indeed there is one) and then upgrade the ASA according solely to the compatibility matrix posted earlier.

View solution in original post

10 Replies 10

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎07-28-2021 11:52 AM

May be we should not confuse ourself here - i did one time

 

5585-X is chasis, it has module. SSP-20   - you are in right path  ASA Upgrade.

 

Do not confuse with SFR Module that is different.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
CiscoPurpleBelt
Level 6
Level 6
In response to balaji.bandi

‎07-28-2021 12:03 PM

Not sure if I know what you mean. Yes traffic is sent to it via policy I see in promiscuous mode, my question is if upgrading the ASA to different software without doing anything to the IPS will have an effect?

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to CiscoPurpleBelt

‎07-28-2021 12:25 PM

Please share the current and planned version of ASA software as well as the current IPS module type (i.e,, is it really the legacy IPS or actually the more recent Firepower module?) and details of its current version.

This is important because it is possible to upgrade to an ASA version that's incompatible with your IPS module.

Go to solution
CiscoPurpleBelt
Level 6
Level 6
In response to Marvin Rhoads

‎07-28-2021 12:38 PM

It is currently ASA version 9.6(3)1 and upgradoing to ASA9-12-4-smp-k8

IPS version is 7.1(11)E4

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to CiscoPurpleBelt

‎07-28-2021 12:44 PM

i mean if you like to upgrade - you can go independtly, make sure it is compatable.

 

below matrix will help you :

https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
CiscoPurpleBelt
Level 6
Level 6
In response to balaji.bandi

‎07-28-2021 12:50 PM

Here is the thing, I cant even log into it, and I dont think it is doing anything because no protocols boxes in the settings are even checked for it to inspect. I thought I could verify if a license even exists from the regular ASA module but it does not reference any IPS licenses.

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to CiscoPurpleBelt

‎07-28-2021 12:58 PM

Loging to ASA command level

 

post below output -

 

show version

show modules

show inventory

 

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
CiscoPurpleBelt
Level 6
Level 6
In response to balaji.bandi

‎07-28-2021 01:02 PM

I cant unfortunately I would need to type.

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to CiscoPurpleBelt

‎07-28-2021 01:02 PM - edited ‎07-28-2021 01:02 PM

Most likely it's not is use. If it was, you would see reference to in in your policy-map with an entry for it under a "class <class map name>" line with action "ips" under it.

https://www.cisco.com/c/en/us/td/docs/security/ips/5-1/configuration/guide/cli/cliguide/cliSSM.html#wp1030972

The old style IPS that you have has been end of life for several years and even if the ASA is configured to send traffic to it for inspection it's not very effective in the current threat landscape. You can remove the inspection entry (if indeed there is one) and then upgrade the ASA according solely to the compatibility matrix posted earlier.

Go to solution
CiscoPurpleBelt
Level 6
Level 6
In response to Marvin Rhoads

‎07-28-2021 01:07 PM

There is a policy I see referencing IPS, but it is set to fail-open and in promiscuos mode so I assume it is really not even doing anything.

The GUI shows boxes for protocols to check un-checked as I explained eariler. Should be ok you think?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card