02-07-2012 02:19 AM - edited 03-10-2019 05:36 AM
Hi,
After upgrading to the latest version, IPS 7.0(7)E4, the IPS does not come up right. In the ASA it appears as Not Applicable and I need to restart the module. Some time later the IPS again appears as Not Applicable. I cannot access it via SSH or ASDM, only via session 1.
I use RADIUS to authenticate, and a local user if RADIUS fails.
fw1# show module
Mod Card Type Model Serial No.
--- -------------------------------------------- ------------------ -----------
0 ASA 5520 Adaptive Security Appliance ASA5520 JMX1322L003
1 ASA 5500 Series Security Services Module-10 ASA-SSM-10 JAF1405DBJD
Mod MAC Address Range Hw Version Fw Version Sw Version
--- --------------------------------- ------------ ------------ ---------------
0 0024.c49a.52be to 0024.c49a.52c2 2.0 1.0(11)2 8.4(3)
1 0027.0dd2.cfa8 to 0027.0dd2.cfa8 1.0 1.0(11)5 7.0(7)E4
Mod SSM Application Name Status SSM Application Version
--- ------------------------------ ---------------- --------------------------
1 IPS Not Applicable 7.0(7)E4
Mod Status Data Plane Status Compatibility
--- ------------------ --------------------- -------------
0 Up Sys Not Applicable
1 Unresponsive Not Applicable
02-08-2012 02:16 AM
JUST RE-INSERT AND RESTART THE FIREWALL, THEN SEE THE RESULT AND POST THE OUTPUT.
REGARDS
RAJAT
02-08-2012 10:56 AM
Inside the ASA I ran these commands: hw-module module 1 recover configure and hw-module module 1 boot; after the re-image it's OK.
Now the problem is with RADIUS authentication; see the log. This feature was OK before the update to the latest version.
evStatus: eventId=1328710491220984018 vendor=Cisco
originator:
hostId: IPS_JLLE_2
appName: sshd
appInstanceId: 27584
time: 2012/02/08 18:47:22 2012/02/08 16:47:22 GMT-03:00
syslogMessage:
description: Illegal user ciscoworks from 172.16.100.9
evStatus: eventId=1328710491220984019 vendor=Cisco
originator:
hostId: IPS_JLLE_2
appName: pam_tally
appInstanceId: 27613
time: 2012/02/08 18:47:22 2012/02/08 16:47:22 GMT-03:00
syslogMessage:
description: pam_tally: pam_get_uid; no such user ciscoworks
evStatus: eventId=1328710491220984020 vendor=Cisco
originator:
hostId: IPS_JLLE_2
appName: sshd
appInstanceId: 27613
time: 2012/02/08 18:47:34 2012/02/08 16:47:34 GMT-03:00
syslogMessage:
description: pam_radius_helper: Authentication failed
evStatus: eventId=1328710491220984021 vendor=Cisco
originator:
hostId: IPS_JLLE_2
appName: sshd(pam_unix)
appInstanceId: 27613
time: 2012/02/08 18:47:34 2012/02/08 16:47:34 GMT-03:00
syslogMessage:
description: check pass; user unknown
evStatus: eventId=1328710491220984022 vendor=Cisco
originator:
hostId: IPS_JLLE_2
appName: sshd(pam_unix)
appInstanceId: 27613
time: 2012/02/08 18:47:34 2012/02/08 16:47:34 GMT-03:00
syslogMessage:
description: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=apl16
evStatus: eventId=1328710491220984023 vendor=Cisco
originator:
hostId: IPS_JLLE_2
appName: sshd
appInstanceId: 27584
time: 2012/02/08 18:47:36 2012/02/08 16:47:36 GMT-03:00
syslogMessage:
description: error: PAM: Authentication failure
evStatus: eventId=1328710491220984024 vendor=Cisco
originator:
hostId: IPS_JLLE_2
appName: pam_tally
appInstanceId: 27626
time: 2012/02/08 18:47:36 2012/02/08 16:47:36 GMT-03:00
syslogMessage:
description: pam_tally: pam_get_uid; no such user ciscoworks
evStatus: eventId=1328710491220984025 vendor=Cisco
originator:
hostId: IPS_JLLE_2
appName: monitor
appInstanceId: 359
time: 2012/02/08 18:47:43 2012/02/08 16:47:43 GMT-03:00
healthAndSecurity:
description: Heartbeat
healthStatus: green
securityStatus:
virtualSensor: vs0
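To make the log above easier to read, here is an added example (not from the thread or from Cisco) that parses the flat evStatus dump into records and flags SSH sessions where RADIUS failed and the local (pam_unix) fallback then reported the user unknown, which is what the sequence above shows for the account in question. The sample input reuses three of the records quoted above, trimmed to the fields the parser needs.

```python
import re

# Sample input: three of the IPS evStatus records quoted in the post above,
# trimmed to the fields the parser uses (layout otherwise unchanged).
SAMPLE = """\
evStatus: eventId=1328710491220984018 vendor=Cisco
appName: sshd
appInstanceId: 27584
time: 2012/02/08 18:47:22 2012/02/08 16:47:22 GMT-03:00
description: Illegal user ciscoworks from 172.16.100.9
evStatus: eventId=1328710491220984020 vendor=Cisco
appName: sshd
appInstanceId: 27613
time: 2012/02/08 18:47:34 2012/02/08 16:47:34 GMT-03:00
description: pam_radius_helper: Authentication failed
evStatus: eventId=1328710491220984022 vendor=Cisco
appName: sshd(pam_unix)
appInstanceId: 27613
time: 2012/02/08 18:47:34 2012/02/08 16:47:34 GMT-03:00
description: check pass; user unknown
"""

def parse_events(text):
    # One dict per record: a record starts at an "evStatus:" line; bare
    # section headers such as "originator:" carry no value and are skipped.
    events, cur = [], None
    for line in text.splitlines():
        if line.startswith("evStatus:"):
            cur = {"eventId": re.search(r"eventId=(\d+)", line).group(1)}
            events.append(cur)
        elif cur is not None and ": " in line:
            key, val = line.split(": ", 1)
            cur[key] = val.strip()
    return events

def radius_then_local_unknown(events):
    # Group descriptions by sshd session (appInstanceId) and look for a RADIUS
    # failure followed by "user unknown" from the local fallback in the same
    # session; return the usernames named in the surrounding sshd/pam_tally lines.
    sessions = {}
    for e in events:
        sessions.setdefault(e.get("appInstanceId"), []).append(e.get("description", ""))
    hit = any("pam_radius_helper: Authentication failed" in d
              and "check pass; user unknown" in d for d in sessions.values())
    if not hit:
        return []
    names = {m.group(1) for e in events
             for m in re.finditer(r"(?:Illegal user|no such user) (\S+)", e.get("description", ""))}
    return sorted(names)
```

An empty result means no session showed the RADIUS-then-local-unknown pattern; a non-empty one lists accounts that exist only on the RADIUS side.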
02-09-2012 12:15 AM
I do have the same issue. I just upgraded the AIP-SSM IPS module from 7.0.5a to 7.0.7; the module reloaded after the upgrade as expected and then also went into unresponsive. A hw-module reload was not possible, so (after waiting a period of time) I moved to hw-module shut and reset.
Afterwards the module was running, but login via ASA session, SSH and HTTPS was always denied. I'm also using external RADIUS authentication. Sadly the local user is not able to log in anymore either. To make things even worse: I did a password recovery for the cisco user; I'm able to log in via session, but the cisco user is read-only. I've always maintained the device with separate local users, for which there seems to be no remote password recovery method.
I'll now look physically with a console cable to see if I can find something.
For me it looks like either I've overlooked something in the release notes or the new version has not been tested very well. (I've been upgrading regularly, for at least three years, without such issues.)
02-09-2012 02:27 AM
After removing and reinserting, the module was reachable for some time and then went into unresponsive again:
# show module 1 details
Getting details from the Service Module, please wait...
Unable to read details from slot 1
ASA 5500 Series Security Services Module-40
Model: ASA-SSM-40
Hardware version: 1.0
Serial Number:
Firmware version: 1.0(14)5
Software version: 7.0(7)E4
MAC Address Range:
App. name: IPS
App. Status: Not Applicable
App. Status Desc: Not Applicable
App. version: 7.0(7)E4
Data plane Status: Not Applicable
Status: Unresponsive
02-09-2012 02:52 AM
Unfortunately, to fix this Unresponsive issue I did this procedure: http://www.cisco.com/en/US/docs/security/ips/5.0/configuration/guide/cli/cliimage.html#wp1032373
All configuration was lost, and after the re-image the IPS starts up and is OK, but the problem with RADIUS continues.
Step 1 Log in to the ASA.
Step 2 Enter enable mode:
asa> enable
Step 3 Configure the recovery settings for AIP-SSM:
asa# hw-module module 1 recover configure
Note If you make an error in the recovery configuration, use the hw-module module 1 recover stop command to stop the system reimaging and then you can correct the configuration.
Step 4 Specify the TFTP URL for the system image:
Image URL [tftp://0.0.0.0/]:
Example:
Image URL [tftp://0.0.0.0/]: tftp://10.89.146.1/IPS-SSM-K9-sys-1.1-a-5.0-1.img
Step 5 Specify the command and control interface of AIP-SSM:
Port IP Address [0.0.0.0]:
Example:
Port IP Address [0.0.0.0]: 10.89.149.231
Step 6 Leave the VLAN ID at 0.
VLAN ID [0]:
Step 7 Specify the default gateway of the AIP-SSM:
Gateway IP Address [0.0.0.0]:
Example:
Gateway IP Address [0.0.0.0]: 10.89.149.254
Step 8 Execute the recovery:
asa# hw-module module 1 recover boot
02-09-2012 03:24 AM
Hi Christian,
thank you, quite clear; I did exactly the same just some minutes before your post. I reverted back to 7.0.5a, which is now working again as expected. Meaning (for documentation purposes, if other users run into the same issue):
- hw-module module 1 shutdown
- hw-module module 1 reset
- hw-module module 1 recover configure
- using IPS-SSM_40-K9-sys-1.1-a-7.0-5a-E4.img
- hw-module module 1 recover boot
- login via session 1 cisco/cisco, set new password and go thru initial setup process
- reconfigure (copy/paste) with old config via cli session
- reset
- done ;-)
RADIUS support still seems buggy; as I remember it has been added some number of versions ago but also never reached the CLI AAA part. So I guess RADIUS is somehow still not fully tested / undervalued. Just a guess.
Regards
Mathias
02-09-2012 04:02 AM
I re-imaged with 7.0.7(4) and all is OK (only RADIUS is not). Before the update I used 7.0.6(4) and RADIUS authentication worked fine.