Upgrade IPS problem

Hi,

After upgrading to the latest version, IPS 7.0(7)E4, the IPS does not come up right. In the ASA it appears as Not Applicable and I need to restart the module. Some time later the IPS appears again as Not Applicable. I can not access it via SSH or ASDM, only session 1.

I use RADIUS to authenticate and a local user if RADIUS fails.

fw1# show module
Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  0 ASA 5520 Adaptive Security Appliance         ASA5520            JMX1322L003
  1 ASA 5500 Series Security Services Module-10  ASA-SSM-10         JAF1405DBJD

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
--- --------------------------------- ------------ ------------ ---------------
  0 0024.c49a.52be to 0024.c49a.52c2  2.0          1.0(11)2     8.4(3)
  1 0027.0dd2.cfa8 to 0027.0dd2.cfa8  1.0          1.0(11)5     7.0(7)E4

Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- --------------------------
  1 IPS                            Not Applicable   7.0(7)E4

Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
  0 Up Sys             Not Applicable
  1 Unresponsive       Not Applicable

7 Replies

r.kukreja
Level 1

JUST RE-INSERT AND RESTART FIREWALL THEN SEE THE RESULT AND POST THE OUTPUT

REGARDS

RAJAT

I ran these commands on the ASA: hw-module module 1 recover configure and hw-module module 1 boot; after re-imaging it's OK.

Now the problem is with RADIUS authentication; look at the log. This feature was OK before the update to the latest version.

evStatus: eventId=1328710491220984018 vendor=Cisco
  originator:
    hostId: IPS_JLLE_2
    appName: sshd
    appInstanceId: 27584
  time: 2012/02/08 18:47:22 2012/02/08 16:47:22 GMT-03:00
  syslogMessage:
    description: Illegal user ciscoworks from 172.16.100.9

evStatus: eventId=1328710491220984019 vendor=Cisco
  originator:
    hostId: IPS_JLLE_2
    appName: pam_tally
    appInstanceId: 27613
  time: 2012/02/08 18:47:22 2012/02/08 16:47:22 GMT-03:00
  syslogMessage:
    description: pam_tally: pam_get_uid; no such user ciscoworks

evStatus: eventId=1328710491220984020 vendor=Cisco
  originator:
    hostId: IPS_JLLE_2
    appName: sshd
    appInstanceId: 27613
  time: 2012/02/08 18:47:34 2012/02/08 16:47:34 GMT-03:00
  syslogMessage:
    description: pam_radius_helper: Authentication failed

evStatus: eventId=1328710491220984021 vendor=Cisco
  originator:
    hostId: IPS_JLLE_2
    appName: sshd(pam_unix)
    appInstanceId: 27613
  time: 2012/02/08 18:47:34 2012/02/08 16:47:34 GMT-03:00
  syslogMessage:
    description: check pass; user unknown

evStatus: eventId=1328710491220984022 vendor=Cisco
  originator:
    hostId: IPS_JLLE_2
    appName: sshd(pam_unix)
    appInstanceId: 27613
  time: 2012/02/08 18:47:34 2012/02/08 16:47:34 GMT-03:00
  syslogMessage:
    description: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=apl16

evStatus: eventId=1328710491220984023 vendor=Cisco
  originator:
    hostId: IPS_JLLE_2
    appName: sshd
    appInstanceId: 27584
  time: 2012/02/08 18:47:36 2012/02/08 16:47:36 GMT-03:00
  syslogMessage:
    description: error: PAM: Authentication failure

evStatus: eventId=1328710491220984024 vendor=Cisco
  originator:
    hostId: IPS_JLLE_2
    appName: pam_tally
    appInstanceId: 27626
  time: 2012/02/08 18:47:36 2012/02/08 16:47:36 GMT-03:00
  syslogMessage:
    description: pam_tally: pam_get_uid; no such user ciscoworks

evStatus: eventId=1328710491220984025 vendor=Cisco
  originator:
    hostId: IPS_JLLE_2
    appName: monitor
    appInstanceId: 359
  time: 2012/02/08 18:47:43 2012/02/08 16:47:43 GMT-03:00
  healthAndSecurity:
    description: Heartbeat
    healthStatus: green
    securityStatus:
      virtualSensor: vs0
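As an added example (not from this thread and not Cisco's own tooling), the following Python parses an evStatus dump like the one above and correlates the sshd and PAM messages into one login-attempt summary, so an operator can see at a glance that the RADIUS helper rejected the user and that the local fallback then had no such account. The record layout is assumed from the pasted lines only; the sample input is a constructed, trimmed copy of the events shown (same eventIds and messages), and the function names are my own.

```python
import re

# Constructed sample: a trimmed copy of the evStatus records in the post above
# (same eventIds and messages), embedded here so the example runs offline.
SAMPLE_EVENTS = """\
evStatus: eventId=1328710491220984018 vendor=Cisco
  originator:
    hostId: IPS_JLLE_2
    appName: sshd
    appInstanceId: 27584
  time: 2012/02/08 18:47:22 2012/02/08 16:47:22 GMT-03:00
  syslogMessage:
    description: Illegal user ciscoworks from 172.16.100.9
evStatus: eventId=1328710491220984020 vendor=Cisco
  originator:
    hostId: IPS_JLLE_2
    appName: sshd
    appInstanceId: 27613
  time: 2012/02/08 18:47:34 2012/02/08 16:47:34 GMT-03:00
  syslogMessage:
    description: pam_radius_helper: Authentication failed
evStatus: eventId=1328710491220984021 vendor=Cisco
  originator:
    hostId: IPS_JLLE_2
    appName: sshd(pam_unix)
    appInstanceId: 27613
  time: 2012/02/08 18:47:34 2012/02/08 16:47:34 GMT-03:00
  syslogMessage:
    description: check pass; user unknown
evStatus: eventId=1328710491220984023 vendor=Cisco
  originator:
    hostId: IPS_JLLE_2
    appName: sshd
    appInstanceId: 27584
  time: 2012/02/08 18:47:36 2012/02/08 16:47:36 GMT-03:00
  syslogMessage:
    description: error: PAM: Authentication failure
evStatus: eventId=1328710491220984025 vendor=Cisco
  originator:
    hostId: IPS_JLLE_2
    appName: monitor
    appInstanceId: 359
  time: 2012/02/08 18:47:43 2012/02/08 16:47:43 GMT-03:00
  healthAndSecurity:
    description: Heartbeat
    healthStatus: green
    securityStatus:
      virtualSensor: vs0
"""


def parse_evstatus(text):
    """Parse the indented evStatus dump into a list of flat dicts.
    Section headers (originator:, syslogMessage:, ...) land in 'section'."""
    events, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("evStatus:"):
            # Header carries key=value pairs: eventId=... vendor=...
            current = dict(f.partition("=")[::2] for f in line.split()[1:])
            events.append(current)
        elif line and current is not None:
            key, _, value = line.partition(":")
            if value.strip():
                current[key] = value.strip()
            else:
                current["section"] = key
    return events


ILLEGAL_USER = re.compile(r"Illegal user (\S+) from (\S+)")


def summarize_ssh_auth(events):
    """Correlate sshd/PAM messages into one login-attempt summary."""
    s = {"user": None, "source": None, "radius_failed": False,
         "local_user_unknown": False, "rejected": False}
    for ev in events:
        app, desc = ev.get("appName", ""), ev.get("description", "")
        if not app.startswith("sshd"):
            continue  # heartbeats, pam_tally etc. are not part of the chain
        m = ILLEGAL_USER.search(desc)
        if m:
            s["user"], s["source"] = m.group(1), m.group(2)
        elif "pam_radius_helper: Authentication failed" in desc:
            s["radius_failed"] = True
        elif app == "sshd(pam_unix)" and "user unknown" in desc:
            s["local_user_unknown"] = True
        elif "PAM: Authentication failure" in desc:
            s["rejected"] = True
    return s


def diagnose(s):
    """Short verdict: which leg of the RADIUS-then-local chain failed."""
    if s["radius_failed"] and s["local_user_unknown"]:
        return "radius-and-local-fallback-failed"
    if s["radius_failed"]:
        return "radius-failed"
    if s["local_user_unknown"]:
        return "local-user-unknown"
    return "rejected" if s["rejected"] else "ok"
```

Calling `diagnose(summarize_ssh_auth(parse_evstatus(SAMPLE_EVENTS)))` on the constructed sample yields `radius-and-local-fallback-failed`, which is exactly the situation the log describes: the remote user is rejected by RADIUS and, because it does not exist locally, the local fallback cannot rescue the session either. Keeping one local administrative account that is not RADIUS-dependent is what makes the fallback useful when the RADIUS path breaks after an upgrade.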

aidacruises
Level 1

I have the same issue. I just upgraded the AIP-SSM IPS module from 7.0.5a to 7.0.7; the module reloaded after the upgrade as expected and then also went unresponsive. A hw-module reload was not possible, then (after waiting a period of time) I moved to hw-module shut and reset.

Afterwards the module was running, but login via ASA session, SSH and HTTPS was always denied. I'm also using external RADIUS authentication. Sadly, the local user is also not able to log in anymore. To make things even worse: I did a password recovery for the cisco user; I'm now able to log in via session, but the cisco user is read-only. I've always maintained the device with a separate local user, for which it seems there is no remote password recovery method.

I'll now look physically with a console cable to see if I can find something.

To me it looks like either I've overlooked something in the release notes or the new version has not been tested very well? (I've been upgrading regularly during the year for at least three years without such issues.)

After removing and reinserting, the module was reachable for some time and then went unresponsive again:

# show module 1 details
Getting details from the Service Module, please wait...
Unable to read details from slot 1
ASA 5500 Series Security Services Module-40
Model:              ASA-SSM-40
Hardware version:   1.0
Serial Number:
Firmware version:   1.0(14)5
Software version:   7.0(7)E4
MAC Address Range:
App. name:          IPS
App. Status:        Not Applicable
App. Status Desc:   Not Applicable
App. version:       7.0(7)E4
Data plane Status:  Not Applicable
Status:             Unresponsive

Unfortunately, to fix this Unresponsive issue, I did this procedure: http://www.cisco.com/en/US/docs/security/ips/5.0/configuration/guide/cli/cliimage.html#wp1032373

All configuration was lost, and after the re-image the IPS starts up OK, but the problem with RADIUS continues.

Step 1 Log in to the ASA.

Step 2 Enter enable mode:
asa> enable

Step 3 Configure the recovery settings for AIP-SSM:
asa# hw-module module 1 recover configure

Note: If you make an error in the recovery configuration, use the hw-module module 1 recover stop command to stop the system reimaging and then you can correct the configuration.

Step 4 Specify the TFTP URL for the system image:
Image URL [tftp://0.0.0.0/]:
Example:

Step 5 Specify the command and control interface of AIP-SSM:
Port IP Address [0.0.0.0]:
Example:
Port IP Address [0.0.0.0]: 10.89.149.231

Step 6 Leave the VLAN ID at 0.
VLAN ID [0]:

Step 7 Specify the default gateway of the AIP-SSM:
Gateway IP Address [0.0.0.0]:
Example:
Gateway IP Address [0.0.0.0]: 10.89.149.254

Step 8 Execute the recovery:
asa# hw-module module 1 recover boot

Hi Christian,

thank you - quite clear, I did exactly the same just some minutes before your post. I reverted back to 7.0.5a, which is now working again as expected. Meaning (for documentation purposes, if other users run into the same issue):

- hw-module module 1 shutdown
- hw-module module 1 reset
- hw-module module 1 recover configure
- using IPS-SSM_40-K9-sys-1.1-a-7.0-5a-E4.img
- hw-module module 1 recover boot
- login via session 1 cisco/cisco, set new password and go thru initial setup process
- reconfigure (copy/paste) with old config via cli session
- reset
- done ;-)

RADIUS support still seems buggy; as I remember, it was added some number of versions ago but also never reached the CLI AAA part. So I guess RADIUS is somehow still not fully tested / undervalued. Just a guess.

Regards

Mathias

I re-imaged with 7.0.7(4) and all is OK (only RADIUS is not). Before the update I used 7.0.6(4) and RADIUS authentication worked fine.
