Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
438
Views
0
Helpful
1
Replies

Upgrade woes with the IPS-20 module

Cathy Ellis
Beginner
Beginner

‎01-28-2015 12:49 PM - edited ‎03-10-2019 06:19 AM

Hi All,

I have been trying to upgrade the software on an IPS-20 module which is part of an active/ active ASA 5585-X set-up.

The original software version was 7.2(1) and we wanted to upgrade to 7.3(2) - which has the advantage of supporting SNMPv3.

The readme file for 7.3(2) states that the upgrade path is allowed.

Last week we tried the upgrade via IDM -this failed. The IPS module didn't come back online. We managed to recover it from the CLI on the host ASA by re-imaging with the original software image - thus returning to the initial state.

Today we made a 2nd attempt - this time on the IPS CLI using the upgrade command and the relevant upgrade software package.
This failed too. We waited at least an hour, but the module didn't boot properly. We no longer had access to the IPS module directly. And from the ASA CLI it's status is reported as Unresponsive.
Next we tried doing a full image recovery, this time with the full image of the new software version which we want to install. The TFTP server gave some confidence that the correct file was loaded to the module.

But it failed to boot properly - it seemed to be in a boot loop. (This could be seen by continual 'Launching BootLoader' messages via the debug module-boot command on the ASA CLI).

Again the IPS module status progressed from Recover, to Init and finally to Unresponsive.

Next we tried full image recovery with the original software version (full image file) -  again the TFTP image load seemed to complete OK, then it got stuck at 'Launching BootLoader'.

 

Update No.1

It turns out that this issue is a known problem and may be identified by Bug ID CSCug52259.

We had to get the IPS module replaced (fortunately covered by maintenance contract).

New unit delivered 2nd Feb just before midday; set-to work and successfully upgraded software version by end of the day.

 

Update No.2

Because our IPS module was part of an active/active ASA redundant pair we actually had 2 of these IPS modules which needed to be upgraded. Once the first one was up and running again we started on the 2nd!

We encountered the same problems as described above when attempting the upgrade on the 2nd IPS module - and raised another case with Cisco.

This time the TAC sent us an updated BIOS version to install on the IPS module via TFTP. This worked a treat! And after that the upgrade was also successful.

Here are the details of from Cisco's Bug Search Tool:

ROMMON: eUSB device not recognized by BIOS on boot

CSCug52259

Symptom:
ASA or IPS goes into a 'boot loop' after resetting the device, where the ASA/IPS is unable to find a boot image with errors similar to the following:

Launching BootLoader...
Default configuration file contains 1 entry.

Searching / for images to boot.

No images in /
Error 15: File not found

Conditions:
This issue has been seen on 5585, SSP-10, and 4510/4520 devices.

The problem is independent of IPS version, so any IPS version can be affected. The issue can only be corrected with a BIOS update or RMA, which TAC can provide.

Workaround:
None.

 

Hope this helps others out there :)

Cathy

Labels:
0 Helpful
1 Reply 1

nspasov
Cisco Employee
Cisco Employee

‎02-08-2015 02:58 PM

Good job on finding a solution to your own problem Cathy! Also thank you for coming back and sharing the solution with everyone here!

CSCug52259

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents