- ASA 5525 with Software IPS

What could be the reason for ASA throwing this syslog everyday exactly when the signatures are configured for auto-update:

%ASA-6-420005: Virtual Sensor vs0 was deleted from the AIP SSM

As per Cisco documentation, vs0 cannot be deleted.

Immediately after the above message, following message is generated:

%ASA-1-323006: Module ips experienced a data channel communication failure, data channel is DOWN.

Then, after around a minute, following syslog is generated telling that vs0 was added back to the IPS:

%ASA-6-420004: Virtual Sensor vs0 was added on the AIP SSM

And finally, we get following syslog showing that IPS module is back up:

%ASA-1-505011: Module ips data channel communication is UP

So, it looks like that somehow, vs0 gets deleted from the IPS module which results in IPS experiencing data channel communication failure. Then vs0 automatically gets added back and IPS comes back up.

The cycle of above syslogs is seen daily at the same time.

Please note that we don't have license present on the IPS module.

So, it looks like this is what could be happening:

- At configured update time everyday, the IPS module tries upgrading the signature. The signatures get downloaded successfully and when IPS module tries to apply them, it realizes that the license is missing, so it tries to roll back and that’s when all those messages start coming up (even though still vs0 shouldn’t have been deleted)

Am I understanding it right?