
Cisco ASA 5500-X Series Next-Generation Firewalls

Field Notice: FN - 63705 - ASA 5500-X Appliances - Default IPS Software Might Not Be Installed - Software Update Required

December 23, 2013


NOTICE:

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Revision History

Revision  Date         Comment
1.0       23-DEC-2013  Initial Public Release

Products Affected

ASA5512-IPS-K8
ASA5512-IPS-K9
ASA5515-IPS-K8
ASA5515-IPS-K9
ASA5525-IPS-K8
ASA5525-IPS-K9
ASA5545-IPS-K9
ASA5555-IPS-K9

Problem Description

Some 5500-X Adaptive Security Appliances (ASAs) ordered with the Intrusion Prevention System (IPS) option were shipped without the IPS software image.

Background

Some ASA 5500-X security appliances ordered with the IPS option that shipped from September 11, 2013 through November 7, 2013 might not contain the IPS software image. This requires the user to follow special procedures in order to install the IPS software from the Cisco software download center to utilize the IPS feature set.

Problem Symptoms

The IPS software image information is not displayed when the system is booted up. In addition, the show module command output displays the IPS module as 'Unknown' and 'Unresponsive' as shown in this sample output.

ciscoasa# show module

Mod Card Type                                    Model              Serial No. 
--- -------------------------------------------- ------------------ -----------
  0 ASA 5545-X with SW, 8 GE Data, 1 GE Mgmt     ASA5545            FCH12345ABC
ips Unknown                                      N/A                FCH12345ABC

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version     
--- --------------------------------- ------------ ------------ ---------------
  0 abcd.1234.abcd to abcd.1234.abcd  1.0          2.1(9)8      8.6(1)10
ips abcd.1234.abcd to abcd.1234.abcd  N/A          N/A          

Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- --------------------------
ips Unknown                        No Image Present Not Applicable

Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
  0 Up Sys             Not Applicable        
ips Unresponsive       Not Applicable        

Mod License Name   License Status  Time Remaining
--- -------------- --------------- ---------------
ips IPS Module     Disabled        perpetual  

Workaround/Solution

In order to install the system IPS image on the ASA 5500-X, follow these steps:

  1. Download the IPS system image file that corresponds to your ASA platform to the TFTP root directory of a TFTP server that is accessible from your appliance. Make sure you can access the TFTP server location from the network connected to the Ethernet port of the ASA.

  2. Log in to the ASA 5500-X security appliance.

  3. Enter enable mode.
    asa> enable
  4. Copy the IPS image to the disk0 flash of the ASA 5500-X security appliance.
    asa# copy tftp://192.0.2.0/directory/IPS-SSP_5545-K9-sys-1.1-a-7.1-8-E4.aip disk0:
  5. Configure the IPS software module image on the ASA 5500-X security appliance.
    asa# sw-module module ips recover configure image disk0:/IPS-SSP_5545-K9-sys-1.1-a-7.1-8-E4.aip
  6. Execute the recovery. This loads the IPS software into the ASA 5500-X security appliance and restarts it.
    asa# sw-module module ips recover boot
  7. Periodically check the recovery until it is complete.
    ciscoasa(config)# show module
    
    Mod Card Type                                    Model              Serial No. 
    --- -------------------------------------------- ------------------ -----------
      0 ASA 5545-X with SW, 8 GE Data, 1 GE Mgmt     ASA5545            FCH12345ABC
    ips ASA 5545-X IPS Security Services Processor   ASA5545-IPS        FCH12345ABC
    
    Mod MAC Address Range                 Hw Version   Fw Version   Sw Version 
    --- --------------------------------- ------------ ------------ ---------------
      0 abcd.1234.abcd to abcd.1234.abcd  1.0          2.1(9)8      8.6(1)10
    ips abcd.1234.abcd to abcd.1234.abcd  N/A          N/A          7.1(8)E4
    
    Mod SSM Application Name           Status           SSM Application Version
    --- ------------------------------ ---------------- --------------------------
    ips IPS                            Up               7.1(8)E4
    
    Mod Status             Data Plane Status     Compatibility
    --- ------------------ --------------------- -------------
      0 Up Sys             Not Applicable 
    ips Up                 Up 
    
    Mod License Name   License Status  Time Remaining
    --- -------------- --------------- ---------------
    ips IPS Module     Disabled        perpetual
    

    Note: The Status field in the output indicates the operational status of the ASA 5500-X IPS software module. An IPS module that operates normally shows a status of "Up". While an ASA 5500-X security appliance loads the application image, the Status field in the output reads "Recover". When the ASA 5500-X security appliance completely loads the image and restarts the IPS module, the newly transferred image is running. In order to debug any errors that might happen in the recovery process, enter the debug module-boot command to debug the system reimaging process.

  8. Session to the ASA 5500-X security appliance and initialize it with the setup command.
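
An added example, not part of the Cisco notice: a Python check that parses show module output and classifies the ips module as the symptom state ("No Image Present" / "Unresponsive"), the "Recover" state described in the note, or the recovered state shown in step 7. The function names, state labels and sample text are constructed for illustration; the column widths are taken from the rulers in the notice's output.

```python
import re

RULER = re.compile(r"\s*-+(?: +-+)+\s*")   # the "--- ------ ----" line under each header

def parse_tables(output):
    """Parse 'show module' tables into {table: {mod: {column: value}}}.

    Cells are cut at the ruler's column offsets, not on whitespace, because
    "No Image Present Not Applicable" has a single space between two cells.
    Assumes tables are separated by blank lines, as in the notice's output.
    """
    lines, tables = output.splitlines(), {}
    for i, line in enumerate(lines):
        if i == 0 or not RULER.fullmatch(line):
            continue
        starts = [m.start() for m in re.finditer(r"-+", line)]
        spans = list(zip(starts, starts[1:] + [None]))
        cols = [lines[i - 1][a:b].strip() for a, b in spans]
        rows = tables.setdefault(cols[1], {})      # table named by its 2nd column
        for row in lines[i + 1:]:
            if not row.strip():
                break
            cells = [row[a:b].strip() for a, b in spans]
            rows[cells[0]] = dict(zip(cols, cells))
    return tables

def ips_state(output):
    """Classify the ips module: missing-image, recovering, up, or unknown."""
    t = parse_tables(output)
    app = t.get("SSM Application Name", {}).get("ips", {}).get("Status")
    mod = t.get("Status", {}).get("ips", {}).get("Status")
    if app == "No Image Present" or mod == "Unresponsive":
        return "missing-image"
    if "Recover" in (app, mod):
        return "recovering"
    return "up" if app == mod == "Up" else "unknown"

def make_table(widths, *rows):   # builds constructed sample text at fixed widths
    rows = (rows[0], tuple("-" * w for w in widths)) + rows[1:]
    return "\n".join(" ".join(c.ljust(w) for c, w in zip(r, widths)) for r in rows)

APP_HDR = ("Mod", "SSM Application Name", "Status", "SSM Application Version")
MOD_HDR = ("Mod", "Status", "Data Plane Status", "Compatibility")
APP_W, MOD_W = (3, 30, 16, 26), (3, 18, 21, 13)   # widths of the notice's rulers
SAMPLE_MISSING = "\n\n".join([      # constructed from the symptom output
    make_table(APP_W, APP_HDR, ("ips", "Unknown", "No Image Present", "Not Applicable")),
    make_table(MOD_W, MOD_HDR, ("ips", "Unresponsive", "Not Applicable", ""))])
SAMPLE_UP = "\n\n".join([           # constructed from the step 7 output
    make_table(APP_W, APP_HDR, ("ips", "IPS", "Up", "7.1(8)E4")),
    make_table(MOD_W, MOD_HDR, ("ips", "Up", "Up", ""))])
```

Feed ips_state() the captured text of show module from each appliance; a result other than "up" on a unit ordered with the IPS option means the module still needs the recovery steps above or has not finished them.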

How To Identify Hardware Levels

Affected ASA 5500-X security appliances were shipped from September 11, 2013 through November 7, 2013.

Obtain the chassis serial number through the CLI or visual inspection of the ASA 5500-X security appliance as shown here:

  • Command Line Interface (CLI) - Enter the show inventory command in order to obtain the chassis serial number of the appliance:
    asa# show inventory
    Name: "Chassis", DESCR: "ASA5525-X with SW, 8 GE Data, 1 GE Mgmt, AC"
    PID: ASA5525, VID: V01, SN: FTX1234ABCD
    
  • Visual inspection of the ASA 5500-X security appliance - The chassis serial number label is located on the rear of the appliance and might also be referenced on the sales order documentation.

    Access the Cisco Serial Number Validation Tool in order to validate your ASA 5500-X security appliance serial number(s).

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
