Cisco ASA 5500-X Series Next-Generation Firewalls

ASA 5500-X: Clear a Console Connection to an Installed IPS/CX Module

Document ID: 116404

Updated: Aug 20, 2013

Contributed by Prapanch Ramamoorthy, Cisco TAC Engineer.

Introduction

This document describes how to clear a stale console session to the software IPS or CX module of a Cisco ASA, a problem that administrators of Cisco Adaptive Security Appliances (ASAs) commonly encounter. Cisco ASA 5500-X Series appliances provide next-generation firewall services with the optional ability to install a software-based Intrusion Prevention System (IPS) module or a Cisco ASA CX (Context Aware) module.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

  • Cisco ASA Command Line Interface (CLI)
  • IPS or CX modules for ASA 5500-X Series appliances

Components Used

The information in this document is based on Cisco ASA 5500-X Series next-generation firewall appliances.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Problem

When you try to open a console session to the installed software IPS or CX module, you might see an error message that indicates someone is already connected to the module console. For example:

ciscoasa# session cxsc console
ERROR: An existing console session is in progress with module cxsc.
Only one is allowed at any point in time.

The previous command output indicates that a console connection to the CX module already exists from another CLI session on the ASA. The equivalent command for the IPS module is session ips console, which produces this output in the same situation:

ciscoasa# session ips console
ERROR: An existing console session is in progress with module ips.
Only one is allowed at any point in time.

Solution

The only way to clear a console connection to the software IPS/CX module on an ASA 5500-X Series appliance is to clear the CLI connection to the ASA from which the console session was opened. Note that this disconnects whoever holds that CLI session, so confirm who owns it before you clear it. This section provides a simulated scenario, similar to the one previously described, that demonstrates the procedure used in order to clear such a connection.

Consider an ASA 5525-X with next-generation firewall services (also known as CX) enabled.

ciscoasa# show module cxsc

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
cxsc ASA CX5525 Security Appliance                ASA CX5525         FCH1719J569

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
cxsc 6c41.6aa1.31d4 to 6c41.6aa1.31d4  N/A          N/A          9.1.1

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
cxsc ASA CX                         Up               9.1.1

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
cxsc Up                 Up

There is a Secure Shell (SSH) session established with the ASA in addition to a console connection.

ciscoasa# show asp table socket

Protocol  Socket     State     Local Address        Foreign Address
SSL       000069e8   LISTEN    10.106.44.101:443    0.0.0.0:*
TCP       00009628   LISTEN    10.106.44.101:22     0.0.0.0:*
TCP       0000da58   ESTAB     10.106.44.101:22     64.103.226.139:52565

The ESTAB connection in the output (64.103.226.139:52565 to the ASA on port 22) is the SSH session where the console connection to the CX module is active. Attempts to access the module console from another CLI connection (such as a console connection to the ASA) fail with the error previously mentioned. The output of the show conn all command is used in order to confirm that exactly one connection matches the SSH session's source port, and that connection is then cleared with the clear conn all command. Before you clear it, verify the owner of the session (for example with show ssh sessions), because the clear disconnects that administrator and any unfinished work in the module console is lost.

ciscoasa# show conn all | in 52565
1 in use, 4 most used
TCP mgmt 64.103.226.139:52565 NP Identity Ifc 10.106.44.101:22,
 idle 0:04:16, bytes 10284, flags UOB

ciscoasa#
ciscoasa#
ciscoasa# clear conn all port 52565
1 connection(s) deleted.

ciscoasa# show conn all | i 52565
0 in use, 4 most used
ciscoasa# show asp table socket

Protocol  Socket    State      Local Address        Foreign Address
SSL       000069e8  LISTEN     10.106.44.101:443    0.0.0.0:*
TCP       00009628  LISTEN     10.106.44.101:22     0.0.0.0:*

ciscoasa#
ciscoasa# session cxsc console
Opening console session with module cxsc.
Connected to module cxsc. Escape character sequence is 'CTRL-^X'.

asacx>
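
The procedure above, reduced to the decision an operator makes: parse the show asp table socket listing, find the established management session that can be holding the module console, and produce the clear conn command only when there is exactly one candidate. This is an added example and is not Cisco code or part of the original note. The sample output is the listing from this document embedded as a string; treating Telnet (port 23) as a possible holder alongside SSH is an assumption; and the script only plans the command, it does not talk to the ASA.

```python
"""Plan the 'clear conn' needed to free an IPS/CX module console on an ASA.

Added example, not Cisco's code. It reads a copy of 'show asp table socket'
output and decides which to-the-box management session to clear; the
operator still runs the resulting command on the ASA.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the 'show asp table socket' listing from this document.
SAMPLE_ASP_SOCKETS = """\
ciscoasa# show asp table socket

Protocol  Socket     State     Local Address        Foreign Address
SSL       000069e8   LISTEN    10.106.44.101:443    0.0.0.0:*
TCP       00009628   LISTEN    10.106.44.101:22     0.0.0.0:*
TCP       0000da58   ESTAB     10.106.44.101:22     64.103.226.139:52565
"""

# Management ports whose CLI session can hold the module console.
# 22 = SSH (the case in this document); 23 = Telnet, included as an assumption.
MGMT_PORTS = (22, 23)


@dataclass(frozen=True)
class AspSocket:
    protocol: str
    socket_id: str
    state: str
    local_ip: str
    local_port: int
    foreign_ip: str
    foreign_port: Optional[int]  # None for the '*' wildcard on listeners


# One data row: proto, hex socket id, state, local ip:port, foreign ip:port-or-*
_ROW = re.compile(
    r"^(?P<proto>\S+)\s+(?P<sock>[0-9a-fA-F]+)\s+(?P<state>\S+)\s+"
    r"(?P<lip>[^:\s]+):(?P<lport>\d+)\s+(?P<fip>[^:\s]+):(?P<fport>\d+|\*)$"
)


def parse_asp_sockets(text: str) -> List[AspSocket]:
    """Return one AspSocket per data row; prompt, header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        fport = m["fport"]
        rows.append(AspSocket(
            protocol=m["proto"],
            socket_id=m["sock"].lower(),
            state=m["state"],
            local_ip=m["lip"],
            local_port=int(m["lport"]),
            foreign_ip=m["fip"],
            foreign_port=None if fport == "*" else int(fport),
        ))
    return rows


def remote_cli_sessions(sockets: List[AspSocket]) -> List[AspSocket]:
    """Established to-the-box sessions on a management port: the only candidates
    that can own the module console from a remote CLI."""
    return [s for s in sockets
            if s.state == "ESTAB" and s.local_port in MGMT_PORTS]


def plan_clear(asp_output: str) -> Tuple[Optional[str], str]:
    """Decide which connection to clear.

    Returns (command, note). command is None when the script must not act:
    no remote session (the console is then held locally, e.g. on the serial
    console, which clear conn cannot drop) or more than one candidate (pick
    one by hand after 'show ssh sessions', since clearing drops a live admin).
    """
    sessions = remote_cli_sessions(parse_asp_sockets(asp_output))
    if not sessions:
        return None, "no remote CLI session found; the console is probably held locally"
    if len(sessions) > 1:
        peers = ", ".join(f"{s.foreign_ip}:{s.foreign_port}" for s in sessions)
        return None, f"{len(sessions)} remote CLI sessions ({peers}); choose one manually"
    s = sessions[0]
    # Same command form as used in this document. Run
    # 'show conn all | in <port>' first and confirm exactly one connection matches.
    return (f"clear conn all port {s.foreign_port}",
            f"will disconnect {s.foreign_ip}:{s.foreign_port} "
            f"({s.protocol} to local port {s.local_port})")


if __name__ == "__main__":
    command, note = plan_clear(SAMPLE_ASP_SOCKETS)
    print(note)
    print(command or "(nothing to clear)")
```

Run it against a pasted copy of the listing; on the sample above it prints the same clear conn all port 52565 that the document uses. When the listing shows only LISTEN rows the console is not held by any remote CLI session, so the script reports that instead of guessing.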

Cisco bug ID CSCuh65249 (ASA 5500-X: Need a way to clear out console connection to IPS/CX module) was filed in order to introduce a more graceful way to clear such a console connection.

Cisco bug ID CSCud27214 (Cannot exit from session ips console when connected to terminal server) was filed in order to resolve the inability to exit from a module console with the CTRL-^X escape sequence when the ASA is reached through a terminal server.

Alternate Solution

Alternatively, if it is not possible to kill the existing console connection with the method previously mentioned, use the session ips or session cxsc command in order to access the IPS or CX module, respectively. This opens a login session to the module rather than its console, so it is not subject to the one-console limit and multiple such sessions can be established simultaneously to the software module.
