This document describes how to troubleshoot the unresponsive state of
the Advanced Inspection and Prevention Security Services Module (AIP-SSM) in
the Cisco 5500 series Adaptive Security Appliance (ASA).
There are no specific requirements for this document.
The information in this document is based on the AIP-SSM in the Cisco
5500 Series ASA.
The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.
Technical Tips Conventions for more information on document
The AIP-SSM goes into an unresponsive state and fails to respond to HTTP
or ASDM access, but is accessible from the CLI, as shown:
Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  0 ASA 5510 Adaptive Security Appliance         ASA5510            JMX0934K021
  1 ASA 5500 Series Security Services Module-10  ASA-SSM-10         JAB093203S3

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
--- --------------------------------- ------------ ------------ ---------------
  0 0013.c480.a11d to 0013.c480.a121  1.0          1.0(10)0     7.0(2)
  1 0013.c480.b204 to 0013.c480.b204  1.0          1.0(10)0     5.0(2)S152.0
0 Up Sys
Issue the hw-module module 1 reset command on your ASA. This command
performs a hardware reset of the AIP-SSM. It is applicable when the card
is in any of these states:
If you reboot the ASA in an unresponsive state, your SSM must be
re-imaged. Refer to the AIP-SSM System Image section of
Downgrading, and Installing System Images for more information and steps
on how to re-image the AIP-SSM.
Note: Refer to the
Shutting Down, Resetting, and Recovering AIP-SSM section of
ASA-SSM for more information about the various commands available to
troubleshoot the AIP-SSM.
This problem is due to Cisco bug ID
(registered customers only)
This error message is seen on the GUI.
Error connecting to sensor. Error Loading Sensor error
Check whether the IPS SSM management interface is up or down, and check
its configured IP address, subnet mask and default gateway. This is the
interface used to access the Cisco Adaptive Security Device Manager (ASDM)
software from the local machine. Try to ping the management interface IP
address of the IPS SSM from the local machine from which you want to access
the ASDM. If you are unable to ping, check the ACLs on the
The cannot communicate with main app
error message appears while you attempt to connect to the AIP SSM
Reload the ASA or the AIP SSM module in order to resolve this
The Error: execUpgradeSoftware Connection failed error message is seen
on the CLI.
Check whether the IPS SSM management interface is up or down, and that it
is the interface through which the ASA-IPS attempts to make contact in order
to download the software. This is not a backplane connection between the ASA
and IPS-SSM; it is the Ethernet connection on the AIP-SSM module itself, which
needs to be connected to a switch port and configured with an IP address,
subnet mask and default gateway. If HTTP still does not work, try to use the
FTP or SCP option with the
The Error: execUpgradeSoftware The update requires 60340 KB in
/usr/cids/idsRoot/var/updates, there are only 57253 KB available. error
message is seen during upgrade.
In order to fix this issue, you need to log into the CLI of the sensor
with a service account. If you do not have a service account, you can create
one with these commands:
user (username) priv service password (pass)
Once you log into the service account, issue the
rm /usr/cids/idsRoot/var/*pmz command and log out of the service
account. Then check that the upgrade completes.
This error occurs because too little space is available on the IPS module,
since the recovery files occupy space on the module. Complete these steps in
order to remove the recovery files and resolve this error:
bash-2.05b# cd /usr/cids/idsRoot/var/updates/
bash-2.05b# ls -l
drwxr-xr-x 2 cids cids 1024 Jul 1 22:35 backups
drwxr-xr-x 2 cids cids 1024 Oct 19 15:26 download
drwxrwxr-x 2 cids cids 1024 Oct 19 15:26 logs
-rw-r--r-- 1 root root 183 Sep 6 21:54 package
-rw-r--r-- 1 cids cids 27587840 Jul 9 2009 recovery.gz
drwxr-xr-x 2 cids cids 1024 Jul 1 22:35 scripts
bash-2.05b# rm recovery.gz
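The following shell script is an added example, not code from Cisco or the original document: it computes the shortfall from the execUpgradeSoftware error text and lists, without deleting anything, the regular files in the updates directory whose removal would cover it. The function names are hypothetical, and it assumes a POSIX shell with sed, awk, sort and wc.

```shell
#!/bin/sh
# Added example, not Cisco code; function names are hypothetical.

# Parse the execUpgradeSoftware error text (it may be line-wrapped) and print
# "<dir> <required_kb> <available_kb> <shortfall_kb>"; return 1 on no match.
parse_update_error() {
    printf '%s\n' "$1" | tr '\n' ' ' | sed -n \
        's/.*requires \([0-9][0-9]*\) *KB in \([^ ,]*\),.*only \([0-9][0-9]*\) *KB.*/\2 \1 \3/p' |
    awk 'NF == 3 { print $1, $2, $3, $2 - $3; ok = 1 } END { exit !ok }'
}

# Print "<size_kb> <name>" for regular files directly under directory $1,
# largest first, stopping once the listed sizes cover the shortfall $2 (KB).
# Subdirectories (backups, download, logs, scripts) are never listed, and
# nothing is deleted: the output is only a review list.
removal_candidates() {
    for f in "$1"/*; do
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        echo "$(( $(wc -c < "$f") / 1024 )) ${f##*/}"
    done | sort -rn | awk -v need="$2" 'freed < need { print; freed += $1 }'
}

# Error text as quoted in this document.
MSG='Error: execUpgradeSoftware The update requires 60340 KB in /usr/cids/idsRoot/var/updates, there are only 57253 KB available.'

if fields=$(parse_update_error "$MSG"); then
    set -- $fields    # $1=dir $2=required $3=available $4=shortfall
    echo "shortfall in $1: $4 KB (need $2, have $3)"
    if [ -d "$1" ]; then removal_candidates "$1" "$4"; fi
fi
```

For the listing shown above, recovery.gz (27587840 bytes, about 26941 KB) alone covers the 3087 KB shortfall.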
This error message appears:
Cannot send xml document to sensor.
This issue can be resolved if you regenerate the TLS certificate with
this command:
When you try to access SSM, this error message is displayed.
Opening command session with slot 1.
Card in slot 1 did not respond to session request
Issue the hw-module module 1 recover command
in order to resolve this problem. Refer to
AIP-SSM for more information on this command.
When you try to insert the AIP SSM module into the ASA, this error
message is displayed.
module in slot 1 experienced a channel communication failure
Reload the ASA in order to resolve the issue. If the issue still exists,
contact TAC for further help.
AIP-SSM fails after the signature is updated. The signature update
causes the AIP-SSM to run out of memory and become unresponsive when the number
of signatures enabled is high.
Reset the signature definition in order to resolve the issue. If too
many signatures are enabled, then try to reset the signature definition. SSH to
the sensor and use these commands:
service signature-definition sig0
A latency issue occurs with the IPS sensor.
The latency issue occurs when the deny action inline and deny packet
are enabled for every signature in VS0. If you enable all the signatures,
this results in latency because the IPS inspects every single packet that
passes through it. In order to resolve the latency issue, enable only the
specific signatures required for your network traffic flow.