This document describes how to troubleshoot the unresponsive state of the Advanced Inspection and Prevention Security Services Module (AIP-SSM) in the Cisco 5500 series Adaptive Security Appliance (ASA).
There are no specific requirements for this document.
The information in this document is based on the AIP-SSM in the Cisco 5500 Series ASA.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Refer to Cisco Technical Tips Conventions for more information on document conventions.
The AIP-SSM goes into an unresponsive state, fails to respond to HTTP or ASDM access but is accessible from CLI, as shown:
Mod Card Type Model Serial No.
--- -------------------------------------------- ------------------ -----------
0 ASA 5510 Adaptive Security Appliance ASA5510 JMX0934K021
1 ASA 5500 Series Security Services Module-10 ASA-SSM-10 JAB093203S3
Mod MAC Address Range Hw Version Fw Version Sw Version
--- --------------------------------- ------------ ------------ ---------------
0 0013.c480.a11d to 0013.c480.a121 1.0 1.0(10)0 7.0(2)
1 0013.c480.b204 to 0013.c480.b204 1.0 1.0(10)0 5.0(2)S152.0
0 Up Sys
Issue the hw-module module 1 reset command on your ASA. This command performs a hardware reset of the AIP-SSM. It is applicable when the card is in any of these states:
If you reboot the ASA in an unresponsive state, your SSM must be re-imaged. Refer to the Installing the AIP-SSM System Image section of Upgrading, Downgrading, and Installing System Images for more information and steps on how to re-image the AIP-SSM.
Note: Refer to the Reloading, Shutting Down, Resetting, and Recovering AIP-SSM section of Configuring ASA-SSM for more information about the various commands available to troubleshoot the AIP-SSM.
This problem is due to Cisco bug ID CSCts58648 (registered customers only) .
This error message is seen on the GUI.
Error connecting to sensor. Error Loading Sensor error
Check the IPS SSM management interface is up/down, and check its configured IP address, subnet mask and default gateway. This is the interface to access the Cisco Adaptive Security Device Manager (ASDM) Software from the local machine. Try to ping the management interface IP address of IPS SSM from the local machine that you want to access the ASDM. If unable to ping check the ACLs on the sensor.
The cannot communicate with main app error message appears while you attempt to connect to the AIP SSM module.
Reload the ASA or the AIP SSM module in order to resolve this error.
The Error: execUpgradeSoftware Connection failed error message is seen on the CLI.
Check that the IPS SSM management interface is up/down and that it is the interface through which the ASA-IPS attempts to contact in order to download the software. This is not a backplane connection between the ASA and IPS-SSM; it is the Ethernet connection on the AIP-SSM module itself, which needs to be connected to a switch port and configured with a IP address, subnet mask and default gateway. If http still does not work, try to use the FTP or SCP option with the upgrade command.
The Error: execUpgradeSoftware The update requires 60340 KB in /usr/cids/idsRoot/var/updates, there are only 57253 KB available. error message is seen during upgrade.
In order to fix this issue, you need to log into the CLI of the sensor with a service account. If you do not have a service account, you can create one with these commands:
user (username) priv service password (pass)
Once you log into the service account, issue these rm /usr/cids/idsRoot/var/*pmz commands and log out of the service account. Then check that the upgrade completes.
This error occurs because of the less space available on the IPS module since the recovery files occupy more space on Module. Complete these steps in order to remove recovery files and resolve this error:
bash-2.05b# cd /usr/cids/idsRoot/var/updates/
bash-2.05b# ls -l
drwxr-xr-x 2 cids cids 1024 Jul 1 22:35 backups
drwxr-xr-x 2 cids cids 1024 Oct 19 15:26 download
drwxrwxr-x 2 cids cids 1024 Oct 19 15:26 logs
-rw-r--r-- 1 root root 183 Sep 6 21:54 package
-rw-r--r-- 1 cids cids 27587840 Jul 9 2009 recovery.gz
drwxr-xr-x 2 cids cids 1024 Jul 1 22:35 scripts
bash-2.05b# rm recovery.gz
This error message appears:
Cannot send xml document to sensor.
This issue can be resolved if you regenerate the tls certificate with this command:
When you try to access SSM, this error message is displayed.
Opening command session with slot 1.
Card in slot 1 did not respond to session request
Issue the hw-module module 1 recover command in order to resolve this problem. Refer to Recovering AIP-SSM for more information on this command.
When you try to insert the AIP SSM module into the ASA, this error message is displayed.
module in slot 1 experienced a channel communication failure
Reload the ASA in order to resolve the issue. If issue still exists, contact TAC for further help.
AIP-SSM fails after the signature is updated. The signature update causes the AIP-SSM to run out of memory and become unresponsive when the number of signatures enabled is high.
Reset the signature definition in order to resolve the issue. If too many signatures are enabled, then try to reset the signature definition. SSH to the sensor and use these commands:
service signature-definition sig0
Latency issue occurs with the IPS sensor.
The latency issue occurs when the deny action inline and deny packet are enabled for every signature in VS0. If you enable all the signatures, this results in latency as IPS inspects every single packet through which that passes. It is good to enable only the specific signature required as per the network traffic flow in order to resolve the latency issue.