Cisco Content Security and Control SSM Administrator Guide, 6.0
Troubleshooting Trend Micro InterScan for Cisco CSC SSM
Download this chapter
Troubleshooting Trend Micro InterScan for Cisco CSC SSMTroubleshooting Trend Micro InterScan for Cisco CSC SSM
Download the complete book
Cisco Content Security and Control SSM Administrator Guide, 6.0(1) -- Whole Book PDFCisco Content Security and Control SSM Administrator Guide, 6.0(1) -- Whole Book PDF (PDF - 2 MB)
give_us_feedback

Table Of Contents

Troubleshooting Trend Micro InterScan
for Cisco CSC SSM

Troubleshooting Installation

What To Do If Installation Fails

Troubleshooting Activation

Troubleshooting Basic Functions

Cannot Log On

Recovering a Lost Password

Summary Status and Log Entries Out of Synch

Delay in HTTP Connection

Access to Some Websites Is Slow or Inaccessible

Performing a Packet Capture

FTP Download Does Not Work

Troubleshooting Scanning Functions

Cannot Update the Pattern File

Spam Not Being Detected

Cannot Create a Spam Stamp Identifier

Unacceptable Number of Spam False Positives

Cannot Accept Any Spam False Positives

Unacceptable Amount of Spam

Virus Is Detected but Cannot Be Cleaned

Virus Scanning Not Working

Scanning Not Working Because of Incorrect ASA Firewall Policy Configuration

Scanning Not Working Because the CSC SSM Is in a Failed State

Downloading Large Files

Restart Scanning Service

Troubleshooting Performance

CSC SSM Console Timed Out

Status LED Flashing for Over a Minute

SSM Cannot Communicate with ASDM

Logging in Without Going Through ASDM

CSC SSM Throughput is Significantly Less Than ASA

Using Knowledge Base

Using the Security Information Center

Understanding the CSC SSM Syslogs

SSM Application Mismatch [1-105048]

Traffic Dropped Because of CSC Card Failure [3-421001]

Skip Non-applicable Traffic [6-421002]

Drop ASDP Packet with Invalid Encapsulation[3-421003]

Failed to Inject Packet [7-421004]

Account Host Toward License Limit [6-421005]

Daily Node Count [5-421006]

Traffic Dropped Because of CSC Card Failure [6-421007]

New Application Detected [5-505011]

Application Stopped [5-505012]

Application Version Changes [5-505013]

Data Channel Communication Failure [3-323006]

Data Channel Communication OK [5-505010]

Before Contacting Cisco TAC


Troubleshooting Trend Micro InterScan
for Cisco CSC SSM

This chapter is provided to help you troubleshoot potential issues before contacting TAC for assistance, and includes the following sections:

Troubleshooting Installation

What To Do If Installation Fails

Troubleshooting Activation

Troubleshooting Basic Functions

Cannot Log On

Recovering a Lost Password

Summary Status and Log Entries Out of Synch

Delay in HTTP Connection

Access to Some Websites Is Slow or Inaccessible

FTP Download Does Not Work

Troubleshooting Scanning Functions

Cannot Update the Pattern File

Spam Not Being Detected

Cannot Create a Spam Stamp Identifier

Unacceptable Number of Spam False Positives

Cannot Accept Any Spam False Positives

Unacceptable Amount of Spam

Virus Is Detected but Cannot Be Cleaned

Virus Scanning Not Working

Downloading Large Files

Restart Scanning Service

Troubleshooting Performance

CSC SSM Console Timed Out

Status LED Flashing for Over a Minute

SSM Cannot Communicate with ASDM

Logging in Without Going Through ASDM

CSC SSM Throughput is Significantly Less Than ASA

Understanding the CSC SSM Syslogs

SSM Application Mismatch [1-105048]

Traffic Dropped Because of CSC Card Failure [3-421001]

Skip Non-applicable Traffic [6-421002]

Drop ASDP Packet with Invalid Encapsulation[3-421003]

Failed to Inject Packet [7-421004]

Account Host Toward License Limit [6-421005]

Daily Node Count [5-421006]

Traffic Dropped Because of CSC Card Failure [6-421007]

New Application Detected [5-505011]

Application Stopped [5-505012]

Application Version Changes [5-505013]

Data Channel Communication Failure [3-323006]

Data Channel Communication OK [5-505010]

Using Knowledge Base

Using the Security Information Center

Understanding the CSC SSM Syslogs

Before Contacting Cisco TAC

Troubleshooting Installation

The following describes a successful command-line version of the installation. If trouble arises during the installation, see the "What To Do If Installation Fails" section.

To install the CSC SSM via the command-line interface, perform the following steps.

Step 1 From the command-line prompt, type the following to begin the installation: 

hostname# hw-module module 1 recover configure

The output appears similar to the following: 

Image URL [tftp://171.69.1.129/dqu/sg-6.0-1345-tftp.img]: 

Port IP Address [30.0.0.3]: 

VLAN ID [0]: 

Gateway IP Address [30.0.0.254]: 

hostname# hw-module module 1 recover boot


The module in slot 1 will be recovered.  This may

erase all configuration and all data on that device and

attempt to download a new image for it.

Recover module in slot 1? [confirm]

Recover issued for module in slot 1

hostname# 

hostname# debug module-boot  

debug module-boot  enabled at level 1

Step 2 After about a minute, the CSC-SSM drops into ROMMON, and prints messages similar to the following: 

hostname# Slot-1 206> Cisco Systems ROMMON Version (1.0(10)0) #0: Sat Mar 26 00:13:50 PST 
2005

Slot-1 207>     morlee@bowmore:/pixab/biosbuild/1.0.10.0/boot/rommon

Slot-1 208> Platform ASA-SSM-AIP-10-K9

Slot-1 209> GigabitEthernet0/0

Slot-1 210> Link is UP

Slot-1 211> MAC Address: 000b.fcf8.01b3

Slot-1 212> ROMMON Variable Settings:

Slot-1 213>   ADDRESS=30.0.0.3

Slot-1 214>   SERVER=171.69.1.129

Slot-1 215>   GATEWAY=30.0.0.254

Slot-1 216>   PORT=GigabitEthernet0/0

Slot-1 217>   VLAN=untagged

Slot-1 218>   IMAGE=dqu/sg-6.0-1345-tftp.img

Slot-1 219>   CONFIG=

Slot-1 220>   LINKTIMEOUT=20

Slot-1 221>   PKTTIMEOUT=2

Slot-1 222>   RETRY=20

Slot-1 223> tftp dqu/sg-6.0-1345-tftp.img@171.69.1.129 via 30.0.0.254

Step 3 The SSM attempts to connect to the TFTP server to download the image. After several seconds, output similar to the following appears: 

Slot-1 224> 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Slot-1 225> 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Slot-1 226> 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Slot-1 227> 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Slot-1 228> 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

. . . [ output omitted ]. . .

Slot-1 400> 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Slot-1 401> 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Slot-1 402> 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Slot-1 403> 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Slot-1 404> 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Slot-1 405> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Slot-1 406> Received 59501255 bytes

Step 4 The TFTP download is complete. Note the number of received bytes, which should be the same size as your CSC SSM image. ROMMON then launches the image. 

Slot-1 407> Launching TFTP Image...

Step 5 The image is being unpacked and installed. After several minutes, CSC SSM reboots. Messages similar to the follow appear. 

Slot-1 408> Cisco Systems ROMMON Version (1.0(10)0) #0: Sat Mar 26 00:13:50 PST 2005

Slot-1 409>     morlee@bowmore:/pixab/biosbuild/1.0.10.0/boot/rommon

Slot-1 410> Platform ASA-SSM-AIP-10-K9

Slot-1 411> Launching BootLoader...

Step 6 After a minute or two, the CSC SSM boots up. Verify that the system has booted as follows: 

hostname# show module 1

Output similar to the following appears: 


Mod Card Type                                    Model              Serial No. 

--- -------------------------------------------- ------------------ -----------

  1 ASA 5520/5530 AIP Security Service Module-10 ASA-SSM-AIP-10-K9  P00000000TT


Mod MAC Address Range                 Hw Version   Fw Version   Sw Version     

--- --------------------------------- ------------ ------------ ---------------

  1 000b.fcf8.01b3 to 000b.fcf8.01b3  1.0          1.0(10)0     CSC SSM 6.0 (Build#1345)


Mod SSM Application Name           Status           SSM Application Version

--- ------------------------------ ---------------- --------------------------

  1 CSC SSM                        Down             6.0 (Build#1345)


Mod Status             Data Plane Status     Compatibility

--- ------------------ --------------------- -------------

  1 Up                 Up

Look for the two instances of "Up" in the Mod Status table (the last line of the output). The "Down" in the Status field of the SSM Application Name table indicates that the card is not yet activated.

What To Do If Installation Fails

Table 8-1 describes what to do if installation failure occurs during the steps described in the "Troubleshooting Installation" section.

Table 8-1 What to Do If Installation Fails

If installation failure occurs at this step:
Your action is:

Step 2

Call Cisco TAC.

Step 3

1. Make sure you set the gateway IP address to 0.0.0. if your TFTP server is in the same IP subnet as your CSC SSM.

2. If there is any router/firewall between the CSC SSM and your TFTP server, make sure these gateways allow TFTP traffic through UDP port 69. Also, verify that routes are set up correctly on these gateways and the TFTP server itself.

3. Verify the image path exists on the TFTP server, and that the directory and file are readable to all users.

Step 4

Verify the total number of bytes downloaded. If the number is different than the size of the CSC SSM image, your TFTP server may not support files the size of the image. Try another TFTP server in this case.

Step 5

Download the image again and try once more to install. If the install is not successful a second time, contact Cisco TAC.

Step 6

Download the image again and try once more to install. If the install is not successful a second time, contact Cisco TAC.


Troubleshooting Activation

Before taking any other action, make sure that the clock is set correctly on ASA. See Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide for more information, as well as the ASDM online help.

Next, use the show module, show module 1, and show module 1 details commands to verify that the CSC SSM has been activated successfully. If you cannot resolve the problem using the output from these commands, contact Cisco TAC.

Troubleshooting Basic Functions

The following sections describe issues you may encounter with basic functions, such as logging on or password recovery.

Cannot Log On

Recovering a Lost Password

Summary Status and Log Entries Out of Synch

Delay in HTTP Connection

Access to Some Websites Is Slow or Inaccessible

FTP Download Does Not Work

Cannot Log On

You specified an administrator password when you installed Trend Micro InterScan for Cisco CSC SSM with the setup wizard. You must use the password you created during installation to log in. This is not the same password that you use to access ASDM. Passwords are case-sensitive, so be sure you have entered the characters correctly.

If you forget your password, it can be recovered. See Using Knowledge Base for more information.

Recovering a Lost Password

There are three passwords used to manage the ASDM/CSC SSM. They are:

The ASDM/Web interface password

The CLI password

The root account password

The default entry for all three passwords is "cisco." If you have lost all three passwords, follow these steps for recovery:

Step 1 Re-image the CSC SSM, which restores the factory default settings. Re-imaging transfers a factory default software image to the SSM. Transfering an image is described in the "Managing AIP SSM and CSC SSM" chapter of the Cisco Security Appliance Command Line Configuration Guide.

Step 2 After re-imaging, all passwords are restored to their default value. You can now log in using the default password "cisco" and create a new ASDM/Web interface password.

Step 3 Use the new ASDM/Web interface password to access the CSC SSM interface. Go to Administration > Configuration Backup.

Step 4 Import the most recent configuration backup to restore your configuration settings.

Step 5 Using the default password "cisco," access the command-line interface and the root account to update the default CLI and root account passwords as well.

You may have lost one or two passwords, but not all. The following describes how to recover in this case.

If you have the ASDM/Web interface password, but have lost the cisco and root account passwords, you can continue to manage the CSC SSM via the Web interface, but there is no way to use the command-line interface or root account if you should need to at some time in the future. To recover these two passwords, re-image and restore using the steps described above.

If you have only the CLI password, you can log in to the CSC SSM and navigate to the "Restore Factory Defaults" option to reset the SSM, which has the same effect as re-imaging. Then import your saved configuration. See Restore Factory Defaults for more information about the Restore Factory Defaults option.

If you have only the root account password, log in and use the password command to set the CLI password. Then proceed as described in the previous paragraph.

Summary Status and Log Entries Out of Synch

You may occasionally notice that the counters displayed on the Mail (SMTP), Mail (POP3), Web (HTTP), and File Transfer (FTP) tabs of the Summary window do not synchronize to the statistics displayed in the log reports. (In the CSC SSM console, the logs are accessed by choosing Logs > Query.) This "mismatch" happens because:

The logs are reset by a reboot that occurs either because of a device error or a reboot following installation of a patch.

Logs are frequently purged because of limited memory storage on the SSM.

Delay in HTTP Connection

A delay of approximately 30 seconds can occur if you have URL filtering enabled on the CSC SSM, but the CSC SSM does not have access to the Internet via HTTP. Trend Micro maintains an online database that stores URLs in different categories. CSC SSM attempts to access the URL database when intercepting an HTTP request from a client. If you cannot grant Internet access to (either direct, or indirect via a proxy), disable URL filtering.

Access to Some Websites Is Slow or Inaccessible

There are some websites, such as banks, online shopping sites, or other special purpose servers that require extra backend processing before responding to a client request. The CSC SSM has a hard-code 90 second timeout between the client request and the server response to prevent transactions from tying up resources on the CSC SSM for too long. This means that transactions that take longer time to process fail.

The workaround is to exclude the site from scanning. To do so from the command-line interface, for example, for a site on the outside network with the IP 192.168.10.10: 

! exempt http traffic to 192.168.10.10

    access-list 101 deny tcp any host 192.168.1.1 eq http

    ! catch everything else

    access-list 101 permit tcp any any eq http

    class-map my_csc_class

          match access-list 101

    policy-map my_csc_policy

         class my_csc_class

             csc fail-close

    service-policy my_csc_policy interface inside

The above configuration exempts HTTP traffic to 192.168.10.10 from being scanned by the CSC SSM.

Performing a Packet Capture

If there are sites you can access without going through CSC SSM, but cannot access when traffic is being scanned, report the URL to Cisco TAC. If possible, do a packet capture and send the information to TAC as well. For example, assuming the client has IP 10.1.1.1, and the outside website has IP 10.2.2.2: 

access-list cap_acl permit tcp host 1.1.1.1 host 2.2.2.2

access-list cap_acl permit tcp host 2.2.2.2 host 1.1.1.1

capture cap access-list cap_acl interface inside

capture cap access-list cap_acl interface outside

FTP Download Does Not Work

If your FTP login works, but you cannot download via FTP, verify whether the inspect ftp setting is enabled on the ASA. See the Cisco Security Appliance Command Line Configuration Guide for more information.

Troubleshooting Scanning Functions

The following sections describe issues you may encounter with scanning for viruses and/or spam.

Cannot Update the Pattern File

Spam Not Being Detected

Cannot Create a Spam Stamp Identifier

Unacceptable Number of Spam False Positives

Cannot Accept Any Spam False Positives

Unacceptable Amount of Spam

Virus Is Detected but Cannot Be Cleaned

Virus Scanning Not Working

Downloading Large Files

Restart Scanning Service

Cannot Update the Pattern File

If the pattern file is out of date, and you are unable to update it, the most likely cause is that your Maintenance Agreement has expired. Check the Expiration Date field on the Administration > Product License window. If the date shown is in the past, you cannot update the pattern file until you renew your Maintenance Agreement.

Another possible cause is that the Trend Micro ActiveUpdate server is temporarily down. Try to update again in a few minutes.

Spam Not Being Detected

If the anti-spam feature does not seem to be working, be sure that:

You have enabled the feature; the anti-spam option is not enabled by default (See Enabling SMTP & POP3 Spam Filtering for more information)

You have configured the incoming mail domain (See Configuring SMTP Message Filter, Disclaimer, & Incoming Mail Domain for more information)

Cannot Create a Spam Stamp Identifier

A spam stamp identifier is a message that appears in the email message subject. For example, for a message titled "Q3 Report," if the spam stamp identifier is defined as "Spam:," the message subject would appear as "Spam:Q3 Report."

If you are having problems creating a spam identifier, make sure you are using only English upper and lowercase characters, digits 0-9, or the set of special characters shown in Figure 8-1.

Figure 8-1 Special characters for spam stamp identifier

If you attempt to use characters other than those specified, you cannot use the spam identifier for your SMTP and POP3 messages.

Unacceptable Number of Spam False Positives

Your spam filtering threshold may be set at a level that is too aggressive for your organization. Assuming you adjusted the threshold to Medium or High, try a lower setting in the threshold fields on the Mail (SMTP) > Anti-spam > SMTP Incoming Anti-spam window and the Mail (POP3) > Anti-spam > POP3 Anti-spam windows. Also enable the anti-spam "stamp message" feature on the SMTP Incoming Anti-spam window and the POP3 Anti-spam windows. See the online help for these two windows for more information.

Also, if users in your network are receiving newsletters, this type of message tends to trigger a high number of false positives. Add the newsletter email address or domain name to the approved senders list to bypass spam filtering on these messages.

Cannot Accept Any Spam False Positives

Some organizations, such as banks and other financial institutions, cannot risk any message being identified as a false positive. In this case, disable the anti-spam feature for SMTP and POP3.

Unacceptable Amount of Spam

You may have set your spam filtering threshold at a level that is too lenient for your organization. Try a higher setting in the threshold fields on the Mail (SMTP) > Anti-spam > SMTP Incoming Anti-spam window and the Mail (POP3) > Anti-spam > POP3 Anti-spam window.

Virus Is Detected but Cannot Be Cleaned

Not all virus-infected files are cleanable. For example, a password-protected file cannot be scanned or cleaned.

If you think you are infected with a virus that does not respond to cleaning, go to the following URL:

http://subwiz.trendmicro.com/SubWiz/Default.asp

This link takes you to the Trend Micro Submission Wizard, which includes information on what to do, including how to submit your suspected virus to TrendLabs for evaluation.

Virus Scanning Not Working

Ensure that no one has disabled the virus scanning feature on the SMTP Incoming, SMTP Outgoing, POP3, HTTP, and FTP Scanning windows. If scanning is enabled but viruses are not being detected, contact customer support for assistance.

Also, test the virus scanning feature by following the directions described in the "Test the Antivirus Feature" section.

Scanning Not Working Because of Incorrect ASA Firewall Policy Configuration

Another possible cause is that a file has not been scanned due to incorrect ASA firewall policy configuration. Use the ASA show service-policy csc command in the CLI to configure the SSM to process traffic. For example: 

show service-policy flow tcp host [clientIP] host [server IP] eq [proto]

For example: 

hostname(config)# show service-policy flow tcp host 192.168.10.10 host 10.69.1.129 eq http

Global policy:

Service-policy: global_policy

Class-map: trend

Match: access-lit trend

	Access rule: permit tcp any any eq www

Action: 

	Output flow: csc fail-close

	Input flow set connection timeout tcp 0:05:00

Class-map: perclient

Match: access-lit perclient

	Access rule: permit IP any any

	Action:

	Input flow: set connection per-client-max 5 per-client-embryonic-max 2

Scanning Not Working Because the CSC SSM Is in a Failed State

If the CSC SSM is in the process of rebooting, or has experienced a software failure, a syslog error 421007 is generated. In the CLI, enter the following command to view the status of the SSM card: 

hostname# show module 1

The out appears in several tables, as shown in the following example. The third table (SSM Application Name) displays a status. In this example, the status of the SSM is "Down." 

Mod Card Type                                    Model 	 Serial No. 

--- -------------------------------------------- -----------------------------

1 ASA 5500 Series Security Services Module-10  ASA-SSM-10 JAB092400TX


Mod MAC Address Range                 Hw Version   Fw Version   Sw Version

--- --------------------------------- ------------ ---------------------------

  1 0013.c480.ae4c to 0013.c480.ae4c  1.0          1.0(10)0     CSC SSM 6.0 (Build#1345)


Mod SSM Application Name           Status           SSM Application Version

--- ------------------------------ ------------------------------------------

  1 CSC SSM                        Down             6.0 (Build#1345)


Mod Status             Data Plane Status     Compatibility

--- ------------------ --------------------- -------------

  1 Up                 Up

There are three possible states that could display in the Status field for the third table:

Down—A permanent error, such as an invalid activation code was used, licensing has expired, or a file has been corrupted

Reload—Scanning is restarting, for example during a pattern file update

Up—A normal operating state

To view the state for each individual process, issue the following command in the CLI: 

hostname# show module 1 detail

The output appears similar to the following: 

Getting details from the Service Module, please wait...

ASA 5500 Series Security Services Module-10

Model:              ASA-SSM-10

Hardware version:   1.0

Serial Number:      JAB092400TX

Firmware version:   1.0(10)0

Software version:   CSC SSM 6.0 (Build#1345)

MAC Address Range:  0013.c480.ae4c to 0013.c480.ae4c

App. name:          CSC SSM

App. Status:        Down

App. Status Desc:   CSC SSM scan services are not available

App. version:       6.0 (Build#1345)

Data plane Status:  Up

Status:             Up

HTTP Service:       Down


Mail Service:       Down


FTP  Service:       Down


Activated:          No


Mgmt IP addr:       <not available>


Mgmt web port:      8443


Peer IP addr:       <not enabled>

The status for the CSC SSM is shown in the App. Status field. In the example, the status is "Down." The possible states for this field are:

Not Present—The SSM card is not found

Init—The SSM card is booting

Up—The SSM card is up and running

Unresponsive—The SSM card is not responding

Reload—The SSM card is reloading

Shutting Down—The SSM card is shutting down

Down—The SSM card is down and can be safely removed from its slot

Recover—The SSM card is being reimaged

Downloading Large Files

Handling of very large files may be a potential issue for the HTTP and FTP protocols. On the Target tabs of the HTTP Scanning and FTP Scanning windows, you configured large file handling fields, which included a deferred scanning option.

If you did not enable deferred scanning, InterScan for Cisco CSC SSM must receive and scan the entire file before passing the file contents to the requesting user. Depending on the file size, this could:

Result in the file being downloaded, but very slowly at first with more rapid speed as the download progresses

Take longer than the automatic browser timeout period, with the result being that the user is unable to receive the file contents at all (because the browser times out before the download completes)

If you enabled deferred scanning, part of the content of the large file is delivered without scanning to prevent timeout. Subsequent portions of the content are being scanned in the background and are then downloaded if no threat is detected. If a threat is detected, the rest of the file is not downloaded, but the unscanned portion of the large file is already stored on the user's machine and may introduce a security risk.

Restart Scanning Service

The Mail (SMTP and POP3) tabs on the Summary window display a count of Messages processed since the service was started in the Message Activity area of the window. For an example, see Figure 8-2.

Figure 8-2 Messages Processed Counter on the Mail (POP3) Tab of the Summary Window

1

Message activity counter


Several events can cause these counters to reset to zero. The events are:

A pattern file or scan engine update

A configuration change

Application of a patch

The statistics in the Detection Summary area of the window do not reset; these statistics continue to update as trigger events occur, regardless of the above events.

There is nothing wrong when the counters reset, you simply need to understand what causes a counter reset. If, however, you have a continuous zero in the Messages processed... fields, this indicates that email traffic is not being scanned and you should investigate the situation.

Troubleshooting Performance

The following sections describe issues you may encounter with performance.

CSC SSM Console Timed Out

Status LED Flashing for Over a Minute

SSM Cannot Communicate with ASDM

Logging in Without Going Through ASDM

CSC SSM Throughput is Significantly Less Than ASA

CSC SSM Console Timed Out

If you leave the CSC SSM console active and there is no activity detected for approximately 10 minutes, your session is timed out. Log in again to resume work. Unsaved changes to your work are lost. If you are called away, it's best to save your work and log off until your return.

Status LED Flashing for Over a Minute

If the Status LED continues flashing for more than a minute, the scanning service is not available. To resolve this problem, reboot the system from ASDM, or contact customer support for assistance.

Caution If the file to be downloaded is larger than the size specified in the Do not scan files larger than... field, the file is delivered without scanning and may present a security risk.

SSM Cannot Communicate with ASDM

See the "Reset Management Port Access Control" section for information on resetting port access controls, which may solve this problem.

Logging in Without Going Through ASDM

If for some reason ASDM is unavailable, you can log directly into CSC SSM via a Web browser. To log in, perform the following steps:

Step 1 Type the following URL in a browser window: 

https://{SSM IP addresss}:8443

For example: 

https://10.123.123.123:8443/

Step 2 The Logon window displays. Type the password you created on the Password Configuration installation window in the setup wizard and click Log On.

Step 3 The default view of the CSC SSM console is the Status tab on the Summary window:

Figure 8-3 Status Tab of the Summary Screen on the CSC SSM Console

CSC SSM Throughput is Significantly Less Than ASA

Restoring files from TCP connections and scanning them is a heavy operation, which involves much more overhead than protocol-conformance checking that is usually done by firewall. The workaround is to divert only these connections that need to be scanned to CSC SSM to mitigate the performance mismatch.

For example, HTTP traffic can be divided into outbound traffic (an inside user accesses outside websites), inbound traffic (outside users are accessing inside servers), and intranet traffic (traffic between internal sites or trusted partners). You can configure CSC SSM to scan only outbound traffic for viruses, but skip the inbound ones.

Refer to the "Managing AIP SSM and CSC SSM" chapter of the Cisco Security Appliance Command Line Configuration Guide for more information.

Using Knowledge Base

You are welcome to search for more information in the Trend Micro online Knowledge Base. The Knowledge Base URL is:

http://esupport.trendmicro.com

The Knowledge Base search engine allows you to refine your search, by entering product name, problem category, and keywords. There are thousands of solutions available in the Knowledge Base, and more are added weekly.

Using the Security Information Center

Comprehensive security information is available 24x7 from the Trend Micro Security Information Center, which is a free online resource. The Security Information Center URL is:

http://trendmicro.com/vinfo/

The Security Information Center provides information such as the following:

Virus Encyclopedia—A compilation of knowledge about all known threats, including viruses, worms, Trojans, and others

Security Advisories—View malware alerts, risk ratings for the most prominent risks, the most current pattern file and scan engine versions, and other helpful information

Scams and Hoaxes—Information about malware hoaxes, scams such as chain letters or money-based hoaxes, and urban legends

Joke Programs—A repository of information about known joke programs that are detected by the Trend Micro scan engine

Spyware/Grayware—Information about the top ten spyware/grayware programs, and a searchable database of spyware/grayware programs

Phishing Encyclopedia—A list of known phishing scams and a description of the perpetration methods

Virus Map—A description of threats by location worldwide

Figure 8-4 Virus Map

Weekly Virus Report —Current news about threats that have appeared in the past week (Subscribe to the Weekly Virus Report to automatically receive a copy each week via email.)

General virus information, including:

Virus Primer—An introduction to virus terminology and a description of the virus life cycle

Safe Computing Guide—A description of safety guidelines to reduce the risk of infections

Risk ratings—A description of how malware and spyware/grayware threats are classified as Very Low, Low, Medium, or High threats to the global IT community

White papers—Links to documents that explain security concepts with titles such as The Real Cost of a Virus Outbreak or The Spyware Battle—Privacy vs. Profits

Test files—A test file for testing Trend Micro InterScan for Cisco CSC SSM, and instructions for performing the test

Webmaster tools—Free information and tools for Webmasters

TrendLabs—Information about TrendLabs, the ISO 9002-certified virus research and product support center

Understanding the CSC SSM Syslogs

There are 13 syslog messages that are CSC SSM-related. Each of these messages is described below.

SSM Application Mismatch [1-105048] 

Error Message    %ASA-1-105048: (unit) Mate's service module (application) is different 
from mine (application)

Explanation    The failover process detected that different applications are running on the service modules in the active and standby units. The two failover units are incompatible if different service modules are used.

unit—Primary or secondary.

application—The name of the application, such as InterScan Security Card.

Recommended Action    Make sure that both units have identical service modules before trying to re-enable failover.

Traffic Dropped Because of CSC Card Failure [3-421001] 

Error Message    %ASA-3-421001: TCP|UDP flow from interface_name:ip/port to 
interface_name:ip/port is dropped because application has failed.

Explanation    A packet was dropped because the CSC SSM application failed. By default, this message is rate limited to 1 message every 10 seconds.

interface_name—The interface name.

IP_address—The IP address.

port—The port number.

application—The CSC SSM is the only application supported in the current release.

Recommended Action    Immediately investigate the problem with the service module.

Skip Non-applicable Traffic [6-421002] 

Error Message    %ASA-6-421002: TCP|UDP flow from interface_name:IP_address/port to 
interface_nam:IP_address/port bypassed application checking because the protocol is not 
supported.

Explanation    Connection bypassed service module security checking because the protocol it is using cannot be scanned by the service module. For example, the CSC SSM is not capable of scanning TELNET traffic. If user configures TELNET traffic to be scanned, the traffic will bypass the scanning service. By default, this message is rate limited to 1 message every 10 seconds.

IP_address—The IP address.

port—The port number.

interface_name—The name of the interface on which the policy is applied.

application—The CSC SSM is the only application supported in the current release.

Recommended Action    The configuration should be modified to only include protocols that are supported by the service module.

Drop ASDP Packet with Invalid Encapsulation[3-421003] 

Error Message    %ASA-3-421003: Invalid data plane encapsulation.

Explanation    A packet injected by the service module did not have the correct data plane header. Packets exchanged on data backplane adhere to a Cisco proprietary protocol called ASDP. Any packet that does not have the proper ASDP header is dropped.

Recommended Action    Use the capture name type asp-drop [ssm-asdp-invalid-encap] command to capture the offending packets and contact Cisco TAC.

Failed to Inject Packet [7-421004] 

Error Message    %ASA-7-421004: Failed to inject {TCP|UDP} packet from IP_address/port to 
IP_address/port

Explanation    The security appliance has failed to inject a packet as instructed by the service module. This could happen if the security appliance tries to inject a packet into a flow that has already been released.

IP_address—The IP address.

port—The port number.

Recommended Action    This could happen because the security appliance maintains its connection table independently from the service module. Normally it will not cause any problem. If this affects security appliance performance, contact Cisco TAC.

Account Host Toward License Limit [6-421005] 

Error Message    %ASA-6-421005: interface_name:IP_address is counted as a user of application

Explanation    A host has been counted toward the license limit. The specified host was counted as a user of application. The total number of users in 24 hours is calculated at midnight for license validation.

interface_name—The interface name.

IP_address—The IP address.

application—The CSC SSM is the only application supported in the current release.

Recommended Action    No action required. However, if the overall count exceeds the user license you have purchased, contact Cisco to upgrade your license.

Daily Node Count [5-421006] 

Error Message    %ASA-6-421006: There are number users of application accounted during the 
past 24 hours.

Explanation    Identifies the total number of users who have used application for the past 24 hours. This message is generated every 24 hours to give the total number of hosts that have used services provided by the service module.

Recommended Action    No action required. However, if the overall count exceeds the user license you have purchased, contact Cisco to upgrade your license.

Traffic Dropped Because of CSC Card Failure [6-421007] 

Error Message    %ASA-3-421007: TCP|UDP flow from interface_name:IP_address/port to 
interface_name:IP_address/port is skipped because application has failed.

Explanation    This message is generated when a flow is skipped because the service module application has failed. By default, this message is rate limited to 1 message every 10 seconds.

IP_address—The IP address.

port—The port number.

interface_name—The name of the interface on which the policy is applied.

application—the CSC SSM is the only application supported in the current release.

Recommended Action    Immediately investigate the problem with the service module.

New Application Detected [5-505011] 

Error Message    %ASA-5-505011: Module in slot slot, application detected application, 
version version.

Explanation    A new application was detected on a 4GE SSM. This may occur when the system boots, when the 4GE SSM boots, or when the 4GE SSM starts a new application.

slot—The slot in which the application was detected.

application—The name of the application detected.

version—The application version detected.

Recommended Action    No action required if the activity described is normal and expected.

Application Stopped [5-505012] 

Error Message    %ASA-5-505012: Module in slot slot, application stopped application, 
version version

Explanation    This message is generated whenever an application is stopped or removed from a 4GE SSM. This may occur when the 4GE SSM upgrades an application or when an application on the 4GE SSM is stopped or uninstalled.

slot—The slot in which the application was stopped.

application—The name of the application stopped.

version—The application version stopped.

Recommended Action    If an upgrade was not occurring on the 4GE SSM or the application was not intentionally stopped or uninstalled, review the logs from the 4GE SSM to determine why the application stopped.

Application Version Changes [5-505013] 

Error Message    %ASA-5-505013: Module in slot slot application changed from: application 
version version to: newapplication version newversion.

Explanation    This message is generated whenever an application version changes, such as after an upgrade. This occurs when a software update for the application on the module is complete.

slot—The slot in which the application was upgraded.

application—The name of the application that was upgraded.

version—The application version that was upgraded.

slot—The slot in which the application was upgraded.

application—The name of the application that was upgraded.

version—The application version that was upgraded.

newapplication—The new application name.

newversion—The new application version.

Recommended Action    Verify that the upgrade was expected and that the new version is correct.

Data Channel Communication Failure [3-323006] 

Error Message    %ASA-3-323006: Module in slot slot experienced a data channel 
communication failure, data channel is DOWN.

Explanation    This message indicates that a data channel communication failure occurred and the system was unable to forward traffic to the 4GE SSM. This failure triggers a failover when it occurs on the active appliance in a failover pair. It also results in the configured fail open or fail closed policy being enforced on traffic that would normally be sent to the 4GE SSM. This message is generated whenever there is a communication problem over the security appliance dataplane between the system module and the 4GE SSM. This can be caused when the 4GE SSM stops, resets, or is removed.

slot—The slot in which the failure occurred

Recommended Action    If this is not the result of the 4GE SSM reloading or resetting and a corresponding message 5-505010 is not seen after the 4GE SSM returns to an UP state, the module may need to be reset using the hw-module module 1 reset command.

Data Channel Communication OK [5-505010] 

Error Message    %ASA-5-505010: Module in slot slot data channel communication is UP.

Explanation    This message is generated whenever the data channel communication recovers from a DOWN state. This message indicates that data channel communication is operating normally. It occurs after the data channel communication fails and then recovers.

slot—The slot that has established data channel communication.

Recommended Action    No action required unless this message was generated as a result of a previous data channel communication failure (message 3-323006). In that case, check the 4GE SSM messages to determine the cause of the communication failure.

Before Contacting Cisco TAC

Before you contact the Technical Assistance Center (TAC), check the documentation and online help to see if it contains the answer you are looking for. If you have checked the documentation, as well as Knowledge Base, and still need help, please be prepared to give the following information to speed the resolution of your problem:

Product Activation Code(s)

Version number of the product

Version number of the pattern file and scan engine

Number of users

Exact text of the error message, if you received one

Steps to reproduce the problem

See Obtaining Technical Assistance for more information.