What does the IPS message “IPS SSP application reloading IPS" mean?
Updated:May 30, 2016
This document answers a specific question about Cisco Adaptive Security Appliance (ASA) syslog messages.
What does the Cisco Intrusion Prevention System (IPS) message "IPS Security Services Processor (SSP) application reloading IPS" mean?
These syslog messages appear on the ASA:
ASA5585-SSP-IPS20 Module in slot 1, application up "IPS", version "7.1(1)E4" Normal Operation ASA5585-SSP-IPS20 Module in slot 1, application reloading "IPS", version "7.1(1)E4" Config Change
The ASA does not failover, and the IPS does not show as "failed." What is the impact of this message? What does it mean? Should I be concerned about this message?
These messages are generated during some, but not all, of the Global Correlation (GC) updates that are attempted every five minutes. This message is also generated during an IPS signature update. This message is expected behavior.
A GC check occurs every five minutes, but updates might not be available. This GC check is why the message can appear every hour or so during normal operation. When a GC update actually takes place or a signature update starts, the IPS sends a message to the ASA that indicates that a configuration change is underway.
The application does not actually reload as an ASA would if the reload command was issued. The IPS adjusts the Analysis Engine and notifies the ASA of the change. This operation can occur at the same time that the IPS goes into bypass mode while it processes the updates. Again, this is normal operation, and there is no functional impact to the IPS or the ASA performance.
Cisco bug ID CSCub28854 was filed to resolve or document this issue from the IPS side.
Cisco bug ID CSCts98836 was filed to resolve the message on the ASA.
Data channel down messages might display on an ASA failover during IPS signature or GC updates. This ASA bug addresses this situation: