
Document ID: 116404
Updated: Aug 20, 2013
Contributed by Prapanch Ramamoorthy, Cisco TAC Engineer.
Introduction
This document describes a common problem that users who manage Cisco Adaptive Security Appliances (ASAs) might encounter. Cisco ASA 5500-X Series appliances provide next-generation firewall services with the optional ability to install a software-based Intrusion Prevention System (IPS) module or a Cisco ASA CX (Context Aware) module.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Cisco ASA Command Line Interface (CLI)
- IPS or CX modules for ASA 5500-X Series appliances
Components Used
The information in this document is based on Cisco ASA 5500-X Series next-generation firewall appliances.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Problem
When you try to establish a console connection to the installed software IPS or CX module, you might encounter an error message that indicates someone is already logged into the console. For example:
ciscoasa# session cxsc console
ERROR: An existing console session is in progress with module cxsc.
Only one is allowed at any point in time.
The previous command output indicates that a console connection to the CX module already exists. The equivalent command for the IPS module is session ips console, which shows this output when used:
ciscoasa# session ips console
ERROR: An existing console session is in progress with module ips.
Only one is allowed at any point in time.
Solution
The only way to clear a console connection to the software IPS/CX module on an ASA 5500-X Series appliance is to clear the CLI connection to the ASA from which the console session is active. This section provides a simulated scenario, similar to the one previously described, that demonstrates the procedure used in order to clear such a connection.
Consider an ASA 5525-X with next-generation firewall services (also known as CX) enabled.
ciscoasa# show module cxsc
Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
cxsc ASA CX5525 Security Appliance ASA CX5525 FCH1719J569
Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
cxsc 6c41.6aa1.31d4 to 6c41.6aa1.31d4 N/A N/A 9.1.1
Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------
cxsc ASA CX Up 9.1.1
Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
cxsc Up Up
There is a Secure Shell (SSH) session established with the ASA in addition to a console connection.
ciscoasa# show asp table socket
Protocol Socket State Local Address Foreign Address
SSL 000069e8 LISTEN 10.106.44.101:443 0.0.0.0:*
TCP 00009628 LISTEN 10.106.44.101:22 0.0.0.0:*
TCP 0000da58 ESTAB 10.106.44.101:22 64.103.226.139:52565
The ESTAB connection in this output (the session from 64.103.226.139:52565 to 10.106.44.101:22) is the SSH session in which the console connection to the CX module is active. Attempts to access the console from another CLI connection (such as a console connection to the ASA) fail with the error previously mentioned. Use the show conn all command to locate that SSH connection to the ASA, then clear it with the clear conn all command.
ciscoasa# show conn all | in 52565
1 in use, 4 most used
TCP mgmt 64.103.226.139:52565 NP Identity Ifc 10.106.44.101:22,
idle 0:04:16, bytes 10284, flags UOB
ciscoasa#
ciscoasa#
ciscoasa# clear conn all port 52565
1 connection(s) deleted.
ciscoasa# show conn all | i 52565
0 in use, 4 most used
ciscoasa# show asp table socket
Protocol Socket State Local Address Foreign Address
SSL 000069e8 LISTEN 10.106.44.101:443 0.0.0.0:*
TCP 00009628 LISTEN 10.106.44.101:22 0.0.0.0:*
ciscoasa#
ciscoasa# session cxsc console
Opening console session with module cxsc.
Connected to module cxsc. Escape character sequence is 'CTRL-^X'.
asacx>
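To make the procedure above repeatable, here is an added Python example (not Cisco code and not part of the original document) that parses a captured show asp table socket table, picks out the established SSH sessions on the ASA, and emits the show conn / clear conn command pairs used above. The table embedded as a string is the lab capture from this document; the exclude parameter is an assumption added here so that an operator who runs the clear from an SSH session does not generate a command that drops that same session.

```python
"""Build the ASA 'clear conn all port N' commands needed to drop the SSH
sessions that may be holding an IPS/CX module console open.

Added example, not Cisco code. The ASA commands it emits (show conn all,
clear conn all port N) are the ones used in this document; the parser and
the `exclude` option are assumptions made for this example."""
import re
from dataclasses import dataclass

# Constructed input: the 'show asp table socket' capture from this document.
SAMPLE_ASP_SOCKET = """\
Protocol  Socket    State      Local Address          Foreign Address
SSL       000069e8  LISTEN     10.106.44.101:443      0.0.0.0:*
TCP       00009628  LISTEN     10.106.44.101:22       0.0.0.0:*
TCP       0000da58  ESTAB      10.106.44.101:22       64.103.226.139:52565
"""

SSH_PORT = 22


@dataclass(frozen=True)
class AspSocket:
    protocol: str
    socket_id: str
    state: str
    local_ip: str
    local_port: int
    foreign_ip: str
    foreign_port: int  # 0 stands for the wildcard '*' on LISTEN sockets


# One data row: proto, hex socket id, state, local ip:port, foreign ip:port-or-*
_ROW = re.compile(
    r"^(\S+)\s+([0-9a-fA-F]+)\s+(\S+)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)$"
)


def parse_asp_socket_table(text):
    """Parse the socket table; header and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        proto, sid, state, lip, lport, fip, fport = m.groups()
        sockets.append(
            AspSocket(
                proto, sid, state, lip, int(lport),
                fip, 0 if fport == "*" else int(fport),
            )
        )
    return sockets


def established_ssh_sessions(sockets, exclude=None):
    """Return the ESTAB TCP sockets on the ASA's SSH port.

    `exclude` is the (foreign_ip, foreign_port) pair of the session you are
    typing from, so its own connection is never selected for clearing."""
    return [
        s for s in sockets
        if s.protocol == "TCP"
        and s.state == "ESTAB"
        and s.local_port == SSH_PORT
        and (s.foreign_ip, s.foreign_port) != exclude
    ]


def clear_commands(sessions):
    """For each session, the verify command followed by the clear command,
    exactly as used in the document (keyed on the foreign TCP port)."""
    cmds = []
    for s in sessions:
        cmds.append(f"show conn all | in {s.foreign_port}")
        cmds.append(f"clear conn all port {s.foreign_port}")
    return cmds


if __name__ == "__main__":
    sessions = established_ssh_sessions(parse_asp_socket_table(SAMPLE_ASP_SOCKET))
    for cmd in clear_commands(sessions):
        print(cmd)
```

Run the generated commands from a CLI session other than the one being cleared (the serial console of the ASA is the natural choice); if you must run them over SSH, pass your own source address and port as exclude so the script never targets the session you are using.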
Cisco bug ID CSCuh65249 (ASA 5500-X: Need a way to clear out console connection to IPS/CX module) was filed in order to introduce a more graceful way to clear such a console connection.
Cisco bug ID CSCud27214 (Cannot exit from session ips console when connected to terminal server) was filed in order to resolve the inability to exit from a console when attached via a terminal server with a Ctrl^x escape sequence.
Alternate Solution
Alternatively, if the existing console connection cannot be killed with the method previously mentioned, use the session ips or session cxsc command in order to access the IPS or CX module, respectively. This is not a console connection, so multiple sessions can be established simultaneously to the software module.