
Document ID: 116155
Updated: Jun 13, 2013
Contributed by Todd Pula, Cisco TAC Engineer.
Introduction
This document describes the process required to reimage a hardware or software Intrusion Prevention System (IPS) module in an Adaptive Security Appliance (ASA) failover pair. This process can be applied to the Cisco ASA 5500 and 5500-X Series of firewall appliances. The configuration examples in this document are for an active/standby failover configuration. A similar process can be followed in an active/active configuration; however, you must ensure that there are no active contexts running before a reload is performed.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Use of the command-line interface (CLI) for IPS software upgrades
- Use of the CLI for ASA failover configuration
Components Used
The information in this document is based on Security Services Module (SSM), Security Services Processor (SSP), and software IPS modules on the ASA 5500 and 5500-X Series of firewall appliances.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Background Information
In certain situations, it might be necessary to reimage an IPS hardware or software module in an ASA failover pair deployment. For example, downgrading from Release 7.1(7) to Release 7.0(8) requires a reimage, as there is no formal downgrade option for the IPS operating system. These steps are used to minimize the chance of a network outage or false failover during a reimage.
- Complete the reimage process on the IPS module in the standby ASA.
- Make the standby ASA the active ASA.
- Complete the reimage process on the new standby ASA (former active).
- Restore the new standby ASA to the active state, if desired.
Configure
Initial Steps
- Back up the current running configuration of both sensors to an external server by use of the CLI (for example: copy current-config ftp://cisco123:cisco123@10.10.10.10/ips1-backup).
- Position the IPS system image file on an external TFTP server (for example: IPS-SSM_40-K9-sys-1.1-a-7.0-8-E4.img).
Reimage the IPS on the Current Standby ASA (ASA 5500 Series only)
- Connect to the CLI of the standby ASA via console, Telnet, or Secure Shell (SSH).
- Enter the show failover command in order to verify that the ASA is the standby unit.
- Enter the hw-module module 1 recover configure command on the ASA and configure the appropriate IP/TFTP settings.
- Enter the hw-module module 1 recover boot command on the ASA in order to transfer the image and restart the IPS module.
- Enter the show module 1 details command on the ASA in order to monitor the recovery status.
- Once completed, enter the session 1 command on the ASA in order to connect to the IPS module.
- On the IPS, enter the setup command and configure the IP/Subnet Mask/Gateway/ACL.
- With the IPS module back on the network, restore the previous configuration via CLI (for example: copy ftp://cisco123:cisco123@10.10.10.10/ips1-backup current-config).
- In order to verify that the IPS running configuration is updated, enter the show config command.
- Reinstall the signature license and upgrade the signature definitions as required.
- On the standby ASA, enter the failover active command in order to make the standby unit active.
Reimage the IPS on the New Standby ASA (ASA 5500 Series only)
- Connect to the CLI of the new standby ASA via console, Telnet, or SSH.
- Enter the show failover command in order to verify that the ASA is the new standby unit.
- Enter the hw-module module 1 recover configure command on the ASA and configure the appropriate IP/TFTP settings.
- Enter the hw-module module 1 recover boot command on the ASA in order to transfer the image and restart the IPS module.
- Enter the show module 1 details command on the ASA in order to monitor the recovery status.
- Once completed, enter the session 1 command on the ASA in order to connect to the IPS module.
- On the IPS, enter the setup command and configure the IP/Subnet Mask/Gateway/ACL.
- With the IPS module back on the network, restore the previous configuration via CLI (for example: copy ftp://cisco123:cisco123@10.10.10.10/ips1-backup current-config).
- In order to verify that the IPS running configuration is updated, enter the show config command.
- Reinstall the signature license and upgrade the signature definitions as required.
- If desired, enter the failover active command on the new standby unit in order to restore it to the active state.
Reimage the IPS on the Current Standby ASA (ASA 5500-X Series only)
- Connect to the CLI of the standby ASA via console, Telnet, or SSH.
- Enter the show failover command in order to verify that the ASA is the standby unit.
- Enter the sw-module module ips recover configure command on the ASA and configure the appropriate IP/TFTP settings.
- Enter the sw-module module ips recover boot command on the ASA in order to transfer the image and restart the IPS module.
- Enter the show module ips details command on the ASA in order to monitor the recovery status.
- Once completed, enter the session ips command on the ASA in order to connect to the IPS module.
- On the IPS, enter the setup command and configure the IP/Subnet Mask/Gateway/ACL.
- With the IPS module back on the network, restore the previous configuration via CLI (for example: copy ftp://cisco123:cisco123@10.10.10.10/ips1-backup current-config).
- In order to verify that the IPS running configuration is updated, enter the show config command.
- Reinstall the signature license and upgrade the signature definitions as required.
- On the standby ASA, enter the failover active command in order to make the standby unit active.
Reimage the IPS on the New Standby ASA (ASA 5500-X Series only)
- Connect to the CLI of the new standby ASA via console, Telnet, or SSH.
- Enter the show failover command in order to verify that the ASA is the new standby unit.
- Enter the sw-module module ips recover configure command on the ASA and configure the appropriate IP/TFTP settings.
- Enter the sw-module module ips recover boot command on the ASA in order to transfer the image and restart the IPS module.
- Enter the show module ips details command on the ASA in order to monitor the recovery status.
- Once completed, enter the session ips command on the ASA in order to connect to the IPS module.
- On the IPS, enter the setup command and configure the IP/Subnet Mask/Gateway/ACL.
- With the IPS module back on the network, restore the previous configuration via CLI (for example: copy ftp://cisco123:cisco123@10.10.10.10/ips1-backup current-config).
- In order to verify that the IPS running configuration is updated, enter the show config command.
- Reinstall the signature license and upgrade the signature definitions as required.
- If desired, enter the failover active command on the new standby unit in order to restore it to the active state.
Verify
Use this section to confirm that your configuration works properly.
The Output Interpreter Tool (registered customers only) supports certain show commands. Use the Output Interpreter Tool in order to view an analysis of show command outputs.
- show failover - When entered on the ASA, the show failover command displays the current failover status, interface state, and operating system versions.
- show failover history - The show failover history command displays a list of timestamped failover events on the ASA.
- show module 1 details - The show module 1 details command is used on the ASA 5500 Series in order to display the operating system, network settings, and the control/data channel state of the IPS module.
- show module ips details - The show module ips details command is used on the ASA 5500-X Series in order to display the operating system, network settings, and the control/data channel state of the IPS module.
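As an added check that is not part of the original document: a small Python pre-flight helper that parses the show failover and show module 1 details output described above, so that a change script refuses to start the recover on a unit that is not Standby Ready and confirms afterwards that the module is back Up on the expected image. The sample outputs are constructed and abbreviated, and 192.0.2.10 is a placeholder management address.

```python
import re

# Constructed, abbreviated "show failover" sample from the unit we intend to reimage.
SHOW_FAILOVER_STANDBY = """\
Failover On
Failover unit Secondary
This host: Secondary - Standby Ready
Other host: Primary - Active
"""
# Same unit after "failover active": reimaging it now would take down traffic.
SHOW_FAILOVER_ACTIVE = SHOW_FAILOVER_STANDBY.replace(
    "Secondary - Standby Ready", "Secondary - Active"
).replace("Primary - Active", "Primary - Standby Ready")

# Constructed, abbreviated "show module 1 details" sample after the recover completes.
SHOW_MODULE_DETAILS = """\
Getting details from the Service Module, please wait...
App. name:          IPS
App. Status:        Up
App. Status Desc:   Normal Operation
App. version:       7.0(8)E4
Data plane Status:  Up
Status:             Up
Mgmt IP addr:       192.0.2.10
"""

def is_safe_standby(show_failover: str) -> bool:
    """True only if failover is enabled and this unit reports 'Standby Ready'."""
    lines = [ln.strip() for ln in show_failover.splitlines()]
    if not lines or lines[0] != "Failover On":
        return False  # standalone or failover disabled: no peer can absorb traffic
    for line in lines:
        if line.startswith("This host:"):
            return line.endswith("- Standby Ready")
    return False

def module_fields(show_module: str) -> dict:
    """Parse the 'Key: value' lines of show module details into a dict."""
    fields = {}
    for line in show_module.splitlines():
        m = re.match(r"^([A-Za-z. ]+?):\s+(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def module_ready(show_module: str, expected_version: str) -> bool:
    """True when module, application and data plane are Up on the expected image."""
    f = module_fields(show_module)
    return (f.get("Status") == "Up" and f.get("App. Status") == "Up"
            and f.get("Data plane Status") == "Up"
            and f.get("App. version") == expected_version)
```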
Troubleshoot
This section provides information you can use to troubleshoot your configuration.
- debug module-boot [level] - Displays debug messages related to the IPS module boot process.
- no debug module-boot [level] - Disables debug.
Related Information
Refer to Cisco Technical Tips Conventions for information on conventions used in this document.