This section covers how to perform a software recovery of the AIP-SSM from the Cisco ASA operating system. The Cisco IPS system recovery image completely refreshes the AIP-SSM to its initial state for a given software release. You can use the hw-module module command to recover, reload, reset, or shut down the AIP-SSM. The following is the command syntax:

    hw-module module slot reload
    hw-module module slot reset
    hw-module module slot shutdown
    hw-module module slot recover [boot | configure | stop]

The following steps are necessary to completely refresh the AIP-SSM:

Step 1. Use the hw-module module 1 recover configure command to configure the recovery parameters for the AIP-SSM:

    Chicago# hw-module module 1 recover configure
    Image URL [tftp://0.0.0.0/]: tftp://172.18.124.9/IPS-SSM-K9-sys-1.1-a-5.0-2-s152.img
    Port IP Address [0.0.0.0]: 172.18.124.11
    VLAN ID [0]:
    Gateway IP Address [0.0.0.0]: 172.18.124.1

After you invoke the hw-module module 1 recover configure command, the ASA asks for the complete URL of the TFTP server from which the AIP-SSM will pull the recovery image. This TFTP server must be accessible from the AIP-SSM management port. The port IP address is the IP address of the AIP-SSM management port. You are also asked for the VLAN ID and default gateway IP address. A VLAN ID of 0 means that VLANs are not used. You can use the show module module recover command to display and verify the configured recovery parameters:

    Chicago# show module 1 recover
    Module 1 recover parameters...
    Boot Recovery Image: Yes
    Image URL:           tftp://172.18.124.9/IPS-SSM-K9-sys-1.1-a-5.0-2-s152.img
    Port IP Address:     172.18.124.11
    Gateway IP Address:  172.18.124.1
    VLAN ID:             0

Step 2. To initiate the recovery, use the hw-module module 1 recover boot command. The Cisco ASA displays a warning that all configuration and data on the module may be erased, and prompts you to confirm the recovery:

    Chicago# hw-module module 1 recover boot
    The module in slot 1 will be recovered. This may
    erase all configuration and all data on that device and
    attempt to download a new image for it.
    Recover module in slot 1? [confirm]
    Reset issued for module in slot 1

You must configure the recovery parameters before invoking the previous command. If you do not configure these parameters, the following error is displayed:

    Chicago# hw-module module 1 recover boot
    The module in slot 1 can not be recovered.
    The tftp url and port address must be configured via
    hw-module module 1 recover configure

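Because recover boot wipes the module, it is worth checking the stored parameters first. The following is an added example, not code from the book or from Cisco: a pre-flight check that parses captured show module 1 recover output and reports parameters still at their defaults. The function names and the rule that the port address must differ from the TFTP server address are assumptions of this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: the "show module 1 recover" output shown in Step 1.
SAMPLE = """\
Module 1 recover parameters...
Boot Recovery Image: Yes
Image URL:           tftp://172.18.124.9/IPS-SSM-K9-sys-1.1-a-5.0-2-s152.img
Port IP Address:     172.18.124.11
Gateway IP Address:  172.18.124.1
VLAN ID:             0
"""

def parse_recover(output):
    """Turn 'Key: value' lines into a dict; lines without a colon are skipped."""
    params = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")  # split at the first colon only
        if sep and value.strip():
            params[key.strip()] = value.strip()
    return params

def check_recover(params):
    """Return a list of problems to fix before running 'recover boot'."""
    problems = []
    url = urlsplit(params.get("Image URL", ""))
    if url.scheme != "tftp":
        problems.append("Image URL is not a tftp:// URL")
    if url.hostname in (None, "0.0.0.0"):
        problems.append("TFTP server is unset")
    if url.path in ("", "/"):
        problems.append("Image URL names no image file")
    try:
        port = ipaddress.ip_address(params.get("Port IP Address", ""))
    except ValueError:
        problems.append("Port IP Address is missing or malformed")
    else:
        if port.is_unspecified:
            problems.append("Port IP Address is unset")
        elif str(port) == url.hostname:
            # Assumption of this example: the module cannot share the server's IP.
            problems.append("Port IP Address equals the TFTP server address")
    if not params.get("VLAN ID", "").isdigit():
        problems.append("VLAN ID is missing or not a number")
    return problems

if __name__ == "__main__":
    for problem in check_recover(parse_recover(SAMPLE)) or ["parameters look complete"]:
        print(problem)
```
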
Previously in this chapter, you learned that you can use the show module command to obtain information about the modules installed on your ASA. You can also use the show module module-number details command to obtain more detailed information about the AIP-SSM module installed on the system. Example 13-3 includes the output of this command.
Example 13-3. Output of show module details Command

    Chicago# show module 1 details
    Getting details from the Service Module, please wait...
    ASA 5500 Series Security Services Module-20
    Model:              ASA-SSM-20
    Hardware version:   1.0
    Serial Number:      0
    Firmware version:   1.0(7)2
    Software version:   5.0(2)S152
    Status:             Up
    Mgmt IP addr:       172.18.124.11
    Mgmt web ports:     443
    Mgmt TLS enabled:   true