Field Notice: FN - 63705 - ASA 5500-X Appliances - Default IPS Software Might Not Be Installed - Software Upgrade Recommended

Available Languages

Updated:March 19, 2019
Document ID:FN63705

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Revision History

Revision Publish Date Comments
1.0
06-Jan-14
Initial Release
10.0
11-Oct-17
Migration to new field notice system
10.1
19-Mar-19
Updated the Defect Information Section

Products Affected

Affected Product ID Comments
ASA5512-IPS-K8
ASA5512-IPS-K9
ASA5515-IPS-K8
ASA5515-IPS-K9
ASA5525-IPS-K8
ASA5525-IPS-K9
ASA5545-IPS-K9
ASA5555-IPS-K9

Defect Information

Defect ID Headline
CSCvf34445 There were no defects filed with this field notice at the time of publication.

Problem Description

Some 5500-X Adaptive Security Appliances (ASAs) ordered with the Intrusion Prevention System (IPS) option were shipped without the IPS software image.

Background

Some ASA 5500-X security appliances ordered with the IPS option that shipped from September 11, 2013 through November 7, 2013 might not contain the IPS software image. This requires the user to follow special procedures in order to install the IPS software from the Cisco software download center to utilize the IPS feature set.

Problem Symptom

The IPS software image information is not displayed when the system is booted up. In addition, the show module command output displays the IPS module as 'Unknown' and 'Unresponsive' as shown in this sample output.

ciscoasa# show module

Mod Card Type                                    Model              Serial No. 
--- -------------------------------------------- ------------------ -----------
  0 ASA 5545-X with SW, 8 GE Data, 1 GE Mgmt     ASA5545            FCH12345ABC
ips Unknown                                      N/A                FCH12345ABC

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version     
--- --------------------------------- ------------ ------------ ---------------
  0 abcd.1234.abcd to abcd.1234.abcd  1.0          2.1(9)8      8.6(1)10
ips abcd.1234.abcd to abcd.1234.abcd  N/A          N/A          

Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- --------------------------
ips Unknown                        No Image Present Not Applicable

Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
  0 Up Sys             Not Applicable        
ips Unresponsive       Not Applicable        

Mod License Name   License Status  Time Remaining
--- -------------- --------------- ---------------
ips IPS Module     Disabled        perpetual

Workaround/Solution

In order to install the system IPS image on the ASA 5500-X, follow these steps:

  1. Download the IPS system image file that corresponds to your ASA platform to the TFTP root directory of a TFTP server that is accessible from your appliance. Make sure you can access the TFTP server location from the network connected to the Ethernet port of the ASA.
  2. Log in to the ASA 5500-X security appliance.
  3. Enter enable mode.

    asa> enable

  4. Copy the IPS image to the disk0 flash of the ASA 5500-X security appliance. 
    asa# copy tftp://192.0.2.0/directory/IPS-SSP_5545-K9-sys-1.1-a-7.1-8-E4.aip disk0:
  5. Configure the IPS software module image on the ASA 5500-X security appliance. 
    asa# sw-module module ips recover configure image disk0:/IPS-SSP_5545-K9-sys-1.1-a-7.1-8-E4.aip
  6. Execute the recovery. This loads the IPS software into the ASA 5500-X security appliance and restarts it. 
    sw-module module ips recover boot
  7. Periodically check the recovery until it is complete. 
    ciscoasa(config)# show module

Mod Card Type                                    Model              Serial No. 
--- -------------------------------------------- ------------------ -----------
  0 ASA 5545-X with SW, 8 GE Data, 1 GE Mgmt     ASA5545            FCH12345ABC
ips ASA 5545-X IPS Security Services Processor   ASA5545-IPS        FCH12345ABC

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version 
--- --------------------------------- ------------ ------------ ---------------
  0 abcd.1234.abcd to abcd.1234.abcd  1.0          2.1(9)8      8.6(1)10
ips abcd.1234.abcd to abcd.1234.abcd  N/A          N/A          7.1(8)E4

Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- --------------------------
ips IPS                            Up               7.1(8)E4

Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
  0 Up Sys             Not Applicable 
ips Up                 Up 

Mod License Name   License Status  Time Remaining
--- -------------- --------------- ---------------
ips IPS Module     Disabled        perpetual

    Note: The Status field in the output indicates the operational status of the ASA 5500-X IPS software module. An IPS module that operates normally shows a status of "Up". While an ASA 5500-X security appliance loads the application image, the Status field in the output reads "Recover". When the ASA 5500-X security appliance completely loads the image and restarts the IPS module, the newly transferred image is running. In order to debug any errors that might happen in the recovery process, enter the debug module-boot command to debug the system reimaging process.

  8. Session to the ASA 5500-X security appliance and initialize it with the setup command.

How To Identify Affected Products

Affected ASA 5500-X security appliances were shipped from September 11, 2013 through November 7, 2013.

Obtain the chassis serial number through the CLI or visual inspection of the ASA 5500-X security appliance as shown here:

  • Command Line Interface (CLI) - Enter the show inventory command in order to obtain the chassis serial number of the appliance: 
    asa# show inventory
Name: "Chassis", DESCR: "ASA5525-X with SW, 8 GE Data, 1 GE Mgmt, AC"
PID: ASA5525, VID: V01, SN: FTX1234ABCD
  • Visual inspection of the ASA 5500-X security appliance - The chassis serial number label is located on the rear of the appliance and might also be referenced on the sales order documentation.

    Access the Cisco Serial Number Validation Tool in order to validate your ASA 5500-X security appliance serial number(s).

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

Cisco Notification Service—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco