Not been able to access the IPS module from ASDM

chenzovicc
Hi Experts,
I purchased a Cisco 5520 and I am having an issue trying to access the ASA_5500_Series_Security_Services_Module-10 ASA-SSM-10 from ASDM or by typing in the IP address.
When trying to access it through ASDM I enter the user and password and get an error: ERROR CONNECTING TO SENSOR. ERROR LOADING SENSOR.
I tried connecting to the sensor using the configured IP address and clicking RUN IDM; Java runs and then displays "Unable to launch the application".
I was able to configure the module using the CLI, going through the firewall.
Please advise.
btanExec Consultant
Distinguished Expert 2018

Commented:
Check whether the IPS SSM management interface is up or down, and check its configured IP address, subnet mask and default gateway. Also check the port used for the connection, as it can be a port other than the default 443 (using TLS/SSL encryption); find it out via the CLI, e.g. hostname# show module 1 details, and look at the "Mgmt web ports:" line. Reload the ASA or the AIP SSM module to see if it helps, but try to reload the SSM first, e.g. hostname# hw-module module 1 reload, in order to reboot the AIP-SSM module without rebooting the ASA yet.
There are past issues discussed here, offering some possible working steps:
what I did to fix it...

Launch the Java Control Panel (you can select 'Check for Updates' from Start -> Program Menu -> Java)
Select the Security tab
Click on Edit Site List and add the IP address of your ASA (e.g. https://192.168.1.1/)
I am running Java 7 Update 51 build 13 with ASDM v7.1(2) and ASA 9.0(2).
As of right now there are only two methods by which I can get ASDM to work after upgrading. Adding the ASA's URL to the exception site list does not fix the issue.


1. Import the ASA certificate and install the certificate into the "Secure Site" section (Secure Site, NOT Trusted Certificate)

2. Import the CA certificate chain into the Java Secure Site CA section.*

*If you use method two and import the CA certificates, the hostname must match the CN presented. So if the certificate on the ASA has vpn.example.com and you type the IP address into the ASDM window you will get the same results.

This is not the same behavior if you import the certificate into the secure sites. If you import the cert into the secure site you can use any hostname/IP address that resolves to the IP address of the ASA (hosts file entries have also been tested).

I also noticed that the Java certificate store does not reflect the Windows certificate store. So if you have a corporate CA certificate that is distributed via GPO, this cert will still need to be manually imported into the Java Control Panel.

Author

Commented:
Sorry, just to clarify:
I can access the ASA but can't access the IPS from the GUI or by trying to access the IPS GUI via its IP address. I created an exception for the IPS in the Java Security exclusions but still can't access the IPS.
I am running IPS version 7.1.
I can access the IPS through the CLI, but that's all.

Author

Commented:
This is the running configuration on the IPS module from the CLI. I have configured port g0/3 (the management port) and it is UP, but nothing is connected to it. I have the IPS module connected to my Cisco switch.

Current configuration last modified Sat Dec 26 20:11:24 2015
! ------------------------------
! Version 7.1(6)
! Host:
!     Realm Keys          key1.0
! Signature Definition:
!     Signature Update    S765.0   2014-01-21
! ------------------------------
service interface
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
network-settings
host-ip 10.0.5.20/24,10.0.5.1
host-name CIBER-IPS
telnet-option disabled
access-list 10.0.5.0/24
dns-primary-server enabled
address 4.2.2.2
exit
dns-secondary-server disabled
dns-tertiary-server disabled
exit
time-zone-settings
offset -8
standard-time-zone-name PDT
exit
summertime-option recurring
summertime-zone-name PDT
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
exit
! ------------------------------
service signature-definition sig0
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
port 4443
exit
! ------------------------------
service anomaly-detection ad0
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service health-monitor
exit
! ------------------------------
service global-correlation
exit
! ------------------------------
service aaa
exit
! ------------------------------
service analysis-engine

btanExec Consultant
Distinguished Expert 2018

Commented:
Looks like the web server is not on 443 but, based on your config, on 4443. Normally we see this instead:
service web-server
enable-tls true
port 443
Probably you can check whether putting the explicit port 4443 in the URL makes it accessible instead. See - http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/ips/ips_qsg.html

Also do reset the IPS module as shared earlier to see if ASDM can connect, e.g. try "hw-module module 1 reset". Eventually start with debugging the boot phase by issuing the command "debug module-boot", which gives you some idea of where it fails, if it fails.

Try also whether IDM Express (IME) faces this issue too. See the last post in the forum -
The IDM software that comes with ASDM does not support Java 1.7. The ASA portion of ASDM supports 1.7, but launching the IPS applet only works with 1.6. The TAC engineer suggested I use the IME (IPS Manager Express) that is available for free on Cisco's website (http://www.cisco.com/en/US/products/ps9610/tsd_products_support_general_information.html).
https://supportforums.cisco.com/discussion/11675396/unable-access-aip-ssm-through-asdm
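Two things in the sensor configuration above decide whether a GUI client can reach the module at all: the web-server port (4443 here, while ASDM/IDM default to 443) and the sensor's access-list, which only admits the listed networks. The following script is an added example, not part of the thread or Cisco's tooling; it parses a constructed excerpt in the same IPS 7.1 configuration format, builds the URL a client should use, and reports why a given client address might fail to connect.

```python
import ipaddress

# Constructed excerpt in the IPS 7.1 running-config layout (values mirror the thread).
SAMPLE_CONFIG = """\
service host
network-settings
host-ip 10.0.5.20/24,10.0.5.1
host-name CIBER-IPS
access-list 10.0.5.0/24
exit
exit
service web-server
port 4443
exit
"""

def parse_sensor_config(text):
    """Pull out the fields that gate IDM/ASDM access: management IP,
    access-list networks, web-server port and TLS flag (defaults assumed: 443, TLS on)."""
    info = {"host_ip": None, "access_list": [], "port": 443, "tls": True}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("service "):
            section = line.split()[1]            # e.g. "host", "web-server"
        elif section == "host" and line.startswith("host-ip "):
            # format: ip/prefix,gateway -> keep only the address
            info["host_ip"] = line.split()[1].split(",")[0].split("/")[0]
        elif section == "host" and line.startswith("access-list "):
            info["access_list"].append(ipaddress.ip_network(line.split()[1], strict=False))
        elif section == "web-server" and line.startswith("port "):
            info["port"] = int(line.split()[1])
        elif section == "web-server" and line.startswith("enable-tls "):
            info["tls"] = line.split()[1] == "true"
    return info

def management_url(info):
    """URL a GUI client must use for this sensor."""
    scheme = "https" if info["tls"] else "http"
    return f"{scheme}://{info['host_ip']}:{info['port']}/"

def diagnose(info, client_ip):
    """List reasons a client at client_ip may fail to reach the sensor GUI."""
    findings = []
    if info["port"] != 443:
        findings.append(f"web server listens on {info['port']}, not 443; use {management_url(info)}")
    if not any(ipaddress.ip_address(client_ip) in net for net in info["access_list"]):
        findings.append(f"{client_ip} is not permitted by the sensor access-list")
    if not info["tls"]:
        findings.append("TLS is disabled; ASDM/IDM expect HTTPS")
    return findings

if __name__ == "__main__":
    cfg = parse_sensor_config(SAMPLE_CONFIG)
    print(management_url(cfg))
    for finding in diagnose(cfg, "10.0.5.50"):
        print("-", finding)
```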

Author

Commented:
I tried what you suggested and it doesn't work.
I tried to download Cisco IPS Manager Express (IME), but Cisco is asking for a Cisco contract. I purchased this firewall for my lab and don't have a support contract.
btanExec Consultant
Distinguished Expert 2018

Commented:
The debug did not show any error?

For the licence portion, see:
Note You must be administrator to view license information in the Licensing pane and to install the sensor license key.
In the Licensing pane, you can obtain and install the sensor license key. The Licensing pane displays the status of the current license.
Understanding Licensing

Although the sensor functions without the license key, you must have a license key to obtain signature updates and use the global correlation features. To obtain a license key, you must have the following:

Cisco Service for IPS service contract—Contact your reseller, Cisco service or product sales to purchase a contract.

Your IPS device serial number—To find the IPS device serial number in the IME, choose Configuration > sensor_name > Sensor Management > Licensing , or in the CLI use the show version command.
Valid Cisco.com username and password.

Trial license keys are also available. If you cannot get your sensor licensed because of problems with your contract, you can obtain a 60-day trial license that supports signature updates that require licensing.

You can obtain a license key from the Cisco.com licensing server, which is then delivered to the sensor. Or, you can update the license key from a license key provided in a local file. Go to http://www.cisco.com/go/license and click IPS Signature Subscription Service to apply for a license key.
http://www.cisco.com/c/en/us/td/docs/security/ips/7-1/configuration/guide/ime/imeguide71/ime_sensor_management.html#13116

Author

Commented:
Hi,

I tried to upload the license but got this error:
CIBER-IPS# copy scp:// license-key
User: ALFY
Server's IP Address: 10.0.5.50
Port[22]:
File name: JAF25344BBRTO_20155555503210389.lic
Password: *********
The authenticity of host '10.0.5.50 (10.0.5.50)' can't be established.
RSA1 key fingerprint is b5:b8:e0:f7:ce:4f:52:3e:0d:25:ef:37:e7:9a:bb:99.
Are you sure you want to continue connecting (yes/no)? no
Host key verification failed.
no

The authenticity for host, 10.0.5.50, can't be established.  Verify the ssh host key in the known hosts configuration.

I will try to use FTP tonight.

Author

Commented:
The debug didn't show any error. It booted up fine.
btanExec Consultant
Distinguished Expert 2018

Commented:
For the error message, it is just SSH telling you that it's never seen this particular host key before, so it isn't able to truly verify that you're connecting to the host you think you are.

So when you say "Yes" it puts the ssh key into your known_hosts file, and then on subsequent connections will compare the key it gets from the host to the one in the known_hosts file.

You may want to proceed to connect... unless you have somehow already fetched the public key signature for this server and put it into your known_hosts, which is the one normal way to skip the check (though just saying "yes" to the check is often faster to achieve the same).

Author

Commented:
It won't let me answer yes, it will just go all the way down to "The authenticity for host, 10.0.5.50, can't be established.  Verify the ssh host key in the known hosts configuration."
btanExec Consultant
Distinguished Expert 2018

Commented:

Author

Commented:
OK.
It seems to be able to install the license key, showing:    JAF25344BBRTO 100% 1268     1.2KB/s   00:00
but when running sh version it says "NO LICENSE PRESENT". Saved the firewall and rebooted it and tried to import the license again, but with the same result.

Cisco Intrusion Prevention System, Version 7.1(6)E4

Host:
    Realm Keys          key1.0
Signature Definition:
    Signature Update    S765.0        2014-01-21
OS Version:             2.6.29.1
Platform:               ASA-SSM-10
Serial Number:          JAF25344BBRTO
No license present
Sensor up-time is 2:14.
Using 600M out of 974M bytes of available memory (61% usage)
system is using 29.0M out of 160.0M bytes of available disk space (18% usage)
application-data is using 85.8M out of 169.5M bytes of available disk space (53% usage)
boot is using 57.4M out of 69.7M bytes of available disk space (87% usage)
application-log is using 123.5M out of 513.0M bytes of available disk space (24% usage)


MainApp            S-2012_AUG_24_05_31_7_1_5_3   (Release)   2012-08-24T05:40:50-0500   Running
AnalysisEngine     S-2012_AUG_24_05_31_7_1_5_3   (Release)   2012-08-24T05:40:50-0500   Running
CollaborationApp   S-2012_AUG_24_05_31_7_1_5_3   (Release)   2012-08-24T05:40:50-0500   Running
CLI                S-2012_AUG_24_05_31_7_1_5_3   (Release)   2012-08-24T05:40:50-0500

Upgrade History:

* IPS-sig-S763-req-E4       11:38:06 UTC Fri Jan 10 2014
  IPS-sig-S764-req-E4.pkg   11:38:06 UTC Tue Jan 21 2014

Recovery Partition Version 1.1 - 7.1(6)E4

Host Certificate Valid from: 25-Dec-2015 to 25-Dec-2017

Author

Commented:
Tried to connect to the IPS using the GUI but no luck.
Exec Consultant
Distinguished Expert 2018
Commented:
Just to stay in sync, the steps in this link were followed through but failed? http://www.cisco.com/c/en/us/support/docs/security/intrusion-prevention-system/116006-ips-sensor-testing-00.html#topic1

Likewise for the licensing step. Maybe it would be good to erase, install and restart the device.
http://www.cisco.com/c/en/us/td/docs/security/ips/7-1/configuration/guide/idm/idmguide71/idm_sensor_management.html#96156

Author

Commented:
Hi BTAN,

The last post helped me figure out the reason why I couldn't connect. I installed Java version 6.0 on one of my computers and connected successfully.
I updated the IPS and now I will configure the IPS.
Why, when connected to the IPS GUI, does it show the management port, when I know the SSM-10 port is configured? Also, the GUI shows interfaces gi0/0 and g0/1 as active, but I don't have them configured at all?
Let me know if you want me to open another question for this.
Thanks
btanExec Consultant
Distinguished Expert 2018

Commented:
Thanks, it will be good to open a new question to poll the larger pool of experts.
