Cisco Systems IPS 7.1 Home Security System User Manual


C-66
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Appendix C Troubleshooting
Troubleshooting the ASA 5500-X IPS SSP
When TCP-based signatures and reset-tcp-connection/Reset TCP Connection have NOT been
selected
In the case of the ASA IPS module, the TCP reset request is sent to the ASA, and the ASA then sends
the TCP reset packets. The ASA sends TCP reset packets to both the attacker and victim when
reset-tcp-connection/Reset TCP Connection is selected. When deny-packet-inline/Deny Packet Inline or
deny-connection-inline/Deny Connection Inline is selected, the ASA sends the TCP reset packet to either
the attacker or victim depending on the configuration of the signature. Signatures configured to swap the
attacker and victim when reporting the alert can cause the ASA to send the TCP reset packet to the
attacker.
For More Information
For a detailed description of all the event actions, see Event Actions, page 7-5.
IPS Reloading Messages
Symptom ASA syslog messages similar to the following are observed and the root cause of the message
is not clear:
%ASA-1-505013: ASA-SSM-10 Module in slot 1, application reloading "IPS", version "7.1(6)E4" Config Change
%ASA-1-505013: ASA5585-SSP-IPS10 Module in slot 1, application reloading "IPS", version "7.1(1)E4" Config Change
These messages occur once an hour for sensors not actively being configured or more often for sensors
being configured.
Conditions ASA adaptive appliances running an affected software version with an ASA IPS module
(ASA 5500 AIP SSM/ASA 5500-X IPS SSP/ASA 5585-X IPS SSP) installed that is running IPS 7.1 or
later. The common cause of these messages is global correlation and/or signature updates occurring on
the ASA IPS module. The updates are attempted every five minutes, and some, but not necessarily all,
of them generate these messages.
Workaround None. The cause of these messages can be confirmed on the sensor module by reviewing the
show events status past command output and identifying a status event that corresponds to the ASA
syslog message that matches the date and time. The sensor’s status event should provide further details
about what operation occurred that resulted in the ASA syslog message.
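The matching step described in the workaround can be scripted once the syslog lines and the sensor's status events have been collected. The following is an added example, not part of the Cisco guide: it parses the 505013 message text shown above and pairs each reload with the nearest sensor status event in time. The leading ISO timestamp on each syslog line, the 120-second matching window, the (time, description) tuple form of the status events, and all sample values are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Matches the 505013 message text quoted on this page.
RELOAD_RE = re.compile(
    r'%ASA-1-505013: (?P<module>\S+) Module in slot (?P<slot>\d+), '
    r'application reloading "(?P<app>[^"]+)", version "(?P<version>[^"]+)" '
    r'(?P<reason>.+)$')

def parse_reloads(lines):
    """Parse 505013 lines; the leading ISO timestamp is an assumed collector format."""
    out = []
    for line in lines:
        m = RELOAD_RE.search(line)
        if m:
            out.append({"time": datetime.fromisoformat(line.split()[0]), **m.groupdict()})
    return out

def correlate(reloads, status_events, window=timedelta(seconds=120)):
    """Pair each reload with the nearest sensor status event within `window`.

    status_events: (datetime, description) tuples transcribed from the sensor.
    Returns (explained, unexplained); unexplained reloads need a closer look.
    """
    explained, unexplained = [], []
    for r in reloads:
        near = [(abs(r["time"] - t), d) for t, d in status_events
                if abs(r["time"] - t) <= window]
        if near:
            explained.append((r, min(near, key=lambda n: n[0])[1]))
        else:
            unexplained.append(r)
    return explained, unexplained

# Constructed sample data: timestamps and the status description are illustrative.
SAMPLE_SYSLOG = [
    '2013-01-10T10:00:05 %ASA-1-505013: ASA-SSM-10 Module in slot 1, application reloading "IPS", version "7.1(6)E4" Config Change',
    '2013-01-10T10:17:40 %ASA-1-505013: ASA5585-SSP-IPS10 Module in slot 1, application reloading "IPS", version "7.1(1)E4" Config Change',
    '2013-01-10T10:20:00 constructed unrelated line',
]
SAMPLE_STATUS = [(datetime(2013, 1, 10, 10, 0, 1), "constructed: signature update applied")]

if __name__ == "__main__":
    ok, todo = correlate(parse_reloads(SAMPLE_SYSLOG), SAMPLE_STATUS)
    for r, why in ok:
        print(r["time"], r["module"], "explained by:", why)
    for r in todo:
        print(r["time"], r["module"], "no matching sensor status event")
```

If the ASA and the sensor module do not share a time source, widen the window to cover the clock offset before treating a reload as unexplained.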
Troubleshooting the ASA 5500-X IPS SSP
Tip Before troubleshooting the ASA 5500-X IPS SSP, check the Caveats section of the Readme for the
software version installed on your sensor to see if you are dealing with a known issue.
This section contains troubleshooting information specific to the ASA 5500-X IPS SSP, and contains
the following topics:
Health and Status Information, page C-67
Failover Scenarios, page C-74