I first got into the IPS module and had to reset the password:
ASA#session 1
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.
login: cisco
Password:
You are required to change your password immediately (password aged)
Changing password for cisco
(current) password:
New password:
Retype new password:
Once I reset the password, I went forward with the upgrade.
ASAIPS-2# sh ver
Application Partition:
Cisco Intrusion Prevention System, Version 5.1(1)S222.0
Host:
Realm Keys key1.0
Signature Definition:
Signature Update S222.0 2006-03-17
Virus Update V1.0 2005-11-17
OS Version: 2.4.26-IDS-smp-bigphys
Platform: ASA-SSM-10
Serial Number: JAB0XXXXXX
License expired: 22-May-2006 UTC
Sensor up-time is 244 days.
Using 552251392 out of 1054670848 bytes of available memory (52% usage)
system is using 17.3M out of 36.8M bytes of available disk space (47% usage)
application-data is using 45.2M out of 166.6M bytes of available disk space (29% usage)
boot is using 35.0M out of 68.5M bytes of available disk space (54% usage)
MainApp 2005_Nov_15_13.47 (Release) 2005-11-15T14:27:20-0600 Running
AnalysisEngine 2006_Feb_08_13.09 (Release) 2006-02-08T13:52:38-0600 Running
CLI 2005_Nov_15_13.47 (Release) 2005-11-15T14:27:20-0600
Upgrade History:
* IPS-K9-min-5.1-1 19:47:00 UTC Tue Nov 15 2005
--MORE-- IPS-sig-S222-minreq-5.0-5.pkg 13:06:21 UTC Thu Mar 23 2006
Recovery Partition Version 1.1 - 5.1(1)
ASAIPS-2# config t
ASAIPS-2(config)# upgrade ftp://shane@172.24.14.44/IPS-engine-E4-req-6.2-2.pkg
Password: *********
Continue with upgrade? []:yes
The filename IPS-K9-6.2-2-E4.pkg is not a valid upgrade file type.
Ok, obviously this did not go the way I wanted. To make a lengthy process short, I simply could not upgrade this IPS module, according to Cisco TAC. I tried many pkg files, none successful. This one will be swapped out by Cisco.
The second one was not so bad. Below is what I did:
ASA#session 1
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.
login: cisco
Password:
sensor#
sensor# config t
sensor(config)# upgrade ftp://shane@172.24.14.44/IPS-K9-7.0-7-E4.pkg
Password: ****
Warning: Executing this command will apply a software update to the application partition. The system may be rebooted to complete the upgrade.
Continue with upgrade? []]: yes
Broadcast Message from root@sensor
(somewhere) at 8:02 ...
Applying update IPS-K9-7.0-7-E4.pkg.
Broadcast Message from root@sensor
(somewhere) at 8:02 ...
IPS applications will be stopped and system will be rebooted after upgrade completes.
Broadcast Message from root@sensor
(somewhere) at 8:02 ...
Shutting down IPS applications. Applications will be restarted when update is
complete..
Command session with slot 1 terminated.
Remote card closed command session. Press any key to continue.
Switching to Standby
Switching to Failed state.
Command session with slot 1 terminated.
Command session with slot 1 terminated.
ASA5520-1/asa.net/stby# sh module
Mod Card Type Model Serial No.
--- -------------------------------------------- ------------------ -----------
0 ASA 5520 Adaptive Security Appliance ASA5520 JMXXXXXX
1 ASA_5500_Series_Security_Services_Module-10 ASA-SSM-10 JAFXXXXX
Mod MAC Address Range Hw Version Fw Version Sw Version
--- --------------------------------- ------------ ------------ ---------------
0 e05f.b904.3324 to e05f.b904.3328 2.0 1.0(11)2 8.2(4)
1 001e.7a81.8960 to 001e.7a81.8960 1.0 1.0(11)5 6.0(6)E4
Mod SSM Application Name Status SSM Application Version
--- ------------------------------ ---------------- --------------------------
1 IPS Not Applicable 6.0(6)E4
Mod Status Data Plane Status Compatibility
--- ------------------ --------------------- -------------
0 Up Sys Not Applicable
1 Init Not Applicable
ASA5520-1/asa.net/stby# sh module
Mod Card Type Model Serial No.
--- -------------------------------------------- ------------------ -----------
0 ASA 5520 Adaptive Security Appliance ASA5520 JMXXXXXXXXX
1 ASA_5500_Series_Security_Services_Module-10 ASA-SSM-10 JAFXXXXX
Mod MAC Address Range Hw Version Fw Version Sw Version
--- --------------------------------- ------------ ------------ ---------------
0 e05f.b904.3324 to e05f.b904.3328 2.0 1.0(11)2 8.2(4)
1 001e.7a81.8960 to 001e.7a81.8960 1.0 1.0(11)5 7.0(7)E4
Mod SSM Application Name Status SSM Application Version
--- ------------------------------ ---------------- --------------------------
1 IPS Up 7.0(7)E4
Mod Status Data Plane Status Compatibility
--- ------------------ --------------------- -------------
0 Up Sys Not Applicable
1 Up Up
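A post-upgrade check built on the two `sh module` captures above, added here as an example and not part of the original write-up: it parses the application and status tables and reports why the SSM in a slot is not yet up on the expected version. The function names are hypothetical, and the parser assumes the single-space column layout shown on this page.

```python
import re

# Constructed samples: table rows copied from the two "sh module" captures above.
DURING = """\
Mod SSM Application Name Status SSM Application Version
--- ------------------------------ ---------------- --------------------------
1 IPS Not Applicable 6.0(6)E4
Mod Status Data Plane Status Compatibility
--- ------------------ --------------------- -------------
0 Up Sys Not Applicable
1 Init Not Applicable
"""
AFTER = """\
Mod SSM Application Name Status SSM Application Version
--- ------------------------------ ---------------- --------------------------
1 IPS Up 7.0(7)E4
Mod Status Data Plane Status Compatibility
--- ------------------ --------------------- -------------
0 Up Sys Not Applicable
1 Up Up
"""

APP_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(.+?)\s+(\S+)$")
STATUS_ROW = re.compile(r"^(\d+)\s+(.+?)\s+(Not Applicable|Up|Down)(?:\s+.*)?$")

def parse_show_module(text):
    """Return {slot: {...}} built from the application and status tables."""
    mods, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Mod "):  # a header row selects the table being read
            section = ("app" if "SSM Application Name" in line
                       else "status" if "Data Plane Status" in line else None)
            continue
        if section == "app" and (m := APP_ROW.match(line)):
            mods.setdefault(int(m[1]), {}).update(
                app=m[2], app_status=m[3], app_version=m[4])
        elif section == "status" and (m := STATUS_ROW.match(line)):
            mods.setdefault(int(m[1]), {}).update(status=m[2], data_plane=m[3])
    return mods

def ssm_problems(text, slot, want_version):
    """List the reasons the SSM in `slot` is not yet inspecting on want_version."""
    mod = parse_show_module(text).get(slot, {})
    expected = {"app_status": "Up", "status": "Up",
                "data_plane": "Up", "app_version": want_version}
    return [f"{k}={mod.get(k)!r}, expected {v!r}"
            for k, v in expected.items() if mod.get(k) != v]
```

`ssm_problems(AFTER, 1, "7.0(7)E4")` returns an empty list, while the mid-reboot capture yields four findings (application status, module status, data plane and version).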
The upgrade was not too bad. Here are some notes that I put down before showing up today.
NOTES:
To upgrade the Engine:
1. Log into IPS module: session 1
2. type config t
3. type upgrade ftp://shane@172.24.14.44/IPS-engine-E4-req-6.2-2.pkg
4. type none
5. sensor reboots
IPS system:
6. log into IPS module
7. type config t
8. type upgrade ftp://shane@172.24.14.44/IPS-K9-6.2-2-E4.pkg
9. type none
10. yes
11. sensor reboots.
Signatures:
12. log into the IPS module
13. config t
14. upgrade ftp://shane@172.24.14.44/IPS-sig-S576-req-E4.pkg
15. type yes
complete.
SECOND NOTES: When you upgrade the sensor, you will have to allow yourself access again so that you can HTTPS into it for configuration. Here is what I did:
sensor# conf t
sensor(config)# service host
sensor(config-hos)# network-settings
sensor(config-hos-net)# access-list 172.16.1.0/24
sensor(config-hos-net)# exit
sensor(config-hos)# exit
Apply Changes?[yes]:
Warning: DNS or HTTP proxy is required for global correlation inspection and reputation filtering, but no DNS or proxy servers are defined.
sensor(config)# exit
sensor#