Cisco Intrusion Prevention System Appliance Hardware Installation Guide for IPS 7.1
OL-24002-01
Appendix E Troubleshooting
Troubleshooting the ASA 5500-X IPS SSP
TCP Reset Differences Between IPS Appliances and ASA IPS Modules
The IPS appliance sends TCP reset packets to both the attacker and victim when Reset TCP Connection
is selected. The IPS appliance sends a TCP reset packet only to the victim under the following
circumstances:
• When Deny Packet Inline or Deny Connection Inline is selected
• When TCP-based signatures and Reset TCP Connection have NOT been selected
In the case of the ASA IPS module, the TCP reset request is sent to the ASA, and the ASA then sends
the TCP reset packets. The ASA sends TCP reset packets to both the attacker and victim when Reset
TCP Connection is selected. When Deny Packet Inline or Deny Connection Inline is selected, the ASA
sends the TCP reset packet to either the attacker or the victim, depending on the configuration of the
signature. Signatures configured to swap the attacker and victim when reporting the alert can cause the
ASA to send the TCP reset packet to the attacker.
For More Information
For detailed information about event actions, refer to Event Actions.
IPS Reloading Messages
Symptom: ASA syslog messages similar to the following are observed and the root cause of the message
is not clear:
%ASA-1-505013: ASA-SSM-10 Module in slot 1, application reloading "IPS", version "7.1(6)E4" Config Change
%ASA-1-505013: ASA5585-SSP-IPS10 Module in slot 1, application reloading "IPS", version "7.1(1)E4" Config Change
These messages occur once an hour on sensors that are not actively being configured, and more often on
sensors that are being configured.
Conditions: ASA adaptive appliances running an affected software version with an ASA IPS module
(ASA 5500 AIP SSM, ASA 5500-X IPS SSP, ASA 5585-X IPS SSP) installed that is running IPS 7.1 or
later. The common cause of these messages is global correlation and/or signature updates occurring on
the ASA IPS module. Updates are attempted every five minutes, and these messages are generated for
some, but not necessarily all, of them.
Workaround: None. The cause of these messages can be confirmed on the sensor module by reviewing the
show events status past command output and identifying a status event whose date and time match the
ASA syslog message. The sensor’s status event should provide further details about the operation that
resulted in the ASA syslog message.
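To help with the confirmation step above, the following added example (not part of the Cisco guide) parses 505013 reload messages from a log export and lists, per module, the reload times and the minutes between them, so the timestamps can be matched against the sensor's status events. The ISO 8601 timestamp prefix and the sample lines are constructed assumptions; only the message body layout is taken from the two messages quoted above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample export. The leading timestamp is an assumed collector
# format; the message bodies follow the examples quoted in the guide.
SAMPLE = """\
2013-03-04T09:00:12 %ASA-1-505013: ASA5585-SSP-IPS10 Module in slot 1, application reloading "IPS", version "7.1(1)E4" Config Change
2013-03-04T09:30:00 unrelated line that must be skipped
2013-03-04T10:00:15 %ASA-1-505013: ASA5585-SSP-IPS10 Module in slot 1, application reloading "IPS", version "7.1(1)E4" Config Change
2013-03-04T10:20:41 %ASA-1-505013: ASA5585-SSP-IPS10 Module in slot 1, application reloading "IPS", version "7.1(1)E4" Config Change
2013-03-04T11:00:09 %ASA-1-505013: ASA5585-SSP-IPS10 Module in slot 1, application reloading "IPS", version "7.1(1)E4" Config Change
"""

PATTERN = re.compile(
    r'^(?P<ts>\S+)\s+%ASA-1-505013: (?P<module>\S+) Module in slot (?P<slot>\d+), '
    r'application reloading "(?P<app>[^"]+)", version "(?P<version>[^"]+)" (?P<reason>.+)$'
)

def parse_reloads(text):
    """Return one dict per 505013 line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = PATTERN.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            ev["slot"] = int(ev["slot"])
            events.append(ev)
    return events

def reload_gaps(events):
    """Per (module, slot): sorted reload times and minutes between reloads."""
    by_module = defaultdict(list)
    for ev in events:
        by_module[(ev["module"], ev["slot"])].append(ev["ts"])
    report = {}
    for key, times in by_module.items():
        times.sort()
        gaps = [round((b - a).total_seconds() / 60) for a, b in zip(times, times[1:])]
        report[key] = {"times": times, "gap_minutes": gaps}
    return report

if __name__ == "__main__":
    for (module, slot), info in reload_gaps(parse_reloads(SAMPLE)).items():
        print(f"{module} slot {slot}: gaps (min) = {info['gap_minutes']}")
        for t in info["times"]:
            print(f"  check sensor status events around {t:%Y-%m-%d %H:%M:%S}")
```

Gaps close to 60 minutes fit the hourly pattern described for sensors that are not being configured; shorter gaps are the times to look up first on the sensor.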
Troubleshooting the ASA 5500-X IPS SSP
Tip: Before troubleshooting the ASA 5500-X IPS SSP, check the Caveats section of the Readme for the
software version installed on your sensor to see if you are dealing with a known issue.