E-75
Cisco Intrusion Prevention System Appliance Hardware Installation Guide for IPS 7.1
OL-24002-01
Appendix E Troubleshooting
Troubleshooting the ASA 5585-X IPS SSP
Slot-1 152> CONFIG=
Slot-1 153> LINKTIMEOUT=20
Slot-1 154> PKTTIMEOUT=4
Slot-1 155> RETRY=20
Slot-1 157> TFTP failure: Packet verify failed after 20 retries
Slot-1 158> Rebooting due to Autoboot error ...
Slot-1 159> Rebooting....
Slot-1 160> Cisco Systems ROMMON Version (1.0(10)0) #0: Fri Mar 25 23:02:10 PST 2010
Slot-1 161> Platform ASA5585-SSP-IPS20
Slot-1 162> GigabitEthernet0/0
Slot-1 163> Link is UP
Slot-1 164> MAC Address: 000b.fcf8.0176
Slot-1 165> ROMMON Variable Settings:
Slot-1 166> ADDRESS=192.0.2.3
Slot-1 167> SERVER=192.0.2.15
Slot-1 168> GATEWAY=192.0.2.254
Slot-1 169> PORT=GigabitEthernet0/0
Slot-1 170> VLAN=untagged
Slot-1 171> IMAGE=IPS-SSP_10-K9-sys-1.1-a-7.1-0.1.img
Slot-1 172> CONFIG=
Slot-1 173> LINKTIMEOUT=20
Slot-1 174> PKTTIMEOUT=4
Slot-1 175> RETRY=20
The ASA 5585-X IPS SSP and the Normalizer Engine
The majority of the features in the Normalizer engine are not used on the ASA 5585-X IPS SSP, because
the ASA itself handles the normalization. Packets on the ASA IPS modules go through a special path in
the Normalizer that only reassembles fragments and puts packets in the right order for the TCP stream.
The Normalizer does not do any of the normalization that is done on an inline IPS appliance, because
that causes problems in the way the ASA handles the packets.
The following Normalizer engine signatures are not supported:
• 1300.0
• 1304.0
• 1305.0
• 1307.0
• 1308.0
• 1309.0
• 1311.0
• 1315.0
• 1316.0
• 1317.0
• 1330.0
• 1330.1
• 1330.2
• 1330.9
• 1330.10
Comments to this Manuals