Image Ips
This chapter describes how to upgrade, downgrade, and install system images. It contains the following
sections:
• Upgrades, Downgrades, and System Images
• Supported FTP and HTTP/HTTPS Servers
• Upgrading the Sensor
• Configuring Automatic Upgrades
• Downgrading the Sensor
• Recovering the Application Partition
• Installing System Images
You can upgrade and downgrade the software on the sensor. Upgrading applies a service pack, signature
update, signature engine update, minor version, major version, or recovery partition file. Downgrading
removes the last applied service pack or signature update from the sensor.
Caution You cannot use the downgrade command to revert to a previous major or minor version, for example,
from Cisco IPS 7.0 to 6.2. You can only use the downgrade command to downgrade from the latest
signature update or signature engine update. To revert to 6.2, you must reimage the sensor.
You can recover the application partition image on your sensor if it becomes unusable. Using the recover
command lets you retain your host settings while other settings revert to the factory defaults.
To install a new system image on the sensor, use ROMMON, the bootloader file, or the maintenance
partition depending on which platform you have. When you install a new system image on your sensor,
all accounts are removed and the default cisco account is reset to use the default password cisco. After
installing the system image, you must initialize the sensor again.
Cisco Intrusion Prevention System Device Manager Configuration Guide for IPS 7.0
OL-18488-01 21-1
Chapter 21 Upgrading, Downgrading, and Installing System Images
Supported FTP and HTTP/HTTPS Servers
After you reimage and initialize your sensor, upgrade your sensor with the most recent service pack,
signature update, signature engine update, minor update, major update, and recovery partition file.
Upgrading the Sensor
– scp:—Source URL for the SCP network server. The syntax for this prefix is:
scp://[[username@]location][/relativeDirectory]/filename
scp://[[username@]location][//absoluteDirectory]/filename
Note You are prompted for a password. You must add the remote host to the SSH known hosts
list.
– http:—Source URL for the web server. The syntax for this prefix is:
http://[[username@]location][/directory]/filename
Note The directory specification should be an absolute path to the desired file.
– https:—Source URL for the web server. The syntax for this prefix is:
https://[[username@]location][/directory]/filename
Note The directory specification should be an absolute path to the desired file. The remote
host must be a TLS trusted host.
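The prefix syntax above can be checked before a URL is typed into the upgrade command. The following Python code is an added example, not part of the Cisco guide: it splits a URL into the fields of that syntax, tells a relative directory (single slash) from an absolute one (double slash), and lists the prerequisite each prefix carries. The names parse_upgrade_url and UpgradeUrl are hypothetical, and ftp is assumed to follow the same slash convention as scp, as the FTP example on this page suggests.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# prefix -> (encrypted transport?, prerequisite taken from the notes above)
SCHEMES = {
    "ftp": (False, None),
    "scp": (True, "add the server to the SSH known hosts list"),
    "http": (False, None),
    "https": (True, "make the server a TLS trusted host"),
}

URL_RE = re.compile(
    r"^(?P<scheme>[A-Za-z]+)://"
    r"(?:(?P<user>[^@/]+)@)?"
    r"(?P<location>[^@/]+)"
    r"(?P<path>/.*)$"
)


@dataclass
class UpgradeUrl:
    scheme: str
    username: Optional[str]
    location: str
    directory_kind: str  # "relative" or "absolute"
    directory: str
    filename: str
    findings: List[str] = field(default_factory=list)


def parse_upgrade_url(url: str) -> UpgradeUrl:
    """Parse prefix://[[username@]location][/directory]/filename (hypothetical helper)."""
    m = URL_RE.match(url.strip())
    if m is None:
        raise ValueError(f"not in prefix://[[username@]location]/.../filename form: {url!r}")
    scheme = m["scheme"].lower()
    if scheme not in SCHEMES:
        raise ValueError(f"unsupported prefix {scheme!r}")
    path = m["path"]
    directory, _, filename = path.rpartition("/")
    if not filename:
        raise ValueError("URL must end in a filename")

    if scheme in ("http", "https"):
        # The notes above say the web-server directory is an absolute path.
        kind, directory = "absolute", directory or "/"
    elif path.startswith("//"):
        # Double slash after the location: absolute directory on the server.
        kind, directory = "absolute", directory[1:] or "/"
    else:
        # Single slash: directory relative to the login directory.
        kind, directory = "relative", directory.lstrip("/")

    findings = []
    user = m["user"]
    if user and ":" in user:
        user = user.split(":", 1)[0]
        findings.append("password embedded in URL; the syntax above has no password field")
    encrypted, prerequisite = SCHEMES[scheme]
    if not encrypted:
        findings.append(f"{scheme} is cleartext: any login and the image can be read or altered in transit")
    if prerequisite:
        findings.append(f"prerequisite: {prerequisite}")
    return UpgradeUrl(scheme, user, m["location"], kind, directory, filename, findings)


if __name__ == "__main__":
    # Constructed sample URLs; addresses and directories are placeholders.
    for sample in (
        "scp://admin@10.0.0.5//srv/ips/IPS-K9-7.0-1-E3.pkg",
        "scp://admin@10.0.0.5/updates/IPS-K9-7.0-1-E3.pkg",
        "ftp://username@ip_address//directory/IPS-K9-7.0-1-E3.pkg",
        "https://10.0.0.5/ips/IPS-K9-7.0-1-E3.pkg",
    ):
        print(parse_upgrade_url(sample))
```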
Caution When you upgrade the AIM IPS or the NME IPS using manual upgrade, you must disable heartbeat reset
on the router before installing the upgrade. You can reenable heartbeat reset after you complete the
upgrade. If you do not disable heartbeat reset, the upgrade can fail and leave the AIM IPS or the
NME IPS in an unknown state, which can require a system reimage to recover.
Caution You must log in to Cisco.com using an account with cryptographic privileges to download software. The
first time you download software on Cisco.com, you receive instructions for setting up an account with
cryptographic privileges.
Caution Do not change the filename. You must preserve the original filename for the sensor to accept the update.
Step 1 Download the appropriate file to an FTP, SCP, HTTP, or HTTPS server that is accessible from your
sensor.
Step 2 Log in to the CLI using an account with administrator privileges.
Step 3 Enter configuration mode.
sensor# configure terminal
The URL points to where the update file is located. For example, to retrieve the update using FTP, enter
the following:
sensor(config)# upgrade ftp://username@ip_address//directory/IPS-K9-7.0-1-E3.pkg
Note Major updates, minor updates, and service packs may force a restart of the IPS processes or even
force a reboot of the sensor to complete installation.
Note The operating system is reimaged and all files that have been placed on the sensor through the
service account are removed.
Note Recovery partition images are generated for major and minor updates and only in rare situations for
service packs or signature updates.
Note The AIM IPS and the NME IPS have unique recovery images that you must use to upgrade the recovery
partition:
AIM IPS—IPS-AIM-K9-r-1.1-a-7.0-1-E3.pkg
NME IPS—IPS-NME-K9-r-1.1-a-7.0-1-E3.pkg
Use the upgrade command to upgrade the recovery partition with the most recent version so that it is
ready if you need to recover the application partition on your sensor.
To upgrade the recovery partition on your sensor, follow these steps:
Step 1 Download the recovery partition image file to an FTP, SCP, HTTP, or HTTPS server that is accessible
from your sensor.
Caution Some browsers add an extension to the filename. The filename of the saved file must match what is
displayed on the download page or you cannot use it to upgrade the recovery partition.
sensor(config)# upgrade ftp://user@server_ipaddress//upgrade_path/IPS-K9-r-1.1-a-7.0-1-E3.pkg
Note This procedure only reimages the recovery partition. The application partition is not modified
by this upgrade. To reimage the application partition after the recovery partition, use the recover
application-partition command.
• For a list of supported FTP and HTTP/HTTPS servers, see Supported FTP and HTTP/HTTPS
Servers, page 21-2.
• For the procedure for locating software on Cisco.com, see Obtaining Cisco IPS Software, page 20-1.
• For the procedure for using the recover command, see Using the recover Command, page 21-11.
Automatic Upgrades
Caution In IPS 7.0(8)E4 the default value of the Cisco server IP address has been changed from 198.133.219.25
to 72.163.4.161 in the Auto Update URL configuration. If you have automatic update configured on your
sensor, you may need to update firewall rules to allow the sensor to connect to this new IP address.
You can configure the sensor to look for new upgrade files in your upgrade directory automatically. For
example, several sensors can point to the same remote FTP server directory with different update
schedules, such as every 24 hours, or Monday, Wednesday, and Friday at 11:00 pm. You must download
the software upgrade from Cisco.com and copy it to the upgrade directory before the sensor can poll for
automatic upgrades. Or you can configure your sensor to automatically download updates from
Cisco.com.
You specify the following information to schedule automatic upgrades:
• Server IP address
• Path of the directory on the file server where the sensor checks for upgrade files
• File copy protocol (SCP or FTP)
• Username and password
• Upgrade schedule
Note If you use SCP, you must use the ssh host-key command to add the server to the SSH known
hosts list so the sensor can communicate with it through SSH.
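The filename cautions earlier on this page and the upgrade directory described above both depend on what is actually sitting on the file server, because the sensor polls that directory on its own schedule. The following Python code is an added example, not part of the Cisco guide: it audits an upgrade directory against a manifest of original filenames and checksums, flagging files with an appended extension, altered contents, or no manifest entry. The manifest format, the function names, and the use of SHA-512 are assumptions; use whichever checksum the download page publishes for each file.

```python
import hashlib
import hmac
import os
import tempfile


def sha512_of(path):
    """Hash a file in 1 MiB chunks so large images do not have to fit in memory."""
    digest = hashlib.sha512()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_upgrade_directory(directory, manifest):
    """Compare a directory with {original filename: expected SHA-512 hex}.

    Returns {name: status}; status is ok, checksum-mismatch, unexpected,
    missing, extension-added:<original> or renamed:<original>.
    """
    expected = {name: value.strip().lower() for name, value in manifest.items()}
    report = {}
    for entry in sorted(os.listdir(directory)):
        path = os.path.join(directory, entry)
        if not os.path.isfile(path):
            continue
        actual = sha512_of(path)
        if entry in expected:
            same = hmac.compare_digest(actual, expected[entry])
            report[entry] = "ok" if same else "checksum-mismatch"
            continue
        # Name not in the manifest: see whether the content is a known package
        # saved under a different name, which the sensor will not accept.
        original = next(
            (name for name, value in expected.items() if hmac.compare_digest(actual, value)),
            None,
        )
        if original is None:
            report[entry] = "unexpected"
        elif entry.startswith(original + "."):
            report[entry] = f"extension-added:{original}"
        else:
            report[entry] = f"renamed:{original}"
    for name in expected:
        report.setdefault(name, "missing")
    return report


def demo():
    """Build a constructed directory and audit it.

    File contents are constructed stand-ins; the filenames are ones shown on
    this page. In real use the manifest checksums come from the download page.
    """
    service_pack = b"constructed sample: service pack bytes"
    recovery = b"constructed sample: recovery image bytes"
    aim = b"constructed sample: AIM recovery image bytes"
    manifest = {
        "IPS-K9-7.0-1-E3.pkg": hashlib.sha512(service_pack).hexdigest(),
        "IPS-K9-r-1.1-a-7.0-1-E3.pkg": hashlib.sha512(recovery).hexdigest(),
        "IPS-AIM-K9-r-1.1-a-7.0-1-E3.pkg": hashlib.sha512(aim).hexdigest(),
    }
    on_disk = {
        "IPS-K9-7.0-1-E3.pkg": service_pack,             # intact
        "IPS-K9-r-1.1-a-7.0-1-E3.pkg.zip": recovery,     # browser appended an extension
        "IPS-AIM-K9-r-1.1-a-7.0-1-E3.pkg": b"altered",   # content differs from manifest
        "leftover.tmp": b"not from the manifest",        # stray file in a polled directory
    }
    with tempfile.TemporaryDirectory() as directory:
        for name, content in on_disk.items():
            with open(os.path.join(directory, name), "wb") as handle:
                handle.write(content)
        return audit_upgrade_directory(directory, manifest)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:55} {name}")
```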
Note If you get an unauthorized error message while configuring an automatic update, make sure you have the
correct ports open on any firewalls between the sensor and Cisco.com. For example, you need
198.133.219.25 port 443 for the initial automatic update connection to www.cisco.com, and you need
198.133.219.243 port 80 to download the chosen package from a Cisco file server. The IP address may
change for the Cisco file server, but you can find it in the lastDownloadAttempt section in the output of
the show statistics host command.
Note To check the status of the last automatic update or the next scheduled automatic update, run the show
statistics host command and check the Auto Update Statistics section.
Step 3 Configure the sensor to automatically look for new upgrades either on Cisco.com or on your file server.
a. On Cisco.com. Continue with Step 4.
sensor(config-hos-aut)# cisco-server enabled
d. Specify the directory where the upgrade files are located on the file server.
sensor(config-hos-ena)# directory /tftpboot/sensor_updates
Note If you use SCP, you must use the ssh host-key command to add the server to the SSH known
hosts list so the sensor can communicate with it through SSH.
Downgrading the Sensor
Use the downgrade command to remove the last applied signature upgrade or signature engine upgrade
from the sensor.
To remove the last applied signature update or signature engine update from the sensor, follow these
steps:
Step 3 If there is no recently applied service pack or signature update, the downgrade command is not
available.
sensor(config)# downgrade
No downgrade available.
sensor(config)#
Application Partition
You can recover the application partition image for the sensor if it becomes unusable. Some network
configuration information is retained when you use this method, which lets you have network access
after the recovery is performed.
Use the recover application-partition command to boot to the recovery partition, which automatically
recovers the application partition on your sensor. Because you can execute the recover
application-partition command through a Telnet or SSH connection, we recommend using this
command to recover sensors that are installed at remote locations.
Note If you have upgraded your recovery partition to the most recent version before you recover the
application partition image, you can install the most up-to-date software image.
Note When you reconnect to the sensor after recovery, you must log in with the default username and
password cisco.
Step 1 Download the recovery partition image file to an FTP, HTTP, or HTTPS server that is accessible from
your sensor.
Step 2 Log in to the CLI using an account with administrator privileges.
Step 3 Enter configuration mode.
sensor# configure terminal
Note To upgrade the recovery partition the sensor must already be running IPS 7.0(1).
Installing System Images
Caution All user configuration settings are lost when you install the system image. Before trying to recover the
sensor by installing the system image, try to recover by using the recover application-partition
command or by selecting the recovery partition during sensor bootup.
Understanding ROMMON
Some Cisco sensors include a preboot CLI called ROMMON, which lets you boot images on sensors
where the image on the primary device is missing, corrupt, or otherwise unable to boot the normal
application. ROMMON is particularly useful for recovering remote sensors as long as the serial console
port is available.
Access to ROMMON is available only through the serial console port, a Cisco-standard asynchronous
RS-232C DTE available in an RJ-45F connector on the sensor chassis. The serial port is configured for
9600 baud, 8 data bits, 1 stop bit, no parity, and no flow control.
TFTP Servers
ROMMON uses TFTP to download an image and launch it. TFTP does not address network issues such
as latency or error recovery. It does implement a limited packet integrity check so that packets arriving
in sequence with the correct integrity value have an extremely low probability of error. But TFTP does
not offer pipelining so the total transfer time is equal to the number of packets to be transferred times
the network average RTT. Because of this limitation, we recommend that the TFTP server be located on
the same LAN segment as the sensor. Any network with an RTT less than 100 milliseconds should
provide reliable delivery of the image. Be aware that some TFTP servers limit the maximum file size that
can be transferred to ~32 MB.
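The lock-step behaviour described above, and the origin of the ~32 MB ceiling, can be reproduced with a short simulation. The following Python code is an added example, not part of the Cisco guide: it builds the DATA and ACK headers of RFC 1350, sends one block per round trip, and shows what happens when the 16-bit block number runs out. The default 512-byte block size is assumed, the image sizes are constructed except for the 60 MB figure, which is the size this chapter asks the AIM IPS TFTP server to support, and the two server behaviours (stop at block 65535, or wrap the counter to 0) are assumptions rather than statements about any particular product.

```python
import struct

OP_DATA, OP_ACK = 3, 4   # RFC 1350 opcodes
BLOCK_SIZE = 512         # DATA payload when no block-size option is negotiated
MAX_BLOCK = 0xFFFF       # block numbers are 16-bit


def simulate_transfer(image_bytes, rtt_ms, allow_rollover=False):
    """Simulate a lock-step TFTP download (hypothetical helper).

    Each DATA packet must be acknowledged before the next is sent, so every
    packet costs one round trip. Returns completion state, bytes delivered,
    round trips and the resulting transfer time in seconds.
    """
    sent = round_trips = block = 0
    completed = False
    while not completed:
        block += 1
        if block > MAX_BLOCK:
            if not allow_rollover:
                break            # server refuses to go past block 65535
            block = 0            # server wraps the counter (assumed behaviour)
        payload = bytes(min(BLOCK_SIZE, image_bytes - sent))

        # Server -> client: 2-byte opcode, 2-byte block number, payload.
        data = struct.pack("!HH", OP_DATA, block) + payload
        # Client parses the header and acknowledges that block number.
        opcode, received_block = struct.unpack("!HH", data[:4])
        if opcode != OP_DATA:
            raise RuntimeError("unexpected opcode")
        ack = struct.pack("!HH", OP_ACK, received_block)
        if struct.unpack("!HH", ack) != (OP_ACK, block):
            raise RuntimeError("ACK does not match the block just sent")

        sent += len(payload)
        round_trips += 1
        # A payload shorter than the block size (possibly empty) ends the transfer.
        completed = len(payload) < BLOCK_SIZE
    return {
        "completed": completed,
        "bytes_sent": sent,
        "round_trips": round_trips,
        "seconds": round_trips * rtt_ms / 1000,
    }


if __name__ == "__main__":
    mib = 1024 * 1024
    cases = [
        ("28 MiB, 1 ms RTT (same LAN segment)", 28 * mib, 1, False),
        ("28 MiB, 100 ms RTT", 28 * mib, 100, False),
        ("60 MiB, 1 ms RTT, server stops at block 65535", 60 * mib, 1, False),
        ("60 MiB, 1 ms RTT, server wraps block numbers", 60 * mib, 1, True),
    ]
    for label, size, rtt, wrap in cases:
        print(label, simulate_transfer(size, rtt, wrap))
```

Without a wrap the transfer stops at 65535 blocks of 512 bytes, which is the ~32 MB limit; a larger image needs a server that wraps block numbers or negotiates a larger block size.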
Step 3 Be sure to properly close a terminal session to avoid unauthorized access to the appliance.
If a terminal session is not stopped properly, that is, if it does not receive an exit(0) signal from the
application that initiated the session, the terminal session can remain open. When terminal sessions are
not stopped properly, authentication is not performed on the next session that is opened on the serial port.
Caution Always exit your session and return to a login prompt before terminating the application used to establish
the connection.
Caution If a connection is dropped or terminated by accident, you should reestablish the connection and exit
normally to prevent unauthorized access to the appliance.
Note This procedure is for the IPS 4240, but is also applicable to the IPS 4255. The system image for the
IPS 4255 has “4255” in the filename.
You can install the IPS 4240 and IPS 4255 system image by using the ROMMON on the appliance to
TFTP the system image onto the compact flash device.
To install the IPS 4240 and IPS 4255 system image, follow these steps:
Step 1 Download the IPS 4240 system image file to the tftp root directory of a TFTP server that is accessible
from your IPS 4240.
Note Make sure you can access the TFTP server location from the network connected to the Ethernet
port of your IPS 4240.
CISCO SYSTEMS
Embedded BIOS Version 1.0(5)0 09/14/04 12:23:35.90
Cisco Systems ROMMON Version (1.0(5)0) #1: Tue Sep 14 12:20:30 PDT 2004
Step 3 Press Break or Esc at the following prompt while the system is booting to interrupt boot. Press the
spacebar to begin boot immediately.
Note Not all values are required to establish network connectivity. The address, server, gateway, and
image values are required. If you are not sure of the settings needed for your local environment,
contact your system administrator.
Step 5 If necessary, change the interface used for the TFTP download.
Note The default interface used for TFTP downloads is Management0/0, which corresponds to the
MGMT interface of the IPS 4240.
rommon> PORT=interface_name
Step 6 If necessary, assign an IP address for the local port on the IPS 4240.
rommon> ADDRESS=ip_address
Note Use the same IP address that is assigned to the IPS 4240.
Step 9 Verify that you have access to the TFTP server by pinging it from your local Ethernet port with one of
the following commands.
rommon> ping server_ip_address
rommon> ping server
Step 10 If necessary, define the path and filename on the TFTP file server from which you are downloading the
image.
rommon> IMAGE=path/file_name
Caution Make sure that you enter the IMAGE command in all uppercase. You can enter the other ROMMON
commands in either lower case or upper case, but the IMAGE command specifically must be all
uppercase.
UNIX Example
rommon> IMAGE=/system_images/IPS-4240-K9-sys-1.1-a-7.0-1-E3.img
Note The path is relative to the default tftpboot directory of the UNIX TFTP server. Images located
in the default tftpboot directory do not have any directory names or slashes in the IMAGE
specification.
Windows Example
rommon> IMAGE=\system_images\IPS-4240-K9-sys-1.1-a-7.0-1-E3.img
Step 11 Enter set and press Enter to verify the network settings.
Note You can use the sync command to store these settings in NVRAM so they are maintained across
boots. Otherwise, you must enter this information each time you want to boot an image from
ROMMON.
Caution To avoid corrupting the system image, do not remove power from the IPS 4240 while the system image
is being installed.
Note If the network settings are correct, the system downloads and boots the specified image on the
IPS 4240. Be sure to use the IPS 4240 image.
Step 1 Download the IPS 4260 system image file to the tftp root directory of a TFTP server that is accessible
from your IPS 4260. Make sure you can access the TFTP server location from the network connected to
your IPS 4260 Ethernet port.
Step 2 Boot the IPS 4260.
Step 3 Press Ctrl-R at the following prompt while the system is booting.
Evaluating Run Options...
Cisco Systems ROMMON Version (1.0(11)1c) #26: Mon Mar 13 18:05:54 CST 2006
Step 4 If necessary, change the port used for the TFTP download.
rommon #1> interface name
The port in use is listed just after the platform identification. In the example, port Management0/0 is
being used.
Note The default port used for TFTP downloads is Management0/0, which corresponds with the
command and control (MGMT) interface of the IPS 4260.
Note Ports Management0/0 (MGMT) and GigabitEthernet0/1 (GE 0/1) are labeled on the back of the
chassis.
Step 5 Specify an IP address for the local port on the IPS 4260.
rommon> address ip_address
Note Use the same IP address that is assigned to the IPS 4260.
Step 8 Verify that you have access to the TFTP server by pinging it from the local Ethernet port.
rommon> ping server_ip_address
rommon> ping server
Step 9 Specify the path and filename on the TFTP file server from which you are downloading the image.
rommon> file path/filename
UNIX Example
rommon> file /system_images/IPS-4260-K9-sys-1.1-a-7.0-1-E3.img
Note The path is relative to the default tftpboot directory of the UNIX TFTP server. Images located
in the default tftpboot directory do not have any directory names or slashes in the file location.
Windows Example
rommon> file <tftpboot_directory>IPS-4260-K9-sys-1.1-a-7.0-1-E3.img
Note The IPS 4260 reboots once during the reimaging process. Do not remove power from the IPS
4260 during the update process or the upgrade can become corrupted.
Step 1 Download the IPS 4270-20 system image file to the tftp root directory of a TFTP server that is accessible
from your IPS 4270-20.
Note Make sure you can access the TFTP server location from the network connected to the Ethernet
port of your IPS 4270-20.
Note The controller type errors are a known issue and can be disregarded.
Step 3 Press Break or Esc at the following prompt while the system is booting to interrupt boot. Press the
spacebar to begin boot immediately.
LINKTIMEOUT=20
PKTTIMEOUT=2
RETRY=20
Note Not all values are required to establish network connectivity. The address, server, gateway, and
image values are required. If you are not sure of the settings needed for your local environment,
contact your system administrator.
Step 5 If necessary, assign an IP address for the local port on the IPS 4270-20.
rommon> ADDRESS=ip_address
Note Use the same IP address that is assigned to the IPS 4270-20.
Step 8 Verify that you have access to the TFTP server by pinging it from your local Ethernet port with one of
the following commands:
rommon> ping server_ip_address
rommon> ping server
Step 9 If necessary, define the path and filename on the TFTP file server from which you are downloading the
image.
rommon> IMAGE=path/file_name
UNIX Example
rommon> IMAGE=/system_images/IPS-4270_20-K9-sys-1.1-a-7.0-1-E3.img
Note The path is relative to the UNIX TFTP server default tftpboot directory. Images located in the
default tftpboot directory do not have any directory names or slashes in the IMAGE
specification.
Windows Example
rommon> IMAGE=\system_images\IPS-4270_20-K9-sys-1.1-a-7.0-1-E3.img
Step 10 Enter set and press Enter to verify the network settings.
Note You can use the sync command to store these settings in NVRAM so they are maintained across
boots. Otherwise, you must enter this information each time you want to boot an image from
ROMMON.
Caution To avoid corrupting the system image, do not remove power from the IPS 4270-20 while the system
image is being installed.
Note If the network settings are correct, the system downloads and boots the specified image on the
IPS 4270-20. Be sure to use the IPS 4270-20 image.
Step 1 Download the AIM IPS system image file, and place it on a TFTP server relative to the tftp root
directory.
Note Make sure the network is configured so that the AIM IPS can access the TFTP server.
If no TFTP server is available, you can configure the router to operate as a TFTP server.
router# copy tftp: flash:
router# configure terminal
router(config)# tftp-server flash:IPS-AIM-K9-sys-1.1-7.0-1-E3.img
router(config)# exit
router#
Note Disabling the heartbeat reset prevents the router from resetting the module during system image
installation if the process takes too long.
Note Use the show configuration | include interface IDS-Sensor command to determine the
AIM IPS slot number.
Step 4 Suspend the session by pressing Shift-Ctrl-6 X. You should see the router# prompt. If you do not see
this prompt, try Ctrl-6 X.
Step 5 Reset the AIM IPS.
router# service-module IDS-Sensor 0/slot_number reset
Step 8 Enter *** during the 15-second delay. The bootloader prompt appears.
Step 9 Press Enter to session back to the AIM IPS.
Step 10 Configure the bootloader.
ServicesEngine bootloader> config
IP Address [10.89.148.188]>
Subnet mask [255.255.255.0]>
TFTP server [10.89.150.74]>
Gateway [10.89.148.254]>
Default boot [disk]>
Number cores [2]>
ServicesEngine boot-loader >
For each prompt, enter a value or accept the previously stored input that appears inside square brackets
by pressing Enter.
Note The gateway IP address must match the IP address of the IDS-Sensor slot/port interface.
Note If you set up the module interfaces using the unnumbered command, the gateway IP address
should be the IP address of the other router interface being used as part of the unnumbered
command.
Caution The pathname for the AIM IPS image is full but relative to the tftp server root directory (typically
/tftpboot).
Step 12 Follow the bootloader instructions to install the software (choose option 1 and follow the wizard
instructions).
Note In the following example, the AIM IPS IP address is 10.1.9.201. The imaging process accesses
the AIM IPS image from the router TFTP server at IP address 10.1.9.1.
Example
Booting from flash...please wait.
Please enter '***' to change boot configuration:
11 ***
ServicesEngine boot-loader Version : 1.1.0
ServicesEngine boot-loader > config
IP Address [10.1.9.201]>
Subnet mask [255.255.255.0]>
TFTP server [10.1.9.1]>
Gateway [10.1.9.1]>
Default boot [disk]>
Number cores [2]>
ServicesEngine boot-loader > upgrade
#################################################################
#######################
done
Step 13 Suspend the session by pressing Shift-Ctrl-6 X. You should see the router# prompt. If you do not see
this prompt, try Ctrl-6 X.
Step 14 From the router CLI, clear the session.
router# service-module interface ids-sensor 0/slot_number session clear
Note Be sure the TFTP server that you specify can transfer files up to 60 MB in size.
Note This process can take approximately 15 minutes to complete, depending on your network and the size
of the image.
If the AIP SSM suffers a failure and the module application image cannot run, you can transfer
application images from a TFTP server to the module using the adaptive security appliance CLI. The
adaptive security appliance can communicate with the module ROMMON application to transfer the
image.
To install the AIP SSM system image, follow these steps:
Note If you make an error in the recovery configuration, use the hw-module module 1 recover stop
command to stop the system reimaging and then you can correct the configuration.
Example
Image URL [tftp://0.0.0.0/]: tftp://10.89.146.1/IPS-SSM-K9-sys-1.1-a-7.0-1-E3.img
Step 5 Specify the command and control interface of the AIP SSM.
Note The port IP address is the management IP address of the AIP SSM.
Example
Port IP Address [0.0.0.0]: 10.89.149.231
Example
Gateway IP Address [0.0.0.0]: 10.89.149.254
This transfers the image from the TFTP server to the AIP SSM and restarts it.
Note The status reads Recovery during recovery and reads Up when reimaging is complete.
Mod Status
--- ------------------
0 Up Sys
1 Up
asa#
Note The Status field in the output indicates the operational status of the AIP SSM. An AIP SSM
operating normally shows a status of “Up.” While the adaptive security appliance transfers an
application image to the AIP SSM, the Status field in the output reads “Recover.” When the
adaptive security appliance completes the image transfer and restarts the AIP SSM, the newly
transferred image is running.
Note To debug any errors that may happen in the recovery process, use the debug module-boot
command to enable debugging of the system reimaging process.
Step 10 Session to the AIP SSM and initialize it with the setup command.
Step 1 Download the IDSM2 system image file to the FTP root directory of an FTP server that is accessible
from your IDSM2.
Step 2 Log in to the switch CLI.
Step 3 Boot the IDSM2 to the maintenance partition.
console> (enable) reset module_number cf:1
Step 6 Specify the FTP server password. After the application partition file has been downloaded, you are asked
if you want to proceed:
Upgrading will wipe out the contents on the hard disk. Do you want to proceed installing
it [y|n]:
Step 7 Enter y to continue. When the application partition file has been installed, you are returned to the
maintenance partition CLI.
Step 8 Exit the maintenance partition CLI and return to the switch CLI.
Step 9 Reboot the IDSM2 to the application partition.
console> (enable) reset module_number hdd:1
Step 10 When the IDSM2 has rebooted, check the software version.
Step 11 Log in to the application partition CLI and initialize the IDSM2 using the setup command.
Step 1 Download the IDSM2 system image file to the FTP root directory of an FTP server that is accessible
from your IDSM2.
Step 2 Log in to the switch CLI.
Step 3 Boot the IDSM2 to the maintenance partition.
router# hw-module module module_number reset cf:1
Note Choose an address that is appropriate for the VLAN on which the IDSM2 management interface
is located based on the switch configuration.
Step 10 Enter y to continue. When the application partition file has been installed, you are returned to the
maintenance partition CLI.
Step 11 Exit the maintenance partition CLI and return to the switch CLI.
Step 12 Reboot the IDSM2 to the application partition.
router# hw-module module module_number reset hdd:1
Step 13 Verify that the IDSM2 is online, that the software version is correct, and that the status is ok.
router# show module module_number
Note You cannot Telnet or SSH to the IDSM2 maintenance partition. You must session to it from the
switch CLI.
Note You can change the guest password, but we do not recommend it. If you forget the maintenance
partition guest password, and you cannot log in to the IDSM2 application partition for some
reason, the IDSM2 requires an RMA.
login: guest
Password: cisco
IP address : 10.89.149.74
Subnet Mask : 255.255.255.128
IP Broadcast : 10.255.255.255
DNS Name : idsm2.localdomain
Default Gateway : 10.89.149.126
Nameserver(s) :
Step 7 Clear the IDSM2 maintenance partition host configuration (ip address, gateway, hostname).
[email protected]# clear ip
[email protected]# show ip
IP address : 0.0.0.0
IP address : 10.89.149.74
Subnet Mask : 255.255.255.128
IP Broadcast : 10.255.255.255
DNS Name : idsm2.localdomain
Default Gateway : 10.89.149.126
Nameserver(s) :
Step 11 Verify the maintenance partition version (including the BIOS version).
[email protected]# show version
ftp://[email protected]//RELEASES/Latest/7.0-1/IPS-IDSM2-K9-sys-1.1-a-7.0-1-E3.bin.gz
(unknown size)
/tmp/upgrade.gz [|] 28616K
29303086 bytes transferred in 5.34 sec (5359.02k/sec)
Upgrade file
ftp://[email protected]//RELEASES/Latest/7.0-1/IPS-IDSM2-K9-sys-1.1-a-7.0-1-E3.bin.gz
is downloaded.
Upgrading will wipe out the contents on the storage media.
Do you want to proceed installing it [y|N]:
Note You cannot specify a partition when issuing the reset command from the maintenance partition.
The IDSM2 boots to whichever partition is specified in the boot device variable. If the boot
device variable is blank, the IDSM2 boots to the application partition.
[email protected]# reset
[email protected]#
2005 Mar 11 21:55:46 CST -06:00 %SYS-4-MOD_SHUTDOWNSTART:Module 9 shutdown in progress. Do
not remove module until shutdown completes
Note You cannot Telnet or SSH to the IDSM2 maintenance partition. You must session to it from the
switch CLI.
Note You can change the guest password, but we do not recommend it. If you forget the maintenance
partition guest password, and you cannot log in to the IDSM2 application partition for some
reason, you will have to RMA the IDSM2.
login: guest
password: cisco
IP address : 10.89.149.74
Subnet Mask : 255.255.255.128
IP Broadcast : 10.255.255.255
DNS Name : idsm2.localdomain
Default Gateway : 10.89.149.126
Nameserver(s) :
Step 5 Clear the maintenance partition host configuration (IP address, gateway, hostname).
[email protected]# clear ip
[email protected]# show ip
IP address : 0.0.0.0
Subnet Mask : 0.0.0.0
IP Broadcast : 0.0.0.0
DNS Name : localhost.localdomain
Default Gateway : 0.0.0.0
Nameserver(s) :
IP address : 10.89.149.74
Subnet Mask : 255.255.255.128
IP Broadcast : 10.255.255.255
DNS Name : idsm2.localdomain
Default Gateway : 10.89.149.126
Nameserver(s) :
Step 9 Verify the maintenance partition version (including the BIOS version).
[email protected]# show version
ftp://[email protected]//RELEASES/Latest/7.0-1/IPS-IDSM2-K9-sys-1.1-a-7.0-1-E3.img
(unknown size)
/tmp/upgrade.gz [|] 28616K
Upgrade file
ftp://[email protected]//RELEASES/Latest/7.0-1/IPS-IDSM2-K9-sys-1.1-a-7.0-1-E3.img is
downloaded.
Upgrading will wipe out the contents on the storage media.
Do you want to proceed installing it [y|N]:
Note You cannot specify a partition when issuing the reset command from the maintenance partition.
The IDSM2 boots to whichever partition is specified in the boot device variable. If the boot
device variable is blank, the IDSM2 boots to the application partition.
[email protected]# reset
[email protected]#
Broadcast message from root Fri Mar 11 22:04:53 2005...
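The maintenance partition fetches the system image over FTP, so the `show ip` output from the steps above is worth checking before the upgrade command is run. The following is an added example, not part of the Cisco guide: it parses that output and reports configuration problems that would stop the download. The function names and the FTP server address 192.0.2.10 are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample in the `show ip` format printed by the maintenance partition.
SAMPLE_SHOW_IP = """\
IP address : 10.89.149.74
Subnet Mask : 255.255.255.128
IP Broadcast : 10.255.255.255
DNS Name : idsm2.localdomain
Default Gateway : 10.89.149.126
Nameserver(s) :
"""

def parse_show_ip(text):
    """Turn 'Key : value' lines into a dict; a blank value becomes ''."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def preflight(show_ip_text, ftp_server):
    """Return the problems that would stop the FTP image download (empty = ok)."""
    f = parse_show_ip(show_ip_text)
    try:
        iface = ipaddress.IPv4Interface(f"{f['IP address']}/{f['Subnet Mask']}")
        gateway = ipaddress.IPv4Address(f["Default Gateway"])
        server = ipaddress.IPv4Address(ftp_server)
    except (KeyError, ValueError) as exc:
        return [f"unparseable host configuration: {exc}"]
    if iface.ip.is_unspecified:
        return ["IP address is 0.0.0.0: host configuration is cleared or unset"]
    net, problems = iface.network, []
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address of {net}")
    if gateway.is_unspecified:
        if server not in net:
            problems.append(f"FTP server {server} is outside {net} and no gateway is set")
    elif gateway not in net:
        problems.append(f"default gateway {gateway} is not inside {net}")
    return problems

if __name__ == "__main__":
    # 192.0.2.10 is a placeholder FTP server address (documentation range).
    for problem in preflight(SAMPLE_SHOW_IP, "192.0.2.10") or ["ok"]:
        print(problem)
```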
Step 1 Download the IDSM2 maintenance partition file (c6svc-mp.2-1-2.bin.gz) to the FTP root directory of an
FTP server that is accessible from your IDSM2.
Step 2 Session to the IDSM2 from the switch.
console>(enable) session slot_number
Step 5 Upgrade the maintenance partition. You are asked whether you want to continue.
idsm2(config)# upgrade ftp://user@ftp_server_IP_address/directory_path/c6svc-mp.2-1-2.bin.gz
Step 1 Download the IDSM2 maintenance partition file (c6svc-mp.2-1-2.bin.gz) to the FTP root directory of an
FTP server that is accessible from your IDSM2.
Step 2 Log in to the switch CLI.
Step 3 Session in to the application partition CLI.
router# session slot slot_number processor 1
Note Use the show configuration | include interface ids-sensor command to determine the NME IPS slot
number.
Step 1 Download the NME IPS system image file, and place it on a TFTP server relative to the tftp root
directory.
Note Make sure the network is configured so that the NME IPS can access the TFTP server.
If no TFTP server is available, you can configure the router to operate as a TFTP server.
router# copy tftp: flash:
router# configure terminal
router(config)# tftp-server flash:IPS-NME-K9-sys-1.1-7.0-1-E3.img
router(config)# exit
router#
Note Disabling the heartbeat reset prevents the router from resetting the module during system image
installation if the process takes too long.
Step 4 Suspend the session by pressing Shift-Ctrl-6 X. You should see the router# prompt. If you do not see
this prompt, try Ctrl-6 X.
Step 5 Reset the NME IPS.
router# service-module ids-sensor 1/0 reset
Step 8 Enter *** during the 15-second delay. The bootloader prompt appears.
Step 9 Press Enter to session back to the NME IPS.
Step 10 Configure the bootloader.
ServicesEngine bootloader> config
IP Address [10.89.148.195]>
Subnet mask [255.255.255.0]>
For each prompt, enter a value or accept the previously stored input that appears inside square brackets
by pressing Enter.
Caution The pathname for the NME IPS image is full but relative to the tftp server root directory (typically
/tftpboot).
Step 12 Follow the bootloader instructions to install the software (choose option 1 and follow the wizard
instructions).
Example
Booting from flash...please wait.
Please enter '***' to change boot configuration:
12 ***
ServicesEngine boot-loader Version : 1.2.0
ServicesEngine boot-loader > config
IP Address [10.89.148.195]>
Subnet mask [255.255.255.0]>
TFTP server [10.89.150.74]>
Gateway [10.89.148.254]>
Default boot [disk]>
Number cores [2]>
ServicesEngine boot-loader > upgrade
T T T T T T T T T #################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
######
32 MB received
#################################################################
#################################################################
##################
done
Step 13 Suspend the session by pressing Shift-Ctrl-6 X. You should see the router# prompt. If you do not see
this prompt, try Ctrl-6 X.
Step 14 From the router CLI, clear the session.
router# service-module interface ids-sensor 1/0 session clear