What does the IPS message “IPS SSP application reloading IPS" mean?

Available Languages

Updated:May 30, 2016
Document ID:116099

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Introduction

This document describes what "Intrusion Prevention System (IPS) Security Services Processor (SSP) application reloading IPS" means in Cisco Adaptive Security Appliance (ASA) syslog messages.

What does the IPS message “IPS SSP application reloading IPS" mean?

These syslog messages appear on the ASA:

ASA5585-SSP-IPS20 Module in slot 1, application up "IPS", version "7.1(1)E4" 
Normal Operation


ASA5585-SSP-IPS20 Module in slot 1, application reloading "IPS", version 
"7.1(1)E4" Config Change


The ASA does not failover, and the IPS does not show "failed".  

These messages are generated during some of the Global Correlation (GC) updates that are attempted every five minutes. They are also generated during an IPS signature update and are known to be an expected behavior. 

A GC check occurs every five minutes, however, updates might not be available. This GC check is why the message can appear every hour or so during the normal operation. When a GC update actually takes place or a signature update starts, the IPS sends a message to the ASA that indicates that a configuration change is underway.

May 22 2013 03:20:16: %ASA-1-505013: Module ASA-SSM-10 in slot 1 application reloading "IPS" version "7.1(7)E4" Config Change

The application does not actually reload as an ASA would if the reload command was issued. The IPS adjusts the Analysis Engine and notifies the ASA of the change. This operation can occur at the same time that the IPS goes into bypass mode while it processes the updates. Again, this is normal operation, and there is no functional impact to the IPS or the ASA performance.

When the ASA receives this message it will not Failover immediately. During this time the ASA will follow the fail-close or fail-open configuration. If fail-close was configured, the ASA will drop all packets sent to the IPS until either the sensor sends a message saying it is ready again for monitoring, or the timeout is reached (at which point the ASA will be marked as failed).

May 22 2013 03:20:16: %ASA-3-420001: IPS card not up and fail-close mode used dropping TCP packet from Outside:213.248.117.16/80 to INSIDE:193.128.137.2/40860

Cisco bug ID CSCts98806 was filed to resolve possible card/application failure due to the causes of the messages mentioned. 

Cisco bug ID CSCub28854  was filed to resolve or document this issue from the IPS side.

Cisco bug ID CSCts98836  was filed to resolve the message on the ASA.

Data channel down messages might display on an ASA failover during IPS signature or GC updates. This ASA bug addresses this situation:

Cisco bug ID CSCuc32250



Related Information

Revision History

Revision Publish Date Comments
1.0
15-Apr-2013
Initial Release
TAC Authored

Contributed by Cisco Engineers

  • David Houck
    Cisco TAC Engineer
  • Corey Lawrence
    Cisco TAC Engineer

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products