Introduction
This document describes what "Intrusion Prevention System (IPS) Security Services Processor (SSP) application reloading IPS" means in Cisco Adaptive Security Appliance (ASA) syslog messages.
What does the IPS message "IPS SSP application reloading IPS" mean?
These syslog messages appear on the ASA:
ASA5585-SSP-IPS20 Module in slot 1, application up "IPS", version "7.1(1)E4" Normal Operation
ASA5585-SSP-IPS20 Module in slot 1, application reloading "IPS", version "7.1(1)E4" Config Change
The ASA does not fail over, and the IPS does not show "failed".
These messages are generated during some of the Global Correlation (GC) updates that are attempted every five minutes. They are also generated during an IPS signature update and are expected behavior.
A GC check occurs every five minutes, but an update is not always available. This is why the message can appear every hour or so during normal operation rather than on every check. When a GC update actually takes place or a signature update starts, the IPS sends a message to the ASA that indicates that a configuration change is underway.
May 22 2013 03:20:16: %ASA-1-505013: Module ASA-SSM-10 in slot 1 application reloading "IPS" version "7.1(7)E4" Config Change
The application does not actually reload as an ASA would if the reload command were issued. The IPS adjusts the Analysis Engine and notifies the ASA of the change. This operation can occur at the same time that the IPS goes into bypass mode while it processes the updates. Again, this is normal operation, and there is no functional impact to the IPS or the ASA performance.
When the ASA receives this message, it does not fail over immediately. During this time the ASA follows the fail-close or fail-open configuration. If fail-close is configured, the ASA drops all packets sent to the IPS until either the sensor sends a message saying it is ready again for monitoring, or the timeout is reached (at which point the ASA will be marked as failed).
May 22 2013 03:20:16: %ASA-3-420001: IPS card not up and fail-close mode used dropping TCP packet from Outside:213.248.117.16/80 to INSIDE:193.128.137.2/40860
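The following is an added example, not Cisco code, showing one way to triage these messages in collected ASA syslog: it pairs each "application reloading" event with the next "application up" event, counts the fail-close drops in between, and flags reloads that are not a "Config Change" or that never recover. The function name triage_reloads, the 120-second threshold, and the sample log lines (which use documentation addresses) are assumptions constructed for this example.

```python
import re
from datetime import datetime

# Constructed sample log, modelled on the message formats quoted on this page.
# The "application up" line carries no message ID because the page does not give one.
SAMPLE_LOG = """\
May 22 2013 03:20:16: %ASA-1-505013: Module ASA-SSM-10 in slot 1 application reloading "IPS" version "7.1(7)E4" Config Change
May 22 2013 03:20:16: %ASA-3-420001: IPS card not up and fail-close mode used dropping TCP packet from Outside:192.0.2.10/80 to INSIDE:198.51.100.2/40860
May 22 2013 03:20:19: %ASA-3-420001: IPS card not up and fail-close mode used dropping TCP packet from Outside:192.0.2.11/443 to INSIDE:198.51.100.3/40861
May 22 2013 03:20:41: Module ASA-SSM-10 in slot 1 application up "IPS" version "7.1(7)E4" Normal Operation
May 22 2013 09:02:00: %ASA-1-505013: Module ASA-SSM-10 in slot 1 application reloading "IPS" version "7.1(7)E4" Config Change
May 22 2013 09:02:01: %ASA-3-420001: IPS card not up and fail-close mode used dropping TCP packet from Outside:192.0.2.12/80 to INSIDE:198.51.100.2/40900
"""

TS = r'(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): '
STATE = re.compile(TS + r'.*application (?P<state>up|reloading),? "IPS",? version "[^"]*"\s*(?P<reason>.*)$')
DROP = re.compile(TS + r'%ASA-3-420001: .*fail-close mode used dropping')

def _ts(text):
    return datetime.strptime(text, "%b %d %Y %H:%M:%S")

def triage_reloads(log_text, max_recovery_s=120):
    """Pair each 'application reloading' event with the next 'application up'.
    max_recovery_s is an assumed alerting threshold, not a Cisco default."""
    events, current = [], None
    for line in log_text.splitlines():
        m = STATE.match(line)
        if m and m["state"] == "reloading":
            current = {"start": _ts(m["ts"]), "reason": m["reason"].strip(),
                       "drops": 0, "recovery_s": None}
            events.append(current)
        elif m and current:  # 'application up' closes the open reload window
            current["recovery_s"] = (_ts(m["ts"]) - current["start"]).total_seconds()
            current = None
        elif current and DROP.match(line):  # fail-close drop while IPS is busy
            current["drops"] += 1
    for e in events:
        ok = (e["reason"] == "Config Change" and e["recovery_s"] is not None
              and e["recovery_s"] <= max_recovery_s)
        e["verdict"] = "expected" if ok else "investigate"
    return events

if __name__ == "__main__":
    for e in triage_reloads(SAMPLE_LOG):
        print(e["start"], e["reason"], e["drops"], e["recovery_s"], e["verdict"])
```

On the constructed log, the first reload recovers after 25 seconds with two dropped packets and is reported as expected; the second never sees an "application up" message and is reported for investigation.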
Cisco bug ID CSCts98806 was filed to resolve possible card/application failure due to the causes of the messages mentioned.
Cisco bug ID CSCub28854 was filed to resolve or document this issue from the IPS side.
Cisco bug ID CSCts98836 was filed to resolve the message on the ASA.
Data channel down messages might display on an ASA failover during IPS signature or GC updates. This ASA bug addresses this situation:
Cisco bug ID CSCuc32250