IPS + Failover?

jt3rry · ‎02-23-2007

Hello, I'm researching the ASA platform I'm interested in Active/Active & Active/Standby configurations. I've not found any documentation (or configuration options) that would allow the IPS module to take part in the failover or loadbalance process. In other words, if I were to run two ASA's in a failover mode (either A/A or A/S) it apears each IPS module would need to be maintained separately, can anyone help me verify this?

Thanks!

vitripat · ‎02-23-2007

That is true. Currently both the SSM modules have to be maintained separately. Unlike in ASA where configuration is replicated from Active to Standby ASA, there is no such concept in SSM modules.

We need to make sure that both SSM modules have exactly same configuration. Now depending on the active ASA, SSM module in the respective ASA will be inspecting the traffic.

Hope this clears things.

Regards,

Vibhor.

gdntsoc · ‎02-28-2007

I'd like to ask a follow-up question. Suppose, I have two ASA's in HA mode (Active-Standby) each with an IDS SSM module.

Does the health of the SSM module have any affect on the HA status of the ASA's?

In other words, if the SSM module in the Active ASA fails, will there be a failover to the Standby? My guy tells me NO but I'd like to confirm with folks in the forum. Thank you.

vitripat · ‎02-28-2007

Yes. If SSM module fails, your Active PIX will also failover to the Standby PIX. When this happens, following debug message is logged if debugs are enabled-

fover_health_monitoring_thread: Primary: Switching to FAILED for reason Detect service

card failure.

Hope this helps.

Regards,

Vibhor.

jt3rry · ‎02-28-2007

I was able to so some testing today, and in "inline fail-close" mode the reset of just the IPS module (not the ASA) will initiate the failover of the whole ASA. Might be a handy for upgrades mid-day, but then again there's always inline fail-open mode for that