
Should reboot of ASM-SSM-10 cause ASA failover?

d-szczepanski
Level 1

I have two ASA 5520s with SSM-10 modules configured in active/standby failover mode running 7.2(1).

The IPS policy on the ASA is configured for IPS inline and permit traffic if the module fails. The ASA Criteria tab has the number of interfaces that triggers failover set to 2. The SSM Bypass mode is configured for Auto.

If I execute a reboot of the sensor from the GUI (where it states it safely shuts down and reboots the sensor), should it cause the ASA to fail over to the secondary?

Thanks.


vitripat
Level 7

A reboot of the SSM module will trigger failover to the secondary ASA. When this happens, the following debug message is logged if debugs are enabled:

fover_health_monitoring_thread: Primary: Switching to FAILED for reason Detect service card failure.

Regards,

Vibhor.

tim.weid
Level 1

That is correct. I have 2 sets of ASAs with AIP SSMs and even adding a new Sig update will cause the ASAs to fail over. The ASA reads the reload of the SSM card as a failure and fails from primary to secondary.

Hello,

I wish I could help but I have very little knowledge of IPS.

I also have a pair of ASA-5520s that I was told is configured for IPS. But I can't find anything matching/describing an IPS configuration in the 'show run' from the CLI. Can anyone tell me how to get there to view the IPS config that is apparently incomplete (no signature update, notification, etc. are also missing)? What command do I need to issue to view IPS config details? Can this be done from the CLI?

Thanks in advance.

Oumar

I don't know if this posting has been closed but you can access the module through the CLI:

firewall# session 1

This will take you to the module. Once there, just do a show conf to see the configuration.

Nick Egloff
Level 1

Originally, Cisco called this a bug.. I don't know if it's being considered a feature now, or if it's still a bug, and if so when it might be fixed; this is a real pain because a number of signature updates reload at the end, which triggers a failover...

My .02....
