Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2736
Views
4
Helpful
4
Replies

ASA IPS module failover

whanson
Level 2
Level 2

‎06-13-2007 11:02 AM - edited ‎03-10-2019 03:39 AM

I have a customer with asa in failover mode; each ASA has an IPS module. My question is how do I configure the IPS in the secondary ASA? or do I?

Labels:
0 Helpful
4 Replies 4

hoogen_82
Level 4
Level 4

‎06-13-2007 11:20 PM

Hi,

The failover is only applicable to the ASA. For the IPS the configuration has to be replicated manually. IPS is always active. If traffic flows through it it will do the inspection. you could do the FTP part for the configuration. If you manage through CSM or VMS. You could possibly push same configuration to the IPS device and also tune signatures on both without having to do them seperately. omething to keep in mind. The 2 SSMs each need their own independant names and ip addresses. If you are using blocking/shunning then only one of the 2 SSMs can block/shun on the firewall.

The rest of the configuration can be the same between the 2 sensors.Automatically copying the configuration on the secondary IPS is planned for the future according to Cisco.

-Hoogen

0 Helpful

whanson
Level 2
Level 2
In response to hoogen_82

‎06-15-2007 07:19 AM

Hoogen,

Thanks, I think you have told me that this is not worth doing because then I have to modify Mars to accept from what it thinks is a different IPS.

0 Helpful

marcabal
Cisco Employee
Cisco Employee
In response to whanson

‎06-15-2007 08:02 AM

MARS has to be configured to talk to the IPS SSMs in each of the 2 ASAs independantly. MARS needs to treat them as 2 separate sensors.

The ASAs are capable of active/active configurations when using multiple contexts.

For context A the ASA on the left can be active and the ASA on the right in standby.

For context B, however, the ASA on the left can be in standby, and the ASA on the right be active.

So traffic can be actively flowing through each ASA.

So the SSM in the left ASA would be monitoring traffic in context A.

And the SSM in the right ASA would be monitoring traffic in context B.

(NOTE: During an ASA failure, both contexts would be made active in the other running ASA, and both contexts monitored by the SSM in the running ASA.)

Because both SSMs are actively monitoring, each SSM needs its own ip address and MARS needs to connect to and monitor both SSMs.

Unlike the ASA where the ASA has an ip address unique to each context (and passed between ASAs during a failover). The SSMs do NOT have ip addresses unique to the contexts. The SSM has just it's single IP address regardless of the number of contexts or failover configuration of the ASA.

In the future the plan is to have the 2 SSMs be able to sync their sensing configuration settings, but even then they will still each need their own unique ip address and name, because in an active/active ASA configuration both of the SSMs will be actively monitoring different traffic.

So MARS will always need to connect to each SSM's ip address uniquely.

cperkins2
Level 1
Level 1

‎06-16-2007 08:16 AM

n/a

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card