
IPS upgrade at ASA Failover Scenario

pablo.perez
Level 1

Hi guys. We have the following scenario.

Two ASA 5520s in failover, as active/standby, and each ASA has an IPS ASA-SSM-20.

Well, the issue is, when we upgraded the ASA-SSM-20 installed on the Primary (Active) ASA from version 5.1.5(E1) to 6.0(1), when we reloaded the IPS Module, the secondary ASA became Active.

Is it possible that the ASA is monitoring the IPS Module as a common interface?

I think that the ASA should not change its failover status because we reloaded the IPS Module.

When we upgraded the IPS Module on the secondary ASA, the issue was the same, and the primary ASA (at this point standby ready, after the IPS Module came back online) became active.

Thanks in advance!!!

2 Replies

jwalker
Level 3

Your ASAs should fail over like you explained if your module becomes unavailable (rebooted). This is normal behavior.

hoyleanderson
Level 1

10-year-old thread but here goes:

The module health is part of what the ASAs use to determine overall health (and which firewall should therefore be active). The way I do this is upgrade the module in the standby firewall first and reboot it. No failover happens because active remains more healthy and stays active. Then once it's up and healthy I shut down the module in the standby device (hw module module 1 shutdown, or sw module). Then I upgrade the module in the active firewall and let it reboot. Again no failover happens because the standby device's module is down, so the active is either MORE healthy or EQUALLY healthy. Then once the active module is up and healthy I log into the standby and tell it to reset the module so that it will come up and both active and standby have healthy upgraded modules.
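
The two upgrade orders discussed in this thread, run through a simplified health model. This is an added example, not part of any post above and not Cisco's failover algorithm: it assumes a unit's health is just its IPS module state and that the standby takes over only when it is strictly healthier than the active unit. The names `run`, `NAIVE` and `STAGED` are hypothetical.

```python
# Simplified model (assumption): health = module up/down only; the standby
# takes over only when its module is up while the active unit's module is down.
# Equal health never triggers a role change.

def run(steps, active="primary", standby="secondary"):
    """Apply (role, module_state) steps; return (final active unit, failover count).

    'role' is the unit's role at the moment the step is performed, so the same
    step list stays valid even if the roles swap part-way through.
    """
    module_up = {"primary": True, "secondary": True}
    failovers = 0
    for role, state in steps:
        unit = active if role == "active" else standby
        module_up[unit] = (state == "up")
        if module_up[standby] and not module_up[active]:
            active, standby = standby, active
            failovers += 1
    return active, failovers

# Order from the original question: reload the module on whichever unit is
# active, wait for it to return, then do the same on the other unit.
NAIVE = [
    ("active", "down"),   # module on the active unit reloads for the upgrade
    ("standby", "up"),    # that unit is now standby; its module comes back
    ("active", "down"),   # module on the new active unit reloads
    ("standby", "up"),
]

# Order from the last reply: standby first, then park the standby module
# while the active unit's module reloads.
STAGED = [
    ("standby", "down"),  # upgrade and reboot the standby module
    ("standby", "up"),
    ("standby", "down"),  # shut the standby module down on purpose
    ("active", "down"),   # upgrade the active module; both are now down (equal)
    ("active", "up"),
    ("standby", "up"),    # reset the standby module so it comes back up
]

if __name__ == "__main__":
    for name, steps in (("naive", NAIVE), ("staged", STAGED)):
        final_active, count = run(steps)
        print(f"{name}: active={final_active} failovers={count}")
```
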
