cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
472
Views
0
Helpful
4
Replies

ASA failover with 1 AIP SSM in Active/Standby?

bob.gull
Level 1
Level 1

I have a customer with two ASAs; in Active/Standby. They want to purchase one AIP. Will failover (without the AIP functionality) to the Standby work if the AIP is configured for Promiscuous mode? Thanks, Bob

4 Replies 4

abinjola
Cisco Employee
Cisco Employee

Secondary SSM-10/20 cannot share primary IP address or vice versa

Firstly, the AIP-SSM operates independently of the ASA in terms of failover. For failover,

all that is needed from an ASA perspective is that the AIP modules be of the same hardware

type, Beyond that, as with any other portion of failover, the configs of the ASA between

the active and standby must be in sync.

As for the set-up of the AIPs themselves, they are effectively independent sensors. There

is no failover between the two and they have no awareness of each other. They can run

independent versions of code ie. they do not have to match and the ASA does not care about

the version of code on the AIP with respect to failover.

ASDM initiates it's connection to the AIP through the management interface IP that you

configured on the AIP. In other words, it connects to the sensor typically through HTTPS

depending on how you set-up the sensor.

Hi,

Just to save some cables ...

Is it possible to access the AIP-SSM without having to connect a cable to mngm interface?

Maybe this is possible internally thru ASA.

yes this is possible on 6.0.x onwards

The only connection to the SSM that can be done internally through the ASA is a "session". This is an internal telnet to the SSM and can be used to access the SSM's CLI.

This is very usefull when you manage your SSM directly through the CLI.

However, most customers prefer to use a graphics based tool like IDM, ASDM, or CSM for managing the configuration of the SSM, and prefer to use a graphics based tool like IEV or CS MARS for monitoring of the alerts from the SSM.

All of these graphics based tools need network access to the SSM through a web port (https on port 443 by default). Access to this port is not allowed internally through the ASA direct to the SSM.

All web connections must be made to the External Management interface of the SSM.

If you are not using all 4 of your ASA interfaces you could choose to wire the External SSM interface directly to one of your ASA interfaces, and create a small subnet for the ASA and IPS IP Addresses. So then all external connections to the SSM would be routed into the ASA, then out of the ASA, and into the external port of the SSM.

That subnet of just the ASA and SSM could be made using a network reserved for local IPs (like a 10, or 172, or 192 network) and then use NAT/PAT for translation on the other network interfaces of the ASA.

But it does still require that wire connected to the external port of the SSM.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: