marcabal Mon, 05/05/2008 - 21:56
User Badges: Cisco Employee

The ASA 5510 itself supports high availability, which includes both keeping the configuration of the 2 ASAs in sync and failing over traffic to the other ASA.

The SSM-10 does not technically support high availability itself, but will function just fine in ASAs that support high availability.

The SSM-10s will not sync their configuration, so each SSM-10 needs its own IP address and must be independently configured. (Some users use CSM to manage the IPS configuration so they can make a single change and apply that config change to both of the SSM-10s.)

The SSM-10s will not share monitoring information, but will not stop a session that fails over from one ASA to the other.

The SSM-10 relies on the ASA to track session state and validate that the packet is legitimate. So if a session is being monitored by one SSM-10 and that ASA fails, then the session fails over to the second ASA, and the SSM-10 in the second ASA starts seeing the packets for that session. That second SSM-10 will assume that the ASA has validated that the session should be allowed, so the SSM-10 simply starts monitoring that connection from the point at which it failed over to the second ASA.

It does not stop the connection (unless it sees an attack in the connection).

MortezaSoltani Mon, 05/05/2008 - 22:27

So if we order ASA5510-AIP10-K9, then does it have the needed license for high availability also?

