ASA failover when IPS SSM fails

Is there a way to trigger stateful (or stateless) failover on ASA 55xx (8.0.3) when there's a failure on the IPS unit? I understand the fail open/fail close and its application on a single firewall, but the better solution for an IPS failure in a redundant pair would seem to be a stateful failover to the other ASA, and I don't see that as a documented feature.

satish_zanjurne Thu, 08/28/2008 - 05:47
Hi,

The ASA has only the following failover triggers; an IPS failover trigger is not present.

The ASA unit can fail if one of the following events occurs:

• The unit has a hardware failure or a power failure.

• The unit has a software failure.

• Too many monitored interfaces fail.

Jmayes, what you are saying is a good feature, but I think it is not incorporated yet!

robertson.michael Thu, 08/28/2008 - 07:56
Hi Joseph,

If the SSM in the Active unit fails (i.e. 'show module' shows the SSM as "Down"), a failover will occur and the Standby unit will now become Active. The ASA does interpret a failed SSM as being less healthy than its mate, which has an available SSM.

Hope that helps.

-Mike

robertson.michael Thu, 08/28/2008 - 09:03
Hi Joseph,

Oddly enough, I wasn't able to find this mentioned in the ASA documentation. However, from experience I can tell you that a failed SSM will cause the unit to mark itself as unhealthy.

-Mike

satish_zanjurne Thu, 08/28/2008 - 10:30

Hi Robertson, if it is working, then it must be, but I have not seen it documented.

robertson.michael Fri, 09/05/2008 - 06:47
Hi Joseph and Satish,

I found this in the ASA documentation today and remembered this thread, so I wanted to share it with you:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1149492

Specifically, this line (from the failover trigger table) indicates that the ASA will failover if the SSM fails:

"Active unit IPS or CSC card fails. 2 seconds"

Hope that helps.

-Mike

dazza_johnson Tue, 05/03/2011 - 19:07
Excellent post, I'm surprised this isn't documented better. To test this I did the following:

Command on the Active ASA to shut down the IPS module:

hw-module module 1 shutdown

This forces a failover to the Standby ASA. To restart the IPS module again, enter:

hw-module module 1 reset

Good work guys :-)

Dazzler
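The test procedure above, written out with the checks a practitioner would want before and after each step. This is an added example and not from any poster in the thread; it assumes the IPS SSM sits in slot 1, that the pair is configured for stateful failover, and the ASA 8.0.x CLI syntax used in the thread. Prompts and expected output fragments are illustrative.

```cisco
! Added example (not from the thread): confirm that an SSM failure on the
! Active unit triggers failover, then restore the pair to its original state.
! Assumes: IPS SSM in slot 1, stateful failover pair, ASA 8.0.x syntax.

! 1. On the current Active unit, record the starting state of both the
!    failover pair and the SSM. The SSM should show a status of "Up".
ciscoasa# show failover state
ciscoasa# show module 1

! 2. Shut down the SSM on the Active unit. Per the 8.0 failover guide
!    quoted above, "Active unit IPS or CSC card fails" is detected in
!    about 2 seconds, so this is a real trigger, not a side effect.
ciscoasa# hw-module module 1 shutdown

!    Verify the module is now reported as Down before drawing conclusions:
ciscoasa# show module 1

! 3. Watch the unit demote itself. The former Active unit should report
!    itself as Standby and its mate as Active. On a stateful pair, the
!    connection table carries over; compare the count on the new Active
!    unit with the number seen before the test.
ciscoasa# show failover
ciscoasa# show conn count

! 4. Bring the SSM back on the former Active unit and wait until
!    show module 1 reports it Up again before touching failover.
ciscoasa# hw-module module 1 reset
ciscoasa# show module 1

! 5. Optional: once both SSMs are Up, make the original unit Active again.
!    Run this on the unit that should become Active.
ciscoasa# failover active
ciscoasa# show failover state
```

Two caveats worth keeping in mind: the module shutdown is a deliberate outage of the IPS path on that unit, so do this in a maintenance window, and do not restore the SSM on the demoted unit until you have confirmed the mate is carrying traffic, otherwise you cannot tell whether the observed failover came from the SSM trigger or from something else.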