ASA failover when IPS SSM fails

Unanswered Question

Is there a way to trigger stateful (or stateless) failover on ASA 55xx (8.0.3) when there's a failure on the IPS unit? I understand the fail open/fail close and its application on a single firewall, but the better solution for an IPS failure in a redundant pair would seem to be a stateful failover to the other ASA, and I don't see that as a documented feature.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Loading.
satish_zanjurne Thu, 08/28/2008 - 05:47

Hi,

ASA has only following Failover Triggers , IPS failover trigger is not present..

The ASA unit can fail if one of the following events occurs:

• The unit has a hardware failure or a power failure.

• The unit has a software failure.

• Too many monitored interfaces fail.

Jmayes, what you are saying is good feature..but i think it is not incorporated yet..!!!!

robertson.michael Thu, 08/28/2008 - 07:56

Hi Joseph,

If the SSM in the Active unit fails (i.e. 'show module' shows the SSM as "Down"), a failover will occur and the Standby unit will now become Active. The ASA does interpret a failed SSM as being less healthy than its mate who has an available SSM.

Hope that helps.

-Mike

robertson.michael Thu, 08/28/2008 - 09:03

Hi Joseph,

Oddly enough, I wasn't able to find this mentioned in the ASA documentation. However, from experience I can tell you that a failed SSM will cause the unit to mark itself as unhealthy.

-Mike

satish_zanjurne Thu, 08/28/2008 - 10:30

Hi Robertson, if it is working..then it must be..but i have not seen it documentted

dazza_johnson Tue, 05/03/2011 - 19:07

Excellent post, I'm surprised this isnt documented better. To test this I did the following;

Command on the Active ASA to shutdown the IPS module;

hw-module module 1 shutdown

this forces a failover to the Standby ASA. To restart the IPS module again, enter;

hw-module module 1 reset

Good work guys :-)

Dazzler

Actions

This Discussion