08-28-2008 03:59 AM - edited 03-11-2019 06:36 AM
Is there a way to trigger stateful (or stateless) failover on ASA 55xx (8.0.3) when there's a failure on the IPS unit? I understand the fail open/fail close and its application on a single firewall, but the better solution for an IPS failure in a redundant pair would seem to be a stateful failover to the other ASA, and I don't see that as a documented feature.
08-28-2008 05:47 AM
Hi,
The ASA has only the following failover triggers; an IPS failover trigger is not present.
The ASA unit can fail if one of the following events occurs:
• The unit has a hardware failure or a power failure.
• The unit has a software failure.
• Too many monitored interfaces fail.
Jmayes, what you are saying is a good feature, but I think it is not incorporated yet!
08-28-2008 07:56 AM
Hi Joseph,
If the SSM in the Active unit fails (i.e. 'show module' shows the SSM as "Down"), a failover will occur and the Standby unit will now become Active. The ASA does interpret a failed SSM as being less healthy than its mate who has an available SSM.
Hope that helps.
-Mike
08-28-2008 08:25 AM
Is this a documented feature, or is this something you've experienced...
08-28-2008 09:03 AM
Hi Joseph,
Oddly enough, I wasn't able to find this mentioned in the ASA documentation. However, from experience I can tell you that a failed SSM will cause the unit to mark itself as unhealthy.
-Mike
08-28-2008 10:30 AM
Hi Robertson, if it is working, then it must be, but I have not seen it documented.
09-05-2008 06:47 AM
Hi Joseph and Satish,
I found this in the ASA documentation today and remembered this thread, so I wanted to share it with you:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1149492
Specifically, this line indicates that the ASA will failover if the SSM fails:
Active unit IPS or CSC card fails. 2 seconds
Hope that helps.
-Mike
09-05-2008 07:02 AM
Finally Found..!!!
05-03-2011 07:07 PM
Excellent post, I'm surprised this isn't documented better. To test this I did the following:
Command on the Active ASA to shut down the IPS module:
hw-module module 1 shutdown
This forces a failover to the Standby ASA. To restart the IPS module again, enter:
hw-module module 1 reset
Good work guys :-)
Dazzler