
ASA failover when IPS SSM fails

jmayes
Level 1

Is there a way to trigger stateful (or stateless) failover on ASA 55xx (8.0.3) when there's a failure on the IPS unit? I understand the fail open/fail close and its application on a single firewall, but the better solution for an IPS failure in a redundant pair would seem to be a stateful failover to the other ASA, and I don't see that as a documented feature.


satish_zanjurne
Level 4

Hi,

The ASA has only the following failover triggers; an IPS failover trigger is not present.

The ASA unit can fail if one of the following events occurs:

• The unit has a hardware failure or a power failure.

• The unit has a software failure.

• Too many monitored interfaces fail.

Jmayes, what you are saying is a good feature, but I think it is not incorporated yet!

Hi Joseph,

If the SSM in the Active unit fails (i.e. 'show module' shows the SSM as "Down"), a failover will occur and the Standby unit will now become Active. The ASA does interpret a failed SSM as being less healthy than its mate who has an available SSM.

Hope that helps.

-Mike

Is this a documented feature, or is this something you've experienced?

Hi Joseph,

Oddly enough, I wasn't able to find this mentioned in the ASA documentation. However, from experience I can tell you that a failed SSM will cause the unit to mark itself as unhealthy.

-Mike

Hi Robertson, if it is working, then it must be, but I have not seen it documented.

Hi Joseph and Satish,

I found this in the ASA documentation today and remembered this thread, so I wanted to share it with you:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1149492

Specifically, this line indicates that the ASA will failover if the SSM fails:

Active unit IPS or CSC card fails. 2 seconds

Hope that helps.

-Mike

Finally Found..!!!

Excellent post, I'm surprised this isn't documented better. To test this I did the following:

Command on the Active ASA to shut down the IPS module:

hw-module module 1 shutdown

This forces a failover to the Standby ASA. To restart the IPS module again, enter:

hw-module module 1 reset

Good work guys :-)

Dazzler
