Sync configs between AIP-SSMs

bnidacoc · ‎12-03-2008

We have a pair of ASA 5520s in active/stanby mode. This part of the situation works great, configurations are always synced to the standby, nothing is lost. Planned failover has worked every time without users even noticing.

We have an AIP-SSM-20 in each.

The challenge arises as it seems there is still no easy and automatic way to sync the configuration of the SSMs together.

Due to all the false positives, we need to perform configurations on the AIP-SSMs. Is there a method I am overlooking, how do you do it?

Thanks.

mathias.mahnke · ‎12-04-2008

We more or less suffer from the same. We are using Cisco IME (IPS Manager Express) to configure the units. If a change is needed, you could sync the changes manually via the IME gui.

Would be very interessting to automatically sync both AIP units.

bnidacoc · ‎12-30-2008

Thanks for your reply. I've gotten back on this subject....

Does this run as a service, like it is running all the time and needs to be installed on a system which is always up, or does this run as an application only as needed.

Based on the requirements, I can not tell. It can run on desktop OSes or Server OSes.

"Hard Drive

â€¢ 100 GB

Memory (RAM)

â€¢ 2 GB

Supported Operating Systems

â€¢ Windows Vista Business and Ultimate (32-bit only)

â€¢ Windows XP Professional (32-bit only)

â€¢ Windows 2003 server

Note: Cisco IPS Manager Express supports only the 32-bit U.S. English version of Windows."

100GB for an application, seems rather hefty to me. Is this for real?

Thanks

rmeans · ‎12-31-2008

I have a similar situation (ASA 5540 active/standby with 2 IPS modules). I have installed IPS Manager Express on my laptop. I have found it's the best way to keep my configuration in sync. I make a change on 1 IPS then can easily switch to the other IPS.

Requirements - Must be a miss print. I have had IME on 2 laptops (40GB and 80GB harddrives) and run the program without troubles.

bnidacoc · ‎12-31-2008

Thanks rmeans and mathias.mahnke. I'll begin research with IPS Express.

robertson.michael · ‎06-05-2009

Hi Bob,

IME can be used in both ways. It is installed as a service, but you can also use it on a box that is not always on.

For example, I have IME installed on an always-on monitoring server so that the IME service can run and send email notifications when alerts are fired. I also have IME installed on my laptop which I occasionally use to make config changes (this is easier for me than connecting to the monitoring server and opening that instance of IME).

Hope that helps.

-Mike

s.both · ‎04-13-2009

you can sync the IPS units when using SDM.

Best regards,

siebe b

bnidacoc · ‎04-20-2009

Thanks. I must be overlooking something. It looks like to me the release notes don't list the AIP-SSM modules in the list of supported hardware.

http://www.cisco.com/en/US/docs/routers/access/cisco_router_and_security_device_manager/software/release/notes/SDMr25.html

cstockwe · ‎06-03-2009

I read somewhere that you can upload the current config of a 'primary' AIP-SSM to a ftp server and then tell the 'secondary' AIP-SSM to copy the same config from the ftp server.

During this process it will ask you if you want to overwrite host/network settings (of course say no).

However, when I've attempted this, the secondary unit starts "Processing config: ....\" but just hangs there.

So far I've had to run a recovery on the secondary IPS so for me this method has not worked.

I am wondering if anyone else has attempted this and had it work ok (or another method to sync the 2 modules)?

marcabal · ‎06-03-2009

This will only work with version 6.1(1) and higher.

Both sensors must also be at the exact same version (including sig level) at the time of the copy to/from the ftp server.

What version of sensors were you running?

For the first few times I would also recommend running a second CLI connection to the secondary sensor.

In this second CLI connection I would recommend running "show events" prior to executing the copy command in the first CLI connection to the secondary sensor. This way you can see if any errors are being generated as the commands are being copied in.

cstockwe · ‎06-03-2009

That could be it - the secondary sensor was upgraded to version 7 prior to the attempt at pulling the config down from the ftp server.

The primary is still on 6.2 software.

Thanks for that.