Active/Standby failover behavior with AIP-SSM

robertson.michael · ‎03-26-2009

Hi everyone,

I am looking for some clarification on the behavior of an ASA Active/Standby failover pair when the units contain AIP modules. My experience with SSMs is mostly with the CSC module.

The documentation states that if the AIP module in the Active unit "fails", a failover will occur. However, the documentation does not clearly define what a failure is. Therefore, I am hoping some of you have experience with this and will be able to describe what happens in the following scenarios:

1. Will a failover occur when the module reloads after a system software upgrade?

2. Will a failover occur when the module reloads after a reimage of the module?

3. Will a failover occur after a signature definition update?

If the answer to any of the above questions is yes, what is the best way to prevent these failover events (i.e. temporarily disable failover? reload the module in the Standby unit first?)? Also, if you have any documentation which explains this, I would appreciate links to that as well.

Thanks in advance,

-Mike

Yudong Wu · ‎04-01-2009

Hi Mike, Check this bug CSCse47023, it will answer some of your question.

robertson.michael · ‎04-02-2009

Hi Kevin,

Thank you for your response. This is what I was expecting, however, the enhancement request says:

"This bug is filed as an Enhancement request to allow this to be a

configurable option, so that a failover will not occur if the AIP-SSM

is upgraded."

According to the Bug Toolkit, this enhancement was "fixed", so I assume that this became a configurable option? Could you point me toward the command to toggle this--I am having trouble finding it in any of the documentation.

Thanks again,

-Mike

Yudong Wu · ‎04-02-2009

Sorry, I read that bug again and it looks like the fix only took care of "SSM hang" issue. Therefore, the workaround should be "disable failover" as what you have realized. I am not sure if removing command for IPS in "service-police" will help here.