AIP-SSM failover

May 22nd, 2009

Hi All,

We plan to implement two ASA 5510s in active/passive failover with AIP-SSM IPS. Is it possible to configure the two AIP-SSMs as a failover pair as well? How can I implement two AIP-SSMs in two ASAs with failover capability? If it's not possible, what's the best approach to have IPS in case the primary ASA fails? There is no budget to purchase an IPS 44xx appliance though.

Any suggestion would be very much appreciated.


marcabal Mon, 05/25/2009 - 18:24

You can deploy an AIP-SSM within each of the 2 ASAs.

The AIP-SSMs do support running inside ASAs configured for failover, but the AIP-SSMs do not support any failover communication between the 2 AIP-SSMs.

The 2 AIP-SSMs will be unaware that another AIP-SSM exists.

The AIP-SSM just monitors whatever its parent ASA sends to it.

So the SSM in the active ASA will be monitoring because that ASA is seeing the traffic and sending it to its SSM.

The SSM in the standby ASA will just be waiting for traffic without doing any monitoring because the ASA is in standby mode.

If there is a failover event between the ASAs, then the standby ASA will start seeing the traffic and send it to its own SSM. The standby SSM will have just been waiting for traffic so it will immediately begin monitoring as soon as its ASA starts sending traffic to it.

So there is no special configuration within the AIP-SSM configuration.

So the AIP-SSMs are fully supported for placing them inside ASAs configured for failover. But all of the failover is configured and managed by the ASAs themselves.

The 2 SSMs are configured and treated as if they were just any 2 sensors. If you want them to have the same configuration then you will need to configure them the same. They will not communicate with each other, and will not automatically share configuration.
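
The following configuration is an added illustration of the point above, not something posted in the thread or taken from Cisco documentation: ASA failover is configured on the ASAs only, and the "ips" service policy that diverts traffic to the module is part of the ASA configuration, so it replicates to the standby unit and whichever ASA is active sends traffic to its own AIP-SSM. Hostnames, interface assignments, IP addresses, the failover key and the slot number are assumptions chosen for the example.

```cisco
! ===== Primary ASA 5510 (hostnames, interfaces, addresses and key are =====
! ===== example assumptions, not values from the thread)               =====
hostname asa-primary
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
interface Ethernet0/3
 description LAN failover + stateful failover link
 no shutdown
!
! Active/standby failover bootstrap. Everything in the running config except
! the "failover lan unit" line replicates from primary to secondary once the
! failover link comes up. "failover key" authenticates and encrypts the
! failover traffic between the two units.
failover
failover lan unit primary
failover lan interface FOLINK Ethernet0/3
failover link FOLINK Ethernet0/3
failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover key FailoverKeyExample1
!
! Hand traffic to the AIP-SSM in slot 1. This policy replicates too, so the
! unit that is active at any moment sends traffic to its own module.
!   fail-open : keep forwarding if the module is down/reloading (availability)
!   fail-close: drop the matched traffic instead (stricter, less available)
access-list IPS-TRAFFIC extended permit ip any any
class-map IPS-CLASS
 match access-list IPS-TRAFFIC
policy-map global_policy
 class IPS-CLASS
  ips inline fail-open
service-policy global_policy global
!
! ===== Secondary ASA 5510: only the bootstrap is typed by hand; the rest, =====
! ===== including the ips service policy, is copied from the primary       =====
failover lan unit secondary
failover lan interface FOLINK Ethernet0/3
failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover key FailoverKeyExample1
interface Ethernet0/3
 no shutdown
failover
```

What does not replicate is anything inside the AIP-SSM itself (management IP, signature tuning, event actions, sensor software level): each module is a separate sensor that you reach from its own ASA console with "session 1" and configure independently, which is why the two sensors need to be configured identically by hand if they are meant to behave the same after a failover. In an active/active (multiple-context) deployment the same service policy applies per context, so both modules see traffic for whichever contexts are active on their unit.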

michael.d.brown... Wed, 05/27/2009 - 07:35

I echo this. One thought to keep in mind is your ASA failover setup, which will dictate the above settings. Meaning, if you set up the ASAs in a pure failover/standby configuration, then what marcabal has said is 100% accurate. If you set up your ASAs in Active/Active mode, then both IPS modules will receive traffic based on your network topology. You also will have to consider whether you will be running your firewalls in context mode as well, as that will determine if both modules will receive traffic.

Just something to think about.

michael.d.brown... Wed, 05/27/2009 - 07:38

Also, you can share/export the configuration of the primary IPS module with the secondary. That will help to keep the same level of configuration when your firewalls do failover.

munim5211 Tue, 06/16/2009 - 02:16

What should the IP addresses be? Can I use the same IP address for the 2 AIP-SSMs that reside in the active/standby firewalls, i.e. one in the active and another one in the standby?


