ASA Failover with IPS module

Jun 1st, 2009


Are there any issues in configuring failover between an ASA with an IPS module and an ASA without?

As the status of the module is reported on during failover monitoring my guess is that it can't be done.

Has anyone tried this?


Todd Pula Tue, 06/02/2009 - 09:06

In an active/standby scenario, the failover process will shut down automatically because the hardware is not the same on both ASAs. You will either need to add another AIP-SSM or pull the existing one for the failover to function.

I have a related question about this scenario, so I figured I'd reply here rather than create a new topic.

I have an ASA 5505 (with security plus license) with the AIP Intrusion prevention module.

I just purchased another ASA 5505 (with security plus license).

From the post above, I have gathered that in order to have failover function at all, I must also get the AIP card for the second ASA.

I am wondering if there are any other restrictions as far as what must be the same on the second ASA. Is it enough that both ASAs have Sec-plus licenses or is there something else that I'm missing? I saw something mentioned elsewhere that an "unrestricted" license is needed for the primary... what exactly does this mean?


praprama Tue, 11/16/2010 - 09:59


Here are the details of what needs to match for failover:

The "unrestricted" license thing is only for PIXs and not for ASAs, and hence you do not need to bother about it. Also, you are right about needing to purchase another IPS card for the other ASA. Hope that clears things out.



