Reg. ASA-AIP-SSM with failover query

Unanswered Question
Dec 9th, 2009

Hi all

I have a query regarding Cisco ASA Firewalls in failover mode. I want to insert two new AIP-SSM-20 cards into them. Earlier there were no AIP-SSM modules inserted and the ASAs were running smoothly in failover. Now that I will introduce the AIP-SSM modules, I want to ask the following:

a) Can we avoid hampering network traffic flow by putting in the AIP-SSM modules one by one?

b) Is it recommended to switch off one ASA at a time, insert the module in it and then do the same for the second ASA, or can we insert both AIP-SSM modules simultaneously?

c) During AIP-SSM module insertion, do I need to leave the power cables switched on while inserting it into the ASA backplane?

According to me the ideal approach would be to put the Primary firewall into Standby mode (and the Secondary as Active), insert the module, and configure the network settings of the AIP-SSM module via ASDM. Now, as the Primary ASA has its child node (the AIP-SSM) ready and the Secondary firewall does not, what would be the result? Will there be any kind of error, considering that one ASA has a module and one does not? Also, can I safely switch on the Primary and re-introduce it into the network as Standby so that I can proceed with the Secondary firewall activity?

Ankur

JORGE RODRIGUEZ Wed, 12/09/2009 - 16:51

Hi Ankur, 

For this type of installation I would first suggest implementing it during non-production hours, even in a failover architecture.

My approach would be to install the modules before worrying about configuration; you can do that after both firewalls have the AIP successfully installed and both are in a healthy failover state.

a) You can avoid network disruption by working with the Standby unit first: simply power it down, install the AIP module, and power it on to be back online as the Standby unit. During the process of installing the AIP in the standby, your Active firewall has processed and will continue to process network traffic normally, as it should, as well as after the secondary unit comes online, at which point you can check your failover status on your Primary firewall to ensure all is good before proceeding with the installation maintenance on your Active firewall. At this point do not even worry about AIP configuration; remember that even though the AIP houses itself under the ASA5520 roof, it is an autonomous system and has no effect on ASA traffic until it gets configured, which you can do at a later time.

b) After ALL of the above is successful with the Standby AIP, you can then proceed on the same principle: on the Standby you can force it to become Active. By connecting to the secondary you can issue "ASAFW# failover active" and then issue "show failover" several times to ensure that all your interfaces have synced with NORMAL output and that the Standby is now Active. You may then proceed to power down your NOW Standby Primary firewall and do exactly the same as you did before. You may then force the Primary back to Active in the same way and check the failover status several times to ensure ALL is good.

Then you can start working on your AIP module connections and configuration; at this point you do not need to go back to the hardware. This process of simply installing the hardware should not take you more than 30 minutes, provided your firewalls' physical interfaces and failover status are GOOD prior to implementation.

Regards

mwessling Tue, 01/05/2010 - 09:00

I am sorry, that is not going to work. At least it didn't work for me. I tried this approach a few weeks ago and ended up with a service interruption. Luckily, it was in the maintenance window.

The problem is that the firewalls will detect a hardware mismatch and the standby firewall will be a cold standby without a configuration. And the active firewall updated its failover MAC addresses, which caused the outage on several servers. It was fixed by installing the SSM in the active firewall and starting everything up again.
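The check Jorge describes (repeat "show failover" until the mate reports Standby Ready and every monitored interface reports Normal) and the mismatch mwessling ran into (a module in one unit's slot but not the other's) can be turned into a small pre-change gate that you run before touching the second unit. The script below is an added example, not code from this thread or from Cisco. The embedded snapshot is constructed and only approximates the layout of "show failover" on an ASA 5520 running 8.x; the interface names, addresses, version strings and slot descriptions are assumed, so adjust the regular expressions if your platform prints them differently.

```python
import re
from dataclasses import dataclass, field

# Constructed sample approximating `show failover` output on an ASA 5520 (8.x).
# Values are illustrative, not captured from a real unit. Here the active unit
# already carries an SSM in slot 1 while the mate's slot 1 is still empty.
SAMPLE_MISMATCH = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.2(1), Mate 8.2(1)
Last Failover at: 10:38:21 UTC Dec 9 2009
        This host: Primary - Active
                Active time: 3240 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
                  Interface outside (192.0.2.1): Normal
                  Interface inside (10.0.0.1): Normal
                slot 1: ASA-SSM-20 hw/sw rev (1.0/6.2(2)E3) status (Up/Up)
                  IPS, 6.2(2)E3, Up
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
                  Interface outside (192.0.2.2): Normal
                  Interface inside (10.0.0.2): Normal
                slot 1: empty
"""

# Same snapshot after the mate has received its module too (constructed).
SAMPLE_OK = SAMPLE_MISMATCH.replace(
    "slot 1: empty", "slot 1: ASA-SSM-20 hw/sw rev (1.0/6.2(2)E3) status (Up/Up)")

HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(\S+)\s+-\s+(.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([^)]*)\):\s+(.+?)\s*$")
SLOT_RE = re.compile(r"^\s*slot (\d+):\s+(.+?)\s*$")
GOOD_IFACE = {"Normal", "Normal (Monitored)"}   # anything else (Waiting, Testing, Failed) is not synced


@dataclass
class HostState:
    role: str                                        # Primary / Secondary
    state: str                                       # Active, Standby Ready, Failed, ...
    interfaces: dict = field(default_factory=dict)   # interface name -> status text
    slots: dict = field(default_factory=dict)        # slot number -> description


def parse_show_failover(text):
    """Return (failover_on, {"This": HostState, "Other": HostState})."""
    failover_on = False
    hosts, current = {}, None
    for line in text.splitlines():
        if line.strip() == "Failover On":
            failover_on = True
            continue
        m = HOST_RE.match(line)
        if m:
            current = HostState(role=m.group(2), state=m.group(3))
            hosts[m.group(1)] = current
            continue
        if current is None:          # header lines before the per-host blocks
            continue
        m = IFACE_RE.match(line)
        if m:
            current.interfaces[m.group(1)] = m.group(3)
            continue
        m = SLOT_RE.match(line)
        if m:
            current.slots[int(m.group(1))] = m.group(2)
    return failover_on, hosts


def module_present(desc):
    return desc not in ("empty", "absent")


def failover_findings(text):
    """Problems that should stop you from taking down the next unit. Empty list = go."""
    failover_on, hosts = parse_show_failover(text)
    problems = []
    if not failover_on:
        problems.append("failover is not enabled")
    this, other = hosts.get("This"), hosts.get("Other")
    if this is None or other is None:
        return problems + ["could not find both 'This host' and 'Other host' blocks"]
    if this.state != "Active":
        problems.append(f"this host is '{this.state}', expected 'Active'")
    if other.state != "Standby Ready":
        problems.append(f"mate is '{other.state}', expected 'Standby Ready'")
    for label, host in (("this host", this), ("mate", other)):
        for name, status in host.interfaces.items():
            if status not in GOOD_IFACE:
                problems.append(f"{label} interface {name} is '{status}', not Normal")
    # A module fitted on one side only is the hardware mismatch that leaves the
    # standby unable to sync; a different model in the same slot is flagged too.
    for slot in sorted(set(this.slots) | set(other.slots)):
        mine = this.slots.get(slot, "absent")
        theirs = other.slots.get(slot, "absent")
        if module_present(mine) != module_present(theirs):
            problems.append(f"slot {slot} differs: this host '{mine}', mate '{theirs}'")
        elif module_present(mine) and mine.split()[0] != theirs.split()[0]:
            problems.append(f"slot {slot} model differs: '{mine}' vs '{theirs}'")
    return problems


def ready_to_proceed(text):
    return not failover_findings(text)


if __name__ == "__main__":
    for name, snap in (("mismatch", SAMPLE_MISMATCH), ("ok", SAMPLE_OK)):
        print(name, "->", failover_findings(snap) or "ready to proceed")
```

Paste the real "show failover" output into failover_findings() in place of the constructed sample; run it after the first unit comes back and again after each forced failover, and only power down the other unit when it returns an empty list. The slot comparison is what would have caught the cold-standby situation described above before the active unit was touched.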
