03-12-2010 08:11 AM - edited 03-11-2019 10:21 AM
I have three ASA5520 with AIP-20 modules all with active licenses. Originally I had two in an HA Active/Standby configuration. Unfortunately during our Data Center move one of the firewalls was damaged and would not boot. I purchased a replacement but I made a mistake on the software and realized it too late to do an exchange. The unit came with a CSC module, the original two came with an IPS module. I was trying to set up the HA failover but the software would not allow me to due to a mismatch. What can I do to get the software problem corrected? Can I just remove the AIP-20 modules on both since I don't use them anyway and try to set up failover without it? Both ASA are running the same code and revision so the only thing I see is the added software. What is weird is that I took the AIP-20 module from the old one, which was in the A/S pair and was not booting, into the newly purchased unit and that unit still came up with the CSC software. So it seems the AIP-20 modules are just generic and it's the license/software that I need changed?
03-12-2010 01:32 PM
What do you mean by "still came up with the CSC software"? If it's an AIP running IPS software, then it can't just change into a CSC just by unplugging it and plugging it into another chassis...
In any case, can you post a "show version" of both units?
And what is the exact error you get when you try to enable failover?
03-12-2010 01:45 PM
The error I get is I am not able to create a failover pair because of a mismatch in AIP-20 modules. The two ASA5520 with AIP-20 modules were bought together, one died on a data center move and I bought another ASA5520 with AIP-20 module but the wizard gives me a failure on security modules when trying to set up HA.
#
#
Primary Running
#
#
#
Cisco Adaptive Security Appliance Software Version 8.0(4)23
Device Manager Version 6.1(5)57
Compiled on Tue 03-Feb-09 20:20 by builders
System image file is "disk0:/asa804-23-k8.bin"
Config file at boot was "disk0:/system.cfg"
padcfw1 up 153 days 2 hours
Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Ext: GigabitEthernet0/0 : address is 0024.c49a.6618, irq 9
1: Ext: GigabitEthernet0/1 : address is 0024.c49a.6619, irq 9
2: Ext: GigabitEthernet0/2 : address is 0024.c49a.661a, irq 9
3: Ext: GigabitEthernet0/3 : address is 0024.c49a.661b, irq 9
4: Ext: Management0/0 : address is 0024.c49a.6617, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 750
WebVPN Peers : 2
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2
This platform has an ASA 5520 VPN Plus license.
Serial Number: JMX1324L1XN
Running Activation Key: 0xbf2edb4b 0xaccbc44a 0x70a06934 0x8420d4f4 0xc52910bf
Configuration register is 0x1
Configuration last modified by mpitogo at 16:00:12.723 EST Fri Mar 12 2010
#
#
03-12-2010 01:56 PM
mpitogo wrote:
The error I get is I am not able to create a failover pair because of a mismatch in AIP-20 modules. The two ASA5520 with AIP-20 modules were bought together, one died on a data center move and I bought another ASA5520 with AIP-20 module but the wizard gives me a failure on security modules when trying to set up HA.
I suppose you mean you bought another 5520 with CSC module, then replaced the CSC with the AIP you took from the dead ASA?
Anyway, what is the exact error message please?
And can you also add "show module" ?
tnx
H
03-16-2010 07:38 AM
Yes, I purchased a new ASA and did exactly that. I thought the modules were the same since the cost was the same and it included a module ending in AIP-20.
#
#
#Module info in new replacement unit (currently active)
#
Mod Card Type Model Serial No.
--- -------------------------------------------- ------------------ -----------
0 ASA 5520 Adaptive Security Appliance ASA5520 JMX1324L1XN
1 ASA 5500 Series Content Security Services Mo ASA-SSM-CSC-20 JAF1321BBQA
Mod MAC Address Range Hw Version Fw Version Sw Version
--- --------------------------------- ------------ ------------ ---------------
0 0024.c49a.6617 to 0024.c49a.661b 2.0 1.0(11)5 8.0(4)23
1 0024.9796.324e to 0024.9796.324e 1.0 1.0(11)5 CSC SSM 6.2.1599.0
Mod SSM Application Name Status SSM Application Version
--- ------------------------------ ---------------- --------------------------
1 CSC SSM Up 6.2.1599.0
Mod Status Data Plane Status Compatibility
--- ------------------ --------------------- -------------
0 Up Sys Not Applicable
1 Up Up
#
#
#Module info in old running but un-configured standby
#
Mod Card Type Model Serial No.
--- -------------------------------------------- ------------------ -----------
0 ASA 5520 Adaptive Security Appliance ASA5520 JMX1202L30V
1 ASA 5500 Series Security Services Module-20 ASA-SSM-20 JAF1152BCPR
Mod MAC Address Range Hw Version Fw Version Sw Version
--- --------------------------------- ------------ ------------ ---------------
0 001d.a259.4004 to 001d.a259.4008 2.0 1.0(11)2 8.0(4)23
1 001e.7a81.7181 to 001e.7a81.7181 1.0 1.0(11)2
Mod SSM Application Name Status SSM Application Version
--- ------------------------------ ---------------- --------------------------
Mod Status Data Plane Status Compatibility
--- ------------------ --------------------- -------------
0 Up Sys Not Applicable
1 Unresponsive Not Applicable
03-17-2010 10:13 PM
CSC module and AIP module are 2 different modules, and to run ASA in failover mode, you would need to have the same module installed on both ASA.
CSC - Content Security and Control module - protection against virus, spyware, spam, etc for SMTP, POP3, FTP and HTTP traffic
AIP - Advanced Inspection and Prevention module - the normal IPS module
As mentioned, if you don't need to have the module, you can take it out and run the ASA in failover as long as the ASA is the same model, version and has the same license installed.
Here is the requirement to run failover:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html
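Added example, not part of the original reply and not Cisco code: a pre-check that parses the two `show module` outputs pasted earlier in this thread and reports what differs between the units before failover is attempted. The function names are hypothetical, the sample text is copied from the posts above with its collapsed spacing, and license comparison (which comes from `show version`) is not covered.

```python
import re

# `show module` text as pasted in the thread (first two tables of each unit).
NEW_UNIT = """\
Mod Card Type Model Serial No.
--- -------------------------------------------- ------------------ -----------
0 ASA 5520 Adaptive Security Appliance ASA5520 JMX1324L1XN
1 ASA 5500 Series Content Security Services Mo ASA-SSM-CSC-20 JAF1321BBQA
Mod MAC Address Range Hw Version Fw Version Sw Version
--- --------------------------------- ------------ ------------ ---------------
0 0024.c49a.6617 to 0024.c49a.661b 2.0 1.0(11)5 8.0(4)23
1 0024.9796.324e to 0024.9796.324e 1.0 1.0(11)5 CSC SSM 6.2.1599.0
"""
OLD_UNIT = """\
Mod Card Type Model Serial No.
--- -------------------------------------------- ------------------ -----------
0 ASA 5520 Adaptive Security Appliance ASA5520 JMX1202L30V
1 ASA 5500 Series Security Services Module-20 ASA-SSM-20 JAF1152BCPR
Mod MAC Address Range Hw Version Fw Version Sw Version
--- --------------------------------- ------------ ------------ ---------------
0 001d.a259.4004 to 001d.a259.4008 2.0 1.0(11)2 8.0(4)23
1 001e.7a81.7181 to 001e.7a81.7181 1.0 1.0(11)2
"""

# Rows: slot, card type (free text), model, serial / slot, MAC range, hw, fw, sw.
INVENTORY = re.compile(r"^\s*(\d+)\s+.+?\s+(\S+)\s+\S+\s*$")
VERSIONS = re.compile(r"^\s*(\d+)\s+\S+ to \S+\s+\S+\s+\S+(?:\s+(\S.*?))?\s*$")

def parse_show_module(text):
    """Return {slot: {"model": ..., "sw": ...}} from `show module` output."""
    slots, table = {}, None
    for line in text.splitlines():
        if line.startswith("Mod "):
            table = line.split()[1]      # "Card" or "MAC" names the table
        elif table == "Card" and (m := INVENTORY.match(line)):
            slots.setdefault(int(m[1]), {})["model"] = m[2]
        elif table == "MAC" and (m := VERSIONS.match(line)):
            slots.setdefault(int(m[1]), {})["sw"] = m[2] or ""
    return slots

def failover_mismatches(a, b):
    """Compare chassis model, ASA software version and the slot 1 SSM model."""
    checks = [("chassis model", 0, "model"), ("ASA software", 0, "sw"),
              ("SSM in slot 1", 1, "model")]
    return [f"{label}: {a.get(s, {}).get(k)} vs {b.get(s, {}).get(k)}"
            for label, s, k in checks
            if a.get(s, {}).get(k) != b.get(s, {}).get(k)]
```

Dropping slot 1 from both parsed results models the "take the module out" option in the reply: the chassis model and ASA software then compare equal.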
03-18-2010 09:26 AM
Thanks! I was hoping the module is just a different license. I'll just run them both without the security modules. Don't know why I ever got them, more PITA and useless.