ASA with wrong AIP software for A/S failover?

mpitogo (Level 1)

I have three ASA5520s with AIP-20 modules, all with active licenses.  Originally I had two in an HA Active/Standby configuration.  Unfortunately, during our data center move one of the firewalls was damaged and would not boot.  I purchased a replacement, but I made a mistake on the software and realized it too late to do an exchange.  The unit came with a CSC module; the original two came with an IPS module.  I was trying to set up the HA failover, but the software would not allow me to due to a mismatch.  What can I do to get the software problem corrected?  Can I just remove the AIP-20 modules on both, since I don't use them anyway, and try to set up failover without them?  Both ASAs are running the same code and revision, so the only thing I see is the added software.  What is weird is that I took the AIP-20 module from the old one (which was in the A/S pair and was not booting) and put it into the newly purchased unit, and that unit still came up with the CSC software.  So it seems the AIP-20 modules are just generic and it's the license/software that I need changed?


Herbert Baerten (Cisco Employee)

What do you mean by "still came up with the CSC software"? If it's an AIP running IPS software, then it can't just change into a CSC by unplugging it and plugging it into another chassis...

In any case, can you post a "show version" of both units?

And what is the exact error you get when you try to enable failover?

The error I get is that I am not able to create a failover pair because of a mismatch in AIP-20 modules.  The two ASA5520s with AIP-20 modules were bought together; one died on a data center move and I bought another ASA5520 with AIP-20 module, but the wizard gives me a failure on security modules when trying to set up HA.

# Primary Running
Cisco Adaptive Security Appliance Software Version 8.0(4)23
Device Manager Version 6.1(5)57

Compiled on Tue 03-Feb-09 20:20 by builders
System image file is "disk0:/asa804-23-k8.bin"
Config file at boot was "disk0:/system.cfg"

padcfw1 up 153 days 2 hours

Hardware:   ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05
0: Ext: GigabitEthernet0/0  : address is 0024.c49a.6618, irq 9
1: Ext: GigabitEthernet0/1  : address is 0024.c49a.6619, irq 9
2: Ext: GigabitEthernet0/2  : address is 0024.c49a.661a, irq 9
3: Ext: GigabitEthernet0/3  : address is 0024.c49a.661b, irq 9
4: Ext: Management0/0       : address is 0024.c49a.6617, irq 11
5: Int: Internal-Data0/0    : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5

Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 150      
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled  
VPN-3DES-AES                 : Enabled  
Security Contexts            : 2        
GTP/GPRS                     : Disabled 
VPN Peers                    : 750      
WebVPN Peers                 : 2        
AnyConnect for Mobile        : Disabled 
AnyConnect for Linksys phone : Disabled 
Advanced Endpoint Assessment : Disabled 
UC Proxy Sessions            : 2        

This platform has an ASA 5520 VPN Plus license.

Serial Number: JMX1324L1XN
Running Activation Key: 0xbf2edb4b 0xaccbc44a 0x70a06934 0x8420d4f4 0xc52910bf
Configuration register is 0x1
Configuration last modified by mpitogo at 16:00:12.723 EST Fri Mar 12 2010

# Second Running ASA but can't be made into A/S pair
Cisco Adaptive Security Appliance Software Version 8.0(4)23
Device Manager Version 6.1(5)57

Compiled on Tue 03-Feb-09 20:20 by builders
System image file is "disk0:/asa804-23-k8.bin"
Config file at boot was "disk0:/system.cfg"

padcfw1 up 19 days 18 hours

Hardware:   ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   :  CN1000-MC-BOOT-2.00
                             SSL/IKE microcode:  CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  :  CNlite-MC-IPSECm-MAIN-2.05
0: Ext: GigabitEthernet0/0  : address is 001d.a259.4004, irq 9
1: Ext: GigabitEthernet0/1  : address is 001d.a259.4005, irq 9
2: Ext: GigabitEthernet0/2  : address is 001d.a259.4006, irq 9
3: Ext: GigabitEthernet0/3  : address is 001d.a259.4007, irq 9
4: Ext: Management0/0       : address is 001d.a259.4008, irq 11
5: Int: Internal-Data0/0    : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5

Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 150      
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled  
VPN-3DES-AES                 : Enabled  
Security Contexts            : 2        
GTP/GPRS                     : Disabled 
VPN Peers                    : 750      
WebVPN Peers                 : 2        
AnyConnect for Mobile        : Disabled 
AnyConnect for Linksys phone : Disabled 
Advanced Endpoint Assessment : Disabled 
UC Proxy Sessions            : 2        

This platform has an ASA 5520 VPN Plus license.

Serial Number: JMX1202L30V
Running Activation Key: 0xf33b5644 0xa00f2b1e 0x14b3cd80 0xbc2c140c 0x46178286
Configuration register is 0x1
Configuration has not been modified since last system restart.

mpitogo wrote:

The error I get is that I am not able to create a failover pair because of a mismatch in AIP-20 modules.  The two ASA5520s with AIP-20 modules were bought together; one died on a data center move and I bought another ASA5520 with AIP-20 module, but the wizard gives me a failure on security modules when trying to set up HA.


I suppose you mean you bought another 5520 with CSC module, then replaced the CSC with the AIP you took from the dead ASA?

Anyway, what is the exact error message please?

And can you also add "show module" ?

tnx

H

Yes, I purchased a new ASA and did exactly that. I thought the modules were the same, since the cost was the same and it included a module ending in AIP-20.

# Module info in new replacement unit (currently active)
Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  0 ASA 5520 Adaptive Security Appliance         ASA5520            JMX1324L1XN
  1 ASA 5500 Series Content Security Services Mo ASA-SSM-CSC-20     JAF1321BBQA

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version   
--- --------------------------------- ------------ ------------ ---------------
  0 0024.c49a.6617 to 0024.c49a.661b  2.0          1.0(11)5     8.0(4)23
  1 0024.9796.324e to 0024.9796.324e  1.0          1.0(11)5     CSC SSM 6.2.1599.0

Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- --------------------------
  1 CSC SSM                        Up               6.2.1599.0

Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
  0 Up Sys             Not Applicable       
  1 Up                 Up                   

# Module info in old running but un-configured standby
Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  0 ASA 5520 Adaptive Security Appliance         ASA5520            JMX1202L30V
  1 ASA 5500 Series Security Services Module-20  ASA-SSM-20         JAF1152BCPR

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version   
--- --------------------------------- ------------ ------------ ---------------
  0 001d.a259.4004 to 001d.a259.4008  2.0          1.0(11)2     8.0(4)23
  1 001e.7a81.7181 to 001e.7a81.7181  1.0          1.0(11)2   

Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- --------------------------

Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
  0 Up Sys             Not Applicable       
  1 Unresponsive       Not Applicable       

CSC module and AIP module are two different modules, and to run ASA in failover mode you would need to have the same module installed on both ASAs.

CSC - Content Security and Control module - protection against viruses, spyware, spam, etc. for SMTP, POP3, FTP and HTTP traffic

AIP - Advanced Inspection and Prevention module - the normal IPS module

As mentioned, if you don't need to have the module, you can take it out and run the ASAs in failover as long as both ASAs are the same model and version and have the same license installed.

Here is the requirement to run failover:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html
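As an added example (not from this thread or from Cisco), a small Python preflight check that applies the rule above to captured `show version` and `show module` text: it parses the model, software version, licence, licensed features and installed service modules from each unit and lists every mismatch that would stop an Active/Standby pair from forming, then shows the same comparison with the slot-1 modules pulled. It assumes the 8.0(4) output layout seen in the pastes above; the sample outputs are constructed abridgements of those pastes, not new captures.

```python
"""Preflight check for ASA Active/Standby failover prerequisites (added example).
Sample outputs below are constructed, abridged from the pastes in this thread."""
import re

def parse_show_version(text):
    """Return model, version, licence name and each licensed feature as a flat dict."""
    facts = {}
    for line in text.splitlines():
        if m := re.match(r"Cisco Adaptive Security Appliance Software Version (\S+)", line):
            facts["version"] = m.group(1)
        elif m := re.match(r"Hardware:\s+([^,]+),", line):
            facts["model"] = m.group(1)
        elif m := re.match(r"This platform has an? (.+) license\.", line):
            facts["license"] = m.group(1)
        elif m := re.match(r"(\S[^:]*?)\s{2,}: (.*)$", line):  # "Failover   : Active/Active"
            facts["feature " + m.group(1)] = m.group(2).strip()
    return facts

def parse_show_module(text):
    """Return {slot: {'model', 'status'}} from the dash-ruled `show module` tables."""
    modules, lines, i = {}, text.splitlines(), 0
    while i < len(lines) - 1:
        header, ruler = lines[i], lines[i + 1]
        if not (header.startswith("Mod ") and ruler.startswith("---")):
            i += 1
            continue
        # Column edges come from the dash ruler, so a cell that fills its column still splits right.
        spans = [(m.start(), m.end()) for m in re.finditer(r"-+", ruler)]
        i += 2
        while i < len(lines) and lines[i].strip() and not lines[i].startswith("Mod "):
            row = lines[i].ljust(spans[-1][1])
            cells = [row[s:e].strip() for s, e in spans]
            entry = modules.setdefault(int(cells[0]), {})
            if header.startswith("Mod Card Type"):
                entry["model"] = cells[2]          # Mod | Card Type | Model | Serial No.
            elif header.startswith("Mod Status"):
                entry["status"] = cells[1]         # Mod | Status | Data Plane Status | ...
            i += 1
    return modules

def unit_facts(show_version, show_module):
    return {**parse_show_version(show_version), "modules": parse_show_module(show_module)}

def failover_mismatches(a, b):
    """Differences that keep two units from forming an Active/Standby pair."""
    problems = []
    for key in sorted((set(a) | set(b)) - {"modules"}):
        if a.get(key) != b.get(key):
            problems.append(f"{key}: {a.get(key)} vs {b.get(key)}")
    for slot in sorted(set(a["modules"]) | set(b["modules"])):
        ma, mb = a["modules"].get(slot, {}), b["modules"].get(slot, {})
        if ma.get("model") != mb.get("model"):
            problems.append(f"slot {slot} module: {ma.get('model', 'none')} vs {mb.get('model', 'none')}")
        for side, m in (("A", ma), ("B", mb)):
            if m.get("status", "Up") not in ("Up", "Up Sys"):
                problems.append(f"slot {slot} on unit {side} is {m['status']}")
    return problems

def without_service_modules(facts):
    """Model the accepted fix: pull the SSMs and compare the chassis (slot 0) alone."""
    return {**facts, "modules": {s: m for s, m in facts["modules"].items() if s == 0}}

# Constructed samples, abridged from the thread's pastes (serials are the ones posted there).
NEW_UNIT_VERSION = """\
Cisco Adaptive Security Appliance Software Version 8.0(4)23
Hardware:   ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Licensed features for this platform:
Failover                     : Active/Active

This platform has an ASA 5520 VPN Plus license.
"""
OLD_UNIT_VERSION = NEW_UNIT_VERSION  # identical on both units in the thread
NEW_UNIT_MODULE = """\
Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  0 ASA 5520 Adaptive Security Appliance         ASA5520            JMX1324L1XN
  1 ASA 5500 Series Content Security Services Mo ASA-SSM-CSC-20     JAF1321BBQA

Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
  1 Up                 Up
"""
OLD_UNIT_MODULE = """\
Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  0 ASA 5520 Adaptive Security Appliance         ASA5520            JMX1202L30V
  1 ASA 5500 Series Security Services Module-20  ASA-SSM-20         JAF1152BCPR

Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
  1 Unresponsive       Not Applicable
"""

if __name__ == "__main__":
    new, old = unit_facts(NEW_UNIT_VERSION, NEW_UNIT_MODULE), unit_facts(OLD_UNIT_VERSION, OLD_UNIT_MODULE)
    print("with modules:  ", failover_mismatches(new, old))
    print("modules pulled:", failover_mismatches(without_service_modules(new), without_service_modules(old)))
```

Run against the thread's two units it reports only the slot-1 difference (CSC-20 versus SSM-20) plus the unresponsive AIP on the old standby, and an empty list once both slot-1 modules are removed, which is the state the answer above says will pair. Slicing rows by the dash ruler rather than splitting on whitespace is what keeps the truncated card-type cell and the two-word "Up Sys" status intact.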

Thanks! I was hoping the module is just a different license.  I'll just run them both without the security modules.  Don't know why I ever got them, more PITA and useless.
