Unanswered Question
May 19th, 2010

Hi all. I have 2 Cisco ASA 5520s set up in an Active/Standby failover mode. Both units have an AIP-SSM-20 module as well. It seems that whenever I reboot the AIP-SSM module on the primary ASA, this causes the ASAs to fail over. Any suggestions as to why this is happening? Thanks in advance.

jstone Wed, 08/31/2011 - 06:11

So are you saying there is no way to avoid triggering failover when an AIP is reset?

Christopher Dreier Wed, 08/31/2011 - 08:06

You can temporarily remove the Modular Policy Framework configuration that forwards traffic down to the AIP, which will disassociate the AIP's availability from the failover mechanism. However, failovers are not a bad thing fundamentally. Are you trying to avoid triggering an alarm or alert that you or your team has configured when a failover occurs? If that is the case, altering the MPF may be the best solution for you.

Thank you,

Blayne Dreier

Cisco TAC Escalation Team

jstone Wed, 08/31/2011 - 11:22

Thanks!  So there's a choice to be made between disabling IPS functions for a short time, and taking the performance hit of enabling failover replication for HTTP traffic, assuming long-lived HTTP sessions (Citrix comes to mind). 

kulkarni.chaitanya Thu, 05/24/2012 - 06:10

What happens if the Secondary SSM module fails as well? Will the module FAIL - OPEN, meaning permit the traffic to flow to the ASA, or drop the traffic? The logic says all the traffic will be dropped as the appliance will consider this as a hardware failure.

Please advise.

