I am looking for some clarification on the behavior of an ASA Active/Standby failover pair when the units contain AIP modules. My experience with SSMs is mostly with the CSC module.
The documentation states that if the AIP module in the Active unit "fails", a failover will occur. However, the documentation does not clearly define what a failure is. Therefore, I am hoping some of you have experience with this and will be able to describe what happens in the following scenarios:
1. Will a failover occur when the module reloads after a system software upgrade?
2. Will a failover occur when the module reloads after a reimage of the module?
3. Will a failover occur after a signature definition update?
If the answer to any of the above questions is yes, what is the best way to prevent these failover events (i.e. temporarily disable failover? reload the module in the Standby unit first?)? Also, if you have any documentation which explains this, I would appreciate links to that as well.
Thank you for your response. This is what I was expecting; however, the enhancement request says:
"This bug is filed as an Enhancement request to allow this to be a
configurable option, so that a failover will not occur if the AIP-SSM
According to the Bug Toolkit, this enhancement was "fixed", so I assume that this became a configurable option? Could you point me toward the command to toggle this--I am having trouble finding it in any of the documentation.
Sorry, I read that bug again and it looks like the fix only took care of the "SSM hang" issue. Therefore, the workaround should be "disable failover", as you have realized. I am not sure if removing the command for IPS in "service-policy" will help here.