ASA Active/Active failover with IPS module in multi-context scenario
We have a pair of 5585-X running 9.1.x with multi-contexts and IPS SSP60 modules on both ASAs. Currently only two contexts are created and both are in failover group 1. While doing failover tests we noticed that once the secondary ASA is active and the IPS is rebooted, there is a considerable amount of packet loss (around 25-30 packets within 2-3 minutes) and services behind the DC, including voice, get disconnected at this time.
However, this does not happen in the following situations, apart from some 3-4 packets lost:
- when the primary ASA is active and the IPS is rebooted
- when the complete primary ASA (box) is reloaded while it is active
- when the complete secondary ASA (box) is reloaded while it is active
Both IPS modules have the same config, except that we noticed some iplogs in IPS2 (secondary ASA IPS) but not in the primary ASA IPS (IPS1), as follows:
Yes, once the secondary is active and we reload the IPS on it, it will fail over to the primary (which becomes active). Our issue lies there: it took around 2-3 minutes to pass traffic through the primary, and some 20-25 packets were lost until then, which is really a considerable amount.
This is an IPS module on an ASA5585X and has no physical port connectivity; however, the other connections to the firewall are verified and correct.
There was no time to troubleshoot further, as we had to revert because of some service disruptions (especially voice).
Is there any troubleshooting method at this time, or is this normal behavior?
We verified the switch config and it has no issues. This happens only when the secondary box's IPS is reloaded; however, when we force failover active to the primary from the secondary box, or when the secondary is completely rebooted, this delay or packet loss is not seen.