Solved: ASA CX Redundancy

HK Loh · ‎10-07-2013

I am setting up two ASA 5515X -Active/Passive Mode. I want to configure CX Module as Active/Passive also.

Both FIrewall configuration is in-sync just CX's Configuration cannot sync, can i know the actual way to manage the CX in HA Mode (Active/Passive)

Thanks....

Jouni Forss · ‎10-07-2013

Hi,

To my understanding the CX configurations have to be kept identical manually. From what I understand there is no Failover replication of configurations between the ASA CX in the Failover. Just the ASA configurations

Here is a quote from a Cisco ASA CX Documentations Guidelines and Limitations section

Failover Guidelines

Does not support failover directly; when the ASA fails over, any existing ASA CX flows are transferred to the new ASA, but the traffic is allowed through the ASA without being inspected by the ASA CX.

Source:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/modules_cx.html#wp1266392

The above though refers only to the fact that the when Failover happens only the new connections incoming to the now Active ASA CX will be forwarded to it while other existing connections during the Failover will pass the now Active devices ASA CX.

If I am not completely mistaken I think you will need to use the management software on a separate server to be able to keep the configurations synchronized. I dont think the ASAs / ASA-CXs can do that themselves automatically.

Here is another quote:

Step 3

To ensure configuration and policy synchronization, make both devices members of the same PRSM device group.

You can either create a new device group and assign the Active/Standby pair to it, or you can simply assign the secondary device to the primary device group. See Assigning Devices to Device Groups for more information.

Source:

http://www.cisco.com/en/US/docs/security/asacx/9.1/user/guide/b_User_Guide_for_ASA_CX_and_PRSM_9_1_chapter_0100.html#task_F61A932F60754FCBA559D24DA57E8335

- Jouni

View solution in original post

Jouni Forss · ‎10-07-2013

Hi,

To my understanding the CX configurations have to be kept identical manually. From what I understand there is no Failover replication of configurations between the ASA CX in the Failover. Just the ASA configurations

Here is a quote from a Cisco ASA CX Documentations Guidelines and Limitations section

Failover Guidelines

Does not support failover directly; when the ASA fails over, any existing ASA CX flows are transferred to the new ASA, but the traffic is allowed through the ASA without being inspected by the ASA CX.

Source:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/modules_cx.html#wp1266392

The above though refers only to the fact that the when Failover happens only the new connections incoming to the now Active ASA CX will be forwarded to it while other existing connections during the Failover will pass the now Active devices ASA CX.

If I am not completely mistaken I think you will need to use the management software on a separate server to be able to keep the configurations synchronized. I dont think the ASAs / ASA-CXs can do that themselves automatically.

Here is another quote:

Step 3

To ensure configuration and policy synchronization, make both devices members of the same PRSM device group.

You can either create a new device group and assign the Active/Standby pair to it, or you can simply assign the secondary device to the primary device group. See Assigning Devices to Device Groups for more information.

Source:

http://www.cisco.com/en/US/docs/security/asacx/9.1/user/guide/b_User_Guide_for_ASA_CX_and_PRSM_9_1_chapter_0100.html#task_F61A932F60754FCBA559D24DA57E8335

- Jouni

Marvin Rhoads · ‎10-07-2013

Jouni is correct.

Normal ASA HA replication does not include the CX moudule - only the policy maps and service policies the ASAs use to redirect the traffic to the PRSM modules.

If you are configuring your CX using on-box PRSM, you need to make any configurations by doing the same steps on each CX manually.

If you use the off-box PRSM running on an external server, then the procedure linked above will keep the configuraitns synchronized.