New Member

ASA CX Redundancy

I am setting up two ASA 5515X in Active/Passive mode. I want to configure the CX module as Active/Passive also.

Both firewall configurations are in sync, just the CX's configuration cannot sync. Can I know the actual way to manage the CX in HA mode (Active/Passive)?

Thanks....

1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze

ASA CX Redundancy

Hi,

To my understanding, the CX configurations have to be kept identical manually. From what I understand there is no failover replication of configurations between the ASA CXs in the failover, just the ASA configurations.

Here is a quote from the Cisco ASA CX documentation's Guidelines and Limitations section:

Failover Guidelines

Does not support failover directly; when the ASA fails over, any existing ASA CX flows are transferred to the new ASA, but the traffic is allowed through the ASA without being inspected by the ASA CX.

Source:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/modules_cx.html#wp1266392

The above, though, refers only to the fact that when failover happens, only the new connections incoming to the now Active ASA CX will be forwarded to it, while other connections existing during the failover will pass the now Active device's ASA CX.

If I am not completely mistaken, I think you will need to use the management software on a separate server to be able to keep the configurations synchronized. I don't think the ASAs / ASA-CXs can do that themselves automatically.

Here is another quote:

Step 3 To ensure configuration and policy synchronization, make both devices members of the same PRSM device group.

You can either create a new device group and assign the Active/Standby pair to it, or you can simply assign the secondary device to the primary device group. See Assigning Devices to Device Groups for more information.

Source:

http://www.cisco.com/en/US/docs/security/asacx/9.1/user/guide/b_User_Guide_for_ASA_CX_and_PRSM_9_1_chapter_0100.html#task_F61A932F60754FCBA559D24DA57E8335

- Jouni

2 REPLIES
Hall of Fame Super Silver

ASA CX Redundancy

Jouni is correct.

Normal ASA HA replication does not include the CX module - only the policy maps and service policies the ASAs use to redirect the traffic to the PRSM modules.

If you are configuring your CX using on-box PRSM, you need to make any configurations by doing the same steps on each CX manually.

If you use the off-box PRSM running on an external server, then the procedure linked above will keep the configurations synchronized.
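As an added illustration (not posted in this thread and not taken from Cisco's documentation), the fragment below shows the only CX-related piece that ASA Active/Standby failover does replicate: the class-map, policy-map and service-policy on the ASA that hand traffic to the CX module. Interface names, addresses, the class-map name and the failover key are constructed placeholders. The CX's own access, identity and decryption policies never appear in this running-config, which is why they have to be kept identical through PRSM on both units.

```text
! --- Replicated by ASA Active/Standby failover (constructed example values) ---
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/4
failover link folink GigabitEthernet0/4
failover interface ip folink 192.0.2.1 255.255.255.252 standby 192.0.2.2
! Shared secret so config replication over the failover link is encrypted;
! replace the placeholder on both units.
failover key CHANGE-ME-shared-secret
!
! Traffic selection for the CX module. This class-map/policy-map/service-policy
! lives in the ASA running-config, so it is copied to the standby unit.
class-map cx-traffic
 match any
!
policy-map global_policy
 class cx-traffic
  ! fail-close: if the CX module itself goes down, matching traffic is dropped
  ! instead of being forwarded uninspected (fail-open would let it through).
  ! This governs module failure only; on an ASA failover, flows that were
  ! already established pass without CX inspection, as quoted above.
  cxsc fail-close
!
service-policy global_policy global
!
! NOT in this file and NOT replicated: the CX's own policy sets (access
! policies, identity, decryption, application visibility). Those live on each
! CX module and are synchronized only by placing both modules in one PRSM
! device group, as the accepted answer describes.
```

When reviewing an HA pair, compare the `cxsc` line and the failover block on both units against this shape, then verify the CX side separately in PRSM, since a matching ASA config says nothing about whether the two CX policy sets agree.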
