Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Installing aip ssc-5 in a failover pair

Hi,

I have a pair of aip ssc-5's that needs to be installed in a pair of failover pair of 5505's. I wonder what the right process is, minimizing downtime. Will there be problems if I take the passive node down, install the aip ssc-5 and boot it up, because they are not identical hardware wise?

I also wonder if the configuration of the modules will be replicated, or if it will have to be manually configured identical.

Thanks in advance for any insight

Everyone's tags (2)
1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Installing aip ssc-5 in a failover pair

Will there be problems if I take the passive node down, install the aip  ssc-5 and boot it up, because they are not identical hardware wise?

Yes, this understanding is correct.

We need to arrange some downtime to be able to carry out this activity. Steps that can be followed are as follows:

1] Shut down the standby unit. Insert the module inside it & let it be down.

2] Shut down the active unit. Insert the module inside it and power it back on. (the time it will take to carry out this task will be the net downtime)

3] Once the active unit comes back on. Power on the standby unit.

4] Configure policy to redirect traffic to the aip module on the active unit. This policy will get replicated over to the standby as well.

5] Configure IPS modules separately on both ASA's as config on the modules wont get replicated.

Hope it helps.

4 REPLIES
Hall of Fame Super Silver

Installing aip ssc-5 in a failover pair

I think the failover pair will not reestablish correctly when you install the SSC-5 in the standby unit as the hardware will no  longer be identical. (Though I've never tried it with AIP modules per se.)

Re configuration, only the firewall service policy rules directing traffic to the module is replicated. Any configuration of the IPS itself must be done separately on each module.

Cisco Employee

Installing aip ssc-5 in a failover pair

Will there be problems if I take the passive node down, install the aip  ssc-5 and boot it up, because they are not identical hardware wise?

Yes, this understanding is correct.

We need to arrange some downtime to be able to carry out this activity. Steps that can be followed are as follows:

1] Shut down the standby unit. Insert the module inside it & let it be down.

2] Shut down the active unit. Insert the module inside it and power it back on. (the time it will take to carry out this task will be the net downtime)

3] Once the active unit comes back on. Power on the standby unit.

4] Configure policy to redirect traffic to the aip module on the active unit. This policy will get replicated over to the standby as well.

5] Configure IPS modules separately on both ASA's as config on the modules wont get replicated.

Hope it helps.

Hall of Fame Super Silver

Installing aip ssc-5 in a failover pair

Amitaaga,

That matches my understanding exactly.

Endorsed.

Cisco Employee

Installing aip ssc-5 in a failover pair

Thanks Marvin

137
Views
0
Helpful
4
Replies