Community Member

IPS modules in Cisco ASA 5510 Active/Standby pair.

All, I am looking to add the IPS module to my ASA 5510s. I am contemplating only purchasing one module and placing it in the active ASA. I am willing to accept that in a failure scenario I will lose the IPS functionality until the primary ASA is recovered. I have not had a chance to talk to my SE to see if this is even possible. Has anyone attempted a deployment such as this? Will it work and is it supported?

Sent from Cisco Technical Support iPad App

11 REPLIES

IPS modules in Cisco ASA 5510 Active/Standby pair.

Hello,

Unfortunately, to run failover on a pair of ASAs, the hardware needs to be exactly the same on both. Otherwise, failover will not even work.

Here is one link that will help you regarding the requirements for a successful HA cluster.

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/ha_overview.html#wp1077521

Regards,

Julio

Do rate all helpful posts!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Community Member

Re: IPS modules in Cisco ASA 5510 Active/Standby pair.

Thanks for the response, I thought that was the case, but it never hurts to ask. What about the contract? Do you have to carry the Smartnet contract on both modules?

Sent from Cisco Technical Support iPad App

Re: IPS modules in Cisco ASA 5510 Active/Standby pair.

Both IPS modules will need Smartnet if you want to keep active signature files on them both.

Regards,

Julio

Rate helpful posts!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Community Member

IPS modules in Cisco ASA 5510 Active/Standby pair.

So you need to have a physical IPS module in each of the active and standby ASAs, but you can pay for only one license of updates if you are willing to accept that your standby ASA will not have up-to-date signature files?

In a scenario when you have failover and failback, does this cause issues or will everything work fine?

Silver

IPS modules in Cisco ASA 5510 Active/Standby pair.


No, it does not, but I don't believe that it would be a good idea; the intention of purchasing a device is for it to be fully functional, not partially.

Value our effort and rate the assistance!

Community Member

IPS modules in Cisco ASA 5510 Active/Standby pair.

I just found out that the VPN licensing on active/standby configurations only requires 1 license with versions 8.3 and above. So for SSL VPN, we only need one license for the active unit and during failover the standby unit would inherit it and vice-versa. Is this the same with IPS then and we'd only need one license for the two appliances? We are on 8.4.

Silver

IPS modules in Cisco ASA 5510 Active/Standby pair.

Hello Jon,

No, it is not the same. The IPS license has nothing to do with the failover setup and it does not replicate over. If you want, you can license one or both, but again the idea of purchasing a device is for it to be fully functional.

Value our effort and rate the assistance!

Community Member

IPS modules in Cisco ASA 5510 Active/Standby pair.

Ok, that is what I needed to know. The purpose of us having an active/standby ASA is to keep the business up and going for the very rare times there could be an active ASA failure. The purpose for the IPS would be to help protect and inspect traffic and is not necessary to keep the business running. If we implement IPS I am not worried at all if during the times when the primary ASA is down (hasn't been down for over three years now) we lose the IPS functionality. This is not worth the $1000 extra per year to us.

Thanks for the responses though. That answers my questions.

Silver

IPS modules in Cisco ASA 5510 Active/Standby pair.

Value our effort and rate the assistance!

Hall of Fame Super Silver

IPS modules in Cisco ASA 5510 Active/Standby pair.

You can establish a failover pair with one unit having the IPS module and the other one not having it.

I know the docs say you need the same SSMs but I have seen it work firsthand.

Silver

IPS modules in Cisco ASA 5510 Active/Standby pair.

Please mark the discussion as answered

Value our effort and rate the assistance!
