Cisco Support Community
New Member

AIP-SSM-20 IN ASA 5520 TRIGGERING FAILOVER

Hi all. I have 2 Cisco ASA 5520s set up in Active/Standby failover mode. Both units have an AIP-SSM-20 module as well. It seems that whenever I reboot the AIP-SSM module on the primary ASA this causes the ASAs to fail over. Any suggestions as to why this is happening? Thanks in advance.

5 REPLIES
Cisco Employee

Re: AIP-SSM-20 IN ASA 5520 TRIGGERING FAILOVER

You are correct. Reloading the AIP module will also trigger the ASA failover as per the following timeout; i.e., for the AIP module it is 2 seconds before the failover is triggered:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1149492

Hope that answers your question.

New Member

Re: AIP-SSM-20 IN ASA 5520 TRIGGERING FAILOVER

So are you saying there is no way to avoid triggering failover when an AIP is reset?

Re: AIP-SSM-20 IN ASA 5520 TRIGGERING FAILOVER

You can temporarily remove the Modular Policy Framework configuration that forwards traffic down to the AIP, which will disassociate the AIP's availability from the failover mechanism. However, failovers are not a bad thing fundamentally. Are you trying to avoid triggering an alarm or alert that you or your team has configured when a failover occurs? If that is the case, altering the MPF may be the best solution for you.

Thank you,

Blayne Dreier

Cisco TAC Escalation Team

**Please check out our Podcasts**

TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast

TAC IPS Media Series: https://supportforums.cisco.com/docs/DOC-12758

New Member

Re: AIP-SSM-20 IN ASA 5520 TRIGGERING FAILOVER

Thanks!  So there's a choice to be made between disabling IPS functions for a short time, and taking the performance hit of enabling failover replication for HTTP traffic, assuming long-lived HTTP sessions (Citrix comes to mind). 

Re: AIP-SSM-20 IN ASA 5520 TRIGGERING FAILOVER

What happens if the secondary SSM module fails as well? Will the module fail open, meaning permit the traffic to flow to the ASA, or drop the traffic? The logic says all the traffic will be dropped, as the appliance will consider this a hardware failure.

Please advise.
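As an added illustration of the Modular Policy Framework change Blayne describes above, and of the fail-open versus fail-close question raised in the last reply, here is a typical ASA global policy that diverts traffic to the AIP-SSM, together with the commands that temporarily detach the module from the policy before a reload and reattach it afterwards. This is example configuration added by the editor, not from the original thread; the class-map name IPS_CLASS and the module slot number are assumed. Note that the `fail-open` or `fail-close` keyword on the `ips` command is what decides whether the ASA passes or drops the matched traffic while the module is unavailable; it is a per-policy choice made here, not a failover setting.

```cisco
! Typical policy that sends all traffic through the AIP-SSM
! (IPS_CLASS is an assumed name; global_policy is the ASA default policy-map)
class-map IPS_CLASS
 match any
!
policy-map global_policy
 class IPS_CLASS
  ips inline fail-open
!
service-policy global_policy global
!
! Alternative: drop matched traffic while the module is down
! policy-map global_policy
!  class IPS_CLASS
!   ips inline fail-close
!
! Step 1: before reloading the module, stop steering traffic to it
policy-map global_policy
 class IPS_CLASS
  no ips inline fail-open
!
! Step 2: reload the module from the ASA (slot 1 assumed)
hw-module module 1 reload
!
! Step 3: confirm the module is back up and failover state is unchanged
show module 1 details
show failover
!
! Step 4: reattach the module to the policy
policy-map global_policy
 class IPS_CLASS
  ips inline fail-open
```

While the `ips` action is removed from the class, traffic in that class is not inspected by the module, which is the trade-off the follow-up reply points out. Use `write memory` only after the policy is restored, so the saved configuration never has the module detached.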
