Cisco Support Community
Community Member

AIP-SSM in cluster

Hello,

We have a fail-over ASA cluster with 2 AIP-SSM IPS, one in each ASA. Is there a way to configure the IPS module in cluster mode like the ASA, or to have configuration mirroring between them?

Thank you very much.
Best regards, Antonello.

Accepted Solutions
Cisco Employee

Re: AIP-SSM in cluster

Antonello;

  Configuration mirroring between AIP-SSMs is not currently available.  You can mimic this process by copying the current-configuration from the active AIP-SSM to an FTP server, editing the configuration to remove the host-specific details (IP address, etc.), and then copying that configuration to the stand-by AIP-SSM.

  Another option would be to invest in Cisco Security Manager (CSM) and create a shared policy that is applied to both AIP-SSMs.

Scott
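
The edit step described in the answer above, as an added example that is not part of the original thread: a Python script that drops per-sensor settings from a saved configuration and lists any remaining lines that still reference the active sensor's addresses. The sample configuration is constructed, and treating `host-ip` and `host-name` as the host-specific settings is an assumption.

```python
import re

# Constructed sample of an AIP-SSM configuration dump (simplified; not from the thread).
SAMPLE = """\
! ------------------------------
service host
network-settings
host-ip 192.0.2.10/24,192.0.2.1
host-name ips-active
telnet-option disabled
access-list 192.0.2.0/24
exit
exit
! ------------------------------
service event-action-rules rules0
filters insert mgmt-noise begin
attacker-address-range 192.0.2.10
actions-to-remove produce-alert
exit
exit
"""

# Per-sensor settings under "service host" (assumed list; extend for your deployment).
HOST_SPECIFIC = ("host-ip", "host-name")
IPV4 = re.compile(r"\d+\.\d+\.\d+\.\d+")

def strip_host_specific(config_text, keys=HOST_SPECIFIC):
    """Return (portable_config, removed_lines); only 'service host' is touched."""
    kept, removed, service = [], [], None
    for line in config_text.splitlines():
        words = line.split()
        if words[:1] == ["service"]:
            service = words[1] if len(words) > 1 else None
        if service == "host" and words and words[0] in keys:
            removed.append(line.strip())
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed

def leftover_addresses(portable_config, removed_lines):
    """Kept lines that still mention an address taken from a removed line."""
    addrs = {a for line in removed_lines for a in IPV4.findall(line)}
    return [line.strip() for line in portable_config.splitlines()
            if addrs & set(IPV4.findall(line))]

if __name__ == "__main__":
    portable, removed = strip_host_specific(SAMPLE)
    print("removed:", removed)
    print("review before copying to the stand-by:", leftover_addresses(portable, removed))
```

Lines reported by `leftover_addresses` are policy entries that name the active sensor itself, so they need a manual decision before the file is copied to the stand-by AIP-SSM.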

5 REPLIES
Community Member

Re: AIP-SSM in cluster

Scott, you are my best friend :).

We already have a CSM; for me it is a new product, so I didn't think to use it for this issue. I think we are going to explore this possibility.

Thank you again!

Cisco Employee

Re: AIP-SSM in cluster

Antonello;

  It is certainly a pleasure to be able to provide guidance on ways to accomplish your needs. Don't hesitate to come back with any other questions you may have, and we in the community will work to assist you.

  CSM can be a bit tricky to get started with, but once you understand its potential, it can make configuration (policy) management of multiple/various Cisco security devices much easier to maintain.

Scott

Community Member

Re: AIP-SSM in cluster

Scott, I need your help again.

Look, I tried to follow your tip about adding the IPS in CSM, but I found this problem:

Our CSM is integrated with ACS, but IPS 6.1 doesn't support AAA. When I try to add it, CSM tells me I need to add it in ACS first. I tried to add a dummy entry in ACS, but it doesn't work.

I found this post. I haven't tried it yet, because I would like to find a less tricky solution.
https://supportforums.cisco.com/message/959153

Do you know a procedure or a link in the documentation where I can find the solution? I was searching for almost all day yesterday but I couldn't find anything.

Thank you again.
Best regards Antonello.

Community Member

Re: AIP-SSM in cluster

Scott, never mind, I resolved it.

I forgot the first lemma in information technology: be patient.

I forgot CWS can take a long time before it can see an allowed device from ACS. To accelerate the process I just restarted the CSM daemon manager.

If you need them, here are the steps:

1. Add a dummy entry of the IPS in ACS. By dummy entry I mean just add the IPS without any config in the device.

2. (Optional) Add the device in the CSM CiscoWorks backend.

3. Restart the CSM daemon manager.

4. (Optional) If you previously added the IPS in the CSM CiscoWorks backend, remove it.

5. Add the IPS through the CSM client.

6. Enjoy.

Thank you anyway for reading :).

Cheers Antonello.
