The ASA 5510 itself supports high availability, which includes both keeping the configuration of the 2 ASAs in sync and failing over traffic to the other ASA.
The SSM-10 does not technically support high availability itself, but will function just fine in ASAs that support high availability.
The SSM-10s will not sync their configuration, so each SSM-10 needs its own IP address and must be independently configured. (Some users use CSM to manage the IPS configuration so they can make a single change and apply that config change to both of the SSM-10s.)
The SSM-10s will not share monitoring information, but will not stop a session that fails over from one ASA to the other.
The SSM-10 relies on the ASA to track session state and validate that the packet is legitimate. So if a session is being monitored by one SSM-10 and that ASA fails, then the session fails over to the second ASA, and the SSM-10 in the second ASA starts seeing the packets for that session. That second SSM-10 will assume that the ASA has validated that the session should be allowed, so the SSM-10 simply starts monitoring that connection from the point at which it failed over to the second ASA.
It does not stop the connection (unless it sees an attack in the connection).
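
Because the two SSM-10s are configured independently, it is worth checking that their policies have not drifted apart, so a failed-over session is inspected the same way. The script below is an added example, not part of the original answer: it compares two saved IPS configurations section by section and ignores the settings that must differ per module. It assumes the configurations are saved as text with top-level `service ...` headings and `host-ip` / `host-name` lines; the sample configurations are constructed and simplified.

```python
import difflib

# Settings that must differ per module: each SSM-10 has its own management address.
PER_SENSOR_PREFIXES = ("host-ip ", "host-name ")

def split_sections(config_text):
    """Group config lines under their top-level 'service ...' heading."""
    sections, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # skip blank lines and '!' comment/separator lines
        if line.startswith("service "):
            current = line
            sections[current] = []
        elif current is not None and not line.startswith(PER_SENSOR_PREFIXES):
            sections[current].append(line)
    return sections

def config_drift(primary_text, secondary_text):
    """Return {section: [diff lines]} for sections that differ between the modules."""
    a, b = split_sections(primary_text), split_sections(secondary_text)
    drift = {}
    for section in sorted(set(a) | set(b)):
        diff = list(difflib.unified_diff(a.get(section, []), b.get(section, []),
                                         "primary", "secondary", lineterm="", n=2))
        if diff:
            drift[section] = diff
    return drift

# Constructed, simplified sample exports (not taken from real sensors).
PRIMARY = """\
service host
network-settings
host-ip 192.0.2.11/24,192.0.2.1
host-name ips-primary
telnet-option disabled
exit
exit
service signature-definition sig0
signatures 2000 0
status
enabled true
exit
exit
exit
"""
# The secondary differs in address and name (expected) and in one signature (drift).
SECONDARY = PRIMARY.replace("192.0.2.11", "192.0.2.12").replace(
    "ips-primary", "ips-secondary").replace("enabled true", "enabled false")

if __name__ == "__main__":
    for section, diff in config_drift(PRIMARY, SECONDARY).items():
        print(section, *diff, sep="\n")
```

On the sample data only the signature-definition section is reported; the differing address and host name are treated as expected.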