Cisco Support Community

New Member

ASA 5510 IPS Edition Bundle high availability


We intend to use the ASA 5510 IPS Edition as a firewall and IPS. Does anybody know if the ASA 5510 IPS Edition supports high availability also?


Cisco Employee

Re: ASA 5510 IPS Edition Bundle high availability

The ASA 5510 itself supports high availability, which includes both keeping the configuration of the 2 ASAs in sync, and failing over traffic to the other ASA.

The SSM-10 does not technically support high availability itself, but will function just fine in ASAs that support high availability.

The SSM-10s will not sync their configuration, so each SSM-10 needs its own IP address and must be independently configured. (Some users use CSM to manage the IPS configuration so they can make a single change and apply that config change to both of the SSM-10s.)

The SSM-10s will not share monitoring information, but will not stop a session that fails over from one ASA to the other.

The SSM-10 relies on the ASA to track session state and validate that the packet is legitimate. So if a session is being monitored by one SSM-10 and that ASA fails, then the session fails over to the second ASA, and the SSM-10 in the second ASA starts seeing the packets for that session. That second SSM-10 will assume that the ASA has validated that the session should be allowed, so the SSM-10 simply starts monitoring that connection from the point at which it failed over to the second ASA.

It does not stop the connection (unless it sees an attack in the connection).

New Member

Re: ASA 5510 IPS Edition Bundle high availability

So if we order ASA5510-AIP10-K9, then does it have the needed license for high availability also?