Cisco Support Community
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

ASA IPS module failover

I have a customer with asa in failover mode; each ASA has an IPS module. My question is how do I configure the IPS in the secondary ASA? or do I?


Re: ASA IPS module failover


The failover is only applicable to the ASA. For the IPS the configuration has to be replicated manually. IPS is always active. If traffic flows through it it will do the inspection. you could do the FTP part for the configuration. If you manage through CSM or VMS. You could possibly push same configuration to the IPS device and also tune signatures on both without having to do them seperately. omething to keep in mind. The 2 SSMs each need their own independant names and ip addresses. If you are using blocking/shunning then only one of the 2 SSMs can block/shun on the firewall.

The rest of the configuration can be the same between the 2 sensors.Automatically copying the configuration on the secondary IPS is planned for the future according to Cisco.


Community Member

Re: ASA IPS module failover


Thanks, I think you have told me that this is not worth doing because then I have to modify Mars to accept from what it thinks is a different IPS.

Cisco Employee

Re: ASA IPS module failover

MARS has to be configured to talk to the IPS SSMs in each of the 2 ASAs independantly. MARS needs to treat them as 2 separate sensors.

The ASAs are capable of active/active configurations when using multiple contexts.

For context A the ASA on the left can be active and the ASA on the right in standby.

For context B, however, the ASA on the left can be in standby, and the ASA on the right be active.

So traffic can be actively flowing through each ASA.

So the SSM in the left ASA would be monitoring traffic in context A.

And the SSM in the right ASA would be monitoring traffic in context B.

(NOTE: During an ASA failure, both contexts would be made active in the other running ASA, and both contexts monitored by the SSM in the running ASA.)

Because both SSMs are actively monitoring, each SSM needs its own ip address and MARS needs to connect to and monitor both SSMs.

Unlike the ASA where the ASA has an ip address unique to each context (and passed between ASAs during a failover). The SSMs do NOT have ip addresses unique to the contexts. The SSM has just it's single IP address regardless of the number of contexts or failover configuration of the ASA.

In the future the plan is to have the 2 SSMs be able to sync their sensing configuration settings, but even then they will still each need their own unique ip address and name, because in an active/active ASA configuration both of the SSMs will be actively monitoring different traffic.

So MARS will always need to connect to each SSM's ip address uniquely.

Community Member

Re: ASA IPS module failover


CreatePlease to create content