Cisco Support Community

Can the ASA IPS module be set up for configuration replication?

While setting up two ASAs with IPS modules in an Active/Standby configuration, we were configuring the IPS modules and couldn't find any information on setting up the IPS modules in failover between the two ASAs such as configuration replication.

Do we have to duplicate config. changes on both IPS modules?

1 REPLY
Community Member

Re: Can the ASA IPS module be setup for configuration replicatio

You can put the same configs in both IPS modules, but the IPS devices don't share state like the firewalls.

So in a failover condition the IPS may lose state of open TCP flows, and TCP will need to do a reset to correct the problem. This is generally only a problem if you have a long flow such as an FTP file transfer going on. From a user perspective, in most cases you don't even know that a failover to the secondary IPS occurred. Engineering is currently looking at sharing stateful information between IPS devices.
