11-04-2014 06:29 AM - edited 03-10-2019 06:16 AM
I have my pair of Cisco ASA 5515-Xs in an active/standby failover mode. My question is, I have both units with IPS software; how are these configured for failover? I can't console into the secondary ASA, so I can't run the setup on the secondary IPS unit? I did on the initial one and gave it an IP address and also updated the image, so now they are out of sync.
Last Failover at: 12:27:28 CST Nov 3 2014
This host: Primary - Active
Active time: 71896 (sec)
slot 0: ASA5515 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
Interface outside (1.1.1.1): Normal (Monitored)
Interface inside (172.20.16.30): Normal (Monitored)
Interface Mgmt (172.20.17.10): Normal (Monitored)
slot 1: IPS5515 hw/sw rev (N/A/7.1(4)E4) status (Up/Up)
IPS, 7.1(4)E4, Up
Other host: Secondary - Bulk Sync
Active time: 2386 (sec)
slot 0: ASA5515 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
Interface outside (1.1.1.2): Normal (Monitored)
Interface inside (172.20.16.31): Normal (Monitored)
Interface Mgmt (172.20.17.11): Normal (Monitored)
slot 1: IPS5515 hw/sw rev (N/A/7.1(9)E4) status (Up/Up)
IPS, 7.1(9)E4, Up
11-04-2014 07:04 PM
It looks like you have the classic IPS module, not the CX.
Why can't you console into the second ASA? It has unique standby addresses you could use as well.
11-05-2014 07:58 AM
I thought the classic one was the actual physical module that slid into the old 5500 series devices and the CX was the software version for the X series devices?
I was able to finally log into the standby, but was thrown off when it had the hostname of the active unit. So I configured the prompt command to show active or standby within the hostname prompt.
11-06-2014 08:15 AM
On the older "non-X" platform, yes IPS was on an SSM Security Services Module (hardware).
On the next generation firewall 5500-X series we use software modules that can be imaged as:
1. IPS (classic style - very similar to the old hardware module),
2. CX (for WSE, AVC and/or next-generation IPS services), or
3. Firepower (IPS, URL Filtering and/or AMP Advanced Malware Protection) modules.
#1 is very near end-of-life and would not generally be recommended for new deployments. #2 was Cisco's thrust prior to the Sourcefire acquisition in 2013 and still a quite viable solution. #3 is generally recommended for new deployments, especially if the focus is on IPS capabilities.
11-06-2014 08:20 AM
We purchased new ones with Sourcefire for a new deployment, but these have been sitting for about a year and are now just being deployed. Is there a way to update the IPS? Is it a different SKU to purchase, and can I just slide in a new hard drive?
11-06-2014 09:34 AM
The physical SSD is the same on all the models 5512-X through 5555-X.
The 5585-X uses an SSP hardware blade in the 10, 20, 40 or 60 variant depending on required throughput.
To switch from classic IPS to FirePOWER (or CX) software module you need to update your licensing, replacing the IPS subscription service with Firepower.
All Cisco ASA with FirePOWER Services appliances ship with a base license for AVC (also known as Apps). Optional subscriptions for IPS, AMP, and URL and content filtering can be added to the base appliance configuration for advanced functionality.
The Cisco ASA with FirePOWER Services base configuration includes the Application Visibility and Control (AVC) function by default. This feature provides application identification and control of more than 3,000 applications, detected and classified by risk and business relevance. Customers require a Cisco SMARTnet support contract with each appliance to download application signature updates.
See the graphic attached below for more on that.
The licenses are actually loaded onto the controlling FirePOWER System Manager (FSM) which is an external VM or appliance. With that in hand you would then get the ASA to the prerequisite software level, re-image the software module and use first the bootstrap and then the system software to make the Firepower module up and ready. You run through a small setup script and then do all other operations from the FSM.
Hope this helps. Please mark your question as answered when it has been and rate helpful replies.
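As an added illustration (not posted by anyone in this thread), this is the ASA CLI sequence that the reply above describes for re-imaging the classic IPS software module on a 5515-X to FirePOWER. Server addresses, image file names, version numbers and the registration key are placeholders; the module is re-imaged on each unit of the failover pair separately, and the manager address is whatever the FSM/management appliance uses in your deployment.

```text
! === Stage 1: remove the classic IPS module (run on each ASA in turn) ===
! Assumes the ASA is already at the prerequisite release (9.2(2)4 here).
ciscoasa# sw-module module ips shutdown
ciscoasa# sw-module module ips uninstall
ciscoasa# reload

! === Stage 2: stage the FirePOWER boot image on the ASA flash ===
! TFTP_SERVER and the image name are placeholders.
ciscoasa# copy tftp://TFTP_SERVER/asasfr-5500x-boot-VERSION.img disk0:

! === Stage 3: point the module at the boot image and start it ===
ciscoasa# sw-module module sfr recover configure image disk0:asasfr-5500x-boot-VERSION.img
ciscoasa# sw-module module sfr recover boot
! Wait until "show module sfr" reports the module as Up before continuing.
ciscoasa# show module sfr

! === Stage 4: bootstrap from the module console (the "small setup script") ===
ciscoasa# session sfr console
! Log in to the boot image, then run setup to give the module its
! management IP, gateway, DNS and NTP; values below are placeholders.
asasfr-boot> setup
! Install the full system package from your HTTP server (placeholder URL).
asasfr-boot> system install http://HTTP_SERVER/asasfr-sys-VERSION.pkg
! The module reboots into the full FirePOWER system when the install finishes.

! === Stage 5: register the module with the management appliance ===
ciscoasa# session sfr console
! Log in to the FirePOWER system and point it at the manager.
! MANAGER_IP and REG_KEY are placeholders; REG_KEY must match the
! key entered when the device is added on the manager.
> configure manager add MANAGER_IP REG_KEY

! === Stage 6: send traffic to the module (ASA side, replicated by failover) ===
! fail-open keeps traffic flowing if the module goes down; use fail-close
! if dropping traffic is preferable to bypassing inspection.
ciscoasa(config)# class-map sfr-traffic
ciscoasa(config-cmap)# match any
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class sfr-traffic
ciscoasa(config-pmap-c)# sfr fail-open

! Optional, from the earlier post: show the failover role in the prompt so
! you can tell active from standby when logged in to either unit.
ciscoasa(config)# prompt hostname priority state
```

Repeat stages 1 to 5 on the second ASA; only the service-policy configuration in stage 6 is replicated across the failover pair, the module image and its registration are not.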