Cisco FirePOWER Services within the ASA platform

Steven Williams
Level 4

So back in the old days when IDS/IPS was a module for the ASA it had its own Ethernet port for management. How is management done now with the new platforms and Fire Source? I heard something about the ASA management interfaces are used for some kind of heartbeat mechanism for the IDS/IPS service in a failover scenario? Find this hard to believe since Cisco wants you to use mgmt. ports for out of band management.

8 Replies

Marvin Rhoads
Hall of Fame

Management of FirePOWER modules on an ASA (or in an HA pair of ASAs, or on an ASA cluster) is done via the physical ASA management interface on all the 5500-X models except the 5585-X (which has a separate management interface for the hardware module). In both cases, the FirePOWER management has its own unique IP address (even when the ASA M0/0 is active and configured, in which case the FirePOWER module's interface needs to be on the same subnet for routing off-net to work).

Just like on a legacy Sourcefire appliance, it's the FireSIGHT Management Center (formerly the Sourcefire Defense Center; appliance or VM) that actually manages the policy (or policies) on the sensor(s).

As far as the base ASA goes, it knows the status of the module via internal bus communications (see "show module" output). If there's a service policy actively directing traffic to the FirePOWER module, a healthy module is a prerequisite for an HA member to be Active (or Standby Ready).

Anything tracked via link status for failover on a management interface is not good in my opinion. The failure of a management interface should mean my units failover.

I'm not sure I follow your concern.

A FirePOWER module (hardware or software) does not track via link status on its management interface.

Failover follows the parent ASA in an HA configuration, and an ASA only marks a unit as ready if the ASA itself is healthy (hardware, system software, and monitored interfaces, which are user-configurable and may include the management interface but usually don't) and any installed modules, including the FirePOWER module, are healthy.

Ok, makes sense. So as long as I am not using the mgmt0 interface to track heartbeats between the ASAs, then the mgmt0 interface can be down and the units will not fail over.

You're correct it will not cause failover (assuming it's not a monitored interface per the failover setup).

Keep in mind, though, that the FireSIGHT Management Center is your only real view into the policies and traffic monitoring of the FirePOWER module. So you may get threat protection if the management interface is down, but you'll have to take Cisco's word on it. :)

I know the issue. If I reboot the IPS module within the ASA, the entire unit fails over because the IPS module is something being monitored in HA.

ASA01# show fail
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/7 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 516 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.2(2)4, Mate 9.2(2)4
Last Failover at: 23:09:02 CDT Oct 29 2014
        This host: Primary - Active
                Active time: 103544 (sec)
                slot 0: ASA5555 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
                  Interface management (172.20.33.10): Normal (Not-Monitored)
                  Interface NAS2Network (172.20.32.1): Normal (Monitored)
                  Interface NAS2Server (172.20.36.1): Link Down (Not-Monitored)
                  Interface NAS2CoreCard (172.20.38.1): Link Down (Not-Monitored)
                  Interface NAS2Workstation (172.20.40.1): Link Down (Not-Monitored)
                  Interface NAS2CCStage (172.20.42.1): Link Down (Not-Monitored)
                  Interface NAS2CCQA (172.20.44.1): Link Down (Not-Monitored)
                  Interface LOU2Replicate (172.20.63.1): Link Down (Not-Monitored)
                  Interface MigVlan (100.100.100.1): Normal (Monitored)
                slot 1: IPS5555 hw/sw rev (N/A/7.1(4)E4) status (Up/Up)
                  IPS, 7.1(4)E4, Up

Yes - when a service module (IPS or otherwise) is referenced in an ASA service-policy, that module must be UP for the ASA to be considered Ready for failover purposes.

Also - note that as of ASA 9.3 you have the following option:

By default, the ASA monitors the health of an installed hardware module such as the ASA FirePOWER module. If you do not want a hardware module failure to trigger failover, you can disable module monitoring.

We modified the following command: monitor-interface service-module
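To put the thread's points together in one place, here is an added example of an ASA 9.3(1)-or-later failover configuration; it is not from the original thread or from Cisco documentation, and the interface names (FAILOVER, inside, management), the link addresses and the class-map name are assumed placeholders:

```text
! Added example, not from the thread. Assumed: GigabitEthernet0/7 is the failover link,
! 10.0.0.0/30 is the link subnet, "inside" is the only data interface worth monitoring.
failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/7
failover interface ip FAILOVER 10.0.0.1 255.255.255.252 standby 10.0.0.2
failover polltime unit 1 holdtime 15
failover polltime interface 5 holdtime 25
!
! Only deliberately chosen data interfaces take part in interface-health monitoring.
! The management interface is excluded, so losing M0/0 link does not cause a switchover
! (it shows as "Not-Monitored" in show failover, as in the output above).
monitor-interface inside
no monitor-interface management
!
! ASA 9.3(1)+: module health is part of failover readiness by default. Disabling it means a
! reboot or failure of the FirePOWER (sfr) module no longer triggers a switchover.
no monitor-interface service-module
!
! Traffic redirection to the module. Once module monitoring is disabled, this keyword decides
! what happens to traffic on the active unit while the module is down:
!   sfr fail-open  -> traffic passes through the ASA uninspected
!   sfr fail-close -> traffic is dropped until the module is back up
class-map sfr-class
 match any
policy-map global_policy
 class sfr-class
  sfr fail-open
service-policy global_policy global
!
! Verification after applying: the module should report Up and the management interface
! Not-Monitored in "show failover"; "show module sfr" shows the module's own status.
```

The trade-off is the one the earlier replies circle around: with module monitoring left on, a module reboot fails the whole unit over to a peer whose module is healthy; with it off, the unit stays active and fail-open or fail-close decides whether traffic is forwarded uninspected or dropped while the module is down. Note that the "show failover" output above is from 9.2(2)4, where the "no monitor-interface service-module" option does not yet exist, so on that release a module restart will always trigger failover if the module is referenced in the service policy.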
