So back in the old days when IDS/IPS was a module for the ASA it had its own Ethernet port for management. How is management done now with the new platforms and Fire Source? I heard something about the ASA management interfaces being used for some kind of heartbeat mechanism for the IDS/IPS service in a failover scenario? I find this hard to believe since Cisco wants you to use mgmt. ports for out-of-band management.
Management of FirePOWER modules on an ASA (or in an HA pair of ASAs or on an ASA cluster) is done via the physical ASA management interface on all the 5500-X models except the 5585-X (which has a separate management interface for the hardware module). In both cases, the FirePOWER management has its own unique IP address (even when the ASA M0/0 is active and configured - in which case the FirePOWER module's interface needs to be on the same subnet for routing off-net to work).
Just like on a legacy Sourcefire appliance, it's the FireSIGHT Management Center (formerly the Sourcefire Defense Center; appliance or VM) that actually manages the policy (or policies) on the sensor(s).
As far as the base ASA, it knows the status of the module via internal bus communications (see "show module" output). If there's a service policy actively directing traffic to the FirePOWER module, a healthy module is a prerequisite for an HA member to be Active (or Standby Ready).
A FirePOWER module (hardware or software) does not track via link status on its management interface.
Failover follows the parent ASA in an HA configuration and an ASA only marks a unit as ready if both the ASA itself is healthy (hardware, system software, monitored interfaces (which are user-configurable and may include the management interface but don't usually) and any modules including the FirePOWER module).
You're correct it will not cause failover (assuming it's not a monitored interface per the failover setup).
Keep in mind though that the FireSIGHT Management Center is your only real view into the policies and traffic monitoring of the FirePOWER module. So, you may get threat protection if the management interface is down but you'll have to take Cisco's word on it. :)
I know the issue. If I reboot the IPS module within the ASA the entire unit fails over because the IPS module is something being monitored in HA.
ASA01# show fail
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/7 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 516 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.2(2)4, Mate 9.2(2)4
Last Failover at: 23:09:02 CDT Oct 29 2014
        This host: Primary - Active
                Active time: 103544 (sec)
                slot 0: ASA5555 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
                  Interface management (172.20.33.10): Normal (Not-Monitored)
                  Interface NAS2Network (172.20.32.1): Normal (Monitored)
                  Interface NAS2Server (172.20.36.1): Link Down (Not-Monitored)
                  Interface NAS2CoreCard (172.20.38.1): Link Down (Not-Monitored)
                  Interface NAS2Workstation (172.20.40.1): Link Down (Not-Monitored)
                  Interface NAS2CCStage (172.20.42.1): Link Down (Not-Monitored)
                  Interface NAS2CCQA (172.20.44.1): Link Down (Not-Monitored)
                  Interface LOU2Replicate (172.20.63.1): Link Down (Not-Monitored)
                  Interface MigVlan (100.100.100.1): Normal (Monitored)
                slot 1: IPS5555 hw/sw rev (N/A/7.1(4)E4) status (Up/Up)
                  IPS, 7.1(4)E4, Up
Also - note that as of ASA 9.3 you have the following option:
By default, the ASA monitors the health of an installed hardware module such as the ASA FirePOWER module. If you do not want a hardware module failure to trigger failover, you can disable module monitoring.
We modified the following command: monitor-interface service-module
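The two points above (what "show failover" exposes about monitored interfaces and module status, and the 9.3 option to stop module health from counting toward failover) can be checked mechanically. The following is an added example script, not code from the thread or from Cisco: it parses a constructed "show failover" sample modelled on the output posted earlier, reads a constructed running-config fragment, and reports whether a service-module failure or a management-link loss would trigger failover on this unit. It assumes the disabling syntax is the "no" form of the command quoted above (no monitor-interface service-module) and that releases before 9.3 always monitor the module; interface names and addresses in the sample are illustrative.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed "show failover" sample modelled on the thread's output.
# Addresses (RFC 5737 ranges) and counters are illustrative.
SHOW_FAILOVER = """\
ASA01# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/7 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 1 of 516 maximum
Version: Ours 9.2(2)4, Mate 9.2(2)4
        This host: Primary - Active
                Active time: 103544 (sec)
                slot 0: ASA5555 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
                  Interface management (172.20.33.10): Normal (Not-Monitored)
                  Interface inside (192.0.2.1): Normal (Monitored)
                  Interface dmz (198.51.100.1): Link Down (Not-Monitored)
                slot 1: IPS5555 hw/sw rev (N/A/7.1(4)E4) status (Up/Up)
                  IPS, 7.1(4)E4, Up
"""

# Constructed running-config fragment; the "no" form of the 9.3 command is an
# assumption about the disabling syntax, not text taken from the thread.
RUNNING_CONFIG = """\
failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/7
no monitor-interface service-module
monitor-interface inside
"""

IFACE_RE = re.compile(r"^\s*Interface (?P<name>\S+) \((?P<ip>[^)]*)\): (?P<state>.+?) "
                      r"\((?P<mon>Monitored|Not-Monitored)\)\s*$")
# rev uses greedy .* because the software revision contains its own parentheses.
SLOT_RE = re.compile(r"^\s*slot (?P<slot>\d+): (?P<model>\S+) hw/sw rev \((?P<rev>.*)\) "
                     r"status \((?P<status>[^)]*)\)\s*$")
VERSION_RE = re.compile(r"^Version: Ours (?P<ours>\S+), Mate (?P<mate>\S+)")
HOST_RE = re.compile(r"^\s*(This|Other) host:")


@dataclass
class Interface:
    name: str
    ip: str
    state: str
    monitored: bool


@dataclass
class Module:
    slot: int
    model: str
    status: str


@dataclass
class FailoverState:
    failover_on: bool = False
    version: Optional[str] = None
    interfaces: List[Interface] = field(default_factory=list)
    modules: List[Module] = field(default_factory=list)


def parse_show_failover(text: str) -> FailoverState:
    """Collect version, interface monitoring and module status for 'This host'."""
    st = FailoverState()
    in_this_host = False
    for line in text.splitlines():
        if line.strip() == "Failover On":
            st.failover_on = True
            continue
        m = VERSION_RE.match(line.strip())
        if m:
            st.version = m["ours"]
            continue
        m = HOST_RE.match(line)
        if m:
            in_this_host = m.group(1) == "This"
            continue
        if not in_this_host:
            continue
        m = IFACE_RE.match(line)
        if m:
            st.interfaces.append(Interface(m["name"], m["ip"], m["state"], m["mon"] == "Monitored"))
            continue
        m = SLOT_RE.match(line)
        if m and int(m["slot"]) > 0:  # slot 0 is the ASA itself, not a service module
            st.modules.append(Module(int(m["slot"]), m["model"], m["status"]))
    return st


def version_tuple(version: str):
    m = re.match(r"(\d+)\.(\d+)", version)
    return (int(m.group(1)), int(m.group(2))) if m else (0, 0)


def module_monitoring_enabled(config: str, version: str) -> bool:
    """Pre-9.3: module health always counts. 9.3+: counts unless disabled in config."""
    if version_tuple(version) < (9, 3):
        return True
    return not any(l.strip() == "no monitor-interface service-module" for l in config.splitlines())


def assess(show_failover: str, running_config: str) -> dict:
    st = parse_show_failover(show_failover)
    monitored = module_monitoring_enabled(running_config, st.version or "0.0")
    return {
        "failover_on": st.failover_on,
        "version": st.version,
        "monitored_interfaces": [i.name for i in st.interfaces if i.monitored],
        "unmonitored_link_down": [i.name for i in st.interfaces
                                  if not i.monitored and "Link Down" in i.state],
        "modules": [(m.slot, m.model, m.status) for m in st.modules],
        "module_failure_triggers_failover": st.failover_on and bool(st.modules) and monitored,
        "mgmt_loss_triggers_failover": any(i.name == "management" and i.monitored
                                           for i in st.interfaces),
    }


if __name__ == "__main__":
    for k, v in assess(SHOW_FAILOVER, RUNNING_CONFIG).items():
        print(f"{k}: {v}")
```

Run against the 9.2 sample the result says a module failure does trigger failover even though the config carries the disabling line, because that command only exists from 9.3; swapping the version string in the sample to 9.3(1) flips the verdict. Management-link loss is reported as non-triggering because the interface shows Not-Monitored, matching the earlier answer.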