Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Cisco FirePOWER Services within the ASA platform

So back in the old days when IDS/IPS was a module for the ASA it had its own Ethernet port for management. How is management done now with the new platforms and Fire Source? I heard something about the ASA management interfaces are used for some kind of heartbeat mechanism for the IDS/IPS service in a failover scenario? Find this hard to believe since Cisco wants you to use mgmt. ports for out of band management.

8 REPLIES
Hall of Fame Super Silver

Management of FirePOWER

Management of FirePOWER modules on an ASA (or in an HA pair of ASAs or on an ASA cluster) is done via the physical ASA management interface on all the 5500-X models except the 5585-X (which has a separate management interface for the hardware module). In both cases, the FirePOWER management has its own unique IP address (even when the ASA M0/0 is active and configured - in which case the FirePOWER module's interface needs to be on the same subnet for routing off-net to work).

Just like on a legacy Sourcefire appliance, it's the FireSIGHT Management Center (former Sourcefire Defense Center (appliance or VM) that actually manages the policy (or policies) on the sensor(s).

As far as the base ASA, it knows of the status of the module via internal bus communications (see "show module" output). If there's a service policy actively directing traffic to the FirePOWER module, a healthy module is a prerequisite for an HA member to be active (or Standby ready)

Community Member

Anything tracked via link

Anything tracked via link status for failover on a management interface is not good in my opinion. The failure of a management interface should mean my units failover.

Hall of Fame Super Silver

I'm not sure I follow your

I'm not sure I follow your concern.

A FirePOWER module (hardware or software) does not track via link status on its management interface.

Failover follows the parent ASA in an HA configuration and an ASA only marks a unit as ready if both the ASA itself is healthy (hardware, system software, monitored interfaces (which are user-configurable and may include the management interface but don't usually) and any modules including the FirePOWER module).

Community Member

Ok makes sense, so as long as

Ok makes sense, so as long as I am not using the mgmt0 interface to track heartbeats between the ASA's then mgmt0 interface can be down and units will not failover.

Hall of Fame Super Silver

You're correct it will not

You're correct it will not cause failover (assuming it's not a monitored interface per the failover setup).

Keep in mind though the the FireSIGHT Management Center is your only real view into the policies and traffic monitoring of the FirePOWER module. So, you may get threat protection if the management interface is down but you'll have to take Cisco's word on it. :)

 

Community Member

I know the issue. If I reboot

I know the issue. If I reboot the IPS module within the ASA the entire unit fails over cause the IPS module is something being monitored in HA.

 


ASA01# show fail
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/7 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 516 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.2(2)4, Mate 9.2(2)4
Last Failover at: 23:09:02 CDT Oct 29 2014
        This host: Primary - Active
                Active time: 103544 (sec)
                slot 0: ASA5555 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
                  Interface management (172.20.33.10): Normal (Not-Monitored)
                  Interface NAS2Network (172.20.32.1): Normal (Monitored)
                  Interface NAS2Server (172.20.36.1): Link Down (Not-Monitored)
                  Interface NAS2CoreCard (172.20.38.1): Link Down (Not-Monitored)
                  Interface NAS2Workstation (172.20.40.1): Link Down (Not-Monitored)
                  Interface NAS2CCStage (172.20.42.1): Link Down (Not-Monitored)
                  Interface NAS2CCQA (172.20.44.1): Link Down (Not-Monitored)
                  Interface LOU2Replicate (172.20.63.1): Link Down (Not-Monitored)
                  Interface MigVlan (100.100.100.1): Normal (Monitored)
                slot 1: IPS5555 hw/sw rev (N/A/7.1(4)E4) status (Up/Up)
                  IPS, 7.1(4)E4, Up

Hall of Fame Super Silver

Yes - when a service module

Yes - when a service module (IPS or otherwise) is referenced in an ASA service-policy, that module must be UP for the ASA to be considered Ready for failover purposes.

Hall of Fame Super Silver

Also - note that as of ASA 9

Also - note that as of ASA 9.3 you have the following option:

By default, the ASA monitors the health of an installed hardware module such as the ASA FirePOWER module. If you do not want a hardware module failure to trigger failover, you can disable module monitoring.

We modified the following command: monitor-interface service-module

3815
Views
0
Helpful
8
Replies
CreatePlease to create content