Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
529
Views
5
Helpful
5
Replies

How do I use Cisco MARS to monitor two ASA (active/stby) with IPS modules?

Go to solution
zhichao
Level 1
Level 1

‎05-29-2006 01:39 AM - edited ‎03-10-2019 03:02 AM

Hi

The two ASA with IPS modules are in active/standby mode. When I try to add both the two IP (active/standby) into the MARS, the MARS will complain duplicated hostnames.

How to setup MARS to monitor ASA with IPS with active standby topology?

Thanks!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
andrew.burns
Level 7
Level 7

‎05-31-2006 02:22 AM

Hi,

The fundamental problem with this scenario is that you have non-failover capable modules in a failover chassis - think of the ASA failover pair as one device and the IPS modules as two completely separate devices.

Then, as already mentioned, add only the primary ASA. (The secondary will never be passing traffic in standby mode so it's not actually needed in MARS) Then, with the first IPS module you can add it as a module of the ASA or as a standalone device (MARS doesn't care). With the second IPS module the only option is to add it as a separate device anyway.

In a failover scenario the ASA's swap IP's but the IPS's don't so whereas you'll only ever get messages from the active ASA you'll get messages from both IPS IP's depending on which one happens to be in the active ASA at the time.

Don't forget that you have to manually replicate all IPS configuration every time you make a change.

HTH

Andrew.

View solution in original post

5 Replies 5

Go to solution
Fernando_Meza
Level 7
Level 7

‎05-30-2006 03:30 AM

Hi ...I don't think you can add them both. As you have a failover configuration then only one IP ( the active ) is the one you need to bring reports from. I suggest you to configure the Management IP address for the ASAs and add the active one only. Using the discovery option you should be able to add the IPS module as well once the ASA has been added.

0 Helpful

Go to solution
rfladischer
Level 1
Level 1

‎05-30-2006 05:15 AM

you must add the asa with the primary ip address and then add both ips modules (with different ip addr. and different hostnames).

0 Helpful

Go to solution
zhichao
Level 1
Level 1
In response to rfladischer

‎05-30-2006 06:25 AM

Hi

You mean both the two IPS as the modules to the same ASA IP?

Thanks!

0 Helpful

Go to solution
a.kiprawih
Level 7
Level 7

‎05-30-2006 06:55 AM

Hi,

Refer to my post http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=General&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddb520e

You can only add the active IP, not both active & standby.

Rgds,

AK

0 Helpful

Go to solution
andrew.burns
Level 7
Level 7

‎05-31-2006 02:22 AM

Hi,

The fundamental problem with this scenario is that you have non-failover capable modules in a failover chassis - think of the ASA failover pair as one device and the IPS modules as two completely separate devices.

Then, as already mentioned, add only the primary ASA. (The secondary will never be passing traffic in standby mode so it's not actually needed in MARS) Then, with the first IPS module you can add it as a module of the ASA or as a standalone device (MARS doesn't care). With the second IPS module the only option is to add it as a separate device anyway.

In a failover scenario the ASA's swap IP's but the IPS's don't so whereas you'll only ever get messages from the active ASA you'll get messages from both IPS IP's depending on which one happens to be in the active ASA at the time.

Don't forget that you have to manually replicate all IPS configuration every time you make a change.

HTH

Andrew.

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card