Cisco Support Community

IPS Advice...

Our company is looking at an IPS solution and I've heard pros and cons about using IPS modules for the ASAs versus standalone units. Our basic physical topology is a 5515 pair in active/standby with a L2L VPN to another firewall pair at a colo.

I had worked with them years ago and remember some issue about the modules not knowing if the ASA changed from active to standby or back. I can't remember exactly what the issue was, but it seemed to be a real pain.

For those with plenty of experience with both solutions, would you recommend the ASA modules or the standalone units?

2 REPLIES
IPS Advice...

The built-in units cause too many failovers of production environments based on all of the bugs Cisco has. When the IPS engine stops responding or becomes busy, the module is marked as 'failed' by the firewall. This causes a failover event on the device, regardless of fail-open/fail-closed settings. Cisco's recent instability on the IPS module would have me encourage you to look at an alternative topology; external IPS are a better bet.

IPS Advice...

We manage several customers that have IPS running on ASAs configured in active/standby mode. The active IPS unit is always in the active ASA, so when there is a failover the active IPS will be the sensor running on the new active ASA. A failure in the IPS module of the active ASA will cause a failover event to trigger.

As jp.senior noted, there have been somewhat recent issues with signatures causing the IPS units to crash, and in light of that we have a policy to update the active unit to the most recent signature ASAP and only upgrade the standby IPS after the signature proves stable for 5 days. This way we always have an IPS sensor that is capable of running stably in the event of a problem signature.

So, if it is critical for your organization to not have a failover during business hours, then you may want to go with a standalone unit. The standalone units cost a ton more than they used to, so you'll have to take that into account in your decision.

Jon.
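The staged signature-update policy Jon describes (push a new pack to the active sensor first, hold the standby back until the pack has soaked for five days, never leave the pair without a sensor on a known-good pack) is simple enough to encode as a rollout check. The following is an added example, not code from the thread or from Cisco; the sensor names, signature pack names (`S700` and so on), dates and the `SOAK_DAYS` value are constructed for illustration, and the `known_bad` set stands in for whatever list of withdrawn packs you maintain.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List

# Hypothetical policy parameter: how long a new signature pack must run on the
# active sensor before the standby sensor is allowed to receive it.
SOAK_DAYS = 5


@dataclass
class Sensor:
    name: str            # hypothetical sensor name
    role: str            # "active" or "standby": follows the ASA's failover role
    signature: str       # signature pack currently installed, e.g. "S700" (constructed)
    installed_on: date   # when that pack was installed on this sensor


def plan_signature_rollout(sensors: List[Sensor], latest: str, today: date,
                           known_bad: FrozenSet[str] = frozenset()) -> Dict[str, object]:
    """Decide which sensor gets `latest` today under the staged-rollout policy.

    Rules (as described in the thread, parameterised here):
      1. The active sensor is updated as soon as a new pack is available.
      2. The standby sensor is updated only after the active sensor has run the
         pack for SOAK_DAYS without it being withdrawn.
      3. A pack flagged bad is never pushed to either sensor.
    """
    active = next(s for s in sensors if s.role == "active")
    standby = next(s for s in sensors if s.role == "standby")
    update_now: List[str] = []
    hold: Dict[str, str] = {}

    if latest in known_bad:
        hold[active.name] = f"{latest} is flagged bad"
        hold[standby.name] = f"{latest} is flagged bad"
    else:
        if active.signature != latest:
            update_now.append(active.name)
        if standby.signature == latest:
            pass  # standby already current, nothing to do
        elif active.signature != latest:
            hold[standby.name] = f"active sensor not yet on {latest}"
        else:
            soaked = today - active.installed_on
            if soaked >= timedelta(days=SOAK_DAYS):
                update_now.append(standby.name)
            else:
                hold[standby.name] = f"{latest} soaked {soaked.days}/{SOAK_DAYS} days on active"

    # The invariant the policy protects: whatever happens to the active sensor,
    # the standby must still be running a pack that is not known to be bad.
    stable_fallback = standby.signature not in known_bad
    return {"update_now": update_now, "hold": hold, "stable_fallback": stable_fallback}


if __name__ == "__main__":
    # Constructed sample pair: active already on the new pack for three days.
    pair = [Sensor("ips-a", "active", "S701", date(2013, 5, 3)),
            Sensor("ips-b", "standby", "S700", date(2013, 4, 25))]
    print(plan_signature_rollout(pair, "S701", date(2013, 5, 6)))
```

Run daily against your sensor inventory, the `hold` reasons tell you why a sensor is being kept back, and `stable_fallback` turning false is the condition to alert on: it means a withdrawn pack has reached both sensors and a failover would no longer land on a known-good sensor.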
