Our company is looking at an IPS solution and I've heard pros and cons about using IPS modules for the ASAs versus standalone units. Our basic physical topology is a 5515 pair in active/standby w/ a L2L vpn to another fw pair at a colo.
I had worked with them years ago and remember some issue about the modules not knowing if the ASA changed from active to standby or back. I can't remember exactly what the issue was, but it seemed to be a real pain.
For those with plenty of experience with both solutions, would you recommend the ASA modules or the standalone units?
The built-in units cause too many failovers of production environments based on all of the bugs Cisco has - when the IPS engine stops responding or becomes busy, the module is marked as 'failed' by the firewall. This causes a failover event on the device, regardless of fail-open/fail-closed settings. Cisco's recent instability on the IPS module would have me encourage you to look at an alternative topology - external IPS are a better bet.
We manage several customers that have IPS running on ASAs configured in active/standby mode. The active IPS unit is always in the active ASA, so when there is a failover the active IPS will be the sensor running on the new active ASA. A failure in the IPS module of the active ASA will cause a failover event to trigger.
As jp.senior noted, there have been somewhat recent issues with signatures causing the IPS units to crash, and in light of that we have a policy to update the active unit to the most recent signature ASAP and only upgrade the standby IPS after the signature proves stable for 5 days. This way we always have an IPS sensor that is capable of running stably in the event of a problem signature.
So, if it is critical for your organization to not have a failover during business hours, then you may want to go with a standalone unit. The standalone units cost a ton more than they used to, so you'll have to take that into account in your decision.