Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
447
Views
0
Helpful
2
Replies

IPS failover with ASA5520

Go to solution
rmaxson2
Level 1
Level 1

‎01-30-2008 12:46 PM - edited ‎03-10-2019 03:57 AM

We have a pair of 5520s set as active/standby both have a AIP-SSM.

Both AIP's are set to auto update the sig files so thats not an issue but what about the active detection? The primary IPS will have seen a lot of traffic that the failover IPS has not how will the active rule sets be effected when the ASA fails over to the standby unit? Will I have "holes" in my security from missing rule sets?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
andrew.burns
Level 7
Level 7

‎02-06-2008 01:06 AM

Hi,

The IPS units are completely independant and won't synchronise anything without extra help (e.g. by using Security Manager or suchlike).

Having them auto-update is good, but you also need to make sure all the config is replicated, so when you make a change on one you have to remember to make the same change on the other.

In the normal situation the active IPS is forwarding traffic (and the standby sees nothing) but when they failover the standby IPS is suddenly in the active ASA - it doesn't know that the other IPS is out of action, it just sees traffic which it will inspect according to it's configuration.

HTH

Andrew.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
sadbulali
Level 4
Level 4

‎02-05-2008 01:42 PM

Check the available memory by using the show memory command to make sure that the Cisco ASA has free memory in the system. If no memory is available, add more memory.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_71/conf_gd/index.htm

0 Helpful

Go to solution
andrew.burns
Level 7
Level 7

‎02-06-2008 01:06 AM

Hi,

The IPS units are completely independant and won't synchronise anything without extra help (e.g. by using Security Manager or suchlike).

Having them auto-update is good, but you also need to make sure all the config is replicated, so when you make a change on one you have to remember to make the same change on the other.

In the normal situation the active IPS is forwarding traffic (and the standby sees nothing) but when they failover the standby IPS is suddenly in the active ASA - it doesn't know that the other IPS is out of action, it just sees traffic which it will inspect according to it's configuration.

HTH

Andrew.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card