Community Member

IPS failover with ASA5520

We have a pair of 5520s set as active/standby; both have an AIP-SSM.

Both AIPs are set to auto-update the sig files, so that's not an issue, but what about the active detection? The primary IPS will have seen a lot of traffic that the failover IPS has not; how will the active rule sets be affected when the ASA fails over to the standby unit? Will I have "holes" in my security from missing rule sets?

Accepted Solution

Re: IPS failover with ASA5520

Hi,

The IPS units are completely independent and won't synchronise anything without extra help (e.g. by using Security Manager or suchlike).

Having them auto-update is good, but you also need to make sure all the config is replicated, so when you make a change on one you have to remember to make the same change on the other.

In the normal situation the active IPS is forwarding traffic (and the standby sees nothing), but when they fail over the standby IPS is suddenly in the active ASA - it doesn't know that the other IPS is out of action, it just sees traffic which it will inspect according to its configuration.

HTH

Andrew.
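
Since the two sensors never synchronise, the practical risk Andrew describes is silent configuration drift: a change applied on the active AIP-SSM but forgotten on the standby only shows up after a failover. The script below is an added example (not Cisco code and not part of this thread) of a drift check you could run against exported configuration from both sensors. It assumes a simplified, constructed "key ... value" line format standing in for each sensor's export; the sample lines are invented for illustration and are not real Cisco IPS CLI syntax.

```python
"""Config-drift check between two independently managed IPS sensors.

Added example: parses a simplified 'key ... value' export from each sensor
and reports settings that are missing on one side or differ in value.
The export format and sample lines are constructed for illustration.
"""
from typing import Dict, List, Tuple

# Constructed sample exports (hypothetical format, not real Cisco IPS syntax).
ACTIVE_CONFIG = """
! exported from the sensor in the active ASA
signature 2004 enabled true
signature 2004 action deny-packet
signature 3050 enabled true
signature 3050 action produce-alert
event-action-override high deny-attacker
auto-update enabled true
"""

STANDBY_CONFIG = """
! exported from the sensor in the standby ASA
signature 2004 enabled true
signature 2004 action produce-alert
signature 3050 enabled false
auto-update enabled true
"""


def parse_config(text: str) -> Dict[str, str]:
    """Turn config lines into {key: value}.

    The last whitespace-separated token is the value; everything before it is
    the key. Blank lines and '!' comment lines are skipped, and lines with
    fewer than two tokens are ignored as malformed.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        settings[" ".join(parts[:-1])] = parts[-1]
    return settings


def drift_report(active_text: str, standby_text: str) -> Dict[str, list]:
    """Classify every difference between the two exports.

    Returns sorted lists so the output is stable and easy to diff over time:
      missing_on_standby: keys present only on the active sensor
      missing_on_active:  keys present only on the standby sensor
      mismatch:           (key, active_value, standby_value) where both have
                          the key but the values differ
    """
    active = parse_config(active_text)
    standby = parse_config(standby_text)
    missing_on_standby: List[str] = sorted(set(active) - set(standby))
    missing_on_active: List[str] = sorted(set(standby) - set(active))
    mismatch: List[Tuple[str, str, str]] = sorted(
        (key, active[key], standby[key])
        for key in set(active) & set(standby)
        if active[key] != standby[key]
    )
    return {
        "missing_on_standby": missing_on_standby,
        "missing_on_active": missing_on_active,
        "mismatch": mismatch,
    }


def in_sync(active_text: str, standby_text: str) -> bool:
    """True only when no category of drift was found."""
    return not any(drift_report(active_text, standby_text).values())


if __name__ == "__main__":
    report = drift_report(ACTIVE_CONFIG, STANDBY_CONFIG)
    for category, items in report.items():
        for item in items:
            print(f"{category}: {item}")
    print("in sync" if in_sync(ACTIVE_CONFIG, STANDBY_CONFIG) else "DRIFT DETECTED")
```

Run periodically (or after every change window) with real exports substituted for the constructed samples; any entry under `missing_on_standby` or `mismatch` is a setting that would behave differently the moment the standby ASA becomes active.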

2 REPLIES
Community Member

Re: IPS failover with ASA5520

Check the available memory by using the show memory command to make sure that the Cisco ASA has free memory in the system. If no memory is available, add more memory.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_71/conf_gd/index.htm
