Solved: IPS Modules in Active/Passive failover ASA config

graham.fleming · ‎09-23-2009

Hey guys,

We have two ASA's in an active/passive failover situation each with an AIP-SSM-20 IPS module.

Are these modules meant to synchronize their configs like the ASA's do? Or are they each a separate entity and each need to be configured separately?

Thanks for any help!

marcabal · ‎09-23-2009

Each will need their own IP, and each will need to be separately configured.

They will not communicate with each other and will not share configuration.

You will need to ensure config changes in one are made on the other.

You monitoring station will need to pull events from both sensors.

The SSMs rely on the ASA for tracking TCP state so they will work fine within an ASA failover design.

View solution in original post

marcabal · ‎09-23-2009

Each will need their own IP, and each will need to be separately configured.

They will not communicate with each other and will not share configuration.

You will need to ensure config changes in one are made on the other.

You monitoring station will need to pull events from both sensors.

The SSMs rely on the ASA for tracking TCP state so they will work fine within an ASA failover design.

graham.fleming · ‎09-23-2009

Thanks a lot for the information! By the way, is that made availalbe on Cisco's website anywhere? I looked through a lot of documentation and couldn't find it anywhere.