Please keep in mind that the Fail Open capability of the Appliance sensors (except for the 4260 and 4270) is SOFTWARE Fail Open.
This means that if an IPS Sensor loses power you do not get put into bypass. If the sensor crashes badly enough you do not get put into bypass, because the sensor needs to realize that it has failed in order to put itself into bypass.
You have a few alternatives:
1) Put your single sensor in promiscuous mode. No matter how badly it fails, you will not impact traffic. You will not get in-line IPS dropping of single-packet attacks, but you can perform shunning (via an ACL) to a router or firewall.
2) Use an external Fail Open switch. There have been several forum discussions that describe how to use an external switch and STP to bypass a failed sensor. Switches are pretty reliable, more so than Sensors.
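As an added illustration of alternative 2 (this is not from the post above, nor from Cisco's own documentation), here is an IOS-style switch configuration for the STP bypass idea. The sensor's inline interface pair sits on one of two parallel links between two switches; the link through the sensor gets the lower STP cost, so it is the forwarding path, and the direct link is blocked while BPDUs keep arriving through the sensor. If the sensor dies without engaging its software bypass, BPDUs through it stop, the alternate port unblocks, and traffic flows over the direct link. Interface names, VLAN number and cost values are assumptions; it also assumes the sensor's inline pair forwards BPDUs transparently, which you should verify on your sensor before relying on this.

```cisco
! Switch A; switch B carries the mirror configuration on its two ports.
! Hypothetical interface names, VLAN and cost values.
!
! Path 1: Gi0/1 -> IPS sensor inline pair -> switch B.
! Low path cost, so STP prefers this link while it is healthy.
interface GigabitEthernet0/1
 description Monitored path through the IPS sensor inline pair
 switchport mode access
 switchport access vlan 10
 spanning-tree cost 10
!
! Path 2: Gi0/2 -> switch B directly (the bypass link).
! Higher path cost, so STP keeps it in discarding/blocking state
! as long as BPDUs still arrive via the sensor path.
interface GigabitEthernet0/2
 description Bypass link, blocked by STP until the sensor path goes silent
 switchport mode access
 switchport access vlan 10
 spanning-tree cost 1000
!
! Rapid PVST+ so the bypass link moves to forwarding within a few seconds
! of lost BPDUs instead of the roughly 50 s of classic 802.1D timers.
spanning-tree mode rapid-pvst
!
! Make switch B the root for the VLAN (configured on switch B) so that the
! blocking decision is made on switch A's alternate port as intended:
!   spanning-tree vlan 10 root primary
```

Two caveats a practitioner should keep in mind: the failover is driven entirely by missing BPDUs, so a sensor that keeps passing BPDUs while dropping or delaying everything else will not be bypassed; and with classic STP the outage lasts max-age plus two forward-delay periods before the bypass link forwards, so use RSTP and test the actual cutover time by pulling the sensor's power.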