The fundamental problem with this scenario is that you have non-failover capable modules in a failover chassis - think of the ASA failover pair as one device and the IPS modules as two completely separate devices. (In a failover scenario the ASAs swap IPs but the IPS modules don't.)
Don't forget that you have to manually replicate all IPS configuration every time you make a change - they don't communicate in any way.
The IPS module will monitor whatever traffic is passing through the ASA in which it is located.
So if traffic fails over from the primary ASA to the secondary ASA, then the SSM in the secondary ASA will start monitoring the traffic as soon as it starts flowing through that secondary ASA.
No extra configuration is needed to make that happen, it happens as part of the standard ASA failover.
The IPS configuration, on the other hand, is not synced between the 2 IPS modules. You will need to configure each IPS module independently.
There is no state sharing between the 2 IPS modules. So when traffic fails over from the primary ASA to the secondary ASA, the IPS in the secondary will just begin to monitor those connections as if they were new connections.
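Both replies above make the same operational point: the two IPS modules never exchange configuration, so every change has to be replicated by hand, and a missed change only shows up when traffic fails over to the module that was forgotten. The script below is an added example, not part of either post and not a Cisco tool: it takes two text exports of sensor configuration (the sample exports here are constructed, and the per-sensor lines it deliberately ignores, `host-name`, `host-ip` and the "last modified" header, are an assumption about the export format) and lists every configuration line present on one module but missing on the other.

```python
"""Compare configuration exports from two IPS/SSM modules that sit in an
ASA failover pair, to catch policy that was changed on one module and never
replicated to the other. Added example; the sample exports are constructed."""
from __future__ import annotations

import re
from collections import Counter
from typing import NamedTuple

# Lines that legitimately differ between the two modules (per-sensor identity
# and the export timestamp). These patterns are an assumption for illustration.
PER_SENSOR_PATTERNS = [
    re.compile(r"^host-name\s"),
    re.compile(r"^host-ip\s"),
    re.compile(r"^!\s*Current configuration last modified"),
]

# Constructed sample export for the module in the primary ASA.
PRIMARY_CONFIG = """\
! Constructed sample, not a real sensor export
! Current configuration last modified Mon Jan 01 00:00:00 2024
service host
network-settings
host-ip 10.1.1.10/24,10.1.1.1
host-name ssm-primary
exit
exit
service signature-definition sig0
signatures 2004 0
status
enabled true
exit
engine atomic-ip
event-action produce-alert|deny-packet-inline
exit
exit
exit
service event-action-rules rules0
overrides deny-packet-inline
risk-rating-range 90-100
exit
exit
"""

# Constructed sample export for the module in the secondary ASA: identical
# except for its identity lines and a deny override that was never replicated.
SECONDARY_CONFIG = """\
! Constructed sample, not a real sensor export
! Current configuration last modified Tue Jan 02 00:00:00 2024
service host
network-settings
host-ip 10.1.1.11/24,10.1.1.1
host-name ssm-secondary
exit
exit
service signature-definition sig0
signatures 2004 0
status
enabled true
exit
engine atomic-ip
event-action produce-alert|deny-packet-inline
exit
exit
exit
service event-action-rules rules0
exit
"""


class ConfigDiff(NamedTuple):
    only_in_primary: list[str]    # policy present on primary, missing on secondary
    only_in_secondary: list[str]  # policy present on secondary, missing on primary
    ignored: int                  # per-sensor lines skipped on both sides


def normalize(config_text: str) -> tuple[list[str], int]:
    """Return the policy lines of an export (order kept), plus the count of
    per-sensor lines that were skipped. Blank lines and '!' comments are dropped."""
    lines: list[str] = []
    ignored = 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if any(p.match(line) for p in PER_SENSOR_PATTERNS):
            ignored += 1
            continue
        if line.startswith("!"):
            continue
        lines.append(line)
    return lines, ignored


def _excess(a: list[str], b: list[str]) -> list[str]:
    """Lines of `a` not matched by an occurrence in `b`, in `a`'s order.
    Uses multiset matching so a missing structural 'exit' is also reported."""
    budget = Counter(b)
    out = []
    for line in a:
        if budget[line] > 0:
            budget[line] -= 1
        else:
            out.append(line)
    return out


def compare_sensor_configs(primary: str, secondary: str) -> ConfigDiff:
    """Diff two sensor exports after removing per-sensor identity lines."""
    p_lines, p_ignored = normalize(primary)
    s_lines, s_ignored = normalize(secondary)
    return ConfigDiff(
        only_in_primary=_excess(p_lines, s_lines),
        only_in_secondary=_excess(s_lines, p_lines),
        ignored=p_ignored + s_ignored,
    )


def is_in_sync(diff: ConfigDiff) -> bool:
    """True when neither module carries policy the other lacks."""
    return not diff.only_in_primary and not diff.only_in_secondary


if __name__ == "__main__":
    diff = compare_sensor_configs(PRIMARY_CONFIG, SECONDARY_CONFIG)
    print("in sync:", is_in_sync(diff))
    for line in diff.only_in_primary:
        print("missing on secondary:", line)
    for line in diff.only_in_secondary:
        print("missing on primary:  ", line)
```

Run it with the two real exports in place of the constructed strings; any line it reports is policy that will silently stop applying the moment the ASA pair fails over. Because the comparison is a multiset of lines rather than a structural parse, it also flags an unbalanced `exit`, which is the usual symptom of a block pasted incompletely into the second module.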