IPS Redundnacy using two ASA5510s with SSM10

spabbi100 · ‎01-12-2007

I have following question on IPS redundancy,

we have purchased two ASA 5510 units , each with built-in ASA-SSM-10 module.

Our main focus is to use the Active/Standby redundancy for the firewall (which is straight forward)

When the Active Firewall fails and the Standby unit takes over - is IPS functionality also fails over automatically ??

if not, what are the available options to achieve that, in case say the Active unit is taken out for maintenance, how to make Standby unit take over for both Firewall/IPS functionality ??

Thanks in advance,

Sanjeev

andrew.burns · ‎01-15-2007

Hi,

The fundamental problem with this scenario is that you have non-failover capable modules in a failover chassis - think of the ASA failover pair as one device and the IPS modules as two completely separate devices. (In a failover scenario the ASA's swap IP's but the IPS's don't.)

Don't forget that you have to manually replicate all IPS configuration every time you make a change - they don't communicate in any way.

HTH - plz rate if useful

Andrew.

marcabal · ‎01-16-2007

The IPS module will monitor whatever traffic is passing through the ASA in which it is located.

So if traffic fails from the primary ASA to the secondary ASA.

Then the SSM in the secondary ASA will start monitoring the traffic as soon as it starts flowing through that secondary ASA.

No extra configuration is needed to make that happen, it happens as part of the standard ASA failover.

The IPS configuration, on the other hand, is Not sync'd between the 2 IPS modules. You will need to configure each IPS module independantly.

There is no state sharing between the 2 IPS modules. So when traffic fails from the primary ASA to the secondary ASA, the IPS inthe secondary will just begin to monitor those connections as if they were new connections.