New Member

Should reboot of ASM-SSM-10 cause ASA failover?

I have two ASA 5520's with SSM-10 modules configured in active/standby failover mode running 7.2(1).

The IPS policy on the ASA is configured for IPS inline and to permit traffic if the module fails. The ASA Criteria tab has the number of interfaces that triggers failover set to 2. The SSM Bypass mode is configured for Auto.

If I execute a reboot of the sensor from the GUI (where it states it safely shuts down and reboots the sensor), should it cause the ASA to fail over to the secondary?

Thanks.

5 REPLIES
Silver

Re: Should reboot of ASM-SSM-10 cause ASA failover?

A reboot of the SSM module will trigger failover to the secondary ASA. When this happens, the following debug message is logged if debugs are enabled:

fover_health_monitoring_thread: Primary: Switching to FAILED for reason Detect service card failure.

Regards,

Vibhor.

New Member

Re: Should reboot of ASM-SSM-10 cause ASA failover?

That is correct. I have 2 sets of ASAs with AIP SSMs and even adding a new Sig update will cause the ASAs to failover. The ASA reads the reload of the SSM card as a failure and fails from primary to secondary.

New Member

Re: Should reboot of ASM-SSM-10 cause ASA failover?

Hello,

I wish I could help but I have very little knowledge of IPS.

I also have a pair of ASA 5520s that I was told are configured for IPS. But I can't find anything matching or describing an IPS configuration in the 'show run' from the CLI. Can anyone tell me how to get there to view the IPS config that is apparently incomplete (no signature update, notification etc. are also missing)? What command do I need to issue to view IPS config details? Can this be done from the CLI?

Thanks in advance.

Oumar

Bronze

Re: Should reboot of ASM-SSM-10 cause ASA failover?

I don't know if this posting has been closed but you can access the module through the CLI:

firewall# session 1

This will take you to the module. Once there, just do a show conf to see the configuration.

New Member

Re: Should reboot of ASM-SSM-10 cause ASA failover?

Originally, Cisco called this a bug.. I don't know if it's being considered a feature now, or if it's still a bug, and if so when it might be fixed; this is a real pain because a number of signature updates reload at the end, which triggers a failover...

My .02....
