I had the same issue with a client and I did chat to the Cisco TAC:
"Failover occurs when an interface goes down. The SSM is like an interface on the ASA, so if the SSM goes down, FO will occur."
I assume the active/standby failover works as is with v.6.x. If so, then once the secondary unit takes over, it will be active until it fails, regardless of whether the primary unit is back up or not. You may manually force it back, but then it is not recommended.
Another add-on: both primary and secondary units have to have identical hardware and software, and so does the SSM module.
AFAIK, both units run the same configuration. The primary unit will push the configuration down to the secondary unit.
When configuring failover, you need to specify the standby unit IP address. So when failover takes place, whichever unit becomes active will use the primary IP, whereas the standby will use the standby IP.
So basically one SSM is active, seeing traffic and reporting. The other SSM (on the standby ASA) is reachable via its management port/address, but isn't seeing any traffic because its ASA isn't passing traffic. Right?
I do not agree with the configuration replication on the standby SSM.
What I have observed is that configuration sync will happen for what is defined in the ASA box, but the configuration which we have done on the SSM module will not get replicated.
Which means that configuration like the timezone setting and allowed host setting on the SSM module will not get replicated on the second SSM module, and we have to do it manually. Even the signature configuration setting will not get replicated.
I also have a doubt about the SSM module failover. If my SSM module goes down, then how will it sense that? It is connected to the backplane, and the failover configuration we do on the physical interface is available on the ASA.
I tried to find some document on Cisco about this doubt, but I am not able to find much detail.
You're correct in that this isn't well documented, but here's how it works:
1) The ASAs DO perform configuration replication.
2) The SSMs DO NOT perform any kind of configuration replication, hence you need to manually keep them in sync. I asked Cisco about this and got the following reply: "The best thing to do is use IPS MC (CiscoWorks VMS) or better wait for the version with Cisco Security Manager (end of March) and configure an IDS signature policy."
3) If the SSM module in the primary ASA fails then the ASA WILL failover.