ASA failover of SSM module is fail

j.doshi (Level 1)

Hi

I have one question about SSM Module failure in the ASA.

If the SSM module on the primary ASA fails, will failover of the ASA happen or not?

If I restart the SSM module on the primary ASA, will failover of the ASA happen or not?

Regards,

Jatin

7 Replies

jackko (Level 7)

I had the same issue with a client and I did chat to Cisco TAC:

"Failover occurs when an interface goes down. The SSM is like an interface on the ASA, so if the SSM goes down, FO will occur."

I assume the active/standby failover works as is with v6.x; if so, then once the secondary unit takes over it will be active until it fails, regardless of whether the primary unit is back up or not. You may manually force it back, but that is not recommended.

Another add-on: both the primary and secondary unit have to have identical hardware and software, and so does the SSM module.

So do the SSMs have to be configured EXACTLY the same? I thought you could have them each have a separate IP address and hostname?

AFAIK, both units run the same configuration. The primary unit will push the configuration down to the secondary unit.

When configuring failover, you need to specify the standby unit IP address. So when failover takes place, whichever unit becomes active will use the primary IP, whereas the standby will use the standby IP.

So basically one SSM is active, seeing traffic and reporting. The other SSM (on the standby ASA) is reachable via its management port/address, but isn't seeing any traffic because its ASA isn't passing traffic. Right?

I believe the standby unit will not process any packets.

It only syncs with the active unit and obtains the traffic state info, such as the existing connections, so that when failover takes place, most of the connections will still be active.

Dear Jackko,

I do not agree with the configuration replication on the standby SSM.

What I have observed is that configuration sync will happen for the configuration defined in the ASA box, but the configuration we have done on the SSM module will not get replicated.

Which means that configuration like the timezone setting and allowed host setting on the SSM module will not get replicated on the second SSM module and we have to do it manually. Even the signature configuration settings will not get replicated.

I also have a doubt about the SSM module failover. If my SSM module goes down, then how will it sense it? It is connected to the backplane, and the failover configuration we do on the physical interface is available on the ASA.

I tried to find out some document on Cisco about this doubt but I am not able to find much detail.

Regards,

Jatin

Jatin,

You're correct in that this isn't well documented, but here's how it works:

1) The ASAs DO perform configuration replication.

2) The SSMs DO NOT perform any kind of configuration replication, hence you need to manually keep them in sync. I asked Cisco about this and got the following reply: "The best thing to do is use IPS MC (CiscoWorks VMS) or better wait for the version with Cisco Security Manager (end of March) and configure an IDS signature policy."

3) If the SSM module in the primary ASA fails then the ASA WILL failover.

Hope that helps,

Andrew.
