We have two ASA5520's running in Active/Standby failover configuration. Both ASA's have ASA-SSM-10 IPS modules. The ASA's are running 7.0(2).
My question is: how does the IPS module affect failover? When upgrading the IPS modules to 5.1, the ASAs failed over, although there is nothing in the failover config regarding how to handle the IPS module being down.
Does anyone know how the ASA's handle failover when an IPS module is down? Thanks.
Hi .. well, it depends on whether your IPS has been configured in inline mode and for which interfaces, in which case the IPS receives traffic from the ASA, the traffic gets inspected and is then forwarded back to the ASA to go out its respective interface. In this situation, if the IPS fails or is reloaded, which I believe is the case when performing a major upgrade, then traffic will not pass through (unless fail-open has been configured on the IPS) and hence the ASA failover will occur.
In Active/Standby mode, traffic will flow through the active firewall (ASA). This includes traffic that needs to flow through the IPS (SSM), which is defined in your policy (class-map & ACL).
What is the config for your SSM? Promiscuous mode will not affect traversing traffic directly. Inline mode will virtually put SSM in the traffic path. Additionally, you can set whether to bypass SSM if service is unavailable.
If your inline-mode SSM does not allow bypass (fail-close rather than fail-open) when the SSM service is unavailable (due to upgrade processes), my bet is that this could be the reason why the failover occurred, as no traffic flows between the ASA interfaces. You probably need to enable fail-open in the SSM config.
Like you said, there is no specific doc on this scenario.
My experience has been as follows if you have a failover pair in active/standby configuration:
First thing to realise is that rebooting an SSM will tag your ASA as failed regardless of whether it's configured for fail-open or fail-closed. So if you upgrade the software on the primary SSM and the upgrade reboots the SSM then you have a failover scenario.
The only way to avoid this that I've found is to power down the SSM in the standby ASA, which marks the standby ASA as failed, and then you upgrade the primary SSM. If the SSM reboots then, although the primary is marked failed, the ASA won't fail over because the secondary is also failed.
Make sure you have fail-open configured when you do this if you want traffic to continue to flow while the SSM reboots.
Once the primary recovers you can then simply power up the standby SSM to get back to normal. Upgrading the software in the standby SSM can be done before or after the primary, as it won't affect failover.
The downside is that you have a small window of opportunity for attacks to be undetected while the SSM reboots - you need to decide if this is acceptable.
This is obviously not in the manual but works for me - it may or may not work for you!
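As an added example, not taken from any of the replies above, the following shows in ASA 7.x CLI what the second and third replies describe: the MPF class that hands matched traffic to the SSM, with the fail-close setting shown beside the fail-open one, followed by the standby-SSM shutdown sequence from the last reply. The ACL and class-map names (IPS-TRAFFIC, IPS-CLASS), the module slot (1, the only slot on an ASA5520) and the asa-active/asa-standby prompts are assumptions for illustration; the `ips`, `hw-module module`, `show module` and `show failover` commands are the standard ASA ones. The actual sensor upgrade is left as a comment because the thread gives no image location or path.

```console
! ---- 1. MPF policy sending traffic to the SSM (ASA 7.x, added example) ----
! Match everything; a narrower ACL would limit what the SSM inspects.
asa-active(config)# access-list IPS-TRAFFIC extended permit ip any any
asa-active(config)# class-map IPS-CLASS
asa-active(config-cmap)# match access-list IPS-TRAFFIC
asa-active(config-cmap)# policy-map global_policy
asa-active(config-pmap)# class IPS-CLASS
!
! Weak for availability: while the SSM is reloading, matched traffic is dropped.
!   ips inline fail-close
!
! Corrected: matched traffic bypasses the SSM (uninspected) while it is down.
asa-active(config-pmap-c)# ips inline fail-open
asa-active(config-pmap-c)# exit
asa-active(config-pmap)# exit
! global_policy is already applied globally on a default config; shown for completeness.
asa-active(config)# service-policy global_policy global

! ---- 2. Upgrade sequence that avoids an unwanted failover ----
! 2a. On the active unit, confirm both units are healthy before touching anything.
asa-active# show failover
asa-active# show module 1 details

! 2b. On the STANDBY unit, power down its SSM. The standby is now marked
!     Failed, so the active unit has nothing to fail over to.
asa-standby# hw-module module 1 shutdown
asa-standby# show module 1 details
asa-standby# show failover

! 2c. Back on the active unit, open a session to the sensor and run the IPS
!     upgrade (image path omitted: not given in the thread). The SSM reboots;
!     with fail-open configured above, traffic keeps flowing uninspected.
asa-active# session 1
!   sensor# configure terminal
!   sensor(config)# upgrade <url-to-ips-5.1-image>   (path not given in the thread)
!   ... sensor reboots, session drops ...

! 2d. Wait until the active unit's SSM reports Up again.
asa-active# show module 1 details
asa-active# show failover

! 2e. Only now bring the standby SSM back; its own upgrade can be done before
!     or after this step since the standby is not carrying traffic.
asa-standby# hw-module module 1 reset
asa-standby# show module 1 details
asa-standby# show failover
```

Two checks are worth making before relying on this in production. First, confirm with `show failover` after step 2b that the standby really reports Failed rather than Standby Ready; if it does not, the active unit can still fail over when its SSM reboots, which is exactly what the original poster saw. Second, the window in step 2c is one of uninspected traffic, not blocked traffic, so the trade-off the last reply mentions is a deliberate decision, not a side effect.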