Cisco Support Community

Community Member

ASA-SSM-10 and ASA55x0 failover

We have two ASA5520's running in Active/Standby failover configuration. Both ASA's have ASA-SSM-10 IPS modules. The ASA's are running 7.0(2).

My question is: how does the IPS module affect failover? When upgrading the IPS modules to 5.1, the ASAs failed over, although there is nothing in the failover config regarding how to handle the IPS module being down.

Does anyone know how the ASAs handle failover when an IPS module is down? Thanks.

5 REPLIES

Re: ASA-SSM-10 and ASA55x0 failover

Hi .. well, it depends on whether your IPS has been configured in inline mode and for which interfaces. In that case the IPS receives traffic from the ASA, the traffic gets inspected and is then forwarded back to the ASA to go out its respective interface. In this situation, if the IPS fails or is reloaded (which I believe is the case when performing a major upgrade), then traffic will not pass through (unless fail-open has been configured on the IPS), and hence the ASA failover will occur.

I hope it helps .. please rate it if it does !!!

Re: ASA-SSM-10 and ASA55x0 failover

Hi,

In Active/Standby mode, traffic will flow through the active firewall (ASA). This includes traffic that needs to flow through the IPS (SSM), which is defined in your policy (class-map and ACL).

What is the config for your SSM? Promiscuous mode will not affect traversing traffic directly. Inline mode will virtually put the SSM in the traffic path. Additionally, you can set whether to bypass the SSM if the service is unavailable.

If your inline-mode SSM does not allow bypass (fail-close rather than fail-open) when the SSM service is unavailable (due to upgrade processes), my bet is that this could be the reason why failover occurred, as no traffic flows between ASA interfaces. You probably need to enable fail-open in the SSM config.

Like you said, there is no specific doc on this scenario.

Hope this helps.

Rgds,

AK
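The two settings AK refers to (inline vs. promiscuous, and bypass when the SSM is unavailable) are set on the ASA in the service policy that sends traffic to the module, and the sensor has its own bypass setting as well. The following is an added example, not configuration posted by anyone in this thread; the ACL and class-map names are assumptions, and the syntax is that of ASA 7.x with an AIP-SSM in slot 1.

```cisco
! --- ASA side (ASA 7.x), added example, names are assumed ---
! Select which traffic is handed to the SSM. Here: everything.
access-list IPS-TRAFFIC extended permit ip any any

class-map IPS-CLASS
 match access-list IPS-TRAFFIC

! Weak/brittle variant: inline and fail-close. If the SSM is down
! (reload, upgrade, power-off) the matched traffic is dropped.
policy-map global_policy
 class IPS-CLASS
  ips inline fail-close

! Corrected variant for availability: inline and fail-open. If the
! SSM is down the ASA forwards matched traffic uninspected instead of
! dropping it. (Promiscuous mode would be "ips promiscuous fail-open",
! where the SSM only receives a copy and is never in the forwarding path.)
policy-map global_policy
 class IPS-CLASS
  no ips inline fail-close
  ips inline fail-open

service-policy global_policy global

! Verify what the ASA thinks of the module and the policy:
show module 1 details
show service-policy global

! --- Sensor side (IPS 5.x CLI on the SSM), added example ---
! The sensor's own software bypass; "auto" passes traffic through
! when the analysis engine is not running, "off" blocks it.
configure terminal
 service interface
  bypass-mode auto
  exit
 exit
```

Note that both knobs have to agree: "ips inline fail-open" on the ASA plus "bypass-mode off" on the sensor still blocks traffic while the sensor's analysis engine is down, and either fail-open setting trades detection coverage for availability during that window. Neither setting by itself says anything about whether the failover unit treats the module's reload as a unit failure, which is the separate question the rest of this thread is about.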

Community Member

Re: ASA-SSM-10 and ASA55x0 failover

The SSM is configured for inline mode with fail-open enabled, and it still failed the ASA over.

I sure wish Cisco would document how failover works with the AIP-SSMs.

Has it been anyone's experience that simply removing the IPS config from the service-policy is enough for the ASA to function without failing over during an IPS upgrade, reboot, etc.?

Thanks.

Community Member

Re: ASA-SSM-10 and ASA55x0 failover

We're running 5540s in active/active on 7.1; the SSMs are running in inline mode with bypass enabled.

Anything that 'disturbs' the SSM (reload, image update, even a signature update) causes the context with IPS enabled to fail over briefly.

This isn't the behavior I would have expected, but it would appear that the ASA's detection of the interruption of the SSM path is more sensitive than the SSM's "failover bypass", at least initially.

Re: ASA-SSM-10 and ASA55x0 failover

Hi,

My experience has been as follows if you have a failover pair in active/standby configuration:

The first thing to realise is that rebooting an SSM will tag your ASA as failed regardless of whether it's configured for fail-open or fail-closed. So if you upgrade the software on the primary SSM and the upgrade reboots the SSM, then you have a failover scenario.

The only way to avoid this that I've found is to power down the SSM in the standby ASA, which marks the standby ASA as failed, and then upgrade the primary SSM. If the SSM reboots, then although the primary is marked failed, the ASA won't fail over because the secondary is also failed.

Make sure you have fail-open configured when you do this if you want traffic to continue to flow while the SSM reboots.

Once the primary recovers you can then simply power up the standby SSM to get back to normal. Upgrading the software in the standby SSM can be done before or after the primary, as it won't affect failover.

The downside is that you have a small window of opportunity for attacks to go undetected while the SSM reboots; you need to decide if this is acceptable.

This is obviously not in the manual, but it works for me. It may or may not work for you!

HTH

Andrew.
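Andrew's workaround, written out as the ASA CLI commands a practitioner would type on each unit. This is an added example based on the steps in his post, not commands he or anyone else in the thread posted; it assumes the AIP-SSM sits in slot 1 on both units, ASA 7.x syntax, and an Active/Standby pair. The sensor-side upgrade itself is done on the SSM's own CLI and is not shown.

```cisco
! ===== Step 0: on either unit, confirm the starting state =====
! Expect the primary to be Active and the secondary Standby Ready,
! and the module in slot 1 "Up" on both.
show failover
show module 1 details

! ===== Step 1: on the STANDBY unit, power the SSM down =====
! This is the deliberate part of the trick: with its module down the
! standby unit is marked Failed, so it is no longer a failover target.
hw-module module 1 shutdown
show module 1 details          ! module state should now read Down
show failover                  ! standby side should now show Failed

! ===== Step 2: on the ACTIVE unit, make sure traffic will keep flowing
! while its SSM reboots (fail-open), then upgrade the SSM =====
show running-config policy-map  ! confirm "ips inline fail-open" on the IPS class
! ... session to the SSM and run the sensor upgrade from the IPS CLI ...
session 1
! (sensor upgrade happens here; the SSM reboots when it completes)
! Back on the ASA: the active unit will report Failed while its module
! reboots, but there is no healthy peer to fail over to.
show failover
show module 1 details          ! wait until the module is "Up" again
show failover                  ! active unit should return to Active

! ===== Step 3: on the STANDBY unit, bring its SSM back =====
! "reset" powers a shut-down module back on and reboots it.
hw-module module 1 reset
show module 1 details          ! wait for "Up"
show failover                  ! expect Standby Ready again

! The standby SSM can now be upgraded on its own schedule; with the
! pair back to normal its reboot does not trigger a failover.
```

The point of checking `show failover` after Step 1 is that the whole scheme only works if the standby really is marked Failed before the primary's module goes down; if it still reads Standby Ready, the primary's SSM reboot will fail over exactly as described earlier in the thread. As Andrew notes, traffic matched by the IPS class is forwarded uninspected during the reboot, so the fail-open check in Step 2 is what keeps the site up, and the uninspected window is the cost.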
