Cisco Support Community

ASA failover pair doesn't replicate AIP-SSM module config from Active to Standby device.


Problem:

Scenario 1:

When ASAs with AIP-SSM modules are configured as a failover pair, the AIP-SSM configuration from the Active ASA does not get replicated to the Standby ASA when failover takes place. Why does this happen, and how can we solve this issue?


Scenario 2:

The user needs a few clarifications on ASA active/standby failover involving the CSC-SSM module. Currently there is a production firewall running ASA 8.3.1, along with CSC module 6.3. Another identical firewall unit was recently purchased, so the two will run in Active/Standby failover mode.

Question 1
The CSC module license on the newly purchased ASA unit has not been activated and installed yet (the customer misplaced the paper PAK license). The user asks whether it is possible to set up failover with one CSC SSM in operational mode while the other CSC is down because no license is installed on it.

Question 2
The new firewall will be the standby unit. Besides configuring failover, does he need to load the AnyConnect image onto the new firewall as well?

Question 3:
Can he just update the ASA version of the production firewall from 8.3.1 to 8.4.2? Would this cause any syntax errors?

Resolution:

Scenario 1:

If you have two ASAs in a failover configuration and each has an AIP-SSM, you must manually replicate the configuration of the AIP-SSMs. Only the configuration of the ASA is replicated by the failover mechanism. The AIP-SSM is not included in the failover.


First, the AIP-SSM operates independently of the ASA in terms of failover. For failover, all that is needed from an ASA perspective is that the AIP modules be of the same hardware type. Beyond that, as with any other portion of failover, the configuration of the ASA between the active and standby must be in sync.


As for the set up of the AIPs, they are effectively independent sensors. There is no failover between the two, and they have no awareness of each other. They can run independent versions of code. That is, they do not have to match, and the ASA does not care about the version of code on the AIP with respect to failover.


Scenario 2:

  • As long as the hardware is exactly the same you should be able to HA pair them; however, I'd strongly suggest licensing both CSC modules.
  • Yes, you need to have the same version of the AnyConnect image on both units, since the image version is listed in the running config under the webvpn section.
  • Going from 8.3.1 to 8.4.2 will be fine; the syntax is similar.
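A pre-failover check for the AnyConnect point above, added here as an example and not part of the original post: it parses the replicated webvpn section and a `dir disk0:` listing from the standby (both constructed samples) and reports image files the standby flash lacks. It assumes the `anyconnect image` (8.4) and `svc image` (8.3) config syntax and the usual `dir` output layout.

```python
import re

# Constructed sample (not from the page): the webvpn section of an ASA 8.4
# running config, which failover replicates to the standby unit.
ACTIVE_CONFIG = """\
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.05152-k9.pkg 2
 anyconnect enable
"""

# Constructed "dir disk0:" output from the standby unit; the macOS package
# was never copied to its flash, so the replicated config references a file
# the standby does not have.
STANDBY_DIR = """\
Directory of disk0:/
10     -rwx  27260928    12:01:00 Jan 05 2017  asa842-k8.bin
11     -rwx  3545296     12:05:00 Jan 05 2017  anyconnect-win-3.1.05152-k9.pkg
255426560 bytes total (220000000 bytes free)
"""

# ASA 8.4 writes "anyconnect image"; 8.3 and earlier write "svc image".
IMAGE_RE = re.compile(r"^\s*(?:anyconnect|svc)\s+image\s+(\S+)", re.MULTILINE)


def referenced_images(config):
    """Image paths the webvpn section refers to, in config order."""
    return IMAGE_RE.findall(config)


def flash_files(dir_listing):
    """File names present in a 'dir' listing taken on the ASA."""
    files = set()
    for line in dir_listing.splitlines():
        parts = line.split()
        # Entry lines start with an index and end with the file name; the
        # "bytes total" summary line has too few fields to match.
        if len(parts) >= 7 and parts[0].isdigit():
            files.add(parts[-1])
    return files


def missing_images(config, dir_listing):
    """Images the config references that are absent from the given flash."""
    present = flash_files(dir_listing)
    missing = []
    for path in referenced_images(config):
        name = path.split(":", 1)[-1].rsplit("/", 1)[-1]  # drop "disk0:/"
        if name not in present:
            missing.append(path)
    return missing
```

Run `missing_images` against the real standby's `dir` output before enabling failover; every path it returns must be copied to the standby flash first, otherwise the synced `webvpn` section points at a file that unit does not have.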


Source: https://supportforums.cisco.com/message/3820678#3820678

Version history
Revision #: 2 of 2
Last update: 08-28-2017 02:12 AM