ASA CX Module failover

Hi

I've not deployed a CX module before. We are about to deploy 2 x ASA5585-X firewalls with CX modules (for AVC and WSE).

I'm pretty sure I know the answer to this (I've deployed plenty of old OLD ASAs with CSC modules in them, and I'm guessing the CX module behaves the same).

1. Will the failure of the CX module trigger a fail-over event (active standby fail-over)? My guess is no?

2. If not, and the service policy is set to 'fail-closed', this means the client will need to perform a manual fail-over to the secondary/standby to restore web access, is this correct?

 

Pete

www.petenetlive.com


Accepted Solutions


Hi Pete,

1. Will the failure of the CX module trigger a fail-over event (active standby fail-over)? My guess is no?

Yes, it won't fail over your ASA; depending upon configuration, it will either permit or close the traffic.

In the If ASA CX Card Fails area, click Permit traffic or Close traffic. The Close traffic option sets the ASA to block all traffic if the ASA CX module is unavailable. The Permit traffic option sets the ASA to allow all traffic through, uninspected, if the ASA CX module is unavailable.

2. If not and the service policy is set to 'fail-closed' this means the client will need to perform a manual fail-over to the secondary/standby to restore web access, is this correct?

When configured to permit traffic during CX failure, there is no need to manually fail over your ASA firewalls between HA.

 

 

Step 8 Check the Enable ASA CX for this traffic flow check box.

http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/cx/cx_qsg.html#wp49530

 

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/modules_cx.pdf
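
The Permit traffic / Close traffic choice quoted above appears in the ASA CLI as `cxsc fail-open` and `cxsc fail-close` under a policy-map class. As an added example (not part of the original posts), this script reads a running-config and reports which mode each CX redirection uses; the sample config and all names in it are constructed for illustration.

```python
import re

# Constructed sample of an ASA running-config; all names are made up.
SAMPLE_CONFIG = """\
class-map web_class
 match port tcp eq www
class-map all_class
 match any
policy-map global_policy
 class inspection_default
  inspect dns
 class web_class
  cxsc fail-close auth-proxy
policy-map dmz_policy
 class all_class
  cxsc fail-open
service-policy global_policy global
service-policy dmz_policy interface dmz
"""

# Effect of each mode, as described in the answer above.
EFFECT = {
    "fail-open": "traffic is permitted, uninspected, while the CX module is unavailable",
    "fail-close": "all matching traffic is blocked while the CX module is unavailable",
}

CXSC_RE = re.compile(r"^cxsc\s+(fail-open|fail-close)\b")

def audit_cx_fail_mode(config_text):
    """Return one dict per policy-map class that redirects traffic to CX."""
    findings = []
    policy = cls = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            # Any top-level command ends the previous policy-map block.
            policy = line.split()[1] if line.startswith("policy-map ") else None
            cls = None
        elif policy and line.startswith("class "):
            cls = line.split()[1]
        elif policy and cls:
            m = CXSC_RE.match(line)
            if m:
                findings.append({"policy": policy, "class": cls,
                                 "mode": m.group(1), "effect": EFFECT[m.group(1)]})
    return findings

if __name__ == "__main__":
    for f in audit_cx_fail_mode(SAMPLE_CONFIG):
        print(f"{f['policy']}/{f['class']}: {f['mode']} -> {f['effect']}")
```
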
