topic Re: Malcom Gladwell would say in Network Security

sfr fail-open: will it failover over to secondary if SFR fails on primary?

cpaquet — Tue, 12 Mar 2019 13:06:52 GMT

Pair of 5515-x with SFR , in Active/Standby failover.

Policy-map is configured for: sfr fail-open

If SFR fails on primary/active device, is:

1. primary device stays active since it's configured for sfr fail-open?

2. failover occurs and secondary becomes active since primary is no longer healthy?

I think the answer is 2, but I would like a confirmation.

Thanks.

Cath.

Cath,

Marvin Rhoads — Sat, 27 Aug 2016 19:27:20 GMT

Cath,

Service module health is by default checked as part of the failover criteria in an ASA HA pair (or cluster). If the service module fails, that will trigger a failover event (assuming the Standby unit is in ready state).

As of ASA software 9.5(1) there is an option to change this default behavior with the command "no health-check monitor-interface service-module".

Thanks Marvin. That is what

cpaquet — Sat, 27 Aug 2016 21:19:12 GMT

Thanks Marvin. That is what I thought. I was aware also of the new features in 9.5 to not have the module considered for failover.

Marvin, your replies are always clear, concise and precise. Your continuous contribution to the support forum is greatly appreciated.

Regards,

Cath.

You're welcome Cath.

Marvin Rhoads — Sat, 27 Aug 2016 21:49:37 GMT

You're welcome Cath.

Thank you for the kind words of encouragement. I've been at it here in the Cisco community forums for just over 15 years (CSC's predecessor Netpro started in 2000 the year before I joined); so I've pretty much got it figured out.

I read somewhere that an expert is somebody who's already made most of the mistakes (at least once). I might have a few more left to make; but I've had my fair share. 🙂

Malcom Gladwell would say

cpaquet — Sat, 27 Aug 2016 21:54:30 GMT

Malcom Gladwell would say that an expert is someone who has put 10,000 hours practicing their skills. I'm sure you are well over that time threshold. Thanks again for your contribution. Cath.

Re: Malcom Gladwell would say

subrun.jamil — Wed, 16 May 2018 03:03:37 GMT

I have my Any Connect VPN and Site to Site VPN Traffic redirected to SFR module while configuring almost similar to below rule. Difference is in my box I have configured the traffic here what I mentioned as XXXX.

ciscoasa(config)# access-list sfr_redirect extended permit ip XXXX XXXX
ciscoasa(config)# class-map sfr
ciscoasa(config-cmap)# match access-list sfr_redirect
ciscoasa(config-pmap-c)# sfr fail-open monitor-only

Now I need to configure this as an Inline Mode to start Inspecting the traffic. What are the steps I need to do to accomplish this other than configuring below command

ciscoasa(config-pmap-c)# sfr fail-open

Re: Malcom Gladwell would say

salman abid — Wed, 06 Jun 2018 07:31:14 GMT

Hi Malcom,

If your sfr is already working in ''monitor mode'' and now you want to go with inline mode then apart from just typing ''sfr fail-open'' under class map

You need go through logs that generated by firepower when it was in monitor mode bcz there is an option it will tell ''what if i would be in INLINE mode''
you may need to spend time to see those logs bcz based on your policy configuration it may block some legitimate traffic of your network or may allow some malicious traffic to/from your network.