topic Thanks for your reply! I was in Network Security

ASA 5516-x With Firepower services and active/active failover

ictbeheer01 — Tue, 12 Mar 2019 12:58:07 GMT

Hello everyone,

I have two ASA 5516-X setup in an active/active failover. I have also installed and succesfully bootstrapped the firesight management center with the two sfr modules added and licensed.

And, at this moment I am reading through the firesight management guide, and to my full suprise there is no information in it whatsoever on active/active failover in combination with sourcefire. There is a full chapter dedicated to active/standby failover, though.

guide here: http://www.cisco.com/c/en/us/td/docs/security/firepower/601/configuration/guide/fpmc-config-guide-v601.html

My question is: is there anyone that has an active/active setup running with sourcefire modules and working correctly? and if yes, could you link me to some useful information on setting this up with the sourcefire modules? Or, is his an unsupported setup and should I go on and revert to active/passive failover?

thanks and regards,

Sjoerd

Hi

yogdhanu — Fri, 08 Apr 2016 12:17:47 GMT

So from firesight point of view , it doesn't know about the failover. Firesight would still treat both the modules as individual devices. Though same policies can be applied to both of them , keeping them in same config.

So you can use either active /active or active/passive (ASA) and don't really need to do anything special on firesight.

Thanks

Yogesh

Thanks for your reply! I was

ictbeheer01 — Fri, 08 Apr 2016 12:38:50 GMT

Thanks for your reply! I was in doubt because there is nothing mentioned on active/active failover in the guides for firesight >.<

I just did a deployment this

Marvin Rhoads — Fri, 08 Apr 2016 15:56:19 GMT

I just did a deployment this week with ASA 5555-X multiple context mode firewalls in Active-Active failover.

Each physical ASA has its own FirePOWER module and those modules are managed by FirePOWER manager. I am using a single policy deployed to both modules. It's working fine and reporting on traffic from both contexts.

It's kind of nice that as a side benefit of the standard health policy is that you will see an alert highlighted on your manager that the data plane interface is not receiving traffic in the event that all contexts are active on a single ASA (vs. the normal operating mode of having at least one context active on each ASA).

You can't easily make distinct policies for the different contexts. Another thread suggested using zones to accomplish that; but that may make an already complex setup even more so.

Hello Marvin,

Ronaldo da Silva — Mon, 10 Apr 2017 19:13:53 GMT

Hello Marvin,

Is there any news in version 6.2? I ask because in the coming days I will migrate 2 ASA5585-SSP-IPS40 in HA, that have 2 Virtual Sensor: vs0 associated with the context x and vs1 associated with the context y, for 2 ASA-SSP-SFR40-K9=.

Will I have to apply the same SFR policies for the 2 contexts?

Tks;

Ronaldo

@Ronaldo da Silva ,

Marvin Rhoads — Tue, 11 Apr 2017 02:16:25 GMT

ronaldotecnologia ,

A given sfr module only has a single policy set (1 each access control + intrusion + file etc.). That single set applies to all contexts in a muilti-context mode ASA for which you are inspecting traffic. As of 6.2, you cannot differentiate sfr policies among contexts.

Even when Cisco introduces multiple context in a later release, it will be for the FTD image which will never be supported on the 5585-X. that is because the 5585-X with FirePOWER module has recently been announced as end of sales.

Thank you Marvin!

Ronaldo da Silva — Tue, 11 Apr 2017 02:25:01 GMT

Thank you Marvin!

Finally, what is the command

Ronaldo da Silva — Tue, 11 Apr 2017 02:29:30 GMT

Finally, what is the command to allocate the SFR module to the context:

(Config) # context x
(Config-ctx) # ???

You're welcome.

Marvin Rhoads — Tue, 11 Apr 2017 02:55:07 GMT

You're welcome.

You don't need to allocate the module resource in the system context setup. You simply call it out in the class map etc. of the individual context(s).

Something like this suffices for a basic setup:

access-list sfr extended permit ip any4 any4 
!
class-map sfr_class
 match access-list sfr
!
policy-map global_policy
 class sfr_class
  sfr fail-open

Perfect Marvin. Now I

Ronaldo da Silva — Tue, 11 Apr 2017 02:55:08 GMT

Perfect Marvin. Now I understood why I searched so much and did not find it. 🙂

Hi Marvin,

Ronaldo da Silva — Mon, 17 Apr 2017 21:53:03 GMT

Hi Marvin,

I received the 2 modules: ASA-SSP-SFR40-K9 = and inside their box, came the PAK: ASA5585-40CTRL-LIC.

The problem is that the numbers are the same. And when generating the license, released only the quantity: 1.

How can I add / manage the 2 modules in FMC?

Tks;

Ronaldo

The order may have

Marvin Rhoads — Tue, 18 Apr 2017 02:43:36 GMT

The order may have incorrectly specified only one Control license. Two modules requires two licenses.

You need to have your reseller order another "ASA5585-40CTRL-LIC"