topic ASA failover pair: ¿does IDS module´s config get replicated? in Network Security

ASA failover pair: ¿does IDS module´s config get replicated?

rogelioalvez — Tue, 12 Mar 2019 00:43:29 GMT

hello team, I am seeking for help in regards to an unanswered question that I posted in the IDS thread.

Question: let´s suppose that I execute a basic setup (admin username/password, IP address, mask, gateway, NTP), on the IPS module of the active ASA firewall. ¿Will this configuration be replicated to the IPS module of the secondary unit?

Your kind answer will be greatly appreciated.

Best regards...

ASA failover pair: ¿does IDS module´s config get replicated?

Jouni Forss — Sat, 05 Jan 2013 12:12:14 GMT

Hi,

To my understanding in an ASA failover setup the configurations are only replicated between the ASA configurations and no module configurations are replicated and need to be manually configured to match on both units.

Here is one Cisco document quote regarding ASA module configuration replication

If you have two ASAs in a failover configuration and each has an AIP-SSM, you must manually replicate the configuration of the AIP-SSMs. Only the configuration of the ASA is replicated by the failover mechanism.

- Jouni

Re:ASA failover pair: ¿does IDS module´s config get replicated

mdreelan — Sat, 05 Jan 2013 16:36:03 GMT

It does not replicate. Use IME or CSM to manage multiple IPS modules

Sent from Cisco Technical Support Android App

ASA failover pair: ¿does IDS module´s config get replicated?

Karsten Iwen — Sat, 05 Jan 2013 17:15:26 GMT

It's not only that the config is not replicated, the IPS-modules are "ships in the night". They don't know anything about the other. The second module also doesn't know what the first has already inspected. But that will normally not cause any trouble as the normalizer is not running on the IPS-module.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

ASA failover pair: ¿does IDS module´s config get replicated?

rogelioalvez — Sat, 05 Jan 2013 22:20:16 GMT

So the recommended practice should point to identify each IPS module with its own hostname and management IP address.

Thank you everyone for your kind answers.

Rogelio

ASA failover pair: ¿does IDS module´s config get replicated?

Karsten Iwen — Sun, 06 Jan 2013 00:36:10 GMT

So the recommended practice should point to identify each IPS module with its own hostname and management IP address.

The hostname is only locally significant, but for clearity they should be different. But each module needs a unique management-adress to reach the GUI and the remote-CLI.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

ASA failover pair: ¿does IDS module´s config get replicated?

grahamt — Mon, 07 Jan 2013 23:04:30 GMT

Yeah, you have to behave as if these are two totally independent devices and configure and manage them seperately. There are a few settings that you can push out to both with IME but I'm not sure it's worth the trouble as there is still a _lot_ that you will have to duplicate on both manually. We're still working on how to reconcile reporting from these things. Also, if one of them crashes for no reason (it happens), the ASA pair will fail over to the one with the functioning IPS.