topic If your IPS is inline and set in Network Security

ASA-SSM-20/40 IPS Software upgrade quesiton

N3t W0rK3r — Sun, 10 Mar 2019 13:36:35 GMT

I am looking at upgrading the IPS modules (ASA-SSM-20 and ASA-SSM-40) on two different ASA's to ver 7.1(11)E4 as per this field notice:

http://www.cisco.com/c/en/us/support/docs/field-notices/640/fn64080.html

My question is around whether traffic flowing through the firewall will be impacted during this update and the subsequent reboot of the IPS module.

On the respective ASAs, a service policy is in place that will allow traffic to pass in the case where the IPS module becomes unavailable. Question is, will this in fact happen during the update??

Suggestions and comments are welcomed.

Thanks in advance.

John

If your IPS is inline and set

Marvin Rhoads — Tue, 03 May 2016 18:05:22 GMT

If your IPS is inline and set to fail open then the traffic through the ASA (assuming a standalone ASA and not part of an HA pair) will not be affected when the IPS service module reloads.

If an ASA is in an HA pair and a service module (ips, cxsc or sfr) fails it will by default trigger a failover event. (ASA 9.5 introduced the option to change that behavior.) The result is the same - zero downtime (although TCP connections may need to re-establish if you don't have stateful failover configured).

Thanks for your reply Marvin.

N3t W0rK3r — Tue, 03 May 2016 18:17:05 GMT

Thanks for your reply Marvin.

The SSM-20 modules are in fact a part of an ASA-5520 HA pair... thanks for mentioning this.

The SSM-40 is in a standalone ASA-5540.

Both IPS modules are configured inline.

Now regarding the HA pair... I guess I need to manually update each SSM-20 module, is that right? Should I update the secondary ASA/IPS first and then the primary? Or what do you recommend?

Thanks again.

John

You're welcome.

Marvin Rhoads — Tue, 03 May 2016 18:23:51 GMT

You're welcome.

In an HA pair you do need to update each module separately. The service modules operate mostly independently of the parent ASA and have no concept of the HA configuration.

I would update the secondary first. That will prove to procedure and you can observe it at leisure on the Secondary-Standby unit.

Once you're happy that it comes back up fine and shows as Ready state you can then force a failover and repeat the upgrade on the unit that's now Primary-Standby.