<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic IPS Advice... in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/ips-advice/m-p/2333484#M53544</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;We manage several customers that have IPS running on ASAs configured in active/standby mode. The active IPS unit is always in the active ASA, so when there is a failover the active IPS will be the sensor running on the new active ASA. A failure in the IPS module of the active ASA will cause a failover event to trigger.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;As jp.senior noted, there have been somewhat recent issues with signatures causing the IPS units to crash, and in light of that we have a policy to update the active unit to the most recent signature ASAP and only upgrade the standby IPS after the signature proves stable for 5 days. This way we always have an IPS sensor that is capable of running stably in the event of a problem signature.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;So, if it is critical for your organization to not have a failover during business hours, then you may want to go with a standalone unit. The standalone units cost a ton more than they used to, so you'll have to take that into account in your decision.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Jon.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Wed, 31 Jul 2013 14:39:35 GMT</pubDate>
    <dc:creator>JonPBerbee</dc:creator>
    <dc:date>2013-07-31T14:39:35Z</dc:date>
    <item>
      <title>IPS Advice...</title>
      <link>https://community.cisco.com/t5/network-security/ips-advice/m-p/2333482#M53539</link>
      <description>&lt;P&gt;Our company is looking at an IPS solution and I've heard pros and cons about using IPS modules for the ASAs versus standalone units.&amp;nbsp; Our basic physical topology is a 5515 pair in active/standby w/ a L2L vpn to another fw pair at a colo.&amp;nbsp; &lt;/P&gt;&lt;P&gt;I had worked with them years ago and remember some issue about the modules not knowing if the ASA changed from active to standby or back.&amp;nbsp; I can't remember exactly what the issue was, but it seemed to be a real pain.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;For those with plenty of experience with both solutions, would you recommend the ASA modules or the standalone units?&lt;/P&gt;</description>
      <pubDate>Sun, 10 Mar 2019 13:01:15 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ips-advice/m-p/2333482#M53539</guid>
      <dc:creator>tbrendle</dc:creator>
      <dc:date>2019-03-10T13:01:15Z</dc:date>
    </item>
    <item>
      <title>IPS Advice...</title>
      <link>https://community.cisco.com/t5/network-security/ips-advice/m-p/2333483#M53542</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;The built-in units cause too many failovers of production environments based on all of the bugs Cisco has - when the IPS engine stops responding or becomes busy, the module is marked as 'failed' by the firewall.&amp;nbsp; This causes a failover event on the device, regardless of fail-open/fail-closed settings.&amp;nbsp; Cisco's recent instability on the IPS module would have me encourage you to look at an alternative topology - external IPS are a better bet.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 31 Jul 2013 02:43:57 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ips-advice/m-p/2333483#M53542</guid>
      <dc:creator>jp.senior</dc:creator>
      <dc:date>2013-07-31T02:43:57Z</dc:date>
    </item>
    <item>
      <title>IPS Advice...</title>
      <link>https://community.cisco.com/t5/network-security/ips-advice/m-p/2333484#M53544</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;We manage several customers that have IPS running on ASAs configured in active/standby mode. The active IPS unit is always in the active ASA, so when there is a failover the active IPS will be the sensor running on the new active ASA. A failure in the IPS module of the active ASA will cause a failover event to trigger.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;As jp.senior noted, there have been somewhat recent issues with signatures causing the IPS units to crash, and in light of that we have a policy to update the active unit to the most recent signature ASAP and only upgrade the standby IPS after the signature proves stable for 5 days. This way we always have an IPS sensor that is capable of running stably in the event of a problem signature.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;So, if it is critical for your organization to not have a failover during business hours, then you may want to go with a standalone unit. The standalone units cost a ton more than they used to, so you'll have to take that into account in your decision.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Jon.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 31 Jul 2013 14:39:35 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ips-advice/m-p/2333484#M53544</guid>
      <dc:creator>JonPBerbee</dc:creator>
      <dc:date>2013-07-31T14:39:35Z</dc:date>
    </item>
  </channel>
</rss>