topic Re: Urgent. need to do on firday night.. IPS shutdown please rea in Network Security

Urgent. need to do on firday night.. IPS shutdown please read n comment

Tarjeet Singh — Sun, 10 Mar 2019 12:53:16 GMT

My client has active (ASA1)/passive (ASA2) firewalls 5520 both firewalls have IPS ASA-SSM-20… On Active (ASA1) Firewall IPS module failed and failover method found ASA1 is unhealthy because IPS is failed and Failover switched over to Standby ASA2.

Yes we need to replace ASA1 IPS to bring back failover to ASA1.. But my client doesn’t want to buy new one.. So he requested me to take out secondary ASA2 IPS. So ASA2 will switch back to ASA1 once Failover will find out that there is no more IPS

Please help me, How I can remove IPS from ASA2 which is Active now. So failover switch back to ASA1 Active.

Should I just shut down IPS on both routers so failover method will not check for IPS

hw-module module 1 shutdown

Urgent. need to do on firday night.. IPS shutdown please read n

Tarjeet Singh — Thu, 31 Jan 2013 23:24:18 GMT

I just read that you can remove the Modular Policy Framework configuration that forwards traffic down to the AIP, which will disassociate the AIP's availability from the failover mechanism.

So when i will remove Modular Policy Framework configuration from ASA1 and ASA2 then i just have to reset ASA1 and failover will ignore IPS and consider ASA1 as healthy and ASA1 will be active again. then i wont be using IPS.

Please advise..

Urgent. need to do on firday night.. IPS shutdown please read n

Julio Carvajal — Sat, 02 Feb 2013 23:34:46 GMT

Hello Tarjeet,

At the end whether you are using the AIP-SSM module or not they are required hardware for failover to work.

That means that if you take the AIP-SSM module of one and try to work with that it will not run as the hardware will not match.

Now I will recommend you first of all taking the policy-action of sending the traffic to the AIP-SSM on both devices ( Active/standby)

Then shut it down and remove it from active ( the one that is already failed) then turn it down on the secondary and remove it.

Afterwards with both ASA's with no AIP-SSM their status will change to UP as they do not see any internal/external hardware failure

Regards

Re: Urgent. need to do on firday night.. IPS shutdown please rea

Tarjeet Singh — Sun, 03 Feb 2013 00:31:17 GMT

Hi Jcarvaja,

Thank you very much for replying. I have rescheduled this work for today 9:00 PST. I was actually planning to just remove module policy work config from both ASA 1 & 2, I thought failover will work after that. But now I understand that we do need to remove AIP module from both ASA 1 & 2 because hardware will not match.

On my ASA1 AIP is in unresponsive mode. I can’t shutdown or reset. So I will just remove policy config and remove AIP physically from ASA1.

On ASA2 I will shut down AIP module then after that i will remove AIP physically from ASA2. then failover should be fine after that. Please advice.

===========

Also I was thinking, if just shutdown AIP on ASA2 and remove policy config from both ASA then failover should work because AIP will be still physically present in ASA. But problem is one AIP is unresponsive and one will be shutdown. Do you think, it will be fine?

PLEASE ADVISE I HAVE 4 HOURS LEFT...

Re: Urgent. need to do on firday night.. IPS shutdown please rea

Julio Carvajal — Sun, 03 Feb 2013 07:17:21 GMT

Hello Sr,

I guess I am late ( More than 4 hours )

If you do that, it will still do not work because it will determine that one is failed and the other one is just shut-down ( manually)

So the way to go is the one you said previously:

On my ASA1 AIP is in unresponsive mode. I can’t shutdown or reset. So I will just remove policy config and remove AIP physically from ASA1.

On ASA2 I will shut down AIP module then after that i will remove AIP physically from ASA2. then failover should be fine after that. Please advice.

Please share with us the result and some kudos lol

Re: Urgent. need to do on firday night.. IPS shutdown please rea

Tarjeet Singh — Mon, 04 Feb 2013 18:24:39 GMT

Hi Jcarvaja,

Yea i finished my work that day. on ASA 1 IPS module was unresponsive and couldn’t shut it down. then i powered off IPS and removed card on ASA2 shut down the IPS module and then physically removed card then failover start working again,. Thanks...

Client wanted to test failover. I removed WAN cable from ASA1 then traffic moved to ASA2 after around 8 packet drops. but when i plugged back WAN cable on ASA1 traffic didn’t move back to ASA1 from ASA2. Then i removed cable from ASA2 WAN and traffic moved to ASA1.

i thought it should reverse back to primary device once primary device is in stable and healthy state. it mean we have to do manual failover from secondary to primary.

Urgent. need to do on firday night.. IPS shutdown please read n

Julio Carvajal — Fri, 08 Feb 2013 02:44:35 GMT

Hello Tarjeet,

Glad to know that I could help ( Please remember to rate all of the posts, so we can know that we indeed help)

Now regarding the last question you are talking about preemption and on the ASA that is only supported for active/active failover, that means that on active/standby failover a automatic failover because of the detection of the primary unit will not happen unless the secondary fails..

Hope that I could help with all of my explanations,

Please remember to rate all of the helpful posts,

Julio Carvajal

Security Trainer