https://community.cisco.com/t5/network-security/asa-active-active-failover-and-ips-failure/m-p/1635854#M558823 <P>Hi,</P><P></P><P>I have 2 asa 5520 firewalls including and 1 AIP-SSM-10 module in each of them. the configuration is set using active/active failover and context mode.</P><P></P><P>Both of them run individualy the IPS module. The IPS is configured using inline mode and fail-open option. However when one of the module fails and the state is changing from up to init or anything else making the IPS to fail then failover is detected and ASA consider it as failover and bounce context to the other unit.</P><P></P><P>IPS soft is 6.0(4) and ASA soft is 8.0(3)</P><P></P><P>I have checked cisco doc and it is confusing to me. it says:&nbsp; <SPAN class="content">"The AIP-SSM does not participate in stateful failover if stateful failover is configured on the ASA failover pair." but it really does participate. Running is not really an option because of production network impact matter....</SPAN></P><P></P><P>Has one of you had the experience of such issue or confusing behavior;</P><P></P><P>regards</P><P></P><P>alex</P> Mon, 11 Mar 2019 20:15:09 GMT durale1789 2019-03-11T20:15:09Z https://community.cisco.com/t5/network-security/asa-active-active-failover-and-ips-failure/m-p/1635854#M558823 <P>Hi,</P><P></P><P>I have 2 asa 5520 firewalls including and 1 AIP-SSM-10 module in each of them. the configuration is set using active/active failover and context mode.</P><P></P><P>Both of them run individualy the IPS module. The IPS is configured using inline mode and fail-open option. However when one of the module fails and the state is changing from up to init or anything else making the IPS to fail then failover is detected and ASA consider it as failover and bounce context to the other unit.</P><P></P><P>IPS soft is 6.0(4) and ASA soft is 8.0(3)</P><P></P><P>I have checked cisco doc and it is confusing to me. it says:&nbsp; <SPAN class="content">"The AIP-SSM does not participate in stateful failover if stateful failover is configured on the ASA failover pair." but it really does participate. Running is not really an option because of production network impact matter....</SPAN></P><P></P><P>Has one of you had the experience of such issue or confusing behavior;</P><P></P><P>regards</P><P></P><P>alex</P> Mon, 11 Mar 2019 20:15:09 GMT https://community.cisco.com/t5/network-security/asa-active-active-failover-and-ips-failure/m-p/1635854#M558823 durale1789 2019-03-11T20:15:09Z https://community.cisco.com/t5/network-security/asa-active-active-failover-and-ips-failure/m-p/1635855#M558825 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P><SPAN>This thread will answer your question: Yes, what you are seeing is expected behaviour: </SPAN><A class="jive-link-thread-small" href="https://community.cisco.com/thread/224795">https://supportforums.cisco.com/thread/224795</A></P><P></P><P>See below, if the IPS fails then this causes a failover of the ASA</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1149492">http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1149492</A></P><P></P><P>Please remember to rate all posts that are helpful.</P></BODY></HTML> Thu, 31 Mar 2011 14:21:57 GMT https://community.cisco.com/t5/network-security/asa-active-active-failover-and-ips-failure/m-p/1635855#M558825 sean_evershed 2011-03-31T14:21:57Z https://community.cisco.com/t5/network-security/asa-active-active-failover-and-ips-failure/m-p/1635856#M558827 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Thank you very much it is the information i was looking for so long ...</P><P></P><P>Is there any way to disable ot change this behavior or the default timer ?</P><P></P><P>regards</P></BODY></HTML> Thu, 31 Mar 2011 15:33:02 GMT https://community.cisco.com/t5/network-security/asa-active-active-failover-and-ips-failure/m-p/1635856#M558827 durale1789 2011-03-31T15:33:02Z