https://community.cisco.com/t5/network-security/asa-5540-failover/m-p/1378843#M731834 <HTML><HEAD></HEAD><BODY><P>I checked the ASA 5540 specs and the firewall throughput is 650Mbps and the firewall and IPS thoughput is 500Mbps with AIP-SSM20.</P><P>So I am not clear which thoughput is applied to firewall:</P><P>1. Without AIP-SSM card firewall thoughput is 650M?</P><P>2. With AIP-SSM card firewall thoughput is 500M?</P><P>If item 2 is true then my firewall thoughput is 500M instead of 650M?</P><P></P><P>The configuration for the SSM to ASA is inline mode.&nbsp; Trace back to the history and approximately 10 to 15 minutes before the failover</P><P>took place, the Unix admin experience slowness on his servers to internet users accessing the webpage/webcontain.&nbsp; When the failover</P><P>happened approximately 2 minutes after everything is back to normal.&nbsp; Web traffice before the failover is around 350Mbps.</P></BODY></HTML> Tue, 19 Jan 2010 14:16:19 GMT ttran 2010-01-19T14:16:19Z https://community.cisco.com/t5/network-security/asa-5540-failover/m-p/1378837#M731828 <P>Last night my firewall failover to secondary suddenly and I am still trying to find the root cause.&nbsp; Looking at the log and history, I saw the reason of failover because the "Service card in other unit has failed".&nbsp; Further investigating and the card is SSM according to Cisco web page.&nbsp; So I think it is the AIP-SSM card.&nbsp; Still do not know why the card was failed that trigger the failover.&nbsp; ASA running code 8.0.4.&nbsp; Right now the secondary is still the active ASA.&nbsp; We have the Netscaler in the DMZ doing web hosting.&nbsp; Could it be to much traffic for the ASA and/or AIP-SSM to handle? Anyone has any idea is appreciated.</P> Mon, 11 Mar 2019 16:58:05 GMT https://community.cisco.com/t5/network-security/asa-5540-failover/m-p/1378837#M731828 ttran 2019-03-11T16:58:05Z https://community.cisco.com/t5/network-security/asa-5540-failover/m-p/1378838#M731829 <HTML><HEAD></HEAD><BODY><P>There could be multiple reasons a card could fail.</P><P>Software defect, hardware issue in the backplane, just a glitch, overload of the card, these are some.</P><P></P><P>You need to investigate if the card keeps failing or if it was an one off event.</P><P>to reset the card do "hw module 1 reset" on the ASA.</P><P></P><P>I hope it helps.</P><P></P><P>PK</P></BODY></HTML> Fri, 15 Jan 2010 22:47:12 GMT https://community.cisco.com/t5/network-security/asa-5540-failover/m-p/1378838#M731829 Panos Kampanakis 2010-01-15T22:47:12Z https://community.cisco.com/t5/network-security/asa-5540-failover/m-p/1378839#M731830 <HTML><HEAD></HEAD><BODY><P>What output does you get from the module when you do the `show module` command?</P></BODY></HTML> Sat, 16 Jan 2010 10:14:44 GMT https://community.cisco.com/t5/network-security/asa-5540-failover/m-p/1378839#M731830 Kent Heide 2010-01-16T10:14:44Z https://community.cisco.com/t5/network-security/asa-5540-failover/m-p/1378840#M731831 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>You might want to swap the AIP SSM module in the ASA with a spare KNOWN GOOD module and monitor the performance of card.</P><P></P><P></P><P>Thanks</P><P></P><P>Vijaya</P></BODY></HTML> Mon, 18 Jan 2010 01:24:50 GMT https://community.cisco.com/t5/network-security/asa-5540-failover/m-p/1378840#M731831 vilaxmi 2010-01-18T01:24:50Z https://community.cisco.com/t5/network-security/asa-5540-failover/m-p/1378841#M731832 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>You might want to try swapping the AIP SSM module on your ASA with a KNOWN GOOD CARD, and then monitor the performance, as this could be a hardware fault.</P><P></P><P>Thanks,</P><P></P><P>Vijaya</P></BODY></HTML> Mon, 18 Jan 2010 01:29:01 GMT https://community.cisco.com/t5/network-security/asa-5540-failover/m-p/1378841#M731832 vilaxmi 2010-01-18T01:29:01Z https://community.cisco.com/t5/network-security/asa-5540-failover/m-p/1378842#M731833 <HTML><HEAD></HEAD><BODY><P>Thank you everyone answer this question.&nbsp; The AIP-SSM20 card is still functioning after the failover.</P><P>I was able to ssh to the card and show version to make sure the apps and engine is running.</P><P>Show module indicated the card is up state.&nbsp; This is still in mystery.</P><P>This was the first time it happened so not sure what cause it.</P></BODY></HTML> Mon, 18 Jan 2010 17:26:52 GMT https://community.cisco.com/t5/network-security/asa-5540-failover/m-p/1378842#M731833 ttran 2010-01-18T17:26:52Z https://community.cisco.com/t5/network-security/asa-5540-failover/m-p/1378843#M731834 <HTML><HEAD></HEAD><BODY><P>I checked the ASA 5540 specs and the firewall throughput is 650Mbps and the firewall and IPS thoughput is 500Mbps with AIP-SSM20.</P><P>So I am not clear which thoughput is applied to firewall:</P><P>1. Without AIP-SSM card firewall thoughput is 650M?</P><P>2. With AIP-SSM card firewall thoughput is 500M?</P><P>If item 2 is true then my firewall thoughput is 500M instead of 650M?</P><P></P><P>The configuration for the SSM to ASA is inline mode.&nbsp; Trace back to the history and approximately 10 to 15 minutes before the failover</P><P>took place, the Unix admin experience slowness on his servers to internet users accessing the webpage/webcontain.&nbsp; When the failover</P><P>happened approximately 2 minutes after everything is back to normal.&nbsp; Web traffice before the failover is around 350Mbps.</P></BODY></HTML> Tue, 19 Jan 2010 14:16:19 GMT https://community.cisco.com/t5/network-security/asa-5540-failover/m-p/1378843#M731834 ttran 2010-01-19T14:16:19Z https://community.cisco.com/t5/network-security/asa-5540-failover/m-p/1378844#M731835 <HTML><HEAD></HEAD><BODY><P>Throughput depends upon how traffic redirected to AIP module(using class map ), if all then there will be a bottleneck.</P><P></P><P>What about the IPS alerts, it will definitely give some answer that caused the issue.</P><P></P><P></P><P>Dileep</P></BODY></HTML> Wed, 20 Jan 2010 05:40:55 GMT https://community.cisco.com/t5/network-security/asa-5540-failover/m-p/1378844#M731835 Dileep Sivadas Padmini 2010-01-20T05:40:55Z https://community.cisco.com/t5/network-security/asa-5540-failover/m-p/1378845#M731836 <HTML><HEAD></HEAD><BODY><P>Thanks Dileep.&nbsp; My thought is the same since SSM in line will cause some problem with thoughput.</P><P>I tried to check the logs on the IPS but did not see anything out of ordinary (I think) since I am not able to show</P><P>any actual events back on January 14 just in general of tcp traffic and there is no idication of the attack.&nbsp; For sure</P><P>I was able to see the ASA CPU hits around 75% as normal between 40% to 45% when traffic around 350M.&nbsp; When</P><P>failover happened, there were few spike around 530M and the Secondary is working fine.</P><P></P><P>I am planning to remove the inspect http from the global policy inspection.&nbsp; Any idea how the ASA behave when</P><P>the inspection http is removed.&nbsp; Is it a good idea?</P><P></P><P>PK,</P><P>Thank you for answer from the other question and I know you did mention will causing some problem if inspection http is removed, is it going to be a big problem because http will not be inspect by the IPS.</P></BODY></HTML> Wed, 20 Jan 2010 15:40:36 GMT https://community.cisco.com/t5/network-security/asa-5540-failover/m-p/1378845#M731836 ttran 2010-01-20T15:40:36Z