04-26-2013 04:28 AM - edited 03-11-2019 06:35 PM
I have 2 * ASA5515-IPS-K9 that were purchased last year and were configured as 2 separate firewalls and IPS modules. Although there were some initial teething problems with the IPS's being able to communicate the Internet for signature updates, this was resolved with assistance from TAC's.
The ASA's have recently been reconfigured to work in a Active/Standby failover configuration, with everything working and functioning correctly. But it now seems like there are some serious issues with the IPS modules. The IPS in the 'Active' unit is 'not connected' and i am unable to reconnect to it via IME (7.2.1). The second module is connected but states that the signature definitions are out-of-date although the automatic signature download say's that it's work correctly!
The units are installed in a remote data centre, but i have got full remote acces to them.
My questions are:
What happens to the IPS module in the 'Standby' unit, does it stay live or should it shutdown into standby?
What is the correct configuration for the IPS modules in this scenario?
How can i restore correect functionallity to these units?
04-30-2013 08:54 PM
On the ASA for which IPS is not accessible, please check the output of show module 1 detail. It should tell if the module is down.
Find answers inline:
What happens to the IPS module in the 'Standby' unit, does it stay live or should it shutdown into standby?
-it should stay live
What is the correct configuration for the IPS modules in this scenario?
-There is no recommended config, the normal config using the setup command such that IPS is accessible from the network
How can i restore correect functionallity to these units?
-you can use the following command from the ASA cli:
hw module 1 reload
If problem persists, please open a TAC case.
-
HTH
AJ
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide