Solved: Do I need two AIP-SSM modules if I am configuring failover?

petescisco1 · ‎12-26-2012

Is it possible to use a single AIP-SSM module in two ASA's that are configured in Active/Standby mode?

I would like to configure the module in the first ASA with the fail-open setting. Then, if the first ASA fails, I could then physically remove the AIP-SSM module and place it in the second ASA.

Would there be any problems configuring it this way?

Would the active/standby ASA's complain that there is only one AIP-SSM module?

Thanks in advance.

Julio Carvajal · ‎12-27-2012

Hello,

You must have an AIP-SSM on both ASA's in order to be able to run failover, without it failover will not come up ( due to hardware mismatch)

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

Julio Carvajal · ‎12-27-2012

Hello,

You must have an AIP-SSM on both ASA's in order to be able to run failover, without it failover will not come up ( due to hardware mismatch)

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

petescisco1 · ‎12-27-2012

Hi Julio,

Many thanks for clarifying that.

Have a nice day.

Cheers

Peter

rogelioalvez · ‎01-04-2013

Hello Julio. My name is Rogelio, and I would appreciate your answer on a related matter, because I will have to execute the initial configuration of a failover pair, each one with its own IPS module.

Question: let´s suppose that I execute a basic setup (admin username/password, IP address, mask, gateway), on the IPS module of the active ASA firewall. ¿Will this configuration be replicated to the IPS module of the secondary unit?

Your kind answer will be greatly appreciated.

Best regards...

rogelioalvez · ‎01-05-2013

Hello Julio:

I was confirmed that each IPS module is independent of each other. So I will need to individually configure them.

Thanks! rogelio