Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1931
Views
0
Helpful
4
Replies

Two SSM-10 IPS Modules needed for HA-Pair 5520 or can I use one with and one without?

Go to solution
Dean Romanelli
Level 4
Level 4

‎08-09-2018 07:08 AM - edited ‎02-21-2020 08:05 AM

Tried this in the firewall section but no one knew the answer. Figured I'd ask here next.

I have two 5520's. One in production with an IPS SSM-10 installed, and one in storage.  All parameters are identical except I don't have an SSM-10 for the storage 5520.

Can I still HA pair that storage 5520 to the production 5520 if I don't have an IPS module in the standby unit but I do have one in the active unit or will it not work? The IPS's have to be configured manually - meaning that replication to mate does not take care of the IPS so I would think no, but not sure. 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP

‎08-09-2018 07:54 AM

Both devices have to be identically. WIth the SSM-10 being EOL and without any signature-updates, I would remove the module from the first ASA and operate both without.

But remember that the ASA 5520 is also EOL and should be replaced soon.

 

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Karsten Iwen
VIP
VIP

‎08-09-2018 07:54 AM

Both devices have to be identically. WIth the SSM-10 being EOL and without any signature-updates, I would remove the module from the first ASA and operate both without.

But remember that the ASA 5520 is also EOL and should be replaced soon.

 

0 Helpful

Go to solution
Dean Romanelli
Level 4
Level 4
In response to Karsten Iwen

‎08-09-2018 08:08 AM

Thanks Karsten.  So just to confirm:  It's either both with IPS or both without right?

Cannot run one with and one without in HA pair even though config sync doesn't replicate between them like running-conf of the ASA itself does right? 

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to Dean Romanelli

‎08-09-2018 08:15 AM

At least, it's not a supported configuration. And from an HA-perspective the second unit without the module would always be in a failed state.
0 Helpful

Go to solution
Dean Romanelli
Level 4
Level 4
In response to Karsten Iwen

‎08-09-2018 08:30 AM

Thank you Sir.

 

A follow up question:

My storage 5520 has no config on it or on the IPS. When I console into the 5520 and do "session 1" it says the module in slot 1 did not respond and it's state is "unresponsive."

Do I need to do something before I can session to it with a blank config, connected via console connection or should that work? 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card