05-19-2010 09:42 AM - edited 03-10-2019 05:00 AM
Hi all. I have 2 Cisco ASA 5520's setup in a Active/Standby failover mode. Both units have a AIP-SSM-20 module as well. It seems that when ever I reboot the AIP-SSM module on the primary ASA this causes the ASA's to failover. Any suggestions as to why this is happening? Thanks in advance.
05-19-2010 06:13 PM
You are correct. Reloading the AIP module will also trigger the ASA failover as per the following timeout, ie: for the AIP module it's 2 seconds before the failover is triggered:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1149492
Hope that answers your question.
08-31-2011 06:11 AM
So are you saying there is no way to avoid triggering failover when an AIP is reset?
08-31-2011 08:06 AM
You can temporarily remove the Modular Policy Framework configuration that forwards traffic down to the AIP, which will disassociate the AIP's availability from the failover mechanism. However, failovers are not a bad thing fundamentally. Are you trying to avoid triggering an alarm or alert that you or your team has configured when a failover occurs? If that is the case, altering the MPF may be the best solution for you.
Thank you,
Blayne Dreier
Cisco TAC Escalation Team
**Please check out our Podcasts**
TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast
TAC IPS Media Series: https://supportforums.cisco.com/docs/DOC-12758
08-31-2011 11:22 AM
Thanks! So there's a choice to be made between disabling IPS functions for a short time, and taking the performance hit of enabling failover replication for HTTP traffic, assuming long-lived HTTP sessions (Citrix comes to mind).
05-24-2012 06:10 AM
What happens if the Secondary SSM module fails as well ? Will the module FAIL - OPEN, meaning permit the traffic to flow to the ASA or drop the traffic ? The logic says all the traffic will be dropped as the appliance will consider this as a hardware failure.
Please advise.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide