AIP-SSM-20 IN ASA 5520 TRIGGERING FAILOVER

sla
Level 1

Hi all. I have 2 Cisco ASA 5520s set up in an Active/Standby failover mode. Both units have an AIP-SSM-20 module as well. It seems that whenever I reboot the AIP-SSM module on the primary ASA, this causes the ASAs to fail over. Any suggestions as to why this is happening? Thanks in advance.

5 Replies

Jennifer Halim
Cisco Employee

You are correct. Reloading the AIP module will also trigger the ASA failover as per the following timeout, i.e., for the AIP module it's 2 seconds before the failover is triggered:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1149492

Hope that answers your question.

So are you saying there is no way to avoid triggering failover when an AIP is reset?

You can temporarily remove the Modular Policy Framework configuration that forwards traffic down to the AIP, which will disassociate the AIP's availability from the failover mechanism. However, failovers are not a bad thing fundamentally. Are you trying to avoid triggering an alarm or alert that you or your team has configured when a failover occurs? If that is the case, altering the MPF may be the best solution for you.

Thank you,

Blayne Dreier

Cisco TAC Escalation Team

**Please check out our Podcasts**

TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast

TAC IPS Media Series: https://supportforums.cisco.com/docs/DOC-12758

Thanks!  So there's a choice to be made between disabling IPS functions for a short time, and taking the performance hit of enabling failover replication for HTTP traffic, assuming long-lived HTTP sessions (Citrix comes to mind). 

What happens if the Secondary SSM module fails as well? Will the module FAIL-OPEN, meaning permit the traffic to flow to the ASA, or drop the traffic? The logic says all the traffic will be dropped, as the appliance will consider this a hardware failure.

Please advise.
