Hi all. I have two Cisco ASA 5520s set up in Active/Standby failover mode. Both units have an AIP-SSM-20 module as well. It seems that whenever I reboot the AIP-SSM module on the primary ASA, this causes the ASAs to fail over. Any suggestions as to why this is happening? Thanks in advance.
You are correct. Reloading the AIP module will also trigger the ASA failover as per the following timeout, i.e. for the AIP module it is 2 seconds before the failover is triggered:
Hope that answers your question.
You can temporarily remove the Modular Policy Framework configuration that forwards traffic down to the AIP, which will disassociate the AIP's availability from the failover mechanism. However, failovers are not a bad thing fundamentally. Are you trying to avoid triggering an alarm or alert that you or your team has configured when a failover occurs? If that is the case, altering the MPF may be the best solution for you.
Cisco TAC Escalation Team
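For reference, this is the shape of the Modular Policy Framework configuration the reply above refers to, added here as an illustration and not taken from any of the posts; the names IPS_TRAFFIC and IPS_CLASS are assumed, while the `ips` command and its `fail-open`/`fail-close` keywords are standard ASA syntax for diverting traffic to the AIP-SSM.

```cisco
! Constructed example: select the traffic to be inspected by the AIP-SSM
access-list IPS_TRAFFIC extended permit ip any any

class-map IPS_CLASS
 match access-list IPS_TRAFFIC

! Attach the IPS action to the global policy.
! "inline" puts the SSM in the forwarding path (it can drop traffic),
! "promiscuous" only sends a copy.
! "fail-open" lets traffic through if the SSM is unavailable (reload,
! hardware failure); "fail-close" drops it instead.
policy-map global_policy
 class IPS_CLASS
  ips inline fail-open

service-policy global_policy global

! To temporarily stop forwarding traffic to the module while reloading it,
! remove the IPS action from the class (and re-add it afterwards):
!  policy-map global_policy
!   class IPS_CLASS
!    no ips inline fail-open
```

Whether the module failure also triggers an ASA failover is governed by the unit's health monitoring, not by the fail-open/fail-close keyword; the keyword only decides what happens to the traffic itself when the module is down.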
Thanks! So there's a choice to be made between disabling IPS functions for a short time, and taking the performance hit of enabling failover replication for HTTP traffic, assuming long-lived HTTP sessions (Citrix comes to mind).
What happens if the secondary SSM module fails as well? Will the module FAIL-OPEN, meaning permit the traffic to flow to the ASA, or drop the traffic? The logic says all the traffic will be dropped, as the appliance will consider this a hardware failure.