04-08-2016 05:08 AM - edited 03-12-2019 05:58 AM
Hello everyone,
I have two ASA 5516-X setup in an active/active failover. I have also installed and successfully bootstrapped the firesight management center with the two sfr modules added and licensed.
And, at this moment I am reading through the firesight management guide, and to my full surprise there is no information in it whatsoever on active/active failover in combination with sourcefire. There is a full chapter dedicated to active/standby failover, though.
guide here: http://www.cisco.com/c/en/us/td/docs/security/firepower/601/configuration/guide/fpmc-config-guide-v601.html
My question is: is there anyone that has an active/active setup running with sourcefire modules and working correctly? And if yes, could you link me to some useful information on setting this up with the sourcefire modules? Or, is this an unsupported setup and should I go on and revert to active/passive failover?
thanks and regards,
Sjoerd
04-08-2016 05:17 AM
Hi
So from firesight point of view, it doesn't know about the failover. Firesight would still treat both the modules as individual devices. Though the same policies can be applied to both of them, keeping them in the same config.
So you can use either active/active or active/passive (ASA) and don't really need to do anything special on firesight.
Thanks
Yogesh
04-08-2016 05:38 AM
Thanks for your reply! I was in doubt because there is nothing mentioned on active/active failover in the guides for firesight >.<
04-08-2016 08:56 AM
I just did a deployment this week with ASA 5555-X multiple context mode firewalls in Active-Active failover.
Each physical ASA has its own FirePOWER module and those modules are managed by FirePOWER manager. I am using a single policy deployed to both modules. It's working fine and reporting on traffic from both contexts.
It's kind of nice that as a side benefit of the standard health policy is that you will see an alert highlighted on your manager that the data plane interface is not receiving traffic in the event that all contexts are active on a single ASA (vs. the normal operating mode of having at least one context active on each ASA).
You can't easily make distinct policies for the different contexts. Another thread suggested using zones to accomplish that; but that may make an already complex setup even more so.
04-10-2017 12:13 PM
Hello Marvin,
Is there any news in version 6.2? I ask because in the coming days I will migrate 2 ASA5585-SSP-IPS40 in HA, that have 2 Virtual Sensor: vs0 associated with the context x and vs1 associated with the context y, for 2 ASA-SSP-SFR40-K9=.
Will I have to apply the same SFR policies for the 2 contexts?
Tks;
Ronaldo
04-10-2017 07:16 PM
A given sfr module only has a single policy set (1 each access control + intrusion + file etc.). That single set applies to all contexts in a multi-context mode ASA for which you are inspecting traffic. As of 6.2, you cannot differentiate sfr policies among contexts.
Even when Cisco introduces multiple context in a later release, it will be for the FTD image which will never be supported on the 5585-X. that is because the 5585-X with FirePOWER module has recently been announced as end of sales.
04-10-2017 07:25 PM
Thank you Marvin!
04-10-2017 07:29 PM
Finally, what is the command to allocate the SFR module to the context:
(Config) # context x
(Config-ctx) # ???
04-10-2017 07:55 PM
You're welcome.
You don't need to allocate the module resource in the system context setup. You simply call it out in the class map etc. of the individual context(s).
Something like this suffices for a basic setup:
! ACL selecting the traffic to hand to the FirePOWER (sfr) module
access-list sfr extended permit ip any4 any4
!
class-map sfr_class
 match access-list sfr
!
! global_policy is the default policy-map already applied with
! "service-policy global_policy global"
policy-map global_policy
 class sfr_class
  sfr fail-open
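As an added illustration (not Marvin's configuration or anything from Cisco's guide) of how the same redirect block lands in each context of a multi-context unit, here it is entered in the two contexts from Ronaldo's case. The context names "x" and "y" come from the thread; the choice of fail-close in the second context and the verification commands are my own additions and are assumptions about what a practitioner would want rather than what the poster ran.

```cisco
! Added example, not from the original thread.
! The sfr redirect is configured per context; nothing is allocated in the
! system execution space. Each physical ASA (and so each failover unit)
! redirects to its own module, so this is repeated on the standby unit's
! config only if failover config replication is not in use.
!
! ---- changeto context x ----
access-list sfr extended permit ip any4 any4
!
class-map sfr_class
 match access-list sfr
!
policy-map global_policy
 class sfr_class
  sfr fail-open
!
service-policy global_policy global
!
! ---- changeto context y ----
! Same redirect, but fail-close: if the module is down or not yet booted,
! matching traffic is dropped instead of passing through uninspected.
! (This is the assumed hardening variant, not what the thread used.)
access-list sfr extended permit ip any4 any4
!
class-map sfr_class
 match access-list sfr
!
policy-map global_policy
 class sfr_class
  sfr fail-close
!
service-policy global_policy global
!
! ---- verification ----
! From the system execution space, on each physical unit:
show module sfr details
! Inside each context, to confirm packets are actually being redirected:
show service-policy sfr
```

The fail-open / fail-close choice is the one security-relevant knob in this block: fail-open favours availability (traffic keeps flowing when the module restarts or the policy deploys), fail-close favours inspection guarantees. Because the FMC does not know about the failover pair, the module health alerts Marvin mentions are the main signal that one unit's module has stopped seeing traffic, so check `show module sfr details` on both units after a failover event.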
04-10-2017 07:55 PM
Perfect Marvin. Now I understood why I searched so much and did not find it. :)
04-17-2017 02:53 PM
04-17-2017 07:43 PM
The order may have incorrectly specified only one Control license. Two modules requires two licenses.
You need to have your reseller order another "ASA5585-40CTRL-LIC"