
ASA 5525-X IPS Management IP addresses in HA mode

dpuranik
Level 1

I am going to install ASA5525-X Firewall in HA mode and both have Software IPS modules and I was wondering how the management IP address will be configured in HA mode.

 

Will both IPS have the same management IP address?

I am looking for some sample config for IPS management IP address configuration in HA mode.

 

Thanks,


Accepted Solutions

Marvin Rhoads
Hall of Fame

If you haven't seen it already, please review the ASA IPS Module Quick Start Guide.

The management of software IPS modules uses the physical management interface of the 5525-X with an IP address that is specified in the setup of the IPS module. This is distinct from any management address you may have set up in the base ASA.

Each IPS will have its own unique IP address.

The IPS modules themselves are not HA-aware and are essentially managed as two independent units. This improves if you move to the NGFW IPS and manage the unit via PRSM on an external server. In that scenario, the HA pair of IPSs is managed as a collective entity.

The base ASAs of course share the service policy used to redirect traffic for IPS inspection and (when the service-policy calls for IPS module inspection) also verify the operational state of the IPS modules as one of the checks done to validate failover status.


2 Replies

nkarthikeyan
Level 7

There should not be any big difference in configuration for management. Even in a normal scenario we can have management access through both the active and standby IP addresses to the respective devices. It all happens with the MAC address that is used when it is configured in failover mode.

 

Hope this helps

Regards

Karthik
 
