Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
845
Views
0
Helpful
3
Replies

ASA Active/Active and AIP-SSM Failover

Go to solution
communication.boy
Level 1
Level 1

‎01-04-2011 12:04 AM - edited ‎03-11-2019 12:29 PM

I need to propose a diagram to one of our client which has ASA Active/Active ( multiple context ) failover over about 50 KM. geog. dispersed location connected over 1Gb. fiber where each context will be failover to the other context on the other location . I will also have to put AIP-SSM module on that . I would like to know if AIP SSM failover will work in this Active Active stateless failover scenario .

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to communication.boy

‎01-04-2011 01:27 AM

As long as the latency is less than 10 ms, otherwise, it will keep on failing over between the 2 ASAs when keepalives are missing/retransmitted.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎01-04-2011 12:51 AM

It's not recommended to configure ASA failover in such a long distance, and it needs to be L2 adjacent for the failover link between the 2 ASAs. Also the 1G fiber link between the 2 locations, will it just carry the failover keepalives or also other traffic?

As per the failover recommendation:

"For optimum performance when using long distance  LAN failover, the latency for the failover link should be less than 10  milliseconds and no more than 250 milliseconds. If latency is more  than10 milliseconds, some performance degradation occurs due to  retransmission of failover messages."

Above is quoted from the following:

http://www.cisco.com/en/US/partner/docs/security/asa/asa82/configuration/guide/ha_overview.html#wp1077627

In regards to AIP-SSM module, you can configure all the contexts to have virtualised sensors as per the following:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html#wp1088096

For failover purposes, all contexts from both ASA in Active/Active mode needs to be configured on both ASA so when failover happens, it will automatically inpsect the traffic. However, it will be stateless failover for the AIP module.

Hope that helps.

0 Helpful

Go to solution
communication.boy
Level 1
Level 1
In response to Jennifer Halim

‎01-04-2011 01:06 AM

Thanks for the reply . I will be doing stateless failover . the 1 GB fiber link would be shared between data and Failover Hello packets ( stateless failover ) . I will make seperate VLAN for that . Fiber connects to 2xSwitches and the switches connects to ASA .

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to communication.boy

‎01-04-2011 01:27 AM

As long as the latency is less than 10 ms, otherwise, it will keep on failing over between the 2 ASAs when keepalives are missing/retransmitted.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card