Solved: Re: ASA active/active failover and IPS failure

durale1789 · ‎03-31-2011

Hi,

I have 2 asa 5520 firewalls including and 1 AIP-SSM-10 module in each of them. the configuration is set using active/active failover and context mode.

Both of them run individualy the IPS module. The IPS is configured using inline mode and fail-open option. However when one of the module fails and the state is changing from up to init or anything else making the IPS to fail then failover is detected and ASA consider it as failover and bounce context to the other unit.

IPS soft is 6.0(4) and ASA soft is 8.0(3)

I have checked cisco doc and it is confusing to me. it says: "The AIP-SSM does not participate in stateful failover if stateful failover is configured on the ASA failover pair." but it really does participate. Running is not really an option because of production network impact matter....

Has one of you had the experience of such issue or confusing behavior;

regards

alex

sean_evershed · ‎03-31-2011

Hi,

This thread will answer your question: Yes, what you are seeing is expected behaviour: https://supportforums.cisco.com/thread/224795

See below, if the IPS fails then this causes a failover of the ASA

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1149492

Please remember to rate all posts that are helpful.

View solution in original post

sean_evershed · ‎03-31-2011

Hi,

This thread will answer your question: Yes, what you are seeing is expected behaviour: https://supportforums.cisco.com/thread/224795

See below, if the IPS fails then this causes a failover of the ASA

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1149492

Please remember to rate all posts that are helpful.

durale1789 · ‎03-31-2011

Hi,

Thank you very much it is the information i was looking for so long ...

Is there any way to disable ot change this behavior or the default timer ?

regards