Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
643
Views
3
Helpful
6
Replies

ASA Active Standby and IPS Configure

prashantrecon
Level 1
Level 1

‎03-04-2013 02:20 AM - edited ‎03-11-2019 06:09 PM

Hi All,

I have two ASA 5520 version 8.2 in active Standay Mode.

What is a good practice to setup IPS AIM ssm-20 for this setup.

Is IPS should be in Fail-Open or Fail-Close mode ?

Is Mangement ip for both IPS module should be same or diffrent. ?

Labels:
0 Helpful
6 Replies 6

jocamare
Level 4
Level 4

‎03-04-2013 05:25 AM

You might find this useful:

http://www.cisco.com/en/US/docs/security/asa/quick_start/ips/ips_qsg.html

Answering your questions:

Is IPS should be in Fail-Open or Fail-Close mode ?

Depends, most setups have it on fail-open mode, so in case the module fails or goes down the traffic will still flow across the ASA.

When working on a fail-close mode, it might be because you don't want any traffic to go out of your network without inspection since this might represent a secuirty threat to your or other users.

Is Mangement ip for both IPS module should be same or diffrent. ?

The modules are separate and software independent modules, which means they need their own IP address for management. Each module should have its own IP address.

0 Helpful

prashantrecon
Level 1
Level 1
In response to jocamare

‎03-04-2013 06:24 AM

Thanks for the answer.

We have configured failover in active standby mode.

so if primary aip card fails(say it is rebooted)  than secoundary firewall will become active right .

I have configured for lan as well as state failover

So in this case failopen is of no use.?

If i keep it in failclose state close if the card fails in primary than secoundary will become active.

so atleast in this case the traffic will get inspected?

0 Helpful

jocamare
Level 4
Level 4
In response to prashantrecon

‎03-04-2013 06:42 AM

If the module on the active unit goes down, failover it's not going to trigger.

The feature doesn't monitor the status of the modules.

Now, fail-open/close has nothing to do with failover.

It's a local feature that allow the traffic to pass or be denied depending on the status of the locally installed IPS module.

0 Helpful

prashantrecon
Level 1
Level 1
In response to jocamare

‎03-04-2013 07:12 AM

Hi,

Thanks for reply

but if  iam restarting the primary firewall ips modules my failover is triggering...

My primary firewall become standby in this condtion and Standby become active 

why this is happning....?

0 Helpful

jocamare
Level 4
Level 4
In response to prashantrecon

‎03-04-2013 07:54 AM

Last time i checked on my lab [a couple a months ago] the status of the modules had nothing to do with the status of the unit on failover.

The following link describes the possible triggers for A/S failover:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ha_active_standby.html#wp1079547

It doesn't mention anything about the modules.

I'm not sure why this is happening though, there have been several cases with the same exact behavior, so this seems to be something normal but it's not properly dodcumented.

prashantrecon
Level 1
Level 1
In response to jocamare

‎03-04-2013 08:01 PM

Thanks for reply

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card