
ASA CX Module failover

Peter Long
Level 1

Hi

I've not deployed a CX module before. We are about to deploy 2x ASA5585-X firewalls with CX modules (for AVC and WSE).

I'm pretty sure I know the answer to this (I've deployed plenty of old OLD ASAs with CSC modules in them, and I'm guessing the CX module behaves the same).

1. Will the failure of the CX module trigger a fail-over event (active standby fail-over)? My guess is no?

2. If not and the service policy is set to 'fail-closed' this means the client will need to perform a manual fail-over to the secondary/standby to restore web access, is this correct?

 

Pete

www.petenetlive.com

Accepted Solution

Hi Pete ,

1. Will the failure of the CX module trigger a fail-over event (active standby fail-over)? My guess is no?

Yes, it won't fail over your ASA; depending upon configuration, it will either permit or close the traffic.

In the If ASA CX Card Fails area, click Permit traffic or Close traffic. The Close traffic option sets the ASA to block all traffic if the ASA CX module is unavailable. The Permit traffic option sets the ASA to allow all traffic through, uninspected, if the ASA CX module is unavailable.

2. If not and the service policy is set to 'fail-closed' this means the client will need to perform a manual fail-over to the secondary/standby to restore web access, is this correct?

When configured to permit traffic during CX failure, there is no need to manually fail over your ASA firewalls between HA.

Step 8 Check the Enable ASA CX for this traffic flow check box.

http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/cx/cx_qsg.html#wp49530

 

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/modules_cx.pdf
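
An added example (not part of the original thread or of Cisco's documentation): a small Python check that reads an ASA running-config and lists, for each policy-map class that redirects to the CX module, whether it is set to fail-open (the ASDM "Permit traffic" option) or fail-close ("Close traffic"). The sample configuration is constructed, and the check assumes the CLI form `cxsc fail-open` / `cxsc fail-close` under a policy-map class.

```python
# Constructed sample of an ASA running-config fragment (not from the thread).
SAMPLE_CONFIG = """\
class-map web_traffic
 match port tcp eq 80
policy-map global_policy
 class inspection_default
  inspect dns
 class web_traffic
  cxsc fail-close auth-proxy
 class class-default
  cxsc fail-open
policy-map lab_policy
 class lab_traffic
  cxsc fail-open
service-policy global_policy global
"""

EFFECT = {
    "fail-open": "traffic passes uninspected while the CX module is unavailable",
    "fail-close": "traffic is blocked while the CX module is unavailable",
}

def cx_failure_modes(config_text):
    """Return (policy_map, class, mode) for every cxsc redirect in the config."""
    results, policy, cls = [], None, None
    for line in config_text.splitlines():
        words = line.split()
        if not words:
            continue
        if not line.startswith(" "):
            # Any top-level command closes the previous policy-map block.
            policy = words[1] if words[0] == "policy-map" and len(words) > 1 else None
            cls = None
        elif policy and words[0] == "class" and len(words) > 1:
            cls = words[1]
        elif policy and cls and words[0] == "cxsc" and len(words) > 1:
            if words[1] in EFFECT:
                results.append((policy, cls, words[1]))
    return results

def report(config_text):
    """One line per redirect, stating the behaviour on CX module failure."""
    return [f"{p}/{c}: {m} -> {EFFECT[m]}" for p, c, m in cx_failure_modes(config_text)]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG)))
```

Run against a saved copy of the running-config from each unit in the pair, the output shows which classes would drop traffic and which would pass it uninspected during a CX outage.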
