05-09-2014 02:05 AM - edited 02-21-2020 05:10 AM
Hi
I've not deployed a CX module before. We are about to deploy 2xASA5585-X firewalls with CX modules (for AVC and WSE).
I'm pretty sure I know the answer to this (I've deployed plenty of old OLD ASAs with CSC modules in them, and I'm guessing the CX module behaves the same).
1. Will the failure of the CX module trigger a fail-over event (active standby fail-over)? My guess is no?
2. If not and the service policy is set to 'fail-closed' this means the client will need to perform a manual fail-over to the secondary/standby to restore web access, is this correct?
Pete
05-09-2014 04:38 AM
Hi Pete ,
1. Will the failure of the CX module trigger a fail-over event (active standby fail-over)? My guess is no?
Yes, it won't fail over your ASA. Depending on the configuration, it will either permit or close the traffic.
In the If ASA CX Card Fails area, click Permit traffic or Close traffic. The Close traffic option sets the ASA to block all traffic if the ASA CX module is unavailable. The Permit traffic option sets the ASA to allow all traffic through, uninspected, if the ASA CX module is unavailable.
2. If not and the service policy is set to 'fail-closed' this means the client will need to perform a manual fail-over to the secondary/standby to restore web access, is this correct?
When configured to permit traffic during a CX failure, there is no need to manually fail over your ASA firewalls between HA.
Step 8 Check the Enable ASA CX for this traffic flow check box.
http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/cx/cx_qsg.html#wp49530
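An added example, not part of the thread: a small audit that reads a saved ASA running-config and reports, per policy-map class, whether CX redirection is set to `cxsc fail-open` or `cxsc fail-close` (the CLI forms of the Permit traffic / Close traffic options quoted above). The sample configuration and all class, policy and ACL names in it are constructed for illustration.

```python
import re

# Constructed sample of an ASA running-config (not taken from the thread).
SAMPLE_CONFIG = """\
class-map CX_WEB
 match access-list CX_WEB_ACL
class-map CX_ALL
 match any
policy-map type inspect dns preset_dns_map
 parameters
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
 class CX_WEB
  cxsc fail-close auth-proxy
policy-map inside_policy
 class CX_ALL
  cxsc fail-open
"""

def audit_cx_failure_mode(config_text):
    """Return [(policy_map, class, mode)] for every class redirected to ASA CX."""
    findings = []
    policy = cls = None
    for line in config_text.splitlines():
        stripped = line.strip()
        if not line.startswith(" "):
            # Top-level command: we enter a layer 3/4 policy-map or leave one.
            # Inspection policy maps ("policy-map type ...") cannot hold cxsc.
            m = re.match(r"policy-map\s+(?!type\b)(\S+)", stripped)
            policy, cls = (m.group(1) if m else None), None
        elif policy and (m := re.match(r"class\s+(\S+)", stripped)):
            cls = m.group(1)
        elif policy and cls and (m := re.match(r"cxsc\s+(fail-open|fail-close)\b", stripped)):
            findings.append((policy, cls, m.group(1)))
    return findings

def describe(mode):
    # Behaviour as stated in the quick start guide text quoted in the answer.
    if mode == "fail-open":
        return "traffic passes uninspected if the CX module is unavailable"
    return "traffic is blocked if the CX module is unavailable"

if __name__ == "__main__":
    for policy, cls, mode in audit_cx_failure_mode(SAMPLE_CONFIG):
        print(f"{policy}/{cls}: {mode} -> {describe(mode)}")
```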