01-05-2013 03:45 AM - edited 03-11-2019 05:43 PM
Hello team, I am seeking help regarding an unanswered question that I posted in the IDS thread.
Question: let's suppose that I execute a basic setup (admin username/password, IP address, mask, gateway, NTP) on the IPS module of the active ASA firewall. Will this configuration be replicated to the IPS module of the secondary unit?
Your kind answer will be greatly appreciated.
Best regards...
01-05-2013 04:12 AM
Hi,
To my understanding, in an ASA failover setup only the ASA configurations are replicated; module configurations are not replicated and need to be configured manually to match on both units.
Here is one Cisco document quote regarding ASA module configuration replication:
If you have two ASAs in a failover configuration and each has an AIP-SSM, you must manually replicate the configuration of the AIP-SSMs. Only the configuration of the ASA is replicated by the failover mechanism.
- Jouni
01-05-2013 08:36 AM
It does not replicate. Use IME or CSM to manage multiple IPS modules
01-05-2013 09:15 AM
It's not only that the config is not replicated, the IPS-modules are "ships in the night". They don't know anything about the other. The second module also doesn't know what the first has already inspected. But that will normally not cause any trouble as the normalizer is not running on the IPS-module.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
01-05-2013 02:20 PM
So the recommended practice should point to identify each IPS module with its own hostname and management IP address.
Thank you everyone for your kind answers.
Rogelio
01-05-2013 04:36 PM
So the recommended practice should point to identify each IPS module with its own hostname and management IP address.
The hostname is only locally significant, but for clarity they should be different. But each module needs a unique management address to reach the GUI and the remote CLI.
01-07-2013 03:04 PM
Yeah, you have to behave as if these are two totally independent devices and configure and manage them separately. There are a few settings that you can push out to both with IME, but I'm not sure it's worth the trouble as there is still a _lot_ that you will have to duplicate on both manually. We're still working on how to reconcile reporting from these things. Also, if one of them crashes for no reason (it happens), the ASA pair will fail over to the one with the functioning IPS.
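Since the thread's conclusion is that the two IPS modules are independent devices whose setup must be kept in step by hand, a practical follow-up is a drift check. The script below is an added example, not code from the original thread or from Cisco: it parses the `service host` block from each module's `show configuration` output and reports settings that must be unique per module (management IP, hostname, as discussed above) and settings that should match (ACL, NTP, time zone, telnet option, as in the "duplicate on both manually" remark). The two configurations embedded in it are constructed sample text modelled on the IPS 7.x CLI layout, not captured from real devices, and the `MUST_DIFFER` / `MULTI_VALUED` split is this example's own assumption about which settings belong in which group.

```python
"""Drift check for the basic setup of two Cisco IPS modules (e.g. the AIP-SSM
in each unit of an ASA failover pair).

The ASA failover mechanism replicates only the ASA configuration, so the two
IPS modules must be compared separately. This added example parses the
'service host' section of each module's 'show configuration' output and
reports which settings must differ and which should match.
"""

# Constructed sample: the module in the primary ASA (not a real capture).
CONFIG_A = """\
! ------------------------------
! Current configuration last modified Sat Jan 05 10:12:03 2013
! ------------------------------
service host
network-settings
host-ip 192.168.10.11/24,192.168.10.1
host-name ips-asa-primary
telnet-option disabled
access-list 10.0.0.0/8
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
ntp-option enabled-ntp-unauthenticated
ntp-server 10.0.0.5
exit
exit
! ------------------------------
service interface
exit
"""

# Constructed sample: the module in the secondary ASA, set up by a different
# engineer. Same hostname (confusing), telnet left on, extra ACL entry and a
# different NTP server: exactly the drift that failover will not fix for you.
CONFIG_B = """\
! ------------------------------
service host
network-settings
host-ip 192.168.10.12/24,192.168.10.1
host-name ips-asa-primary
telnet-option enabled
access-list 10.0.0.0/8
access-list 172.16.5.0/24
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
ntp-option enabled-ntp-unauthenticated
ntp-server 10.0.0.6
exit
exit
! ------------------------------
service interface
exit
"""

# Assumption of this example: these keys must be unique per module; every
# other setting under 'service host' is expected to be identical on both.
MUST_DIFFER = {"host-ip", "host-name"}
# Submodes under 'service host' that are closed by their own 'exit'.
SUBMODE_OPENERS = {"network-settings", "time-zone-settings", "ntp-option"}


def parse_service_host(config: str) -> dict[str, set[str]]:
    """Return {setting: {values}} for the 'service host' block.

    Values are collected as sets because some settings (access-list,
    ntp-server) may legitimately appear more than once.
    """
    settings: dict[str, set[str]] = {}
    depth = 0  # 0 = outside 'service host', otherwise nesting level inside it
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if depth == 0:
            if line == "service host":
                depth = 1
            continue
        if line == "exit":
            depth -= 1
            if depth == 0:
                break  # left 'service host'; later services are ignored
            continue
        key, _, value = line.partition(" ")
        if key in SUBMODE_OPENERS:
            depth += 1  # e.g. 'ntp-option enabled-ntp-unauthenticated' opens a submode
        if value:
            settings.setdefault(key, set()).add(value)
    return settings


def compare_modules(config_a: str, config_b: str) -> dict[str, list[str]]:
    """Report drift between two modules' basic setup.

    Returns {"errors": [...], "ok": [...]}. An error is raised for a
    must-differ setting that is identical (clashing management IP or hostname)
    and for any other setting whose values differ between the modules.
    """
    a, b = parse_service_host(config_a), parse_service_host(config_b)
    errors: list[str] = []
    ok: list[str] = []
    for key in sorted(a.keys() | b.keys()):
        va, vb = a.get(key, set()), b.get(key, set())
        if key in MUST_DIFFER:
            if va and va == vb:
                errors.append(f"{key}: identical on both modules ({', '.join(sorted(va))})")
            else:
                ok.append(f"{key}: unique per module")
        elif va != vb:
            errors.append(f"{key}: A={sorted(va) or '-'} B={sorted(vb) or '-'}")
        else:
            ok.append(f"{key}: matches")
    return {"errors": errors, "ok": ok}


if __name__ == "__main__":
    report = compare_modules(CONFIG_A, CONFIG_B)
    for line in report["ok"]:
        print("OK   ", line)
    for line in report["errors"]:
        print("DRIFT", line)
```

Run against the two constructed samples it flags the shared hostname, the telnet setting, the extra ACL entry and the NTP server as drift while accepting the two distinct management addresses. To use it on real modules, paste each module's `show configuration` output into the two strings (or read them from files); only the `service host` block is inspected, so signature and event-action settings still need their own comparison.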