cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
959
Views
0
Helpful
6
Replies

ASA failover pair: ¿does IDS module´s config get replicated?

rogelioalvez
Level 1
Level 1

hello team, I am seeking for help in regards to an unanswered question that I posted in the IDS thread.

Question: let´s suppose that I execute a basic setup (admin username/password, IP address, mask, gateway, NTP), on the IPS module of the active ASA firewall. ¿Will this configuration be replicated to the IPS module of the secondary unit?

Your kind answer will be greatly appreciated.

Best regards...

2 Accepted Solutions

Accepted Solutions

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

To my understanding in an ASA failover setup the configurations are only replicated between the ASA configurations and no module configurations are replicated and need to be manually configured to match on both units.

Here is one Cisco document quote regarding ASA module configuration replication

If you have two ASAs in a failover configuration and each has an           AIP-SSM, you must manually replicate the configuration of the           AIP-SSMs. Only the configuration of the ASA is replicated by the failover           mechanism.

- Jouni

View solution in original post

mdreelan
Level 1
Level 1

It does not replicate. Use IME or CSM to manage multiple IPS modules


Sent from Cisco Technical Support Android App

View solution in original post

6 Replies 6

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

To my understanding in an ASA failover setup the configurations are only replicated between the ASA configurations and no module configurations are replicated and need to be manually configured to match on both units.

Here is one Cisco document quote regarding ASA module configuration replication

If you have two ASAs in a failover configuration and each has an           AIP-SSM, you must manually replicate the configuration of the           AIP-SSMs. Only the configuration of the ASA is replicated by the failover           mechanism.

- Jouni

mdreelan
Level 1
Level 1

It does not replicate. Use IME or CSM to manage multiple IPS modules


Sent from Cisco Technical Support Android App

It's not only that the config is not replicated, the IPS-modules are "ships in the night". They don't know anything about the other. The second module also doesn't know what the first has already inspected. But that will normally not cause any trouble as the normalizer is not running on the IPS-module.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

So the recommended practice should point to identify each IPS module with its own hostname and management IP address.

Thank you everyone for your kind answers.

Rogelio

So the recommended practice should point to identify each IPS module with its own hostname and management IP address.

The hostname is only locally significant, but for clearity they should be different. But each module needs a unique management-adress to reach the GUI and the remote-CLI.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Yeah, you have to behave as if these are two totally independent devices and configure and manage them seperately. There are a few settings that you can push out to both with IME but I'm not sure it's worth the trouble as there is still a _lot_ that you will have to duplicate on both manually. We're still working on how to reconcile reporting from these things. Also, if one of them crashes for no reason (it happens), the ASA pair will fail over to the one with the functioning IPS.

Review Cisco Networking for a $25 gift card