ASA failover pair: does the IDS module's config get replicated?

rogelioalvez
Level 1

Hello team, I am seeking help regarding an unanswered question that I posted in the IDS thread.

Question: let's suppose that I execute a basic setup (admin username/password, IP address, mask, gateway, NTP) on the IPS module of the active ASA firewall. Will this configuration be replicated to the IPS module of the secondary unit?

Your kind answer will be greatly appreciated.

Best regards...

2 Accepted Solutions

Jouni Forss
VIP Alumni

Hi,

To my understanding, in an ASA failover setup the configuration is only replicated between the ASAs themselves; module configurations are not replicated and need to be configured manually to match on both units.

Here is a quote from one Cisco document regarding ASA module configuration replication:

"If you have two ASAs in a failover configuration and each has an AIP-SSM, you must manually replicate the configuration of the AIP-SSMs. Only the configuration of the ASA is replicated by the failover mechanism."

- Jouni


mdreelan
Level 1

It does not replicate. Use IME or CSM to manage multiple IPS modules.


Sent from Cisco Technical Support Android App


6 Replies


It's not only that the config is not replicated; the IPS modules are "ships in the night". They don't know anything about each other. The second module also doesn't know what the first has already inspected. But that will normally not cause any trouble, as the normalizer is not running on the IPS module.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

So the recommended practice should be to identify each IPS module with its own hostname and management IP address.

Thank you everyone for your kind answers.

Rogelio

"So the recommended practice should be to identify each IPS module with its own hostname and management IP address."

The hostname is only locally significant, but for clarity they should be different. But each module needs a unique management address to reach the GUI and the remote CLI.


Yeah, you have to behave as if these are two totally independent devices and configure and manage them separately. There are a few settings that you can push out to both with IME, but I'm not sure it's worth the trouble as there is still a _lot_ that you will have to duplicate on both manually. We're still working on how to reconcile reporting from these things. Also, if one of them crashes for no reason (it happens), the ASA pair will fail over to the one with the functioning IPS.
