cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
710
Views
14
Helpful
3
Replies

ASA Failover with IPS module

lmslattery
Level 1
Level 1

Hi,

Are there any issues in configuring failover between an ASA with an IPS module and an ASA without?

As the status of the module is reported on during failover monitoring my guess is that it can't be done.

Has anyone tried this ?

Leon

3 Replies 3

Todd Pula
Level 7
Level 7

In an active/standby scenario, the failover process will shut down automatically because the hardware is not the same on both ASAs. You will either need to add another AIP-SSM or pull the existing one for the failover to function.

I have a related question about this scenario, so I figured I'd reply here rather than create a new topic.

I have an ASA 5505 (with security plus license) with the AIP Intrusion prevention module.

I just purchased another ASA 5505 (with security plus license).

From the post above, I have gathered that in order to have failover function at all, I must also get the AIP card for the second ASA.

I am wondering if there are any other restrictions as far as what must be the same on the second ASA. Is it enough that both ASAs have Sec-plus licenses or is there something else that I'm missing? I saw something mentioned elsewhere that an "unrestricted" license is needed for the primary... what exactly does this mean?

Thanks,
Paul

Hi,

Here's the details of what all need to match for failover :

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#req

The "unrestricted" license thing is onlny for PIXs and not for ASAs and hence you do not need to bother about it. Also, youa re right about needing to purchase another IPS card for the other ASA. Hope that clears things out.

Cheers,

Prapanch

Review Cisco Networking for a $25 gift card