cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

3012
Views
0
Helpful
5
Replies
Highlighted
Beginner

ASA failover with non-matching hardware, IPS module

We are looking at getting a pair of ASA firewalls (probably 5510s) with IPS modules.  I plan to configure them in active/standby as our throughput needs don't exceed the capacity of a single 5510.  Currently we are running a pair of PIX515(non-E) in active/standby and use about 50-60% of the CPU there.  Our bandwidth is around 30Mbps on the high side, 10-15Mbps average.  Concurrent connections has peaked at 7000 but averages 3000.

My question is can I get a single IPS module for the active ASA and run on that, use the Smartnet contract to get signature updates on that and have an ASA5510(w/sec plus) as the standby with NO IPS module installed?  I haven't used the IPS module before, so I don't have the experience for this question.  My experience with the firewalls is that the hardware must match for HA to work, or even be enabled.  Is the IPS module transparent enough to the ASA operating system that it's not part of the equation here?  Or is this not possible and I need to get an IPS module for the second ASA and an expensive Smartnet contract to keep the IPS up to date and probably never ever use it.  In my experience, the ASA or PIX never fails... Our current uptime is about 18 months on the 515 and the downtime before that was for a ram upgrade.  If the primary ASA goes down, and takes the IPS with it, we can live without that for a day or two while the replacement ships.  These things never die and I'd hate to waste the money on a support contract for a firewall that never gets put into production, because the primary never dies.  Has anyone done this setup before?

Basically, can I do this..

1x ASA5510-AIP10SP-K9

1x ASA5510-SEC-BUN-K9

Instead of this...

2x ASA5510-AIP10SP-K9

Thanks everyone!

5 REPLIES 5
Highlighted
Cisco Employee

Re: ASA failover with non-matching hardware, IPS module

Yes, unfortunately to run failover on a pair of ASA, the hardware needs to be exactly the same on both. Otherwise, failover will not even work.

Here is the URL on hardware, software and license requirements for ASA in failover mode, version 8.3 and above:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/ha_overview.html#wp1077521

Hope that answers your question (sorry, maybe not something you would like to hear).

Highlighted
Beginner

Re: ASA failover with non-matching hardware, IPS module

Thanks for the quick reply.

In the scenerio that I have two matching ASA with IPS modules, do both firewalls call home and get IPS updates?  Or does the primary pull the update and sync it to the secondary?

...Do I need smartnet on the second device?  If the first devices goes down, I wouldn't be able to get a new update on the secondary device without the smartnet calling home, but I can live with that until the primary is replaced.

Highlighted
Rising star

Re: ASA failover with non-matching hardware, IPS module

Hi

Both IPS modules are independant, and will both need signature files updating (there is no sync of signature files, or config for that matter between primary and secondary).

Both IPS modules will need Smartnet IF you want to keep active signature files on them both.

One thing to bear in mind, it is quite possible that the ASAs will fail over and you won't realise it (unless you go and manually check it) - just because you have configured the primary as "primary" doesn't mean to say that it always will be the active unit. I've lost count of the number of times I've logged into an ASA to find that the active firewall is the secondary.

Reason I mention this: If you decide not to bother with Smartnet on the IPS of the secondary firewall, you won't get signature updates. If you firewalls do role swap and you don't realise, then you may find you're not as protected as you thought you were.

Just my twopenceworth.

Hope this helps.

Barry

Highlighted
Beginner

Re: ASA failover with non-matching hardware, IPS module

Very good points there, thanks!

I just wanted to make sure I covered all my bases, none of the salesmen I spoke with could answer these kind of questions.  I think this is one scenerio that you just have to bite the bullet and get everything.  I like the old model of a PIX with UR and one with FAILOVER for a cheaper price...  Oh well.

Thanks everyone!

Highlighted
Rising star

Re: ASA failover with non-matching hardware, IPS module

Ah.. never trust a salesman anyway :-)

No worries - post back here if you have any more questions.

To be fair to Cisco one thing they have sorted out in ASA 8.3 is the licensing. Historically the licenses installed on a pair of (say) 5510s had to be identical as well as the hardware. So if you'd bought SSL VPN licenses for one box, you had to purchase the same license for the standby unit. As only one of the units would *ever* be active, this was somewhat unfair. 8.3 supports license pooling and you only need to purchase the licenses you use.

None of this however effects the IPS module I'm afraid. These are very much stand alone modules, and need to be managed independently of the ASA (although there is a link in the ASDM management tool to get to them). IME (if they still do that) is much better than the inbuilt manager IMHO, and it's free.

Barry