
ASA Fails when installing IPS module (SSM-10)

fborelli07
Level 1

Estimates, how are you?

 

I'm having trouble with my pair of ASA5510. At the moment everything is working fine. They are configured with Failover and this one is working fine as well.

 

The issue begins when I install the IPS modules in each device.

First question: which would be the proper steps to install the module for the first time, taking into account that there is a Failover configured?

 

I've tried installing the module in the standby unit and then in the active one. But it seems that the failover goes down. And nothing works (looks like the traffic is being forwarded through both devices).

 

Then I tried shutting both devices down, installing the modules in each, and powering up again. Same as before. Nothing works.

 

Could it be the IPS? And here's my second question: when installing a new Cisco SSM-10 in your device, if you don't make any configuration, by default the traffic keeps going as if the module wasn't installed? Am I wrong or not?

 

 

Thanks!!

1 Reply

Marvin Rhoads
Hall of Fame

Is this a lab or production? I ask because both the 5510 and the IPS modules are end of sales. You cannot purchase a new support contract to get updates on the classic IPS any more.

In any case, you should install the module in the standby unit first. Shut it down, bring it up and verify the module is healthy.

Verify failover is working still. Until you create a service policy redirecting traffic into the module, you should be able to have a working HA pair even with mismatched modules.

Then failover to make that Standby unit Active. Repeat the procedure on the Primary unit while it is in Standby mode. Failover once more to have a working HA pair with identical IPS modules.

Update your modules to the latest available IPS software and signatures (as best you can with these end of sales units). Then create the service-policy to redirect traffic for inspection, 
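
The sequence described in the reply above, written out as ASA CLI. This is an added example, not part of the original thread. The names IPS-TRAFFIC and IPS-CLASS are assumptions, module slot 1 is assumed, and `fail-open` is chosen here so that traffic keeps passing if the module becomes unavailable (`fail-close` would drop it instead).

```cisco
! Added example, not from the thread. Object names are assumptions.
!
! 1. On the unit that just received the module (currently standby):
!    confirm the SSM is healthy and the HA pair is intact.
show module 1 details
!    expect the module status to read Up before continuing
show failover
!    expect one unit Active and the other Standby Ready
!
! 2. Swap roles so the other unit can be serviced while it is standby.
!    Run on the standby unit:
failover active
!    (or run "no failover active" on the active unit instead)
!    Then repeat step 1 on the second unit after its module is installed.
!
! 3. Only after both modules are Up: redirect traffic for inspection.
!    Until this policy exists, no traffic is sent to the module.
access-list IPS-TRAFFIC extended permit ip any any
class-map IPS-CLASS
 match access-list IPS-TRAFFIC
policy-map global_policy
 class IPS-CLASS
  ! inline = module sits in the traffic path; promiscuous = module gets a copy
  ips inline fail-open
service-policy global_policy global
```

Using `ips promiscuous fail-open` first lets you confirm the module sees traffic before it is placed in the forwarding path.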
