ASA-SSM-20/40 IPS Software upgrade question

N3t W0rK3r
Level 3

I am looking at upgrading the IPS modules (ASA-SSM-20 and ASA-SSM-40) on two different ASAs to ver 7.1(11)E4 as per this field notice:

http://www.cisco.com/c/en/us/support/docs/field-notices/640/fn64080.html

My question is around whether traffic flowing through the firewall will be impacted during this update and the subsequent reboot of the IPS module.

On the respective ASAs, a service policy is in place that will allow traffic to pass in the case where the IPS module becomes unavailable. Question is, will this in fact happen during the update?

Suggestions and comments are welcomed.

Thanks in advance.

John

3 Replies

Marvin Rhoads
Hall of Fame

If your IPS is inline and set to fail open then the traffic through the ASA (assuming a standalone ASA and not part of an HA pair) will not be affected when the IPS service module reloads.

If an ASA is in an HA pair and a service module (ips, cxsc or sfr) fails it will by default trigger a failover event. (ASA 9.5 introduced the option to change that behavior.) The result is the same - zero downtime (although TCP connections may need to re-establish if you don't have stateful failover configured).

Thanks for your reply Marvin.

The SSM-20 modules are in fact a part of an ASA-5520 HA pair... thanks for mentioning this.

The SSM-40 is in a standalone ASA-5540.

Both IPS modules are configured inline.

Now regarding the HA pair... I guess I need to manually update each SSM-20 module, is that right? Should I update the secondary ASA/IPS first and then the primary? Or what do you recommend?

Thanks again.

John

You're welcome.

In an HA pair you do need to update each module separately. The service modules operate mostly independently of the parent ASA and have no concept of the HA configuration.

I would update the secondary first. That will prove the procedure and you can observe it at leisure on the Secondary-Standby unit.

Once you're happy that it comes back up fine and shows as Ready state you can then force a failover and repeat the upgrade on the unit that's now Primary-Standby.
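As an added illustration, not part of the thread, here is the ASA-side configuration the answers above hinge on, in ASA CLI, with the fail-open setting beside the fail-close variant to check for before the upgrade. The class-map name and the module slot number (1) are assumed.

```text
! Added example, not from the thread. Class-map name and slot 1 are assumed.
! Inline IPS set to fail open: matching traffic keeps flowing while the
! SSM is unavailable, e.g. during the reload that follows the upgrade.
class-map IPS-TRAFFIC
 match any
policy-map global_policy
 class IPS-TRAFFIC
  ips inline fail-open
service-policy global_policy global

! The setting to look for and avoid before upgrading: fail-close drops
! matching traffic for as long as the module is down or reloading.
!  ips inline fail-close

! Verify the applied mode and the module state before and after:
! show service-policy        (reports the IPS mode, e.g. inline fail-open)
! show module 1 details      (module should return to an Up/Ready state)

! HA pair: upgrade the module on the Secondary-Standby unit first, wait for
! it to show Ready, then on that standby unit force a failover and repeat
! the upgrade on the peer that is now standby:
! failover active
```

On the standalone ASA only the first block applies; the fail-open setting is what keeps traffic flowing while the SSM-40 reloads.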
