05-03-2016 09:39 AM - edited 03-10-2019 06:36 AM
I am looking at upgrading the IPS modules (ASA-SSM-20 and ASA-SSM-40) on two different ASAs to version 7.1(11)E4 as per this field notice:
http://www.cisco.com/c/en/us/support/docs/field-notices/640/fn64080.html
My question is around whether traffic flowing through the firewall will be impacted during this update and the subsequent reboot of the IPS module.
On the respective ASAs, a service policy is in place that will allow traffic to pass in the case where the IPS module becomes unavailable. The question is, will this in fact happen during the update?
Suggestions and comments are welcomed.
Thanks in advance.
John
05-03-2016 11:05 AM
If your IPS is inline and set to fail open then the traffic through the ASA (assuming a standalone ASA and not part of an HA pair) will not be affected when the IPS service module reloads.
If an ASA is in an HA pair and a service module (ips, cxsc or sfr) fails it will by default trigger a failover event. (ASA 9.5 introduced the option to change that behavior.) The result is the same - zero downtime (although TCP connections may need to re-establish if you don't have stateful failover configured).
05-03-2016 11:17 AM
Thanks for your reply Marvin.
The SSM-20 modules are in fact a part of an ASA-5520 HA pair... thanks for mentioning this.
The SSM-40 is in a standalone ASA-5540.
Both IPS modules are configured inline.
Now regarding the HA pair... I guess I need to manually update each SSM-20 module, is that right? Should I update the secondary ASA/IPS first and then the primary? Or what do you recommend?
Thanks again.
John
05-03-2016 11:23 AM
You're welcome.
In an HA pair you do need to update each module separately. The service modules operate mostly independently of the parent ASA and have no concept of the HA configuration.
I would update the secondary first. That will prove the procedure, and you can observe it at leisure on the Secondary-Standby unit.
Once you're happy that it comes back up fine and shows as Ready state you can then force a failover and repeat the upgrade on the unit that's now Primary-Standby.
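As an added worked example (not part of the original thread, and not taken from Cisco documentation): the ASA-side check that the service policy really is fail-open, followed by the HA upgrade sequence the answer describes, for an IPS SSM in slot 1. The hostnames, the slot number, the FTP server address (192.0.2.10, a documentation address) and the package file name are assumptions; substitute your own.

```text
! --- 1. Confirm the IPS service policy is inline and fail-open (check on BOTH units) ---
! Weak setting: traffic is dropped while the module is down or reloading
!   policy-map global_policy
!    class inspection_default
!     ips inline fail-close
! Setting the thread relies on: traffic bypasses the module while it is not Ready
policy-map global_policy
 class inspection_default
  ips inline fail-open
service-policy global_policy global

asa# show running-config policy-map     ! verify "ips inline fail-open" is what is actually applied
asa# show failover                      ! note which unit is Active and which is Standby Ready
asa# show module 1                      ! module Status should be Up before you start

! --- 2. Upgrade the module on the Standby unit first ---
asa-standby# session 1                  ! console into the SSM (assumed slot 1)
sensor# configure terminal
sensor(config)# upgrade ftp://user@192.0.2.10/IPS-K9-7.1-11-E4.pkg   ! assumed server and file name
! The module reloads on its own when the upgrade is applied; wait for it to come back.

! --- 3. Verify the module came back before touching the other unit ---
asa-standby# show module 1 details      ! Status should return to Up
asa-standby# session 1
sensor# show version                    ! expect 7.1(11)E4

! --- 4. Force failover so the upgraded unit carries traffic, then repeat on the other unit ---
asa-standby# failover active            ! this unit becomes Active; the peer becomes Standby
asa-standby# show failover              ! confirm roles swapped and the peer is Standby Ready
! Repeat steps 2 and 3 on the unit that is now Standby.
```

Doing the standby module first matters because a module failure on the Standby unit does not trigger a failover, so the first reload is observed without any traffic moving. When the second module is upgraded, that unit is also Standby, so again no failover is forced by the module reload itself; the only role change is the one you initiate with `failover active`.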