
ASA w/ Firepower HA & management ports

CSCO10662744_2
Level 1

When an ASA node is in standby mode, all of its interfaces are dormant/inactive. Is it the same way with the management interface?

We're deploying two ASA5555s with the Firepower module.
Since the FP modules rely on the management interfaces to communicate with FireSight MC, I assume the management interface on the standby ASA is still active, so that the FP module can be managed?

Also, the config guide says state info is not synced between the active/standby ASAs' Firepower modules.
Has anyone done failover testing in production?
Was there any noticeable disruption?

TIA

1 Accepted Solution

Accepted Solutions

Marvin Rhoads
Hall of Fame

The management interface is active on a standby unit in an ASA HA cluster. This applies both for the ASA software as well as for the FirePOWER (sfr) module.

Indeed, state information is not shared between the sfr modules. I seldom see state synchronization even between the ASAs in the small to medium enterprises I work with. Generally the higher-layer protocols will recover gracefully without the end users ever noticing. Your situation may vary, but that's just my experience.

6 Replies

Thanks Marvin.

Our prior failover experiences were with the traditional ASA (no Firepower), where users didn't notice a thing.

Was just wondering if it's the same with the Firepower module riding on top.

In FMC if the sensor is not getting data from the ASA the FMC console alerts on it.

In the case of the standby ASA, which wouldn't be receiving data, I assume FMC is going to throw an error due to no data.

Is there a way to turn this off?

I recommend starting a new thread next time because people tend to read/reply to posts that haven't been answered.

Anyway, I ran into the same scenario that you're describing: an idle FirePower sensor on the standby ASA generating annoying alerts.

You need to go to:

System / Health / Policy / Interface Status

Turn off the option. (It monitors whether the interfaces are receiving traffic.)

That's what I was looking for. Thanks :)

Jetsy Mathew
Cisco Employee

Hello,

In an active/standby setup, the ASA will share state, but the FirePOWER module won't. From the FMC point of view, the FirePOWER modules are independent.

Thus, when a failover happens in the ASA, any existing ASA FirePOWER flows are transferred to the new ASA. The ASA FirePOWER module in the new ASA begins inspecting the traffic from that point forward; old inspection states are not transferred. The policies also won't sync automatically between the modules.

You are responsible for maintaining consistent policies on the ASA FirePOWER modules in the high-availability ASA pair (using FireSIGHT Management Center) to ensure consistent failover behavior.

ASA Clustering Guidelines

Does not support clustering directly, but you can use these modules in a cluster. You are responsible for maintaining consistent policies on the ASA FirePOWER modules in the cluster using FireSIGHT Management Center. Do not use different ASA-interface-based zone definitions for devices in the cluster.

Please note the wording "maintaining consistent policies": you cannot maintain the same policy if you do not have the same license.

Let me know if you have any questions.

Rate if this answer helps you.

Regards

Jetsy