05-18-2012 04:56 AM - edited 03-11-2019 04:08 PM
Hi,
I have a pair of ASA5520, each has a CSC-SSM module, all specs and licences match and the ASA failover between active and passive firewalls works as expected. However, I am unable to get the two content modules to sync. ASA are running 8.4... and attach diagram show cabling. Each CSC-SSM uses it's connected port as a gateway, although I've tried using both primary and standby IP.
When I try to sync the devices as per the Trend Micro instructions I get the error:
"InterScan for CSC SSM could not establish a connection with the failover peer device. Please verify network connectivity with the peer and that the peer is functioning properly, then try again."
All interfaces are up/up. I cannot see the other CSC-SSM in either ASA's arp table. Neither CSC-SSM can ping the other, and none of the guides I've found so far details the pre sync config of the CSC-SSMs. Any help will be greatly appreciated!
05-19-2012 01:00 AM
Hello,
Can you check the configuration related to the log you are getting on the following document,
http://www.cisco.com/en/US/docs/security/csc/csc60/administration/guide/csc6.html
Afterwards let me know if you have any question.,
Regards,
Do rate all the helpful posts
Julio
Cisco Security Engineer
05-19-2012 01:01 AM
Hello,
Can you check the configuration related to the log you are getting on the following document,
http://www.cisco.com/en/US/docs/security/csc/csc60/administration/guide/csc6.html
Afterwards let me know if you have any question.,
Regards,
Do rate all the helpful posts
Julio
Cisco Security Engineer
05-20-2012 05:29 AM
Hi
Thank you for responding. This was the manual I followed, however it doesn't outline the cabling between the ASA and CSC-SSM's, or the IP addressing. So I've configured each device as I would for a stand alone ASA & module, the problem being that the two CSC-SSM have no path to talk to each other, there is no layer 2 or 3 path between them. I have considered introducing a switch between them to allow a layer 2 path, but I would have thought that if this were part of the product design from Cisco it would have been mentioned in the documentation?
Thanks again.
05-20-2012 03:28 PM
Hello,
The CSC module got to be on the same subnet than the ASA ( THE CSC will use the ASA as the default gateway)
Can you confirm if you have it like that?
Regards,
Julio
05-21-2012 01:07 AM
Yes, I can confirm that, as detailed in the diagram I attached to the origonal post.
05-21-2012 10:36 AM
Hello,
From the CSC..Can you ping 4.2.2.2? On both CSC's
Regards,
Julio
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide