05-29-2006 01:39 AM - edited 03-10-2019 03:02 AM
Hi
The two ASAs with IPS modules are in active/standby mode. When I try to add both of the IPs (active/standby) into MARS, MARS will complain about duplicated hostnames.
How do I set up MARS to monitor ASAs with IPS in an active/standby topology?
Thanks!
05-31-2006 02:22 AM
Hi,
The fundamental problem with this scenario is that you have non-failover capable modules in a failover chassis - think of the ASA failover pair as one device and the IPS modules as two completely separate devices.
Then, as already mentioned, add only the primary ASA. (The secondary will never be passing traffic in standby mode, so it's not actually needed in MARS.) Then, with the first IPS module, you can add it as a module of the ASA or as a standalone device (MARS doesn't care). With the second IPS module the only option is to add it as a separate device anyway.
In a failover scenario the ASAs swap IPs but the IPSs don't, so whereas you'll only ever get messages from the active ASA, you'll get messages from both IPS IPs depending on which one happens to be in the active ASA at the time.
Don't forget that you have to manually replicate all IPS configuration every time you make a change.
HTH
Andrew.
05-30-2006 03:30 AM
Hi... I don't think you can add them both. As you have a failover configuration, only one IP (the active) is the one you need to bring reports from. I suggest you configure the management IP address for the ASAs and add the active one only. Using the discovery option you should be able to add the IPS module as well once the ASA has been added.
05-30-2006 05:15 AM
You must add the ASA with the primary IP address and then add both IPS modules (with different IP addr. and different hostnames).
05-30-2006 06:25 AM
Hi
You mean both of the two IPS as modules of the same ASA IP?
Thanks!
05-30-2006 06:55 AM
Hi,
Refer to my post http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=General&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddb520e
You can only add the active IP, not both active & standby.
Rgds,
AK