Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2444
Views
0
Helpful
4
Replies

IPS 4240 fail open

Go to solution
pratik_193
Level 1
Level 1

‎02-13-2011 11:40 PM - edited ‎03-10-2019 05:16 AM

Hi All,

I have a single unit of IPS 4240. I want to know if my sensor or the unit itself fails/shutdowns, is there any option where in my traffic will be passed so that there is no downtime.

Thanks

Pratik

Labels:
0 Helpful
3 Accepted Solutions

Accepted Solutions

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎02-13-2011 11:55 PM

You can configure the sensor when it's inline mode with inline-bypass mode "auto" so when the unit fails, it will just pass through the traffic without inspecting it, however, if the sensor is completely shutdown, then no, traffic will be dropped when it's in inline mode.

Here is more information on inline bypass mode:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_interfaces.html#wp1047079

However, if it's in promiscious mode, then you don't have to worry about it as the packet is not inline and will not cause interruption.

Hope that helps.

View solution in original post

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to pratik_193

‎02-14-2011 12:39 AM

If the unit is dead, the answer is NO, you can't pass traffic. However, if the unit fails due to its inspection engine not working, then yes, you can pass traffic

like passing traffic through wire (via the IPS).

View solution in original post

0 Helpful

Go to solution
rhermes
Level 7
Level 7
In response to Jennifer Halim

‎02-14-2011 11:51 AM

The sensor has to partially fail in order for it's failopen to work (it has to be sane enough to realize the sensor app has crashed then inact the failopen routine). To protect yourself form the inevitable sensor crash, hardware failure, reboot after update I would suggest you obtain an external FailOpen switch, or make one from an existing switch you have.
STP can be use to fail around a downed sensor nicely.

- Bob

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎02-13-2011 11:55 PM

You can configure the sensor when it's inline mode with inline-bypass mode "auto" so when the unit fails, it will just pass through the traffic without inspecting it, however, if the sensor is completely shutdown, then no, traffic will be dropped when it's in inline mode.

Here is more information on inline bypass mode:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_interfaces.html#wp1047079

However, if it's in promiscious mode, then you don't have to worry about it as the packet is not inline and will not cause interruption.

Hope that helps.

0 Helpful

Go to solution
pratik_193
Level 1
Level 1
In response to Jennifer Halim

‎02-14-2011 12:33 AM

Hi Jeniffer,

Thanks for your prompt response. Do you mean to say that if i put the IPS in inline mode & having a single unit, i do have a option of passing traffic if the unit itself goes down?

Thanks

Pratik

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to pratik_193

‎02-14-2011 12:39 AM

If the unit is dead, the answer is NO, you can't pass traffic. However, if the unit fails due to its inspection engine not working, then yes, you can pass traffic

like passing traffic through wire (via the IPS).

0 Helpful

Go to solution
rhermes
Level 7
Level 7
In response to Jennifer Halim

‎02-14-2011 11:51 AM

The sensor has to partially fail in order for it's failopen to work (it has to be sane enough to realize the sensor app has crashed then inact the failopen routine). To protect yourself form the inevitable sensor crash, hardware failure, reboot after update I would suggest you obtain an external FailOpen switch, or make one from an existing switch you have.
STP can be use to fail around a downed sensor nicely.

- Bob

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card