IPS modules in Cisco ASA 5510 Active/Standby pair.

dschuckman1
Level 1

All, I am looking to add the IPS module to my ASA 5510s. I am contemplating only purchasing one module and placing it in the active ASA. I am willing to accept that in a failure scenario I will lose the IPS functionality until the primary ASA is recovered. I have not had a chance to talk to my SE to see if this is even possible. Has anyone attempted a deployment such as this? Will it work, and is it supported?

Sent from Cisco Technical Support iPad App

11 Replies

Julio Carvajal
VIP Alumni

Hello,

Unfortunately, to run failover on a pair of ASAs, the hardware needs to be exactly the same on both. Otherwise, failover will not even work.

Here is one link that will help you regarding the requirements for a successful HA cluster.

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/ha_overview.html#wp1077521

Regards,

Julio

Do rate all helpful posts!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks for the response, I thought that was the case, but it never hurts to ask. What about the contract? Do you have to carry the Smartnet contract on both modules?

Sent from Cisco Technical Support iPad App

Both IPS modules will need Smartnet IF you want to keep active signature files on them both.

Regards,

Julio

Rate helpful posts!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

So you need to have a physical IPS module in each of the active and standby ASAs, but you can only pay for one license of updates if you are willing to accept that your standby ASA will not have up-to-date signature files?

In a scenario when you have failover and failback, does this cause issues or will everything work fine?


No, it does not, but I don't believe that it would be a good idea; the intention of purchasing a device is for it to be fully functional, not partially.

Value our effort and rate the assistance!


I just found out that the VPN licensing on active/standby configurations only requires 1 license with versions 8.3 and above.  So for SSL VPN, we only need one license for the active unit and during failover the standby unit would inherit it and vice-versa.  Is this the same with IPS then and we'd only need one license for the two appliances?  We are on 8.4.

Hello Jon,

No, it is not the same. The IPS license has nothing to do with the failover setup and it does not replicate over; if you want, you can license one or both, but again, the idea of purchasing a device is for it to be fully functional.

Value our effort and rate the assistance!


Ok, that is what I needed to know. The purpose of us having an active/standby ASA is to keep the business up and going for the very rare times there could be an active ASA failure. The purpose for the IPS would be to help protect and inspect traffic and is not necessary to keep the business running. If we implement IPS, I am not worried at all if during the times when the primary ASA is down (hasn't been down for over three years now) we lose the IPS functionality. This is not worth the $1000 extra per year to us.

Thanks for the responses though.  That answers my questions.

Value our effort and rate the assistance!


You can establish a failover pair with one unit having the IPS module and the other one not having it.

I know the docs say you need the same SSMs but I have seen it work firsthand.

Please mark the discussion as answered

Value our effort and rate the assistance!
