02-07-2012 03:24 PM - edited 03-11-2019 03:25 PM
All, I am looking to add the IPS module to my ASA 5510s. I am contemplating only purchasing one module and placing it in the active ASA. I am willing to accept that in a failure scenario I will lose the IPS functionality until the primary ASA is recovered. I have not had a chance to talk to my SE to see if this is even possible. Has anyone attempted a deployment such as this? Will it work, and is it supported?
Sent from Cisco Technical Support iPad App
02-07-2012 03:31 PM
Hello,
Unfortunately to run failover on a pair of ASA, the hardware needs to be exactly the same on both. Otherwise, failover will not even work.
Here is one link that will help you regarding the requirements for a successful HA cluster.
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/ha_overview.html#wp1077521
Regards,
Julio
Do rate all helpful posts!!
02-07-2012 07:22 PM
Thanks for the response, I thought that was the case, but it never hurts to ask. What about the contract. Do you have to carry the smarter contract on both modules?
Sent from Cisco Technical Support iPad App
02-07-2012 08:53 PM
Both IPS modules will need Smartnet IF you want to keep active signature files on them both.
Regards,
Julio
Rate helpful posts!!
11-22-2013 10:01 AM
So you need to have a physical IPS module in each of the active and standby ASAs, but you can only pay for one license of updates if you are willing to accept that your standby ASA will not have up-to-date signature files?
In a scenario when you have failover and failback, does this cause issues or will everything work fine?
11-22-2013 10:53 AM
No, it does not, but I don't believe that it would be a good idea; the intention of purchasing a device is for it to be fully functional, not partially.
Value our effort and rate the assistance!
11-22-2013 10:58 AM
I just found out that the VPN licensing on active/standby configurations only requires 1 license with versions 8.3 and above. So for SSL VPN, we only need one license for the active unit and during failover the standby unit would inherit it and vice-versa. Is this the same with IPS then and we'd only need one license for the two appliances? We are on 8.4.
11-25-2013 08:20 AM
Hello Jon,
No, it is not the same. The IPS license has nothing to do with the failover setup, and it does not replicate over. If you want, you can license one or both, but again, the idea of purchasing a device is for it to be fully functional.
Value our effort and rate the assistance!
11-25-2013 08:50 AM
Ok, that is what I needed to know. The purpose of us having an active/standby ASA is to keep the business up and going for the very rare times there could be an active ASA failure. The purpose for the IPS would be to help protect and inspect traffic, and it is not necessary to keep the business running. If we implement IPS, I am not worried at all if, during the times when the primary ASA is down (hasn't been down for over three years now), we lose the IPS functionality. This is not worth the $1000 extra per year to us.
Thanks for the responses though. That answers my questions.
11-25-2013 09:26 AM
Value our effort and rate the assistance!
11-25-2013 02:59 PM
You can establish a failover pair with one unit having the IPS module and the other one not having it.
I know the docs say you need the same SSMs but I have seen it work firsthand.
11-26-2013 09:12 PM
Please mark the discussion as answered.
Value our effort and rate the assistance!