Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1532
Views
0
Helpful
3
Replies

Security Intelligence DNS Monitor/Block only works on one ASA in a HA pair

evan.chadwick1
Level 1
Level 1

‎11-04-2019 04:43 PM - edited ‎02-21-2020 09:39 AM

Hi All

About a year ago, DNS security via the Security Intelligence section stopped working  when the Secondary HA ASA becomes the active firewall (which happens frequently due to module monitoring at the Asa level and weekly deployments resulting in frequent sub second module restarts ). The client is not pushing the DNS layer protection, so I can't spend time on a lengthy Cisco Case. (i did open a case but upgrading was the next step).

I have since upgraded a couple of times and it has never fixed it. Just wondering if anyone else has come across this?

I've unloaded the Dns policy and reapplied it as another step with no change in the situation.

Labels:
0 Helpful
3 Replies 3

Marvin Rhoads
Hall of Fame
Hall of Fame

‎11-04-2019 08:28 PM

Are both the primary and secondary ASA's Firepower service modules registered and licensed in your FMC?

0 Helpful

evan.chadwick1
Level 1
Level 1
In response to Marvin Rhoads

‎07-21-2020 02:45 PM

Yes.

When the Secondary is Active all other functions work the same. Just not DNS Policy

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to evan.chadwick1

‎07-21-2020 07:06 PM

I've deployed numerous ASAs with Firepower service modules in HA pairs and never had this happen. Something is most likely be setup differently on your standby ASA's Firepower service module.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card