Security Intelligence DNS Monitor/Block only works on one ASA in a HA pair

Level 1

Hi All

About a year ago, DNS security via the Security Intelligence section stopped working when the secondary HA ASA becomes the active firewall (which happens frequently due to module monitoring at the ASA level and weekly deployments resulting in frequent sub-second module restarts). The client is not pushing the DNS layer protection, so I can't spend time on a lengthy Cisco case (I did open a case, but upgrading was the next step).

I have since upgraded a couple of times and it has never fixed it. Just wondering if anyone else has come across this?

I've unloaded the DNS policy and reapplied it as another step, with no change in the situation.

3 Replies

Marvin Rhoads
Hall of Fame

Are both the primary and secondary ASA's Firepower service modules registered and licensed in your FMC?


When the secondary is active, all other functions work the same. Just not the DNS policy.

I've deployed numerous ASAs with Firepower service modules in HA pairs and never had this happen. Something is most likely set up differently on your standby ASA's Firepower service module.
