What happens to the IPS in an ASA 5515-X in an A/S failover configuration

simoncutting
Level 1

I have 2 * ASA5515-IPS-K9 that were purchased last year and were configured as 2 separate firewalls and IPS modules. Although there were some initial teething problems with the IPSs being able to communicate with the Internet for signature updates, this was resolved with assistance from TAC.

The ASAs have recently been reconfigured to work in an Active/Standby failover configuration, with everything working and functioning correctly. But it now seems like there are some serious issues with the IPS modules. The IPS in the 'Active' unit is 'not connected' and I am unable to reconnect to it via IME (7.2.1). The second module is connected but states that the signature definitions are out-of-date although the automatic signature download says that it's working correctly!

The units are installed in a remote data centre, but I have got full remote access to them.

My questions are:

What happens to the IPS module in the 'Standby' unit, does it stay live or should it shutdown into standby?

What is the correct configuration for the IPS modules in this scenario?

How can I restore correct functionality to these units?

1 Reply

Ajay Saini
Cisco Employee

On the ASA for which IPS is not accessible, please check the output of show module 1 detail. It should tell if the module is down.

Find answers inline:

What happens to the IPS module in the 'Standby' unit, does it stay live or should it shutdown into standby?

-it should stay live

What is the correct configuration for the IPS modules in this scenario?

-There is no recommended config, the normal config using the setup command such that IPS is accessible from the network

How can I restore correct functionality to these units?

-you can use the following command from the ASA cli:

hw module 1 reload

If problem persists, please open a TAC case.


HTH

AJ
