The fail-open and fail-close options on the ASA play no part in the sensor's own bypass mechanism. These configuration arguments only determine what the ASA does when the AIP-SSM is not reachable in software at all (i.e. the module is in the Reset or Shutdown state). If the AIP-SSM is up but sensorApp is down, the ASA's fail-open and fail-close settings are ignored and the sensor's own bypass configuration decides whether traffic is passed or dropped.
There are several conditions that could justify enabling or disabling bypass on the sensor itself, but bypassing the sensor for testing purposes is not one of them. For testing, it is more efficient (and more predictable) to remove or add the traffic flows in the service-policy on the ASA.
Failure types and configuration choices
sensorApp failing:
If you want the traffic to always be dropped when sensorApp fails, set bypass to off. If you want the traffic to always be passed when sensorApp fails, leave bypass set to auto. If you want the traffic to skip sensor inspection entirely, alter the policy-map rather than setting bypass to on.
SSM going into shutdown or reset state:
If you want the traffic to always be dropped when the SSM goes into shutdown or reset state, configure the ASA to fail-closed. If you want the traffic to always be passed when the SSM goes into shutdown or reset state, configure the ASA to fail-open.
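The two knobs described above, side by side, as an added configuration example (not taken from the original post). The ASA side uses the standard `ips` action under a policy-map class; the sensor side uses the IPS CLI `bypass-mode` setting under `service interface`. The names ips_traffic, ips_class and global_policy are assumptions for illustration; the module slot number (1) is the usual single-SSM slot.

```cisco
! ---------- ASA side ----------
! Which flows are sent to the AIP-SSM. For testing, change this
! access-list (or remove the class below) instead of touching the
! sensor's bypass setting.
access-list ips_traffic extended permit ip any any
class-map ips_class
 match access-list ips_traffic
!
! fail-open / fail-close ONLY applies when the module itself is
! unreachable in software (Reset or Shutdown state).
! It does NOT apply when the module is up but sensorApp is down.
policy-map global_policy
 class ips_class
  ips inline fail-close
  ! ...or, to pass traffic while the module is down:
  ! ips inline fail-open
service-policy global_policy global
!
! Temporarily skip IPS inspection for testing (ASA side, no sensor change):
!   policy-map global_policy
!    no class ips_class
! and re-add the class when testing is complete.
!
! Verify module state and whether flows are hitting the IPS class:
!   show module 1 details
!   show service-policy

! ---------- Sensor (AIP-SSM) side ----------
! bypass-mode governs traffic when the module is up but sensorApp
! is not running:
!   auto = pass traffic while sensorApp is down (default)
!   off  = drop traffic while sensorApp is down
!   on   = never inspect (avoid; change the ASA policy-map instead)
configure terminal
service interface
bypass-mode off
exit
exit
```

Note that `ips inline fail-close` on the ASA with `bypass-mode auto` on the sensor still passes traffic during a sensorApp failure, because the sensor setting is the one that applies in that state; pick the sensor setting and the ASA setting independently for the two failure types.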