The fail-open and fail-closed options on the ASA have no hand in the sensor's bypass mechanism. These configuration arguments only determine what the ASA will do if the AIP is not at all available via software (i.e. it is in the Reset or Shutdown state). If the AIP-SSM is available, but sensorApp is down, the fail-open and fail-closed ASA configuration arguments are ignored and the sensor's own bypass configuration determines traffic flow.
There are several conditions that could result in wanting to enable/disable bypass on the sensor itself, but none of them include altering the configuration to bypass the sensor for testing purposes. For testing, it would be more efficient to remove/add the traffic flows to the service-policy on the ASA.
Failure types and configuration choices
sensorApp failing:
If you want the traffic to always be dropped when the sensorApp fails, set bypass to off. If you want the traffic to always be passed when sensorApp fails, leave bypass set to auto. If you want the traffic to bypass the sensor inspection, alter the policy-map rather than set bypass to on.
SSM going into shutdown or reset state:
If you want the traffic to always be dropped when the SSM goes into shutdown or reset state, configure the ASA to fail-closed. If you want the traffic to always be passed when the SSM goes into shutdown or reset state, configure the ASA to fail-open.
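As an added example (not part of the original answer), here is how the two separate knobs described above look in configuration: the ASA-side fail-close/fail-open on the service policy, the sensor-side bypass-mode, and the policy-map edit the answer recommends for testing instead of touching bypass. The ACL, class-map and policy-map names (IPS_TRAFFIC, IPS_CLASS, global_policy) are assumed.

```text
! ---- ASA side: only matters when the SSM is in Reset or Shutdown state ----
access-list IPS_TRAFFIC extended permit ip any any
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
policy-map global_policy
 class IPS_CLASS
  ips inline fail-close
! "ips inline fail-close" drops traffic if the module itself is unavailable;
! "ips inline fail-open" would pass it instead. Neither line has any effect
! while the module is up and only sensorApp is down.
service-policy global_policy global

! ---- Sensor side (AIP-SSM CLI): decides the sensorApp-down case ----
! bypass-mode off  = drop traffic when sensorApp fails
! bypass-mode auto = pass traffic when sensorApp fails (default)
sensor# configure terminal
sensor(config)# service interface
sensor(config-int)# bypass-mode off
sensor(config-int)# exit
Apply Changes?[yes]: yes

! ---- Testing without the sensor: take the flows out of the policy ----
! (rather than setting bypass-mode on)
policy-map global_policy
 no class IPS_CLASS
! ... run the test, then restore inspection:
policy-map global_policy
 class IPS_CLASS
  ips inline fail-close
```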