When the ASAs with AIP-SSM modules are configured as a failover pair, the AIP-SSM configuration from the Active ASA does not get replicated to the Standby ASA when the failover takes place. Why does this happen and how can we solve this issue?
User needs to get a few clarifications on ASA active/standby failover involving the CSC SSM module. Current status: there is a production firewall running ASA 8.3.1, along with CSC module 6.3. Recently purchased another identical firewall unit, so these will be run in Active/Standby failover mode.
Question 1: The CSC module license on the newly purchased ASA unit was not activated and installed yet (customer misplaced the PAK paper license). User asks whether it is possible to set up the failover with one CSC SSM in operational mode while the other CSC status is down because no license is installed on it?
Question 2: The new firewall will be the standby unit. Besides configuring the failover, does he need to load the AnyConnect image to the new firewall as well?
Question 3: Can he just update the ASA version of the production firewall from 8.3.1 to 8.4.2? Would this cause any syntax error?
If you have two ASAs in a failover configuration and each has an AIP-SSM, you must manually replicate the configuration of the AIP-SSMs. Only the configuration of the ASA is replicated by the failover mechanism. The AIP-SSM is not included in the failover.
First, the AIP-SSM operates independently of the ASA in terms of failover. For failover, all that is needed from an ASA perspective is that the AIP modules be of the same hardware type. Beyond that, as with any other portion of failover, the configuration of the ASA between the active and standby must be in sync.
As for the set up of the AIPs, they are effectively independent sensors. There is no failover between the two, and they have no awareness of each other. They can run independent versions of code. That is, they do not have to match, and the ASA does not care about the version of code on the AIP with respect to failover.
As long as the hardware is exactly the same you should be able to HA pair them; however, I'd strongly suggest licensing both CSC modules.
Yes, you need to have the same versions of the AnyConnect image on both units since the version is listed in the running config under the webvpn section.
Going from 8.3.1 to 8.4.2 will be fine; the syntax is similar.
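A check for the image point above, added here and not part of the thread: failover replicates the running config (including the webvpn image lines) but not the files on flash, so this script parses the webvpn section of a running config in either the pre-8.4 "svc image" or the 8.4 "anyconnect image" syntax, parses a "dir disk0:" listing from the standby, and reports the packages the standby's flash lacks. The config and listing are constructed samples, not from the original post.

```python
import re

# Constructed sample running config (not from the original thread). The
# "svc image" form is the pre-8.4 syntax; 8.4 renamed it to "anyconnect image".
ACTIVE_CONFIG = """\
hostname asa-active
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
 svc enable
group-policy DfltGrpPolicy attributes
"""

# Constructed "dir disk0:" output from the standby unit: flash is not
# replicated by failover, so the macOS package is missing here.
STANDBY_DIR = """\
Directory of disk0:/

   10     -rwx  15243264    12:22:03 Mar 03 2011  asa831-k8.bin
   11     -rwx  4817216     12:25:10 Mar 03 2011  anyconnect-win-2.5.2014-k9.pkg
"""

IMAGE_RE = re.compile(r"^\s(?:svc|anyconnect) image (\S+)")

def webvpn_images(config):
    """AnyConnect packages referenced in the top-level webvpn section."""
    images = []
    in_webvpn = False
    for line in config.splitlines():
        if not line or not line[0].isspace():
            # Any unindented command starts a new section; only the
            # top-level "webvpn" section carries image lines.
            in_webvpn = line.strip() == "webvpn"
            continue
        if in_webvpn:
            m = IMAGE_RE.match(line)
            if m:
                images.append(m.group(1))
    return images

def flash_files(dir_output):
    """File names from an ASA 'dir' listing: index perms size time date name."""
    return {parts[-1] for parts in (l.split() for l in dir_output.splitlines())
            if len(parts) >= 8 and parts[0].isdigit()}

def missing_images(config, standby_dir):
    """Images the config references that are absent from the standby's flash."""
    present = flash_files(standby_dir)
    return [p for p in webvpn_images(config) if p.split("/", 1)[-1] not in present]
```

Run it against the active unit's "show running-config" and the standby's "dir disk0:" output before enabling failover; every path it returns must be copied to the standby first.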