Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
1961
Views
0
Helpful
0
Comments

ASA failover pair doesn't replicate: AIP-SSM module config from Active to Stanby device.

Prabhu Nagarajan
Level 1
Level 1

‎01-28-2013 09:59 PM - edited ‎03-08-2019 06:48 PM

 

Problem:

Scenario 1:

When the ASAs with AIP-SSM modules are configured as failover pair the AIP-SSM configuration from the Active ASA does not get replicated to the Standby ASA when the failover takes place. Why this happens and how can we solve this issue?

 

Scenario 2:

User needs to get few clarification on  ASA active/standby failover, involving CSC SSM module. Current status there is production firewall running in ASA8.3.1, along with CSC module 6.3. Recently purchased another identical unit of firewall, so these will do in Active/Standby failover mode.

Question 1
The new purchase ASA unit CSC module license was not acitviate and installed yet (customer misplace the PAK paper license). User questions that is it possible to set up the failover in the condition of one CSC SSM in operation mode, whilst another CSC status down because no license install on it?

Question 2
New firewall will the standby unit, beside configure on the failover, do he need to load AnyConnect image to the new firewall as well?

Question 3:
Can he just update the ASA version of the production firewall from 8.3.1 to 8.4.2? Would this cause any syntax error?

Resolution:

Scenario 1:

If you have two ASAs in a failover configuration and each has an AIP-SSM, you must manually replicate the configuration of the AIP-SSMs. Only the configuration of the ASA is replicated by the failover mechanism. The AIP-SSM is not included in the failover.

 

First, the AIP-SSM operates independently of the ASA in terms of failover. For failover, all that is needed from an ASA perspective is that the  AIP modules be of the same hardware type. Beyond that, as with any other portion of failover, the configuration of the ASA between the active and standby must be in sync.

 

As for the set up of the AIPs, they are effectively independent sensors. There is no failover between the two, and they have no awareness of each other. They can run independent versions of code. That is, they do not have to match, and the ASA does not care about the version of code on the AIP with respect to failover.

 

Scenario 2:

  • As long as the hardware is exactly the same you should be able to HA pair them however I'd strong suggest licensing both CSC modules.
  • Yes, you need to have the same versions of the AnyConnect image on both units since the version is listed in the  running config under the webvpn section.
  •  Going from 8.3.1 to 8.4.2 will be fine, the syntax is similar.

 

Source:https://supportforums.cisco.com/message/3820678#3820678

Labels:
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents