Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
340
Views
3
Helpful
4
Replies

cisco ASA fail-open with "no monitor-interface service-module"

Go to solution
hamidreza.taghipur
Level 1
Level 1

‎11-01-2023 02:03 AM

Hi

In the ASA with firepower module, can we use fail-open command with "no monitor-interface service-module" ?
Can it still detect fail status of firepower module with "no monitor-interface service-module"

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
AViftrup
Level 1
Level 1

‎11-01-2023 10:42 AM

fail-open - means if module is down, it will forward traffic regardless of configured rules.

no monitor-interface service-module - This is only related to high-availability, executing this command means IF the SFR module is down, it will not failover to standby unit if this is the only condition to trigger.

Both commands can operate along each other, but keep in mind they have different use-cases.

View solution in original post

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎11-01-2023 11:20 AM

In addition to what @AViftrup correctly noted, the ASA will still see the status of the module even with "no monitor-interface service-module", it just won't trigger a failover event when the status changes to "failed". It will generate a syslog message whenever module status changes (assuming you haven't disabled logging).

View solution in original post

4 Replies 4

Go to solution
AViftrup
Level 1
Level 1

‎11-01-2023 10:42 AM

fail-open - means if module is down, it will forward traffic regardless of configured rules.

no monitor-interface service-module - This is only related to high-availability, executing this command means IF the SFR module is down, it will not failover to standby unit if this is the only condition to trigger.

Both commands can operate along each other, but keep in mind they have different use-cases.

Go to solution
hamidreza.taghipur
Level 1
Level 1
In response to AViftrup

‎11-05-2023 12:11 AM

thanks alot for attention .

 

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎11-01-2023 11:20 AM

In addition to what @AViftrup correctly noted, the ASA will still see the status of the module even with "no monitor-interface service-module", it just won't trigger a failover event when the status changes to "failed". It will generate a syslog message whenever module status changes (assuming you haven't disabled logging).

Go to solution
hamidreza.taghipur
Level 1
Level 1
In response to Marvin Rhoads

‎11-05-2023 12:11 AM

thanks alot for explanation

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card