Active-Standby SSM-IPS upgrade question

I have 2 ASA 5510's with ASA-SSM-10 IPS modules. The IPS's were running version 5.0.2, and I noticed this will not be supported for SIGS so I started to upgrade to version 5.1.1g. I got one unit upgraded and it seems to be fine, but the second still says it is running 5.0.2 and it will not let me login to it via CLI. When I force a failover the IPS always seems to be with the upgraded unit, so I can never get to my other IPS to upgrade it.
What did I do wrong?
Thanks,
Dan

When you say it will not let you login via CLI, what method of connection are you attempting? Are you telnetting directly to the management IP of the second SSM, or sshing directly to the management IP of the second SSM, or sessioning through the console of the second ASA into the second SSM?
What if any errors are you seeing when trying to login?
When you say that you failover the IPS you can't get to the other IPS, to what are you referring?
The SSMs don't failover to each other. They do not share configuration, and should not share IP Addresses for their management IP. If you have configured the same IP for both SSMs, then you have a bad configuration. Each SSM needs their own independent IP Address. The SSMs should be managed as independent sensors.

Similar Messages

  • IPS modules in Cisco ASA 5510 Active/Standby pair.

    All, I am looking to add the IPS module to my ASA 5510's. I am contemplating only purchasing one module and placing it in the active ASA. I am willing to accept that in a failure scenario I will lose the IPS functionality until the primary ASA is recovered. I have not had a chance to talk to my SE to see if this is even possible. Has anyone attempted a deployment such as this? Will it work and is it supported?
    Sent from Cisco Technical Support iPad App

    Ok, that is what I needed to know. The purpose of us having an active/standby ASA is to keep the business up and going for the very rare times there could be an active ASA failure. The purpose for the IPS would be to help protect and inspect traffic and is not necessary to keep the business running. If we implement IPS I am not worried at all if during the times when the primary ASA is down (hasn't been down for over three years now) we lose the IPS functionality. This is not worth the $1000 extra per year to us.
    Thanks for the responses though.  That answers my questions.

  • Step to prep CSC SSM on ASA Active/Standby mode

    Hi all, 
    I am trying to setup Active/Standby HA mode for my site.
    Currently the site was installed with one unit ASA firewall with CSC-SSM module, the second unit is the new unit ready to be setup.
    My question:
    01. My concern is the second unit's CSC-SSM: what is the proper procedure or steps needed to prep it?
    Does the CSC-SSM need to be prepped before the ASAs are in HA mode, or will the configuration propagate automatically when both units are in HA mode?
    What else do I need to be concerned about? Do I need to set up a different IP for the CSC-SSM management interface?
    Thanks
    Noel

    Hello Yong,
    Configuration related to the CSC or SSM modules will never get propagated, so you will basically need to configure it manually.
    Also, it's not like failover will fail if the config on both modules is different, but of course you want to have the same one.
    IP addresses for each of the modules will be dedicated ones. Remember that failover will fail if one box has the CSC and the other not.
    Looking for some Networking Assistance? 
    Contact me directly at [email protected]
    I will fix your problem ASAP.
    Cheers,
    Julio Carvajal Segura
    http://laguiadelnetworking.com

  • ASA failover with 1 AIP SSM in Active/Standby?

    I have a customer with two ASAs; in Active/Standby. They want to purchase one AIP. Will failover (without the AIP functionality) to the Standby work if the AIP is configured for Promiscuous mode? Thanks, Bob

    The only connection to the SSM that can be done internally through the ASA is a "session". This is an internal telnet to the SSM and can be used to access the SSM's CLI.
    This is very useful when you manage your SSM directly through the CLI.
    However, most customers prefer to use a graphics based tool like IDM, ASDM, or CSM for managing the configuration of the SSM, and prefer to use a graphics based tool like IEV or CS MARS for monitoring of the alerts from the SSM.
    All of these graphics based tools need network access to the SSM through a web port (https on port 443 by default). Access to this port is not allowed internally through the ASA direct to the SSM.
    All web connections must be made to the External Management interface of the SSM.
    If you are not using all 4 of your ASA interfaces you could choose to wire the External SSM interface directly to one of your ASA interfaces, and create a small subnet for the ASA and IPS IP Addresses. So then all external connections to the SSM would be routed into the ASA, then out of the ASA, and into the external port of the SSM.
    That subnet of just the ASA and SSM could be made using a network reserved for local IPs (like a 10, or 172, or 192 network) and then use NAT/PAT for translation on the other network interfaces of the ASA.
    But it does still require that wire connected to the external port of the SSM.

  • Single AIP-SSM in Cisco ASA Failover Active / Standby Mode

    Hi,
    Can I add a single AIP-SSM on Cisco ASA in failover active / standby mode?

    No, both units need the same hardware, that includes the installed modules.
    Sent from Cisco Technical Support iPad App

  • Active/Standby ASA 5520 + SSM-10=Failures

    Greetings,
    We have two ASA5520s, both at 7.2(2) running in active/standby failover. Each of the ASA's have an AIP-SSM-10 in them running 6.0(3)E1. The configuration is in promiscuous mode assign to global policy, all traffic.
    The primary will be running fine until it transitions to the secondary with a message: Module in slot slot experienced a data channel communication failure, data channel is DOWN. When I go to the SSM it will not let us in by ASDM; I can telnet and it will allow us to log in, shows the disclaimer info but never gives a CLI prompt. The secondary will be running for a while, then it exhibits the same behavior and its SSM becomes unresponsive. The ASA transitions again regardless of whether the SSM is back online or not. If it is, it operates normally.
    If it were 1 SSM I'd say it was the problem, but both of them are doing it, which leads me to consider configuration, or is there something else I am missing somewhere.
    We want to put these SSM-10's inline but not with their current instability.
    Any suggestion at this point would be most helpful.
    Jim Collin
    Maui Land and Pineapple Company Inc.
    [email protected]

    I've got the exact same problem. I opened a TAC case and was told too much traffic was being redirected to the AIP module, overflowing a queue, causing the failure. We were using the modules for a couple of months before we began experiencing this issue. It got so bad I had to completely disable redirection to the module. We're not inspecting ESMTP traffic, but I'm going to try disabling protocol inspection entirely and apply the service-policy to see if it could be one of the other defaults that is the culprit. That makes more sense to me than volume because our traffic volume didn't change considerably. Need approval so it may be awhile.

  • Router HSRP Active/Standby question

    Hello,
    Can I use the following commands to set up HSRP Active/Standby mode for both routers?
    Router A:
    ip address 10.10.228.202 255.255.255.248
    standby 3 ip 10.10.228.201
    standby 3 preempt
    Router B:
    ip address 10.10.228.203 255.255.255.248
    standby 3 ip 10.10.228.201
    standby 3 preempt
    standby 3 track 1 decrement 10
    standby 3 track 2 decrement 10
    Thanks

    Wilson,
    we don't know what objects you're tracking, so it's a little bit difficult to answer the question.
    You use the default priorities on both routers (100), so, as long as track objects 1 and 2 are up, Router B will be the active router, because it has the higher IP address.
    If track object 1 or 2 goes down, Router B's priority will be reduced to 90 (or 80 if both are down at the same time), so Router A will become active, because preemption is enabled.
    If the track object(s) change to up, Router B will take over again, because it also has preemption enabled.
    Correction:
    Preemption only comes into play when the local priority is higher than the priority of the current active router. In your example, the priorities on RA and RB have the same values. The IP addresses serve as a tie breaker only in the initial phase; the preemption feature doesn't consider the IP addresses later on.
    Consequence: Router A continues being the active router.
    HTH
    Rolf
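As an added example (not part of the thread), this Python model walks through the election and tracking steps Rolf describes for Router A and Router B. It implements the rules exactly as stated in his correction: a router preempts only with a strictly higher priority, and the higher IP address breaks a tie only in the initial election. The router names and the sequence of track-object changes are constructed for the walkthrough.

```python
"""Model of HSRP active election and preemption for the Router A / Router B
question above.  Added example, not from the original post; it encodes the
rules as described in Rolf's answer (strictly higher priority is needed to
preempt, the higher IP address breaks ties only in the initial election)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class HsrpRouter:
    name: str
    ip: str
    base_priority: int = 100          # IOS default when no "standby priority" is set
    preempt: bool = False
    # track object id -> decrement applied while that object is down
    track: dict = field(default_factory=dict)
    # track object id -> current state (True = up); unknown objects count as up
    object_state: dict = field(default_factory=dict)

    def priority(self) -> int:
        penalty = sum(dec for obj, dec in self.track.items()
                      if not self.object_state.get(obj, True))
        return max(0, self.base_priority - penalty)


def initial_election(routers):
    """Highest priority wins; the higher interface IP breaks a tie."""
    return max(routers, key=lambda r: (r.priority(), int(ipaddress.ip_address(r.ip))))


def after_event(active, routers):
    """Re-evaluate after a tracked object changes.  Only a router whose
    priority is strictly higher than the current active router's, and which
    has preempt configured, takes over; equal priorities leave the active alone."""
    best = active
    for r in routers:
        if r is not active and r.preempt and r.priority() > best.priority():
            best = r
    return best


def run_thread_scenario():
    """Walk the scenario from the thread; returns (step, active, prioA, prioB)."""
    a = HsrpRouter("RouterA", "10.10.228.202", preempt=True)
    b = HsrpRouter("RouterB", "10.10.228.203", preempt=True, track={1: 10, 2: 10})
    routers = [a, b]
    log = []
    active = initial_election(routers)
    log.append(("initial election", active.name, a.priority(), b.priority()))
    b.object_state[1] = False                       # track object 1 goes down
    active = after_event(active, routers)
    log.append(("track 1 down", active.name, a.priority(), b.priority()))
    b.object_state[2] = False                       # both tracked objects down
    active = after_event(active, routers)
    log.append(("track 1 and 2 down", active.name, a.priority(), b.priority()))
    b.object_state[1] = b.object_state[2] = True    # objects recover
    active = after_event(active, routers)
    log.append(("tracks back up", active.name, a.priority(), b.priority()))
    return log


if __name__ == "__main__":
    for step, active, pa, pb in run_thread_scenario():
        print(f"{step:<20} active={active:<8} A={pa} B={pb}")
```

The last step is the point of the correction: once both priorities are back at 100, Router B does not preempt and Router A stays active.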

  • ASA SSM IPS module upgrade won't work

    Hello all,
    I'm trying to upgrade the IPS sig's on an ASA5520 with a SSM IPS module. I'm trying to upgrade the system to 5.1.1 to further upgrade the device with no luck.
    I followed these steps provided by Cisco.com:
    1. Log in to the ASA.
    2. Enter enable mode:
    asa# enable
    3. Configure the recovery settings for ASA-SSM:
    asa (enable)# hw-module module 1 recover configure
    NOTE: If you make an error in the recovery configuration, use the
    hw-module module 1 recover stop command to stop the system reimaging
    and then you can correct the configuration.
    4. Specify the TFTP URL for the system image:
    Image URL [tftp://0.0.0.0/]:
    Example:
    Image URL [tftp://0.0.0.0/]: tftp://10.20.30.40/IPS-SSM-K9-sys-1.1-a-5.1-1.img
    5. Specify the command and control interface of ASA-SSM:
    Port IP Address [0.0.0.0]:
    Example:
    Port IP Address [0.0.0.0]: 11.21.31.41
    6. Leave the VLAN ID at 0.
    VLAN ID [0]:
    7. Specify the default gateway of the ASA-SSM:
    Gateway IP Address [0.0.0.0]:
    Example:
    Gateway IP Address [0.0.0.0]: 11.22.33.44
    8. Execute the recovery:
    asa# hw-module module 1 recover boot
    9. Periodically check the recovery until it is complete.
    NOTE: The status reads "Recovery" during recovery and reads "Up" when
    reimaging is complete.
    After #8 it just goes back to the enable prompt. A 'sh module' lists the device as 'recover' and hangs FOREVER.... I tested the TFTP server which the new image resides on, and the TFTP is working fine. I don't see any attempts or downloads from the TFTP server for over an hour.
    I opened a Cisco TAC on this and am not receiving a lot of help...
    Please help!!!:)
    Thanks
    Chris Serafin
    [email protected]

    The recovery using this method can take upwards of 30 minutes, and in some cases even longer.
    How long have you left the SSM in the "recovery" state?
    There may be something wrong in the config you entered. When that happens the SSM can go into a continuous reboot cycle trying to do the recovery.
    Execute "debug module-boot" on the console of the ASA.
    The debug output will show you the ROMMON output of the SSM itself. (The SSM has its own ROMMON. The recovery boot command sends the settings made during the recover configure command to the SSM's ROMMON).
    If the ROMMON is experiencing a problem in trying to download the tftp image you should now see that ROMMON error message.
    Some typical problems I have seen:
    1) Wrong IP given for the sensor.
    2) Wrong IP given for the gateway (the gateway must exist on the same network as the sensor) this problem usually happens when using a non-standard netmasked network.
    3) Not having the sensor's command and control port plugged into the right network. The external port of the SSM itself is where the IP is being applied. You need to ensure that the external port of the SSM is plugged into the right network for that IP.
    4) The tftp server is not reachable from the network where the sensor's command and control port is attached. Some users think that if the ASA itself can reach the tftp server that the SSM will also be able to. This is not always the case. It is best to use a tftp server on the same network as the IP provided to the SSM. Or to test the tftp server from another machine on the same network as the SSM.
    5) The file name is wrong. Check the capitalization especially.
    6) The file is not in the default directory on the tftp server. If the file is in a subdirectory you will need to add that subdirectory to the URL:
    tftp://10.20.30.40/subdirectoryname/filename
    7) The tftp is timing out.
    There are 2 things that can cause this:
    a) The tftp server is remote, and it takes too long to download the file. The ROMMON does have limits on the number of retries and per packet timeouts (but they are not user configurable). Try using a tftp server local to the SSM.
    b) The switch that the SSM connects to has spanning-tree running and spanning-tree does not complete before the SSM ROMMON times out for the tftp attempt. The tftp attempt happens immediately upon ROMMON startup and link up. But with a switch the switch port may be in a "Listen" or "Learn" state for 40 seconds before the box can actually talk on the network. In some cases the tftp download attempts started as soon as link up, and may timeout even before the spanning-tree completes. To work around this configure "spanning-tree portfast" on the switchport. Spanning-tree will connect the port into the vlan immediately rather than 40 seconds later.
    If it was a config problem when configuring the recovery settings, then there is a "recover stop" command on the ASA.
    It will stop the reboot cycle from happening.
    Let the module come up with the old image.
    Then correct your "recover configure" settings, and try the "recover boot" again.
    Another alternative:
    Stop the recovery "recover stop"
    Let it boot into the old image.
    If it was a 5.0 version, then you can actually upgrade to 5.1 using the sensor's own CLI "upgrade" command. It is actually the preferred method.
    The "recover" from the ASA will wipe the box clean and load a fresh image.
    The "upgrade" from the sensor will convert your 5.0 config into a 5.1 config while installing 5.1.
    5.1 upgrade file:
    IPS-K9-min-5.1-1g.pkg
    http://www.cisco.com/cgi-bin/tablebuild.pl/ips5
    It can be applied through the sensor's CLI upgrade command, or pushed directly through IDM, or applied by CSM.
    The "recover" should be limited to disaster recovery. When you can't access the SSM at all, or the files on the SSM have been corrupted.
    For normal upgrades you want to use "upgrade" files done through the sensor itself (CLI, IDM, or CSM).
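As an added example (not from the answer above and not a Cisco tool), this Python pre-flight check encodes the typical "recover configure" mistakes listed above (items 1, 2, 4, 5 and 6) so they can be caught before issuing "recover boot". The netmask of the sensor's network and a listing of the files on the TFTP server are assumed inputs you supply; the addresses and file names at the bottom are constructed sample values.

```python
"""Pre-flight check for the ASA "hw-module module 1 recover configure" values.
Added example, not Cisco's tool.  Checks the pitfalls from the answer above:
sensor IP and gateway not on the same network, TFTP server not local to the
SSM, wrong or mis-capitalised file name, file sitting in a subdirectory."""
import ipaddress
from urllib.parse import urlparse


def check_recovery_settings(image_url, sensor_ip, gateway_ip, netmask, tftp_listing):
    """Return a list of problem strings; an empty list means the settings pass.
    netmask is assumed known to the operator (it is not part of the ASA prompts);
    tftp_listing is the server's files as paths relative to its root directory."""
    problems = []
    network = ipaddress.ip_network(f"{sensor_ip}/{netmask}", strict=False)
    sensor = ipaddress.ip_address(sensor_ip)
    gateway = ipaddress.ip_address(gateway_ip)

    # 1) the sensor IP must be a usable host address on that network
    if sensor in (network.network_address, network.broadcast_address):
        problems.append(f"sensor IP {sensor} is the network or broadcast address of {network}")
    # 2) the gateway must exist on the same network as the sensor
    if gateway not in network:
        problems.append(f"gateway {gateway} is not on the sensor's network {network}")
    elif gateway == sensor:
        problems.append("gateway equals the sensor IP")

    url = urlparse(image_url)
    if url.scheme != "tftp" or not url.hostname:
        problems.append(f"image URL must look like tftp://<server>/<path>, got {image_url!r}")
        return problems
    # 4) a TFTP server on the sensor's own network avoids reachability and timeout issues
    try:
        server = ipaddress.ip_address(url.hostname)
        if server not in network:
            problems.append(f"TFTP server {server} is not on the sensor's network {network}; "
                            "test reachability from that network, not from the ASA")
    except ValueError:
        problems.append("give the TFTP server as an IP address, as in the example URLs")

    # 5) and 6) the name must match exactly, including case and any subdirectory
    path = url.path.lstrip("/")
    if not path:
        problems.append("image URL has no file name")
    elif path not in tftp_listing:
        case_hits = [p for p in tftp_listing if p.lower() == path.lower()]
        if case_hits:
            problems.append(f"file name case mismatch: URL has {path!r}, server has {case_hits[0]!r}")
        else:
            problems.append(f"{path!r} not found on the TFTP server (check the subdirectory in the URL)")
    return problems


if __name__ == "__main__":
    # constructed listing of the TFTP root: one image at top level, one in a subdirectory
    listing = ["IPS-SSM-K9-sys-1.1-a-5.1-1.img", "images/IPS-K9-min-5.1-1g.pkg"]
    for problem in check_recovery_settings("tftp://10.20.30.40/ips-ssm-k9-sys-1.1-a-5.1-1.img",
                                           "10.20.30.50", "10.20.31.1", "255.255.255.0", listing):
        print("PROBLEM:", problem)
```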

  • 6500 Slide Active Standby Question

    My Active Standby is only displaying 1 event whereas my old 6280 displays more than 1. Is it possible for the 6500 Slide to display more than 1?
    Thanks in advance.

    BUMP

  • Active Standby Question

    I have a Nokia E60, which operates using Symbian 9.1, Series 60 3rd edition. This software lets you put 6 shortcuts on the main screen (active standby). There is an interface to change which shortcuts are used. I want to make a shortcut to the "Installations Directory" so that I will have a fast way to access my installed programs, but this directory does not appear on the list of possible shortcuts. Does anyone know if this is possible? If so, how? Thanks,
    Mark

    No can do. Only individual apps seem to work as Active Standby shortcuts, not menu folders.

  • Upgrade question on WSC4507R-E

    HI all,
    I have a couple questions about upgrading the IOS on our WS C4507R-E. We have 3 installed cards:
    2 WS-X45-SUP6L-E supervisor modules running 12.2(54)SG * running Active/Standby
    1 WSX4606-X2-E 10G card
    ROMMON is currently at 12.2(44r)SG5
    I'm a bit confused by all the available IOS "trees" but I am pretty sure I want to upgrade to: 15.0.2-SG9(MD), at least that is what is recommended when I search for IOS downloads. I don't think I need to upgrade ROMMON, I believe I'm at the minimum required version for this IOS. I may upgrade ROMMON after IOS, there was a note about not doing it first on older IOS versions.
    So, my questions are....is the above info correct, regarding ROMMON and the recommended IOS version for my platform?
    If so, how would I do the upgrade on the redundant sup modules?  The instructions I found didn't address redundant sups.
    Anything I need to be aware of that I haven't mentioned?
    Thanks for any assistance you can provide!

    Hi Eric,
    There are 2 ways to upgrade:
    1-Load the IOS version you want to both Sups, change the boot variable, so the switch can load the new IOS after the reboot and finally reboot the chassis.
    2-Use ISSU  see link:
    http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-4500-series-switches/prod_white_paper0900aecd806f0663.html
    As for the ROMMON, you usually don't need to upgrade it often and you can always do that later if you need to. I think some of the newer versions of IOS upgrade the ROMMON as well as the main image, but I am not sure exactly for what platforms.
    HTH

  • ASA 8.2 8.4 9.1 possible with no downtime as we run active/standby?

    Hello,
    We have 2 x ASA 5520s (with 2GB mem) in active/standby mode, they also include the IPS modules.
    The current firmware is 8.2 and I was wondering if it is possible to upgrade these firewalls with no downtimes?  In the past I have upgraded the standby ASA, rebooted it and then made it the active ASA then upgraded the new standby ASA.
    I have quite a lot of NAT Exempts (No-NATs?) and a few static NATs; how did you approach this during your upgrades?
    I guess I can roll back as the 8.2 firmware will still be on the flash and I will have the config?
    Thanks

    Yeah it's supported:
    Release Notes for the Cisco ASA Series, 9.1(x)
    http://www.cisco.com/en/US/docs/security/asa/asa91/release/notes/asarn91.html#wp732442
    This document has the information that you need; it talks about the requirements and zero downtime procedure.
    But you need to take a lot of considerations that you can reference in the document:
    https://supportforums.cisco.com/docs/DOC-12690
    If you don't mind me asking why are you upgrading?
    Because of a fix or feature?

  • Can ASA5500 and ASA5500-X be paired as active standby?

    Hi, looking at several migration scenarios at a customer, is it possible to have a 5512-X as primary firewall, with a 5510 as secondary in an active standby cluster (running the same license type)?
    Thanks!

    Hi,
    No, you cannot pair ASA firewalls that are of different models.
    Hardware Requirements
    The two units in a failover configuration must be the same model, have the same number and types of interfaces, the same SSMs installed (if any), and the same RAM installed.
    If you are using units with different flash memory sizes in your failover configuration, make sure the unit with the smaller flash memory has enough space to accommodate the software image files and the configuration files. If it does not, configuration synchronization from the unit with the larger flash memory to the unit with the smaller flash memory will fail.
    Source:
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ha_overview.html#wp1132197
    Please do remember to mark the reply as the correct answer if it answered your question.
    Ask more if needed.
    - Jouni

  • How do I use Cisco MARS to monitor two ASA (active/stby) with IPS modules?

    Hi
    The two ASA with IPS modules are in active/standby mode. When I try to add both the two IP (active/standby) into the MARS, the MARS will complain duplicated hostnames.
    How to setup MARS to monitor ASA with IPS with active standby topology?
    Thanks!

    Hi,
    The fundamental problem with this scenario is that you have non-failover capable modules in a failover chassis - think of the ASA failover pair as one device and the IPS modules as two completely separate devices.
    Then, as already mentioned, add only the primary ASA. (The secondary will never be passing traffic in standby mode so it's not actually needed in MARS) Then, with the first IPS module you can add it as a module of the ASA or as a standalone device (MARS doesn't care). With the second IPS module the only option is to add it as a separate device anyway.
    In a failover scenario the ASA's swap IP's but the IPS's don't so whereas you'll only ever get messages from the active ASA you'll get messages from both IPS IP's depending on which one happens to be in the active ASA at the time.
    Don't forget that you have to manually replicate all IPS configuration every time you make a change.
    HTH
    Andrew.

  • ASA 5520 VPN load balancing with Active/Standby failover on 2 devices only...

    This topic has been beat to death, but I did not see a real answer. Here is the configuration:
    1) 2 x ASA 5520, running 8.2
    2) Both ASA are in same outside and inside interface broadcast domains – common Ethernet on interfaces
    3) Both ASA are running single context but are active/standby failovers of each other. There are no more ASA’s in the equation. Just these 2. NOTE: this is not a Active/Active failover configuration. This is simply a 1-context active/standby configuration.
    4) I want to share VPN load among two devices and retain active/standby failover functionality. Can I use VPN load balancing feature?
    This sounds trivial, but I cannot find a clear answer (without testing this); and many people are confusing the issue. Here are some examples of confusion. These do not apply to my scenario.
    Active/Active failover is understood to mean only two ASA running multi-contexts. Context 1 is active on ASA1 Context 2 is active on ASA2. They are sharing failover information. Active/Active does not mean two independently configured ASA devices, which do not share failover communication, but do VPN load balancing. It is clear that this latter scenario will work and that both ASA are active, but they are not in the Active/Active configuration definition. Some people are calling VPN load balancing on two unique ASA’s “active/active”, but it is not
    The other confusing thing I have seen is that VPN config guide for VPN load balancing mentions configuring separate IP address pools on the VPN devices, so that clients on ASA1 do not have IP address overlap with clients on ASA2. When you configure ip address pool on active ASA1, this gets replicated to standby ASA2. In other words, you cannot have two unique IP address pools on a ASA Active/Standby cluster. I guess I could draw addresses from external DHCP server, and then do some kind of routing. Perhaps this will work?
    In any case, any experts out there that can answer question? TIA!

    Wow, some good info posted here (both questions and some answers). I'm in a similar situation with a couple of vpn load-balanced pairs... my goal was to get active-standby failover up and running in each pair- then I ran into this thread and saw the first post about the unique IP addr pools (and obviously we can't have unique pools in an active-standby failover rig where the complete config is replicated). So it would seem that these two features are indeed mutually exclusive. Real nice initial post to call this out.
    Now I'm wondering if the ASA could actually handle a single addr pool in an active-standby fo rig- *if* the code supported the exchange of addr pool status between the fo members (so they each would know what addrs have been farmed out from this single pool)? Can I get some feedback from folks on this? If this is viable, then I suppose we could submit a feature request to Cisco... not that this would necessarily be supported anytime soon, but it might be worth a try. And I'm also assuming we might need a vip on the inside int as well (not just on the outside), to properly flip the traffic on both sides if the failover occurs (note we're not currently doing this).
    Finally, if a member fails in a std load-balanced vpn pair (w/o fo disabled), the remaining member must take over traffic hitting the vip addr (full time)... can someone tell me how this works? And when this pair is working normally (with both members up), do the two systems coordinate who owns the vip at any time to load-balance the traffic? Is this basically how their load-balancing scheme works?
    Anyway, pretty cool thread... would really appreciate it if folks could give some feedback on some of the above.
    Thanks much,
    Mike
