Single AIP-SSM in Cisco ASA Failover Active / Standby Mode

Hi,
Can I add a single AIP-SSM on a Cisco ASA in failover active/standby mode?

No, both units need the same hardware, that includes the installed modules.

Similar Messages

  • IPS modules in Cisco ASA 5510 Active/Standby pair.

    All, I am looking to add the IPS module to my ASA 5510s. I am contemplating only purchasing one module and placing it in the active ASA. I am willing to accept that in a failure scenario I will lose the IPS functionality until the primary ASA is recovered. I have not had a chance to talk to my SE to see if this is even possible. Has anyone attempted a deployment such as this? Will it work and is it supported?

    Ok, that is what I needed to know.  The purpose of us having an active/standby ASA is to keep the business up and going for the very rare times there could be an active ASA failure.  The purpose for the IPS would be to help protect and inspect traffic and is not necessary to keep the business running.  If we implement IPS I am not worried at all if during the times when the primary ASA is down (hasn't been down for over three years now) we lose the IPS functionality.  This is not worth the $1000 extra per year to us.
    Thanks for the responses though.  That answers my questions.

  • ASA Active/Standby mode and Hello messages

    Hi Everyone,
    In ASA Active/Standby mode I know that, say, the inside or any other interface of the active and standby ASA should connect to the same switch and VLAN.
    When we assign, say, an IP address to the inside interface of both ASAs like
    ip address 192.168.x.1 255.255.255.0 standby 192.168.x.2 255.255.255.0
    I need to know if these inside interfaces talk to each other or not.
    Do they send hello messages?
    Thanks
    Mahesh

    Hi Mahesh,
    The ASA Active/Standby Failover pair uses both the dedicated Failover interface and the actual Data interfaces to monitor the "health" of the Failover pair.
    The units send Failover hello messages and wait for a reply to determine if the other unit is alive or not.
    By default all Physical interfaces are automatically monitored. To my understanding Logical interfaces such as Trunk interfaces are NOT monitored by default. You will have to configure monitoring for each subinterface of the Trunk that you want to be monitored.
    You would use the command
    monitor-interface
    Check the Command Reference section for this
    http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/m.html#wp2123112
    I would also suggest reading the following section of the Configuration Guide
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ha_overview.html#wp1079010
    It has information of the Unit and Interface health monitoring of the Failover pair.
    If you want to debug Failover activity you could use the command
    debug fover
    It has multiple additional parameters after that command
    Here is the Command Reference section for the debug command
    http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/d1.html#wp2093011
    You can even attach a computer on the switch between the ASAs and capture the packets between them and you can see the Failover messages etc. from the ASAs
    - Jouni

  • Failover active/standby

    Hello. There are two Cisco devices: asa5512 and asa5510. Tell me whether it is possible to organize a failover active / standby using these devices. If this is not possible, tell me if there are any other possibilities for automatic backup.

    If by Backup, you mean hardware Redundancy, it would not be possible.
    You can run the same configuration on both the devices and if one fails, you can manually replace it with the other one.
    Thanks and Regards,
    Vibhor Amrodia

  • Asr-group feature in active/standby mode

    Hi ,
    I would like to know if anyone has used the asr-group feature in active/standby mode. Is it not recommended by Cisco for active/standby mode? The feature works in both environments.
    Thanks in advance
    Tomy

    Hi Tomy,
    The asr-group feature on the ASA is only supported in Active/Active failover:
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ha_active_active.html#wp1271955
    -Mike

  • How to tell if Active/active or Active/Standby mode is configured?

    Folks:
    I am still learning the output of my running config, but how do I tell if my firewall is set to Active/Active or Active/Standby mode?
    In addition, how do I tell if it uses regular or stateful failover mode?
    Thank you

    I wanted to provide this as well, since I found it and it also helped me answer my question.
    This output shows Active/Active failover output.
    **Note** it says PIX; however, I believe it will be the same output for ASA.
    PIX1(config-subif)#show failover
    Failover On
    Cable status: N/A - LAN-based failover enabled
    Failover unit Primary
    Failover LAN Interface: LANFailover Ethernet3 (up)
    Unit Poll frequency 15 seconds, holdtime 45 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 4 of 250 maximum
    Version: Ours 7.2(2), Mate 7.2(2)
    Group 1 last failover at: 06:12:45 UTC Apr 16 2007
    Group 2 last failover at: 06:12:43 UTC Apr 16 2007
      This host:    Primary
      Group 1       State:          Active
                    Active time:    359610 (sec)
      Group 2       State:          Standby Ready
                    Active time:    3165 (sec)
                      context1 Interface inside (192.168.1.1): Normal
                      context1 Interface outside (172.16.1.1): Normal
                      context2 Interface inside (192.168.2.2): Normal
                      context2 Interface outside (172.16.2.2): Normal
      Other host:   Secondary
      Group 1       State:          Standby Ready
                    Active time:    0 (sec)
      Group 2       State:          Active
                    Active time:    3900 (sec)
                      context1 Interface inside (192.168.1.2): Normal
                      context1 Interface outside (172.16.1.2): Normal
                      context2 Interface inside (192.168.2.1): Normal
                      context2 Interface outside (172.16.2.1): Normal
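
An added example (not part of the post above, and not Cisco code): a small Python parser for `show failover` output that reports Active/Active when per-host `Group N State:` lines are present, as in the quoted output, and Active/Standby otherwise, and that also flags version mismatches and unhealthy interfaces. The sample is a shortened, constructed copy of that output with one interface changed to `Failed`; the `Primary - Active` line shape for Active/Standby and the rule that any status not starting with `Normal` is a problem are assumptions.

```python
import re

# Constructed sample: shortened copy of the output above, last interface set to "Failed".
SAMPLE = """\
Failover On
Version: Ours 7.2(2), Mate 7.2(2)
Group 1 last failover at: 06:12:45 UTC Apr 16 2007
  This host:    Primary
  Group 1       State:          Active
  Group 2       State:          Standby Ready
                  context1 Interface inside (192.168.1.1): Normal
                  context2 Interface outside (172.16.2.2): Normal
  Other host:   Secondary
  Group 1       State:          Standby Ready
  Group 2       State:          Active
                  context1 Interface inside (192.168.1.2): Normal
                  context2 Interface outside (172.16.2.1): Failed
"""

VER_RE = re.compile(r"^Version: Ours (\S+), Mate (\S+)$")
# Assumption: Active/Standby prints "This host: Primary - Active" on one line.
HOST_RE = re.compile(r"^(This|Other) host:\s+(\S+)(?:\s+-\s+(.+))?$")
GROUP_RE = re.compile(r"^Group (\d+)\s+State:\s+(.+)$")
IFACE_RE = re.compile(r"^(?:(\S+) )?Interface (\S+) \(([\d.]+)\): (.+)$")


def parse_show_failover(text):
    """Summarise failover mode, unit roles, versions and unhealthy interfaces."""
    report = {"enabled": False, "mode": None, "versions": None,
              "hosts": {}, "problems": []}
    host = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Failover On":
            report["enabled"] = True
        elif m := VER_RE.match(line):
            report["versions"] = m.groups()
            if m.group(1) != m.group(2):
                report["problems"].append(
                    f"version mismatch: ours {m.group(1)}, mate {m.group(2)}")
        elif m := HOST_RE.match(line):
            host = m.group(1).lower()
            report["hosts"][host] = {"unit": m.group(2),
                                     "state": m.group(3), "groups": {}}
        elif host and (m := GROUP_RE.match(line)):
            report["hosts"][host]["groups"][int(m.group(1))] = m.group(2)
        elif host and (m := IFACE_RE.match(line)):
            ctx, name, ip, status = m.groups()
            # Assumption: any status not starting with "Normal" needs attention.
            if not status.startswith("Normal"):
                where = f"{ctx} {name}" if ctx else name
                report["problems"].append(
                    f"{host} host: {where} ({ip}) is {status}")
    if report["enabled"]:
        # Failover groups exist only in Active/Active, so Group lines decide.
        grouped = any(h["groups"] for h in report["hosts"].values())
        report["mode"] = "active/active" if grouped else "active/standby"
    return report
```
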

  • Stop/start in PGW active/standby mode

    Hi all
    My VoIP network has 2 PGWs in active/standby mode. But when we add more telcos, the state of the ss7path is OOS. I must stop/start the PGW and then the ss7path is in IS status.
    Now the PGW is running services. It is processing many calls with other telcos.
    I have a question I need support with.
    When we stop/start the PGW, does the PGW disconnect all calls or not?
    Thanks for supporting
    PhaiLQ

    If you restart the service on active pgw, calls are disconnected. If you don't want out of services you must pass the control to the standby server first.
    From mml console of active server use the command:
    rtrv-ne    to check the status, the output is:
        MGC-01 - Media Gateway Controller 2010-09-07 16:53:42.655 MEST
    M  RTRV
       "Type:MGC"
       "Hardware platform:sun4u sparc SUNW,Sun-Fire-V240"
       "Vendor:"Cisco Systems, Inc.""
       "Location:MGC-01 - Media Gateway Controller"
       "Version:"9.6(1)""
       "Platform State:ACTIVE" 
    sw-over::confirm    to switch control to the standby server
    Now restart the service
    /etc/init.d/CiscoMGC stop
    /etc/init.d/CiscoMGC start
    P.S. If I remember the right way, the OOS (out of service) state of new ss7 path can be set in IS (in service) via mml command line without service restart.
    set- your ss7 path ::IS   use tab for help
    Regards.

  • Calendar entries in Active Standby mode

    A double question, but both are closely related.
    In Active Standby mode it shows upcoming calendar entries for today and future ones.
    Q1) Can someone clarify whether it only shows 1 entry for future events, since I have placed 2 entries for tomorrow and 1 for the day after. But only 1 (the first) appears in Active Standby.
    Q2) I THINK IS A BUG!! It does not show Anniversary as future events in Active Standby. It only appears when it is on the day (bit late if you need to buy a present!).
    Any comments
    Andrew
    Device: N70
    Version: V 2.0536.0.2 12-09-05 RM-84

    I think this is by design. Not quite sure what the basis is of what is included and what is not. Items from the current day seem to show up in greater numbers than in future days.
    All About Symbian - News, reviews and software for S60 phones.

  • E5-00 Active Standby Mode

    I have a Nokia E5
    I have tried to experiment with the Modes function, whereby you can have one profile for business and another for personal.
    The first time I went into Modes (from the control panel), I was asked to go into "Active Standby Mode", which I did.   Now everything has changed and I am not sure whether I like it.
    Is it possible to get back to how I was before - i.e. before I went into Active Standby Modes ?

    Hi,
    No unfortunately the only way of doing this will be from the app shortcuts. There is to my knowledge no way of doing this automatically. Might be there is an ext. developed app that I do not know of.
    BR, PerLs

  • 6288 - Active Standby Mode menu lost

    Hello,
    The Active Standby Mode menu has disappeared from
    Menu-Settings-Standby Mode Settings.
    I can't access this setting any more.
    My firmware version is 6.10.
    Thanks for any advice.
    Jerome

    I have the same problem. I don't know if I'll use that option but it is annoying that I can't activate it. I have software version 6.10 and in the display-standby option the first submenu is wallpaper (not active standby setting).
    Has anyone fixed this BUG?

  • Step to prep CSC SSM on ASA Active/Standby mode

    Hi all, 
    I am trying to setup Active/Standby HA mode for my site.
    Currently the site has one ASA firewall unit installed with a CSC-SSM module; the second unit is the new unit ready to be set up.
    My question:
    01. My concern is the second unit's CSC-SSM: what is the proper procedure or steps needed to prep it?
    Do I need to prep the CSC-SSM before the ASA is in HA mode, or will it auto-propagate the configuration when both units are in HA mode?
    What else do I need to be concerned about? Do I need to set up a different IP for the CSC-SSM management interface?
    Thanks
    Noel

    Hello Yong,
    Configuration related to the CSC or SSM modules will never get propagated so you will basically need to configure it manually.
    Also it's not like if the Config on both modules is different failover will fail but of course you wanna have the same one
    IP addresses for each of the modules will be dedicated ones. Remember that failover will fail if one box has the CSC and the other not.
    Cheers,
    Julio Carvajal Segura
    http://laguiadelnetworking.com

  • Will the AIP-SSM for the ASA stop this?

    I have a client who emailed me today that someone did a script injection attack on one of their web servers. It ran a backdoor Trojan virus on their web server. I know the AIP-SSM will stop the Trojan, but will it stop someone from doing the script injection attack? If so, is it documented and can you point me to the document?
    Thanks.
    Dan

    Hi,
    If you know exactly which of the various script injection attacks was used you can simply look it up here:
    http://tools.cisco.com/security/center/home.x
    If you don't know exactly which one then it's slightly harder to know whether it would have been stopped, but searching on "script injection" or similar should narrow down the candidates and give you an idea on whether it would have been stopped or not.
    Remember that an IPS isn't perfect, but it *will* significantly lower your risk if setup and maintained properly.
    HTH
    Andrew.

  • Admin TACACS+ access fails ASA in Active/Standby Configuration

    We have two ASA 5510s with version 8.2(1) in Active/Standby configuration. The failover works fine, but when the primary ASA comes back it remains standby, so we manually change it to active with the failover active command. Then we try to access the device using a TACACS+ account and it doesn't work, just the local account works; after a period of time (15 min), the TACACS+ access starts to work.

    I'm not sure about your configuration but when in timed mode, a server that is declared "failed" will once again be made available after 30 seconds. Unlike reactivation mode, it is not necessary for all of the servers to fail before any can be reactivated.
    One possible source of confusion to be aware of in timed mode:
    The "show aaa-server" command will continue to show the server as FAILED until the server is needed to authenticate a connection.
    depletion
    Reactivates failed servers only after all of the servers in the group are inactive.
    timed
    Reactivates failed servers after 30 seconds of down time.
    Please tweak reactivation mode.
    Regards,
    ~JG

  • CISCO ASA Failover

    Can anyone tell me which protocol is used for failover in ASA and how it works?

    ASAs use keepalive packets between each other that are sent over the failover link.  By using the keepalive packets, the standby ASA monitors the health status of the Active ASA.  If the standby ASA stops receiving keepalive packets from the active ASA it will send out 3 test packets, out the monitored interfaces.  That is to say, it will send test packets out the actual interfaces that will trigger a failover if one of them fails.  If the standby ASA still does not receive a reply from the active ASA it will now assume that the active ASA is dead and will take over the role as active ASA.
    The failover link is also used to replicate the configuration between the active and standby ASAs.
    The state link is used to replicate the state table and other relevant active connection information.

  • Connectivity Issues Cisco ASA 5515 in Transparent Mode

    Hi,
    we're having problems with one transparent mode setup at one customer site. The ASA is equipped with a CX Module, but we're not using it; so far in the service policy rules it was enabled and matched all traffic, but in "monitor only" mode. There is a global ACL that allows any-any-IP.
    Firewall-Info:
    - ASA Version 9.1(2) 
    - Interfaces gi0/0 + gi0/2 without any interface errors
    The ASA 5515x is configured as a "bump in the wire". In general our setup is working, but since the installation of the firewall the customer faces the following connection issues; without the firewall there are no problems:
    - Connections to SAP-Servers behind the MPLS begin to drop, affected all users
    - Incoming monitoring sessions (ping/snmp) from central management are facing ping timeouts, connection timeouts
    - http downloads are stopping, Customer: it will stop responding and the download will fail.
    In general the customer describes it this way: "We do not have the best connection here so once we connected the firewall all the problems are magnified"
    I recognized that we unconfigured the default inspection during initial setup and reconfigured this entry for the CX module. So the default inspection with all the settings is not present any more... How important are these settings? One phenomenon is that I've seen a large number of concurrent connections that increased over time. And we already had the situation that the firewall reached the max-conn count.
    Should I try to reconfigure the default inspection, as it ships from the factory? And what's the best way to check for problems? What can be the reason for the dropping connections?
    I attached a network plan and the firewall config, hopefully, that somebody has an idea. Of course I can provide additional information...
    Best Regards
    Sebastian

    Hi Vibhor,
    thanks for your reply. Does this also affect the traffic, even if the setting is set to "Monitor Only"?
    Is it recommended to configure the default-inspection rule as a default setting?
    Further question: I've read something about service policy rules needing to be "reloaded" to take effect after they have been changed. Is that right and how do I reload them?
    Here is an output from sh asp drop; do I have to care about certain values? These values result from two connected users doing some downloads over a 2Mbit connection.
    ciscoasa# show asp drop
    Frame drop:
      Invalid encapsulation (invalid-encap)                                       10
      First TCP packet not SYN (tcp-not-syn)                                     114
      TCP failed 3 way handshake (tcp-3whs-failed)                                 3
      TCP RST/FIN out of order (tcp-rstfin-ooo)                                   18
      Dst MAC L2 Lookup Failed (dst-l2_lookup-fail)                               33
      L2 Src/Dst same LAN port (l2_same-lan-port)                                260
      FP L2 rule drop (l2_acl)                                                  2958
      Interface is down (interface-down)                                        9420
      No management IP address configured for TFW (tfw-no-mgmt-ip-config)        117
      Dropped pending packets in a closed socket (np-socket-closed)               66
    Thanks
    Sebastian
