Support User Manuals

Cisco Systems IPS 7.1 Home Security System User Manual

Open as PDF

of 1042

18-14

Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1

OL-19892-01

Chapter 18 Configuring the ASA 5500 AIP SSM

ASA 5500 AIP SSM Failover Scenarios

Single ASA in Fail-Open Mode

• If the ASA is configured in fail-open mode for the ASA 5500 AIP SSM, and the

ASA 5500 AIP SSM experiences a configuration change or signature/signature engine update,

traffic is passed through the ASA without being inspected.

• If the ASA is configured in fail-open mode for the ASA 5500 AIP SSM, and the

ASA 5500 AIP SSM experiences a SensorApp crash or a service pack upgrade, traffic is passed

through the ASA without being inspected.

Single ASA in Fail-Close Mode

• If the ASA is configured in fail-close mode for the ASA 5500 AIP SSM, and the

ASA 5500 AIP SSM experiences a configuration change or a signature/signature engine update,

traffic is stopped from passing through the ASA.

• If the ASA is configured in fail-close mode for the ASA 5500 AIP SSM, and the

ASA 5500 AIP SSM experiences a SensorApp crash or a service pack upgrade, traffic is stopped

from passing through the ASA.

Two ASAs in Fail-Open Mode

• If the ASAs are configured in fail-open mode and if the ASA 5500 AIP SSM on the active ASA

experiences a configuration change or a signature/signature engine update, traffic is still passed

through the active ASA without being inspected. Failover is not triggered.

• If the ASAs are configured in fail-open mode, and if the ASA 5500 AIP SSM on the active ASA

experiences a SensorApp crash or a service pack upgrade, failover is triggered and traffic passes

through the ASA 5500 AIP SSM that was previously the standby module.

Two ASAs in Fail-Close Mode

• If the ASAs are configured in fail-close mode, and if the ASA 5500 AIP SSM on the active ASA

experiences a configuration change or a signature/signature engine update, traffic is stopped from

passing through the active ASA. No failover is triggered.

• If the ASAs are configured in fail-close mode, and if the ASA 5500 AIP SSM on the active ASA

experiences a SensorApp crash or a service pack upgrade, failover is triggered and traffic passes

through the module that was previously the standby for the ASA 5500 AIP SSM.

Configuration Examples

Use the following configuration for the primary ASA:

interface GigabitEthernet0/7

description LAN Failover Interface

failover

failover lan unit primary

failover lan interface folink GigabitEthernet0/7

failover interface ip folink 172.27.48.1 255.255.255.0 standby 172.27.48.2

Use the following configuration for the secondary ASA:

interface GigabitEthernet0/7

description LAN Failover Interface

failover

failover lan unit secondary

failover lan interface folink GigabitEthernet0/7

failover interface ip folink 172.27.48.1 255.255.255.0 standby 172.27.48.2

previous next