Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 20 Configuring the ASA 5585-X IPS SSP
Traffic Flow Stopped on IPS Switchports
Problem Traffic on any port located on the ASA 5585-X IPS SSP (1/x) no longer passes through the
adaptive security appliance when the ASA 5585-X IPS SSP is reset or shut down. This affects all traffic
through these ports, regardless of whether or not the traffic would have been monitored by the IPS. The
ports lose link when the ASA 5585-X IPS SSP is reset or shut down.
Possible Cause Traffic is carried on the ports located on the ASA 5585-X IPS SSP (1/x), and the
ASA 5585-X IPS SSP is reset or shut down by any mechanism (manual reset, software update, crash recovery).
Solution Use the ports on the adaptive security appliance (0/x) instead, because those ports do not lose
link when the ASA 5585-X IPS SSP is reset or shut down.
Failover Scenarios
The following failover scenarios apply to the ASA 5585-X in the event of configuration changes,
signature/signature engine updates, service packs, and SensorApp crashes on the ASA 5585-X IPS SSP.
Single ASA 5585-X in Fail-Open Mode
If the ASA is configured in fail-open mode for the ASA 5585-X IPS SSP, and the
ASA 5585-X IPS SSP experiences a configuration change or signature/signature engine update,
traffic is passed through the ASA without being inspected.
If the ASA is configured in fail-open mode for the ASA 5585-X IPS SSP, and the
ASA 5585-X IPS SSP experiences a SensorApp crash or a service pack upgrade, traffic is passed
through the ASA without being inspected.
Single ASA 5585-X in Fail-Close Mode
If the ASA is configured in fail-close mode for the ASA 5585-X IPS SSP, and the
ASA 5585-X IPS SSP experiences a configuration change or a signature/signature engine update,
traffic is stopped from passing through the ASA.
If the ASA is configured in fail-close mode for the ASA 5585-X IPS SSP, and the
ASA 5585-X IPS SSP experiences a SensorApp crash or a service pack upgrade, traffic is stopped
from passing through the ASA.
Two ASA 5585-Xs in Fail-Open Mode
If the ASAs are configured in fail-open mode and if the ASA 5585-X IPS SSP on the active ASA
experiences a configuration change or a signature/signature engine update, traffic is still passed
through the active ASA without being inspected. Failover is not triggered.
If the ASAs are configured in fail-open mode, and if the ASA 5585-X IPS SSP on the active ASA
experiences a SensorApp crash or a service pack upgrade, failover is triggered and traffic passes
through the ASA 5585-X IPS SSP that was previously the standby ASA 5585-X IPS SSP.
Two ASA 5585-Xs in Fail-Close Mode
If the ASAs are configured in fail-close mode, and if the ASA 5585-X IPS SSP on the active ASA
experiences a configuration change or a signature/signature engine update, traffic is stopped from
passing through the active ASA. No failover is triggered.