[c-nsp] ASA IPS Module SSM-20 in Failover Reboot

Ryan West rwest at zyedge.com
Thu Feb 21 04:11:18 EST 2013


Scott,

On Thu, Feb 21, 2013 at 08:50:02, Scott Voll wrote:
> Subject: [c-nsp] ASA IPS Module SSM-20 in Failover Reboot
> 
> I just installed a couple of SSM-20s in my ASAs.  Install was a little 
> less than I had hoped as the backup came online with the module and 
> the Primary didn't have the module yet.  So we will just say we had a 
> little downtime (ever so brief).
> 
> My question now becomes, how do I reboot one of these modules without 
> the ASA failing over to the backup?  I don't want to knock off all my 
> VPN users.
> 

I think you need to treat it like a zero downtime upgrade.  Fail over to the secondary firewall, reload the module on the old primary and fail back after state is synced up.  You should not lose VPN authentications during a failover.  IPsec RA, L2L, webvpn, and SVC sessions should stay intact between failovers.

-ryan


