[c-nsp] ASA IPS Module SSM-20 in Failover Reboot

Antonio Soares amsoares at netcabo.pt
Thu Feb 21 05:37:48 EST 2013

There are a few problems that can trigger a failover:

CSCts98806 Standby ASA 5585 Reporting Service Card Failure on Signature
CSCtx92801 ASA: Failover due to data channel failure when making IPS config
CSCud41702 IPS: After IPS config change, a false failover occurs with the

Cisco has an enhancement to overcome these limitations:

CSCsm81086 Allow user to exclude the status of the SSM or SSP from failover


Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ryan West
Sent: Thursday, February 21, 2013 14:11
To: Scott Voll; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ASA IPS Module SSM-20 in Failover Reboot


On Thu, Feb 21, 2013 at 08:50:02, Scott Voll wrote:
> Subject: [c-nsp] ASA IPS Module SSM-20 in Failover Reboot
> I just installed a couple of SSM-20s in my ASAs.  Install was a little 
> less than I had hoped as the backup came online with the module and 
> the Primary didn't have the module yet.  So we will just say we had a 
> little down time (ever so brief).
> My question now becomes, how do I reboot one of these modules without 
> the ASA failing over to the backup?  I don't want to knock off all my 
> VPN users.

I think you need to treat it like a zero downtime upgrade.  Fail over to the
secondary firewall, reload the module on the old primary and fail back after
state is synced up.  You should not lose VPN authentications during a
failover.  IPsec RA, L2L, webvpn, and SVC sessions should stay intact
between failovers.


cisco-nsp mailing list  cisco-nsp at puck.nether.net
archive at http://puck.nether.net/pipermail/cisco-nsp/