[c-nsp] ASA IPS Module SSM-20 in Failover Reboot

[Antonio Soares]

There are a few problems that can trigger a failover:

CSCts98806 Standby ASA 5585 Reporting Service Card Failure on Signature
Update
CSCtx92801 ASA: Failover due to data channel failure when making IPS config
changes
CSCud41702 IPS: After IPS config change, a false failover occurs with the
ASA

Cisco has an enhancement to overcome these limitations:

CSCsm81086 Allow user to exclude the status of the SSM or SSP from failover
checks


Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt
http://www.ccie18473.net


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ryan West
Sent: quinta-feira, 21 de Fevereiro de 2013 14:11
To: Scott Voll; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ASA IPS Module SSM-20 in Failover Reboot

Scott,

On Thu, Feb 21, 2013 at 08:50:02, Scott Voll wrote:
> Subject: [c-nsp] ASA IPS Module SSM-20 in Failover Reboot
> 
> I just installed a couple SSM-20's in my ASA's.  install was a little 
> less that I had hoped as the backup came online with the module and 
> the Primary didn't have the module yet.  So we will just say we had a 
> little down time (ever so brief).
> 
> my question now becomes, how do I reboot one of these modules without 
> the ASA failing over to the backup?  I don't want to knock off all my 
> VPN users.
> 

I think you need to treat it like a zero downtime upgrade.  Fail over to the
secondary firewall, reload the module on the old primary and fail back after
state is synced up.  You should not lose VPN authentications during a
failover.  IPsec RA, L2L, webvpn, and SVC sessions should stay intact
between failovers.

-ryan

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/