Cisco IPS Module SSM-10 - how to configure in active/active failover

Posted on 2012-08-15
Last Modified: 2012-08-16

I have 2 ASA's that are setup in active/active failover. Each ASA has an ASA-SSM-10 IPS module.

I have 2 contexts - edge firewall (lets call it context1) and internal firewall (context2).

Context 1 is active on the 1st firewall and context2 is active on the second firewall.

I do not find any options or documentation on how the configuration would work exactly.

I want the IPS on the 1st ASA to monitor the context that is active on it (context1) and the IPS on the 2nd ASA to monitor context2.
Then when a device fails, the IPS on the remaining active device must monitor both contexts.

My problem is that it seems that the configs of the 2 IPSs are not synced.

Please confirm if my following understanding is correct:
1. I will configure a virtual sensor on the 1st IPS. The context that is normally active on this ASA (context1) will then be linked to that virtual sensor.
2. I will then configure another virtual sensor with a different name on the 2nd IPS. The context that is normally active on that ASA (context2) will then be linked to that virtual sensor.

This should work, but what if one ASA fails? Will the context that now becomes active know that it must work with the available IPS?
If so, what must I do with the config?

Since the configs of the virtual sensors do not seem to sync, do I need to make the virtual sensor names and configs exactly the same on both devices? (in other words, "sync" the config myself). If this is not done, then the virtual sensor that is not on the remaining active IPS will not be available to the context that had to fail over.

Your assistance will be highly appreciated.

Question by:salt-eit

    Expert Comment

    The IPS modules are not part of ASA HA.

    There is no method to automatically sync them.

    Your suggested architecture does not make sense, the IPS should be used on the ASA that it is installed in, an IPS on a different ASA does not have the backplane connection to enable it to connect.

    I would suggest that you configure each IPS in the same way, so that in the event of a failover event (planned or unplanned) you still have an active IPS.

    Author Comment


    I know that the IPS must be used on the ASA it is in because it works only over the backplane.

    So what I want to do is:

    ASA01 has context1 active on it. IPS01 is installed on ASA01 and has a virtual sensor called vs1. context1 uses vs1 - therefore using the IPS01 that is on the ASA that the context is active on. IPS01 also has a virtual sensor vs2.

    ASA02 has context2 active on it. IPS02 is installed on ASA02 and has a virtual sensor called vs2. context2 uses vs2 - therefore using the IPS02 that is on the ASA that the context is active on. IPS02 also has virtual sensor vs1.

    So on IPS01 context1 will use vs1. vs2 will not be used on this IPS because the context (context2) assigned to it is not active on this ASA. Only when context2 fails over to this ASA will that context try to use the IPS01 that is on the ASA, and it will then find and use the vs2 on it.
    The opposite will happen if the contexts fail to the other ASA.

    Is this understanding of how it will work correct?

    Accepted Solution

    Aha, you are running active/active

    Configure both IPSs to monitor both contexts, then when not failed over, the IPS will only be "working" on the context that is active on the ASA, and in a failover condition it will be active on both.
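    The configuration the accepted solution describes, written out as an added example (this is not config posted in the thread, and it is an illustration rather than a tested production config). The virtual sensor names vs1/vs2 and the context names context1/context2 come from the question; the ASA hostname, the class-map/policy-map names ips-all and global_policy, and the use of GigabitEthernet0/1 as the AIP SSM backplane interface are assumptions. The key point is that the ASA system and context configurations are replicated by failover, but the IPS module configuration is not, so the same virtual-sensor definitions are entered by hand on both modules. Check the exact syntax against the ASA and IPS releases you run.

```text
! ---------------------------------------------------------------
! IPS module: enter IDENTICALLY on IPS01 (in ASA01) and IPS02 (in ASA02).
! Nothing in ASA failover copies this between the two modules.
! ---------------------------------------------------------------
sensor# configure terminal
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs1
sensor(config-ana-vir)# description context1 - edge firewall
sensor(config-ana-vir)# physical-interface GigabitEthernet0/1
sensor(config-ana-vir)# exit
sensor(config-ana)# virtual-sensor vs2
sensor(config-ana-vir)# description context2 - internal firewall
sensor(config-ana-vir)# physical-interface GigabitEthernet0/1
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes?[yes]: yes

! ---------------------------------------------------------------
! ASA system execution space (replicated to the peer by failover):
! each context is allowed to use "its" virtual sensor by name.
! ---------------------------------------------------------------
hostname(config)# context context1
hostname(config-ctx)# allocate-ips vs1 default
hostname(config-ctx)# exit
hostname(config)# context context2
hostname(config-ctx)# allocate-ips vs2 default
hostname(config-ctx)# exit

! ---------------------------------------------------------------
! Inside context1 (also replicated): send its traffic to vs1 on
! whichever unit currently hosts the context.
! fail-open lets traffic through if the module is down; use
! fail-close if a dropped connection is preferable to uninspected traffic.
! ---------------------------------------------------------------
hostname/context1(config)# class-map ips-all
hostname/context1(config-cmap)# match any
hostname/context1(config-cmap)# exit
hostname/context1(config)# policy-map global_policy
hostname/context1(config-pmap)# class ips-all
hostname/context1(config-pmap-c)# ips inline fail-open sensor vs1
hostname/context1(config-pmap-c)# exit
hostname/context1(config-pmap)# exit
hostname/context1(config)# service-policy global_policy global

! context2 is the same with "allocate-ips vs2" above and
! "ips inline fail-open sensor vs2" in its policy-map.
```

    Because the context configs follow the context during failover, a context that moves to the other ASA keeps asking for the same virtual sensor name; the remaining module serves it only because vs1 and vs2 exist on both. Before relying on this, run `show ips` from each context on both units to confirm the named virtual sensors are visible, then do a planned failover and confirm the surviving module is inspecting both contexts.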

    Author Comment

    OK so that confirms the setup I plan to do is the correct method.

