• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1701

Cisco IPS Module SSM-10 - how to configure in active/active failover


I have 2 ASA's that are setup in active/active failover. Each ASA has an ASA-SSM-10 IPS module.

I have 2 contexts - edge firewall (let's call it context1) and internal firewall (context2).

Context 1 is active on the 1st firewall and context2 is active on the second firewall.

I do not find any options or documentation on how the configuration would work exactly.

I want the IPS on the 1st ASA to monitor the context that is active on it (context1) and the IPS on the 2nd ASA to monitor context2.
Then when a device fails, the IPS on the remaining active device must monitor both contexts.

My problem is that it seems that the configs of the 2 IPSs are not synched.

Please confirm if my following understanding is correct:
1. I will configure a virtual sensor on the 1st IPS. The context that is normally active on this ASA (context1) will then be linked to that virtual sensor.
2. I will then configure another virtual sensor with a different name on the 2nd IPS. The context that is normally active on that ASA (context2) will then be linked to that virtual sensor.

This should work, but what if one ASA fails? Will the context that now becomes active know that it must work with the available IPS?
If so, what must I do with the config?

Since the configs of the virtual sensors do not seem to sync, do I need to make the virtual sensor names and configs exactly the same on both devices? (In other words, "sync" the config myself.) If this is not done, then the virtual sensor that is not on the remaining active IPS will not be available to the context that had to fail over.

Your assistance will be highly appreciated.

1 Solution
The IPS modules are not part of ASA HA.

There is no method to automatically sync them.

Your suggested architecture does not make sense; the IPS should be used on the ASA that it is installed in. An IPS on a different ASA does not have the backplane connection to enable it to connect.

I would suggest that you configure each IPS in the same way, so that in the event of a failover (planned or unplanned) you still have an active IPS.

salt-eit (Author) commented:

I know that the IPS must be used on the ASA it is in because it works only over the backplane.

So what I want to do is:

ASA01 has context1 active on it. IPS01 is installed on ASA01 and has a virtual sensor called vs1. context1 uses vs1 - therefore using the IPS01 that is on the ASA that the context is active on. IPS01 also has a virtual sensor vs2.

ASA02 has context2 active on it. IPS02 is installed on ASA02 and has a virtual sensor called vs2. context2 uses vs2 - therefore using the IPS02 that is on the ASA that the context is active on. IPS02 also has virtual sensor vs1.

So on IPS01 context1 will use vs1. vs2 will not be used on this IPS because the context2 assigned to it is not active on this ASA. Only when the context2 fails over to this ASA will that context try to use the IPS01 that is on the ASA and will then find and use the vs2 on it.
The opposite will happen if the contexts fail to the other ASA.

Is this understanding of how it will work correct?
Aha, you are running active/active.

Configure both IPSs to monitor both contexts, then when not failed over, the IPS will only be "working" on the context that is active on the ASA, and in a failover condition it will be active on both.
salt-eit (Author) commented:
OK so that confirms the setup I plan to do is the correct method.
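Configuration sketch of the setup the thread settles on, added here as an illustration and not taken from the thread or from Cisco documentation for this exact deployment: the ASA side (system execution space and each context's policy) is replicated by failover, while the virtual sensors on each SSM must be created identically by hand, because IPS configuration is outside ASA HA. Context names and sensor names are the ones used above; the class-map name, the use of the default global policy and the fail-open choice are assumptions, and the IPS policy contents (signatures, event actions) are only named in comments.

```cisco
! ---- ASA system execution space (same on ASA01 and ASA02; failover syncs it) ----
! Each context gets BOTH sensors allocated, so a context that fails over to the
! other ASA can still reach a sensor of the same name over that ASA's backplane.
! "default" marks the sensor used when the context's ips command names none.
context context1
  allocate-ips vs1 default
  allocate-ips vs2
!
context context2
  allocate-ips vs2 default
  allocate-ips vs1
!
! ---- Inside context1 (context2 is identical except it names vs2) ----
! Traffic matching the class is diverted to the named virtual sensor on the
! local SSM. fail-open keeps traffic flowing if the module is down; fail-close
! would block it (assumed choice, pick per risk appetite).
class-map ips-class
  match any
policy-map global_policy
  class ips-class
    ips inline fail-open sensor vs1
service-policy global_policy global
!
! ---- On EACH SSM (IPS01 and IPS02), entered by hand, must match exactly ----
! Virtual sensor names must exist on both modules; the ASA only passes a name.
sensor# configure terminal
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs1
sensor(config-ana-vir)# exit
sensor(config-ana)# virtual-sensor vs2
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes?[yes]: yes
! Also copy signature-definition, event-action-rules and anomaly-detection
! policies between the two modules; nothing does this for you.
!
! ---- Check from the ASA that the module is up and the sensors are seen ----
ASA01# show module 1 details
```

After a failover test, the context that moved should show its sessions still being inspected by the same-named sensor on the new ASA's module; if the sensor name is missing on that module the context's traffic follows the fail-open/fail-close setting instead of being inspected.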
