Correct way to install AIP SSM's in failover ASA's?
oo_snoopy
Hello security buds,
We are currently running two 5520 ASA's in active/standby mode, and I need to install AIP SSM's in both. I'm a little confused on how the failover works and configuration copying.
I've gathered that the IPS config is not copied, so does that mean using the ASDM to manage the IPS is out of the question (since you can only ASDM into the active ASA)?
So what's the correct way to install these cards? Power down the standby, install, don't configure, switchover and repeat? Or should I power down the standby, install and configure, then switchover and repeat?
Comments
oo_snoopy
Cisco wasn't much help, but I've got a plan for this. I'll post the steps after I do it for anyone in the future with this problem.
mikearama
We don't run the AIP-SSM's, but we do have the CSC-SSM's, and in Active/Standby mode, so it can't be "too" different, I would think.
I configured the Active appliance with the CSC Wizard in the ASDM... configured IP settings, and created the policy to send interesting traffic to the scanner. The config, as you'd expect, was copied entirely to the Standby appliance, including the config of the CSC.
During failover, the Standby CSC became Active right along with the appliance, scanning all new connections as they formed.
My process was to force failover to the Standby, power down the Primary and install the CSC-SSM. I brought it up and took back Active from the Standby appliance, powering down the Standby and installing its CSC. When it came back up, it stayed in Standby. All the config was done on the Primary.
Which, in retrospect, was pretty much what you described. Go figure.