Cisco ASA with AIP-SSM in failover

Posted on November 18, 2010

Both the ASA and the AIP-SSM are able to fail over, or at a minimum to bypass the traffic. The ASA fail-open and fail-close commands determine whether the traffic that has to be analysed by the IPS is allowed or denied when the module cannot inspect it.

1. With the following configuration:

==ASA==

policy-map outside-policy
class outside-class
ips inline fail-open

==IPS==

ByPass mode auto

=> When the AnalysisEngine on the primary module goes down, there is no
failover, because the IPS automatically switches to Bypass On (Bypass
mode is set to auto), and traffic should continue to flow through the
ASA without any issue.

2. With the following configuration:

==ASA==

policy-map outside-policy
class outside-class
ips inline fail-open

==IPS==

ByPass mode off

=> When the AnalysisEngine on the primary module goes down, there is a
failover: the ASA detects the failure (because Bypass mode is set to off)
and fails over to the secondary.
=> When the AnalysisEngine on the primary module goes down, traffic should
continue to flow through the secondary ASA, as you configured ‘ips
inline fail-open’ in the policy. This command tells the ASA to let the
traffic flow in case of failure of the IPS module (contrary to
fail-close, which will block all traffic in such a situation).

3. With the following configuration:

==ASA==

policy-map outside-policy
class outside-class
ips inline fail-close

==IPS==

ByPass mode off

=> When the AnalysisEngine on the primary module goes down, there is a
failover: the ASA detects the failure (because Bypass mode is set to off)
and fails over to the secondary.
=> When the AnalysisEngine on the primary module goes down, all traffic
will be blocked due to the ‘fail-close’ option configured in the policy-map.

4. With the following configuration:

==ASA==

policy-map outside-policy
class outside-class
ips inline fail-close

==IPS==

ByPass mode auto

=> When the AnalysisEngine on the primary module goes down, there is no
failover, because the IPS automatically switches to Bypass On (Bypass
mode is set to auto), and traffic should continue to flow through the
ASA without any issue, although the ‘fail-close’ option is configured.
From the ASA's point of view, the IPS continues working normally.
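To show where the three-line snippets above sit in a complete configuration, here is an added example (not from the original post or from Cisco's documentation) of the ASA side and the AIP-SSM side for situation 1; the class-map match criterion, the interface name `outside` and the module slot `1` are assumptions, and lines starting with `!` are annotations for the reader.

```text
! ASA side (assumed: class-map "outside-class" matching all traffic on
! interface "outside"; policy-map and class names are those used above)
class-map outside-class
 match any
!
policy-map outside-policy
 class outside-class
  ips inline fail-open
!
service-policy outside-policy interface outside
!
! Verification on the ASA: the module in slot 1 must show as Up, and the
! service-policy on "outside" must list the ips inline action
show module 1 details
show service-policy interface outside

! AIP-SSM side (sensor CLI): bypass auto masks a failed AnalysisEngine
! from the ASA, so no failover is triggered (situation 1 above)
configure terminal
 service interface
  bypass-mode auto
  exit
 exit
```

Swapping `fail-open` for `fail-close` on the ASA and `auto` for `off` on the sensor gives the other three situations described above; apply the same change on both units of the failover pair.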

1. Although the AnalysisEngine went down on the modules, there should
not have been any impact on traffic flowing through the ASA, since your
policy map is configured with the ‘fail-open’ option (and bypass mode
was set to off) [= situation 2 above, tested in my lab].

Here is the same in short:
https://supportforums.cisco.com/docs/DOC-12183
