The ASA CX Module failover

Similar Questions

• Access to the ASA 5515 IPS administration

  Hello!

  I can not access the ASA IPS module.

  I try to ASDM. Configuration-> IPS. I type user name and password, see following message: "error connecting to the sensor. Error loading sensor.

  Could you please help me fix my config?

  I have the topology of the network like this

  http://www.Cisco.com/image/gif/paws/113690/IPS-config-mod-01.gif

  My config

  KR - ASA # sh run concert int 0/5

  !

  interface GigabitEthernet0/5

  nameif inside

  security-level 100

  IP 172.33.1.253 255.255.255.0 watch 172.33.1.254

  !

  interface Management0/0

  management only

  No nameif

  security-level 0

  no ip address

  !

  KR - ASA # sh details ips module

  App name: IPS

  App status. : to the top

  App Status / / Desc: Normal operation

  App version: 4,0000 E4

  Flight status data: to the top

  Status: to the top

  License: IPS active Module perpetual

  Mgmt IP addr: 172.33.1.251

  MGMT network mask: 255.255.255.0

  Mgmt gateway: 172.33.1.253

  MGMT access list: 172.33.1.0/24

  MGMT access list: 172.34.1.0/24

  Web to MGMT ports: 443

  Mgmt TLS enabled: true

  !

  KR - ASA # ping 172.33.1.251

  Type to abort escape sequence.

  Send 5, echoes ICMP 100 bytes to 172.33.1.251, wait time is 2 seconds:

  !!!!!

  Success rate is 100 per cent (5/5), round-trip min/avg/max = 10/10/10 ms

  !

  permit same-security-traffic inter-interface

  permit same-security-traffic intra-interface

  !

  Thank you!

  Hi Vladimir,.

  Yups, this is an issue that is seen. Downgrade of Java should solve the problem. If this is not the case, turn on java debugging logs and paste those here:

  Go to control panel-> java right click-> Open-> Advanced-> check all the boxes that appear under debugging and click the radio button to see the console

  Rerun the IDM in browser and collect data in the java console window and paste it here.

  -

  Kind regards

  Sourav Kakkar

• IPS modules in the ASA config for active/passive failover

  Hey guys,.

  We have two ASA in a situation of active/passive failover each with a module AIP-SSM-20 IPS.

  These modules are intended to synchronize their configs like the ASA do? Alternatively, they each have a separate entity and each need to be configured separately?

  Thanks for any help!

  Each will have their own IP address, and each must be configured separately.

  They will not communicate with each other and share no configuration.

  You will need to make sure the config is changed in one of the other.

  Monitoring station pull events from two sensors.

  The SSMs rely on the SAA for the TCP state tracking so they will work very well in a design of failover ASA.

• ASA with different failover module IPS

  Hi all

  Is it possible to configure the failover of the ASA with different IPS module configuration because we have: ASA 5585-X with firepower PHC-10 and ASA 5585-X with IPS SSP-10

  Thank you

  N °

  Inventories of material (basic unit, memory and optional modules) must be the same in a pair of failover ASA.

• Licenses of the ASA, a license or two for a failover pair

  I had two units ASA firewall configured as a failover pair.  Now I need increases the SSL VPN license, do I need a licence for the ASA pair or two licenses, one for each unit.  Can use a key of activation on both units?

  One thing I know for sure, put the key on the Active unit, cannot synchronize the license to the standby unit.

  Thank you very much in advance.

  It depends on the version. The ASA 8.3 and later versions, you can share a single license through an HA pair.

• FAILOVER OF THE ASA

  What is the reference of the item required to activate the failover of the asa?

  you first need to safety over the license to enable failover if you run of ASA 5510, otherwise if you're running 5520's and higher then follow the steps in the example located here:

  http://www.Cisco.com/en/us/customer/products/ps6120/prod_configuration_examples_list.html

• New deployment with the ASA and AIP - SSM module

  Hi guys and girls,

  I think to deploy an ASA with IPS module AIP - SSM to my perimeter. I'm going to use / * Style Definitions * / table. MsoNormalTable {mso-style-name : « Table Normal » ; mso-tstyle-rowband-taille : 0 ; mso-tstyle-colband-taille : 0 ; mso-style-noshow:yes ; mso-style-priorité : 99 ; mso-style-qformat:yes ; mso-style-parent : » « ;" mso-rembourrage-alt : 0 à 5.4pt 0 à 5.4pt ; mso-para-margin : 0 ; mso-para-marge-bottom : .0001pt ; mso-pagination : widow-orphelin ; police-taille : 11.0pt ; famille de police : « Calibri », « sans-serif » ; mso-ascii-font-family : Calibri ; mso-ascii-theme-font : minor-latin ; mso-fareast-font-family : « Times New Roman » ; mso-fareast-theme-font : minor-fareast ; mso-hansi-font-family : Calibri ; mso-hansi-theme-font : minor-latin ; mso-bidi-font-family : « Times New Roman » ; mso-bidi-theme-font : minor-bidi ;} Cisco IPS Manager Express (IME) to monitor the IP addresses to monitor the ASA. I have no plans on deploying a device IDS.

  Question: The IME is designed to send notices to the subject of threats? What are some of the configurations in your network? (Just prick with the last question.)

  THX...

  IME is designed only for IPS monitor (whether it be IPS appliance, module AIP - SSM on ASA or other module IPS). IME is not able on the control of ASA.

  EMI can provide advice by email about events which are fires on the IPS, while the IPS itself cannot. EMI may also keep all the events triggered by the IPS, while SPI buffer is small enough, that so if you have huge demonstrations, the buffer gets replaced pretty quickly.

  Here is more information about IME, if you are interested:

  http://www.Cisco.com/en/us/products/ps9610/index.html

• Block P2P software using the ASA-AIP-SSM-20 module

  Hello

  I have a question about blocking P2P traffic on ASA AIP module. I've searched the forums and all I could find were solutions using regex, port block, MPF, but no example of implementation of AIP.

  Could someone point me in the right direction please?

  Thank you very much

  Martin

  Hello

  You can find all the associated p2p signatures in:

  http://Tools.Cisco.com/Security/Center/home.x

  A search using Signatures, p2p, all. Then, you can set the respective signatures to your needs.

  SPSP

• VPN failover between the ASA

  I do a search in the search of the best solution for switching between two ASA and hoped that someone wants to point me in the right direction.

  The situation is this, we got:

  -Head Office 2:

  Each is equipped with an ASA 5505

  -10 branches

  Each is equipped with a 887 integrated services router.

  Each is BranchOffice must have a redundant VPN connection at the headquarters of these two, and they all need to use the first person as main and the other in high school. In case of failure, all branches need to use the second connection VPN going the second seat.

  In my research, I'm looking for the best possible solution, with faster failover, but have no idea where to start my research.

  I hope someone has a good answer for this one.

  Thank you very much in advance,

  Kind regards

  Dwayne

  I do not understand why people continue to use ASA devices for VPN endpoint.  the ASA is NOT designed for complex VPN scenarios.  It is designed for simple scenarios.  In terms of VPN by using comparison, ASA is a person with a basic education while Cisco IOS is like a person with a college degree.

  For the scenario, you will be much better using Cisco IOS routers everywhere, where you can implement the GRE/IPSec or DMVPN.  Both cases will be sastify to your needs.

• ASA status interface failover: Normal (pending)

  I've been struggling with this, I have two ASA running 8.6 that show the interfaces being monitored as well.

  I'm under 9.2 on these and tell waiting interfaces. Also can I disable SPI monitored? I ask only the cause at the time where the IPS is a module of the SAA, if I had to restart, the units would be tipping. I don't know if it's the same now with the IPS is a software based inside the ASA running on a separate hard drive.

  ASA5515-01 # show failover
  Failover on
  Unit of primary failover
  Failover LAN interface: FAILOVER of GigabitEthernet0/5 (top)
  Frequency of survey unit 1 seconds, 15 seconds holding time
  Survey frequency interface 5 seconds, 25 seconds hold time
  1 political interface
  Watched 3 114 maximum Interfaces
  MAC address move Notification not defined interval
  Version: Our 9.2 (2) 4, Mate 4 9.2 (2)
  Last failover at: 03:55:44 CDT October 21, 2014
  This host: primary: enabled
  Activity time: 507514 (s)
  slot 0: ASA5515 rev hw/sw (1.0/9.2(2)4 State) (upward (Sys)
                    Interface to the outside (4.35.7.90): Normal (pending)
                    Interface inside (172.20.16.30): Normal (pending)
  Interface Mgmt (172.20.17.10): Normal (pending)
  Slot 1: IPS5515 rev hw/sw (N/A 7.1 (4) E4) State (to the top/to the top)
  IPS, 7.1 (4) E4, upward
  Another host: secondary - ready Standby
  Activity time: 0 (s)
  slot 0: ASA5515 rev hw/sw (1.0/9.2(2)4 State) (upward (Sys)
                    Interface (0.0.0.0) outdoors: Normal (pending)
  Interface (0.0.0.0) inside: Normal (pending)
  Interface (0.0.0.0) Mgmt: Normal (pending)
  Slot 1: IPS5515 rev hw/sw (N/A 7.1 (4) E4) State (to the top/to the top)
  IPS, 7.1 (4) E4, upward

  Failover stateful logical Update Statistics
  Relationship: unconfigured.

  ASA5515-01 # poster run | failover Inc.
  failover
  primary failover lan unit
  LAN failover FAILOVER GigabitEthernet0/5 interface
  failover interface ip FAILOVER 10.10.1.1 255.255.255.252 ensures 10.10.1.2
  ASA5515-01 # ping 10.10.1.2
  Type to abort escape sequence.
  Send 5, echoes ICMP 100 bytes to 10.10.1.2, time-out is 2 seconds:
  !!!!!
  Success rate is 100 percent (5/5), round-trip min/avg/max = ms 02/01/10
  # ASA5515-01

  ------------

  I read also not to use a design where a cable is directly connected to each unit, and instead each interface must connect on a downstream switch port so that the status of the link is still up to a firewall interface if the other firewall interface fails. Otherwise, the two units detects a link down condition and assume that their own interface is down. Never really thought about it in that sense. Anyone use a direct attached cable and have problems?

  Hello

  I rarely troubleshoot failover configurations so I am little rusty with associated with these problems.

  First thing that comes to mind is that configurations under interfaces has "standby" configured IP address? I wondered as the changeover seems to be configured and the link between the units is fine but the unit ready standby shows just 0.0.0.0 for each interface.

  -Jouni

• The ASA for FW and IPS options with high availability

  Question 1:

  -----------

  I'm looking for IPS solution for the customer and the verification of the ASA next part number;

  ASA5540-AIP20-K9

  (ASA 5540 appliance w / AIP-SSM-20, SW, HA, 4GE + 1FE, 3DES/AES)

  What does AP mean here - what software?

  In this case you have to buy a second unit (at the same price) for the recovery of?

  (I wondered if ASA has also a cost - efficient as PIX failover solution-discounted price for the unit of failover).

  If I choose the ASA VPN edition is it possible to add IPS inside module?

  Hello

  Q: what does AP means here - what software? In this case you have to buy a second unit (at the same price) for the recovery of?

  The "ASA5540-AIP20-K9" is only for 1 unit of ASA, with function of software HA (active/active, active / standby). You can add/buy another unit to achieve HA/recundancy.

  I think that the price of a unit all them is always the same, ASA has no unit to voluntarily make the function FO.

  Q: if I choose the ASA VPN edition is it possible to add IPS inside module?

  Large malicious Intrusion Prevention & mitigation program is included, as mentioned in the 'picture' 3 Security of the network to the VPN gateway"in:

  http://www.Cisco.com/en/us/products/ps6120/products_data_sheet0900aecd80402e3f.html

  Rgds,

  AK

• For ASA IPS modules

  Hello

  I would ask you to help learn p/n for the IPS/IDS modules in:

  -ASA 5510

  -ASA 5515 X

  I would like to buy our dealer, but he asks that no part numbers, that he can't find them...

  I know that for ASA5510 was AIP-SSM-10, but it currently is EOS. ASA 5515 X has software module, but I can't find this p/n.

  Concerning

  Hi Michal,

  IPS-ASA5515-SSP

  SSP ASA IPS 5515-X license

  SF-ASAIPS64 - 7.1 - K9

  ASA software IPS 5500-X 7.1 for IPS SSP

  You can always check through "https://apps.cisco.com/Commerce/home".

  It may be useful

  G1

• Filtering in Cisco ASA using module sfr Web

  Hello

  I have Cisco ASA 5515-x version 9.2 (2) and I use ASDM version 7.2 (2). I module 5.3.1 LICO of ASA. I want to activate the ASA web filtering feature. Previously, I used the method of expression regex in the SAA to perform url filtering, but it was not effective. Since then, I have the license for the management of firesight I want to use it.

  But I am confused as some cisco docs say to set the firesight management in vmware while others offer to run the boot image in the SAA itself. What is the right way to do it?

  The show module command, I see that my module of sfr is in place so that means the sfr module is pre-installed, and I can't do a lot of configurations?

  It would be better for me to run ASA itself, but if it does not work like that then I will configure in VM. So please me clearify that concerns my options and my best chance.

  If it should be installed on a virtual machine or ASA itself, then please give me the link to download the boot images and other files on cisco.com. I have the user name and password, but did not find the correct software.

  Thank you in advance.

  Your ASA 5515-x performs the minimum version required to support the fire power module (sfr). The module also runs the initial version of the software of the firepower for ASA-based module firepower.

  With this combination of Software ASA and firepower on your device, you will need to use an external administrator of firepower to manage module (create strategies, apply licenses, monitor events etc.).

  From ASA 9.5 (1) and firepower 6.0, you have the opportunity to make the most of the same functions via ASDM. You must upgrade the ASA (both ASDM) and firepower to achieve module.

  In both cases, you should Protect licenses and URL filtering for the module of firepower.

  The Quick Start Guide is here: http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepo...

  See also the excellent vidoe Lab Minutes guides for firepower: http://labminutes.com/video/sec/ASA%20FirePower

  The ASA and ASDM software is here:

  https://software.Cisco.com/download/type.html?mdfid=284143128&flowid=31442

  Software module of firepower is here:

  https://software.Cisco.com/download/release.html?mdfid=286271171&flowid=...

  To run the power of fire management center VM, the software is here:

  https://software.Cisco.com/download/release.html?mdfid=286259687&flowid=...

  All the links above require a username cisco.com entitled (support agreement) to download the software.

• Management of the IPS software modules

  Is it posible to manage software module IPS (ASA5555-X) in a different way than with ASA interface management (via IP) or should I use int mgmt if I want to use IPS?

  If you want to use the GUI, you must use the management interface.

  You can ssh (or telnet - not recommended because it is not secure) in the ASA of any interface where you have enabled ssh access and session to CLI (painful but possible) configuration module.

• Content of the ASA CX filtering, looking for suggestions

  I wanted to get some feedback on how the rest of you the security people do web content filtering.

  The CX did a great job with HTTP but when it comes to HTTPS there leaves a lot to desire. When the CX first went live, it was configured to decrypt all the HTTPS traffic and deny transactions to servers "to the aid of a certificate not approved" and "If the secure session handshaking fails" lit.

  Immediately, I started to implement the policy of 'do not read' and it worked very well for most of the sites affected by issues of HTTPS decryption. Other sites required certificate HTTPS imported to the CX for it to work.

  However, due to the constant "error: 140920E3:SSL routines: SSL3_GET_SERVER_HELLO:parse tlsext" I experimented with different work a rounds until I found these articles.

  http://www.exploresecurity.com/the-small-print-for-OpenSSL-legacy_renego...

  https://www.digicert.com/news/2011-06-03-SSL-renego.htm

  ATC suggestion was to create a deny statement (with the help of a group of objects that defines the ENTIRE domain name) at the top of the ACL that send traffic to the ASA to the CX. It was the only way to keep the CX deny "using a certificate not approved" and "If the secure session handshaking fails" decryption settings turned on.

  Now I feel I'm back to square one, as the number of exceptions have grown exponentially. This led me to believe that I need to return to the path of the content filtering is implemented. My goal is to apply a simple and scalable solution. As I see it, I can continue to add to the list of exemptions "ASA to CX", is not a scalable solution, because it requires all FQDN to be defined (e.g. bank.com, server1.bank.com, server2.bank.com, etc.). The alternative is to relax the decryption CX configurations which I think is the equivalent to remove the airbags in a car for weight reduction to make it faster.

  Any input would be appreciated!

  I came to the conclusion that SSL decryption is no longer possible, where a robust PKI was deployed in a company. Even in this case we would ideally use a dedicated appliance SSL decryption, so we can give the CX (or ASA with firepower service module) good old http for inspection.

  The right software modules do not have the processing power to line decryption rate for everything, but the more modest rate of return.

  In addition, the CX is now removed for modules of firepower, so you won't see any significant new addressing this gap on the CX.