Re: OT: ASA Failover & Monitored Interfaces

From: Joe Astorino <joeastorino1982_at_gmail.com>
Date: Mon, 25 Mar 2013 00:03:18 -0400

Also of note, the IPSes are actually not Cisco at all and not managed
by me. They are IPS units from Sourcefire managed by a 3rd party.

On Sun, Mar 24, 2013 at 11:44 PM, Jay McMickle <jay.mcmickle_at_yahoo.com> wrote:
> It should indeed, but I agree, I too had this issue March 8, 2013 (yes, I remember the exact date as it was catastrophic).
>
> We have 5585-20s in HA A/S, with IPS 4270s inline with fail-close as well.
>
> I came unglued when this occurred, and Cisco stated this was a "software" issue but without any attributing bug. We were running 9.0.1 on the ASAs (now 9.1.1-4), and could not reproduce the issue on our 5585-20/4270 lab hardware with the same IOS. The default failover is set for 1 interface, but to your point, if it doesn't mark it down, it won't failover. In the lab, it worked as expected. In production, it did not, but now does.
>
> May I ask what code on the ASAs you're running?
>
> BTW, the IPSes locked up due to a bug in the 7.1(6)E4 IPS engine when signature 694 was pushed. Interesting to see if any of these variables were constants in your environment.
>
> I'm taking the Security IE lab on Wednesday of this week, and these little nuances made me a bit nervous!
>
> Cheers.
>
> Regards,
> Jay McMickle CCIE #35355
> Sent from my iPhone
>
> On Mar 24, 2013, at 10:17 PM, Joe Astorino <joeastorino1982_at_gmail.com> wrote:
>
>> I ran into an interesting situation tonight, and am trying to piece
>> together what happened and what should happen. Pretty simple setup:
>>
>> 2 ASAs running in active/standby. These ASAs have a number of
>> interfaces and sub-interfaces, all of which are monitored in the
>> failover configuration. There are IPS units physically inline between
>> these ASAs on most of the interfaces. The failover interface itself
>> is of course a straight connection between the ASAs.
>>
>> So, the IPS on the primary side "locked up" and it is set to
>> fail-closed. From the inside network, the interfaces on the primary
>> ASA were completely unreachable. I was unable to ping the interfaces
>> at all. I was expecting that when this happened, the ASAs would
>> trigger failover because several of the monitored interfaces were not
>> reachable, but they didn't. When logging into the standby unit,
>> everything showed "normal"... all the monitored interfaces were
>> normal. As soon as I manually failed it over, that changed and the
>> interfaces that were unreachable on the other side showed up as
>> "failed".
>>
>> So basically, the ASAs were unable to communicate with each other
>> over several of the monitored data interfaces, but the status still
>> showed "normal" until a manual failover was done. If the failover link
>> is fine, but the ASAs cannot communicate via the monitored data
>> interfaces, shouldn't that trigger a failover event?
>>
>> --
>> Regards,
>>
>> Joe Astorino
>> CCIE #24347
>> http://astorinonetworks.com
>>
>> "He not busy being born is busy dying" - Dylan
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html

-- 
Regards,
Joe Astorino
CCIE #24347
http://astorinonetworks.com
"He not busy being born is busy dying" - Dylan
Blogs and organic groups at http://www.ccie.net
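The thread's lesson is that the ASA's own "Normal" verdict on a monitored interface is not the same as that interface actually passing traffic: with a fail-closed inline device hung on the link, the active unit kept reporting Normal while nothing on the inside could reach it. The script below is an added example, not code from either poster or from Cisco. It parses the per-interface lines of `show failover` output, applies the `failover interface-policy` threshold (count or percentage) as a simplified model of the documented rule, and then cross-checks each interface the ASA calls Normal against a reachability result gathered independently (for instance ICMP from a monitoring host on the inside network). The `show failover` text, interface names, addresses and probe results are all constructed for this example and are not from the thread.

```python
"""Cross-check ASA failover interface status against independent reachability.

Added example, not from the mailing-list thread or from Cisco. The sample
`show failover` text mimics the real command's layout, but the unit names,
interfaces, addresses and probe results below are invented.
"""
import re

# Constructed sample output (layout after `show failover` on ASA 9.x; values made up).
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet0/3 (up)
Interface Policy 1
Monitored Interfaces 4 of 160 maximum
        This host: Primary - Active
                Interface inside (10.0.1.1): Normal (Monitored)
                Interface dmz (10.0.2.1): Normal (Monitored)
                Interface outside (203.0.113.1): Normal (Monitored)
                Interface mgmt (10.0.9.1): Normal (Not-Monitored)
        Other host: Secondary - Standby Ready
                Interface inside (10.0.1.2): Normal (Monitored)
                Interface dmz (10.0.2.2): Normal (Monitored)
                Interface outside (203.0.113.2): Normal (Monitored)
                Interface mgmt (10.0.9.2): Normal (Not-Monitored)
"""

IFACE_RE = re.compile(
    r"Interface (?P<name>\S+) \((?P<ip>[\d.]+)\): (?P<state>\w+) \((?P<mon>[\w-]+)\)"
)
POLICY_RE = re.compile(r"Interface Policy (?P<n>\d+)(?P<pct>%?)")
HOST_RE = re.compile(r"(This|Other) host: (?P<unit>\w+) - (?P<role>[\w ]+)$")


def parse_show_failover(text):
    """Return (policy, hosts).

    policy is ("count", n) or ("percent", n) from the Interface Policy line;
    hosts maps "<unit> - <role>" to a list of interface records.
    """
    policy = None
    hosts = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        pm = POLICY_RE.match(line)
        if pm:
            policy = ("percent" if pm.group("pct") else "count", int(pm.group("n")))
            continue
        hm = HOST_RE.match(line)
        if hm:
            current = "%s - %s" % (hm.group("unit"), hm.group("role"))
            hosts[current] = []
            continue
        im = IFACE_RE.match(line)
        if im and current is not None:
            hosts[current].append({
                "name": im.group("name"),
                "ip": im.group("ip"),
                "state": im.group("state"),          # Normal / Failed / Unknown
                "monitored": im.group("mon") == "Monitored",
            })
    return policy, hosts


def failover_would_trigger(policy, interfaces):
    """Simplified model of `failover interface-policy`: only monitored
    interfaces count, and failover triggers once the number (or percentage)
    of them not reporting Normal reaches the configured threshold."""
    monitored = [i for i in interfaces if i["monitored"]]
    if not monitored:
        return False
    failed = [i for i in monitored if i["state"] != "Normal"]
    kind, n = policy
    if kind == "count":
        return len(failed) >= n
    return 100.0 * len(failed) / len(monitored) >= n


def find_silent_failures(interfaces, reachable):
    """Names of monitored interfaces the ASA reports Normal but that an
    independent probe could not reach. `reachable` maps IP -> bool and is
    collected outside this function (e.g. ICMP from a monitoring host)."""
    return [
        i["name"] for i in interfaces
        if i["monitored"] and i["state"] == "Normal"
        and reachable.get(i["ip"]) is False
    ]


if __name__ == "__main__":
    policy, hosts = parse_show_failover(SAMPLE_SHOW_FAILOVER)
    active = hosts["Primary - Active"]
    # Constructed probe result: the inline device on the active unit's inside
    # and dmz links is fail-closed, so those addresses do not answer, yet the
    # ASA still reports them Normal (the situation described in the thread).
    probe = {"10.0.1.1": False, "10.0.2.1": False, "203.0.113.1": True}
    print("policy:", policy)
    print("ASA-reported state would trigger failover:", failover_would_trigger(policy, active))
    print("Normal on the ASA but unreachable:", find_silent_failures(active, probe))
```

Running this against the constructed sample reports no failover from the ASA's own view (every monitored interface is Normal) while `find_silent_failures` names `inside` and `dmz`, which is the alert a monitoring system should raise for the scenario in the thread. In practice the `reachable` map would come from a probe host on each monitored segment rather than from the firewall itself, so the check does not share the ASA's blind spot.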
Received on Mon Mar 25 2013 - 00:03:18 ART

This archive was generated by hypermail 2.2.0 : Wed Apr 03 2013 - 19:06:19 ART