Cisco ASA 5540 Adaptive Security Appliance Technical Manual

Background Information
In certain situations, it might be necessary to reimage an IPS hardware or software module in an ASA failover
pair deployment. For example, downgrading from Release 7.1(7) to Release 7.0(8) requires a reimage, as
there is no formal downgrade option for the IPS operating system. These steps are used to minimize the
chance of a network outage or false failover during a reimage.
1. Complete the reimage process on the IPS module in the standby ASA.
2. Make the standby ASA the active ASA.
3. Complete the reimage process on the new standby ASA (former active).
4. Restore the new standby ASA to the active state, if desired.
Note: In rare situations where both modules are in a failed state, the first module brought online causes the
ASA to preempt the failover state. For example, the primary ASA has the active state and has a child module
in a down state. The IPS in the standby ASA is also in a down state. The IPS is then restarted on the standby
ASA. With the IPS in a failed state on the primary active ASA, the failover process considers the standby
more desirable, and forces it to become active.
Configure
Initial Steps
1. Back up the current running configuration of both sensors to an external server by use of the CLI (for example: copy current-config ftp://cisco123:cisco123@10.10.10.10/ips1-backup).
2. Position the IPS system image file on an external TFTP server (for example: IPS-SSM_40-K9-sys-1.1-a-7.0-8-E4.img).
Reimage the IPS on the Current Standby ASA (ASA 5500 Series only)
1. Connect to the CLI of the standby ASA via console, Telnet, or Secure Shell (SSH).
2. Enter the show failover command in order to verify that the ASA is the standby unit.
3. Enter the hw-module module 1 recover configure command on the ASA and configure the appropriate IP/TFTP settings.
4. Enter the hw-module module 1 recover boot command on the ASA in order to transfer the image and restart the IPS module.
5. Enter the show module 1 details command on the ASA in order to monitor the recovery status.
6. Once completed, enter the session 1 command on the ASA in order to connect to the IPS module.
7. On the IPS, enter the setup command and configure the IP/Subnet Mask/Gateway/ACL.
8. With the IPS module back on the network, restore the previous configuration via CLI (for example: copy ftp://cisco123:cisco123@10.10.10.10/ips1-backup current-config).
9. In order to verify that the IPS running configuration is updated, enter the show config command.
10. Reinstall the signature license and upgrade the signature definitions as required.
11. On the standby ASA, enter the failover active command in order to make the standby unit active.
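The standby check in step 2 and the Note under Background Information can be combined into one pre-check run before the module is touched. The Python below is an added example, not part of the Cisco document; the show failover sample is constructed, its layout (host lines and slot 1 status lines) is an assumption that varies by release, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on a typical "show failover" layout (assumption:
# wording, versions and slot lines differ between ASA releases and modules).
SAMPLE = """\
Failover On
Failover unit Secondary
        This host: Secondary - Standby Ready
                slot 0: ASA5540 hw/sw rev (2.0/8.2(5)) status (Up Sys)
                slot 1: ASA-SSM-40 hw/sw rev (1.0/7.1(7)E4) status (Up)
        Other host: Primary - Active
                slot 0: ASA5540 hw/sw rev (2.0/8.2(5)) status (Up Sys)
                slot 1: ASA-SSM-40 hw/sw rev (1.0/7.1(7)E4) status (Up)
"""

HOST = re.compile(r"^\s*(This|Other) host:\s*(\w+)\s*-\s*(.+?)\s*$")
SLOT1 = re.compile(r"^\s*slot 1:.*status \((.+?)\)\s*$")

def parse_failover(text):
    """Map 'this'/'other' to failover role, state and slot 1 (IPS) status."""
    units, current = {}, None
    for line in text.splitlines():
        m = HOST.match(line)
        if m:
            current = m.group(1).lower()
            units[current] = {"role": m.group(2), "state": m.group(3), "module": None}
            continue
        m = SLOT1.match(line)
        if m and current:
            units[current]["module"] = m.group(1)
    return units

def safe_to_reimage(text):
    """Return (ok, reason) for reimaging the IPS module on the logged-in unit."""
    u = parse_failover(text)
    if "this" not in u or "other" not in u:
        return False, "failover peer information missing"
    this, other = u["this"], u["other"]
    if not this["state"].startswith("Standby"):
        return False, "this unit is %s, not standby" % this["state"]
    if not other["state"].startswith("Active"):
        return False, "peer is not active"
    # Case from the Note: if the active peer's module is down, the first module
    # brought online makes its ASA more desirable and can force a failover.
    if not (other["module"] or "").startswith("Up"):
        return False, "peer IPS module is not Up; restart here may force failover"
    return True, "standby unit with healthy active peer"

if __name__ == "__main__":
    print(safe_to_reimage(SAMPLE))
```
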
Reimage the IPS on the New Standby ASA (ASA 5500 Series only)
1. Connect to the CLI of the new standby ASA via console, Telnet, or SSH.
2. Enter the show failover command in order to verify that the ASA is the new standby unit.
3. Enter the hw-module module 1 recover configure command on the ASA and configure the appropriate IP/TFTP settings.
4. Enter the hw-module module 1 recover boot command on the ASA in order to transfer the image and restart the IPS module.