TAC tells me that is related with this bug:

+++++++++++++++++++++++++++++++
CSCud41702 Bug Details

IPS: After IPS config change, a false failover occurs with the ASA

Symptom:
Immediately after an IPS config change, an ASA failover occurs with the following messages:

Nov 14 23:01:41 10.30.91.76 ASA-1-505013 ASA5585-SSP-IPS40 Module in slot 1, application reloading "IPS", version "7.1(6)E4" Config Change
Nov 14 23:01:45 10.30.91.76 ASA-1-505015 ASA5585-SSP-IPS40 Module in slot 1, application up "IPS", version "7.1(6)E4" Normal Operation
Nov 14 23:01:45 10.30.91.76 ASA-1-323006 ASA5585-SSP-IPS40 Module in slot 1 experienced a data channel communication failure, data channel is DOWN.

Conditions:
ASA-IPS pair in failover running code versions 8.4(4)1 and 7.1(6)E4, respectively

Workaround:
None
+++++++++++++++++++++++++++++++

Fixed-In: Release-Pending

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Antonio Soares
Sent: Friday, 18 January 2013 19:23
To: 'Pete Lumbis'
Cc: 'cisco-nsp'
Subject: Re: [c-nsp] ASA5585-X IPS Upgrade causes ASA failover

Just found that even with a basic configuration change like enabling a signature, I have a failover... Is this normal?

Thanks.

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Antonio Soares
Sent: Friday, 9 November 2012 23:56
To: 'Pete Lumbis'
Cc: 'cisco-nsp'
Subject: Re: [c-nsp] ASA5585-X IPS Upgrade causes ASA failover

Thanks, it seems another enhancement that won't see the light of day... Found in 8.0.3... Code that has almost 5 years...

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net

-----Original Message-----
From: Pete Lumbis [mailto:alum...@gmail.com]
Sent: Friday, 9 November 2012 22:06
To: Antonio Soares
Cc: cisco-nsp
Subject: Re: [c-nsp] ASA5585-X IPS Upgrade causes ASA failover

CSCsm81086 - Allow user to exclude the status of the SSM or SSP from failover checks

Still in the New state :(

On Fri, Nov 9, 2012 at 3:08 PM, Antonio Soares <amsoa...@netcabo.pt> wrote:
> Hello group,
>
> I had a bad surprise today, I was updating the IPS software of two
> ASA5585-SSP-IPS10 modules and found that it caused the Failover of the
> parent ASA5585-SSP-10. It seems this is the normal behavior
> (https://supportforums.cisco.com/thread/2035549) but I was not
> expecting this at all. I'm not using any of the SSP-IPS10 interfaces
> thus there is not monitoring on those interfaces so why the hell this
> is like this? I knew that the IPS upgrade would cause the module
> reload but taking into account what I mentioned, it caught me
> completely by surprise. This should not be a big problem but since I
> have OSPF running on the ASAs, Failover is something that breaks a lot
> of things. No NSF support... :(
>
> Anyone knows if it is possible to disable this behavior, I mean, the
> implicit monitoring of the IPS module? This is what failover history
> shows me:
>
> 18:36:55 WEST Nov 9 2012
> Standby Ready            Just Active              Service card in other unit has failed
> 18:36:55 WEST Nov 9 2012
> Just Active              Active Drain             Service card in other unit has failed
> 18:36:55 WEST Nov 9 2012
> Active Drain             Active Applying Config   Service card in other unit has failed
> 18:36:55 WEST Nov 9 2012
> Active Applying Config   Active Config Applied    Service card in other unit has failed
> 18:36:55 WEST Nov 9 2012
> Active Config Applied    Active                   Service card in other unit has failed
>
> Is this really the expected behavior? I'm still trying to find where
> this is documented.
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S/SP)
> amsoa...@netcabo.pt
> http://www.ccie18473.net
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
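
A log-triage sketch for the syslog sequence quoted in the CSCud41702 bug text at the top of this thread, added here as an example and not part of any message in the thread: it labels each 323006 data-channel-down event by whether a 505013 "Config Change" reload of the same module preceded it. The 30-second window, the default year, the function names and the last sample line are assumptions.

```python
import re
from datetime import datetime, timedelta

# The first three lines are the ones quoted in the bug text in this thread;
# the last line (host 192.0.2.10) is constructed for contrast.
SAMPLE = '''
Nov 14 23:01:41 10.30.91.76 ASA-1-505013 ASA5585-SSP-IPS40 Module in slot 1, application reloading "IPS", version "7.1(6)E4" Config Change
Nov 14 23:01:45 10.30.91.76 ASA-1-505015 ASA5585-SSP-IPS40 Module in slot 1, application up "IPS", version "7.1(6)E4" Normal Operation
Nov 14 23:01:45 10.30.91.76 ASA-1-323006 ASA5585-SSP-IPS40 Module in slot 1 experienced a data channel communication failure, data channel is DOWN.
Nov 14 23:40:02 192.0.2.10 ASA-1-323006 ASA5585-SSP-IPS40 Module in slot 1 experienced a data channel communication failure, data channel is DOWN.
'''

# Accepts the form quoted in the thread and the "%ASA-1-505013:" form.
LINE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'%?ASA-\d-(?P<id>\d{6}):? (?P<msg>.*)$')
SLOT = re.compile(r'Module in slot (\d+)')


def parse(text, year=2012):
    """Yield (time, host, slot, message id, text) for module-related lines.

    These syslog timestamps carry no year, so one is assumed.
    """
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        slot = SLOT.search(m['msg']) if m else None
        if not slot:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m['host'], slot.group(1), m['id'], m['msg']


def classify_channel_down(text, window=timedelta(seconds=30)):
    """Label each 323006 event per host and slot.

    'after-config-change': a 505013 reload with reason "Config Change" was
    logged for the same module within `window` before the event.
    'unexplained': no such reload was seen, so treat it as a module fault.
    """
    last_reload, findings = {}, []
    for ts, host, slot, msgid, msg in parse(text):
        key = (host, slot)
        if msgid == "505013" and msg.rstrip().endswith("Config Change"):
            last_reload[key] = ts
        elif msgid == "323006":
            seen = last_reload.get(key)
            hit = seen is not None and timedelta(0) <= ts - seen <= window
            label = "after-config-change" if hit else "unexplained"
            findings.append((ts.strftime("%H:%M:%S"), host, slot, label))
    return findings


if __name__ == "__main__":
    for finding in classify_channel_down(SAMPLE):
        print(*finding)
```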