07-17-2008 03:03 PM - edited 03-11-2019 06:16 AM
I am looking for clarity on the time it takes for two ASAs configured in active/passive using LAN-based stateful failover in routed mode to fail over.
Switch1 -------------- Switch3
| |
ASA1 ---failover link ----- ASA2
| |
Switch2--------------- Switch4
Scenario:
ASA1 is the active firewall and switch1 fails (hard down).
Does ASA2 have to wait for the holddown time, then all 4 failover tests (link up/down, Network activity, ARP, Broadcast ping) before failover actually occurs? Or is it simply that the expiry of the holddown time determines the actual failover time and the interface failover is simply used as a reporting mechanism for identification of failed interface?
Any help would be greatly appreciated.
07-18-2008 02:19 AM
Jeremy,
The ASA is very configurable when it comes to failover. It all depends on how it is configured; you can have:
1) Number of failed interfaces that triggers failover: when the number of failed monitored interfaces exceeds the value you set with this command, the security appliance fails over. The range is between 1 and 250 failures.
2) Percentage of failed interfaces that triggers failover: when the number of failed monitored interfaces exceeds the percentage you set with this command, the security appliance fails over.
Failover Poll Times: contains the fields for defining how often hello messages are sent on the failover link and, optionally, how long to wait before testing the peer for failure if no hello messages are received.
Unit Failover: the amount of time between hello messages among units. The range is between 1 and 15 seconds or between 200 and 999 milliseconds.
Unit Hold Time: sets the time during which a unit must receive a hello message on the failover link, or else the unit begins the testing process for peer failure. The range is between 1 and 45 seconds or between 800 and 999 milliseconds. You cannot enter a value that is less than 3 times the polltime.
Monitored Interfaces: the amount of time between polls among interfaces. The range is between 1 and 15 seconds or 500 to 999 milliseconds.
Interface Hold Time: sets the time during which a data interface must receive a hello message on the data interface, after which the peer is declared failed. Valid values are from 5 to 75 seconds.
HTH.
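As an added illustration (not part of the original thread or of Cisco's documentation), the configuration fragment below shows where each parameter Andrew lists is set on the ASA CLI. The failover-link name (folink), the interface names and the addresses are assumptions; the poll, hold and policy values match the "show failover" output quoted later in the thread.

```cisco
! Added example, not from the original post. Link name, interface
! names and addresses are assumed.
failover
failover lan unit primary
failover lan interface folink GigabitEthernet1/3
failover link folink GigabitEthernet1/3
failover interface ip folink 192.0.2.1 255.255.255.252 standby 192.0.2.2
! Unit poll/hold: a hello every 500 ms on the failover link; peer testing
! starts after 2 s without one (holdtime must be at least 3 x polltime).
failover polltime unit msec 500 holdtime 2
! Interface poll/hold: a hello every 5 s on each monitored data interface;
! an interface with no hello for 25 s is tested and then declared failed.
failover polltime interface 5 holdtime 25
! One failed monitored interface is enough to trigger failover
! (use a percentage, e.g. "failover interface-policy 50%", instead).
failover interface-policy 1
! Replicate HTTP session state as well (off by default).
failover replication http
! Choose which data interfaces count toward the policy; leave the
! management interface out so it cannot cause a failover.
monitor-interface outside
monitor-interface inside
no monitor-interface management
```

Check the result with "show failover": the Unit and Interface poll/hold lines, the Interface Policy and the "Monitored Interfaces n of 250" line should reflect the values above. Raising the interface policy or lowering the hold times trades faster detection for a greater chance of a spurious failover during a brief upstream outage.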
07-18-2008 07:27 AM
Andrew,
Thank you for the information, this is all good stuff. I have a few more questions for you.
Based on the show fail over output (see below)...
Failover On
Failover unit Primary
Failover LAN Interface: Failover GigabitEthernet1/3 (up)
Unit Poll frequency 500 milliseconds, holdtime 2 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 6 of 250 maximum
failover replication http
My understanding of failover on this set of firewalls is...
1. All 6 interfaces are monitored, but if hellos aren't received on any one of them for 25 seconds the peer is considered down and failover will occur. Is this correct?
2. What does the Unit Poll frequency govern and when does it come into play?
3. "When failure occurs in the active security appliance, and the failure isn't caused by a loss of power in the standby security appliance, failover begins a series of tests to determine which security appliance has failed." The tests are then listed in order as link up/down, network activity, ARP, broadcast ping.
I read this as meaning that these four tests aren't actually used in triggering failover, but are used after failover in identifying exactly what failed.
Is this correct?
Again, thank you for sharing your knowledge.
07-18-2008 07:49 AM
Rather than give a long-winded explanation, the below links will explain ALL.
PIX/ASA Active/Active Failover Config Example:-
PIX/ASA Active/Standby Failover Config Example:-
HTH.
07-18-2008 07:53 AM
I've actually read both articles already. Neither one answers my questions unfortunately.
07-18-2008 08:14 AM
On second pass, it did answer all questions (once I followed an embedded link) but one. The last outstanding question is related to the interface tests, and whether they play a role in identifying and triggering failover (at this time I don't believe they do) or whether their role is strictly in identifying and reporting which interface failed on which device AFTER failover has occurred.
07-18-2008 02:39 PM
Jeremy,
You are correct, nothing fancy just up or down!
HTH.
07-21-2008 07:42 AM
Sweet,
Thank you for all your help and patience. It is very much appreciated! : )
07-21-2008 09:19 AM
np - glad to help.