Twice in the past two weeks my ASA 5520s in an Active/Standby setup have failed over when it appears there should have been no reason to.
I think this is 3 or 4 times total they've done it since I implemented them. After the first false failover maybe about 6 months ago I increased all the poll and holdtime timeouts.
Here is a snippet from "show failover":
Failover unit Primary
Failover LAN Interface: ASA-failover GigabitEthernet0/3 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 15 seconds, holdtime 75 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
failover replication http
Version: Ours 7.2(3), Mate 7.2(3)
My settings seem pretty lax and hopefully I am translating them right.
The secondary unit will poll the primary unit every 15 seconds and if no response is received in 45 seconds (3 tries) it will failover.
The secondary unit will poll the primary unit's interfaces every 15 seconds and if just one of them doesn't respond within 75 seconds (5 tries), then it fails over.
I know these may seem lax for some of your standards but if the internet goes out here for a minute it's no big deal.
The problem I have is that when they do failover maybe about 2 or 3 of the 35 site-to-site VPN tunnels we have up won't make the transition properly. The only fix I've found is to issue the "failover active" command on the primary ASA to make it the active one again.
The failover connection is via a crossover cable on Gi 0/3 on both devices, so I don't think it could be something related to the switch that interfaces Gi 0/0-0/2 run to, would it?
My only other guess is just to upgrade the software to version 8.
Thanks for any help.
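As an added example (not part of the post above, and not Cisco's code), the following Python script parses the quoted "show failover" output, works out the same "tries before failover" numbers the poster derives by hand, and runs a few sanity checks a reviewer would want: that each holdtime is at least the minimum multiple of its poll time (assumed here as 3x for the unit timer and 5x for the interface timer, which is what the ASA enforces on configuration), that both units run the same software version, and what the interface policy means given the number of monitored interfaces. The sample text is the snippet from the post; the ratio constants and the `audit_failover` report layout are this example's own assumptions.

```python
import re

# Constructed sample: the "show failover" snippet quoted in the post above.
SHOW_FAILOVER = """\
Failover unit Primary
Failover LAN Interface: ASA-failover GigabitEthernet0/3 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 15 seconds, holdtime 75 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
failover replication http
Version: Ours 7.2(3), Mate 7.2(3)
"""

# Assumed minimum holdtime/polltime ratios (holdtime must be >= N x poll time).
MIN_RATIO = {"unit": 3, "interface": 5}

_POLL_RE = re.compile(
    r"^(Unit|Interface) Poll frequency (\d+) (seconds|msec), "
    r"holdtime (\d+) (seconds|msec)",
    re.MULTILINE,
)
_POLICY_RE = re.compile(r"^Interface Policy (\d+)(%?)", re.MULTILINE)
_MONITORED_RE = re.compile(r"^Monitored Interfaces (\d+) of (\d+)", re.MULTILINE)
_VERSION_RE = re.compile(r"^Version: Ours ([^,]+), Mate (\S+)", re.MULTILINE)


def _to_seconds(value, unit):
    """Normalise a timer value to seconds; the ASA prints either 'seconds' or 'msec'."""
    return value / 1000.0 if unit == "msec" else float(value)


def parse_failover_timers(text):
    """Return {'unit': {'poll': s, 'hold': s}, 'interface': {...}} from show failover output."""
    timers = {}
    for m in _POLL_RE.finditer(text):
        kind = m.group(1).lower()
        timers[kind] = {
            "poll": _to_seconds(int(m.group(2)), m.group(3)),
            "hold": _to_seconds(int(m.group(4)), m.group(5)),
        }
    return timers


def missed_polls_before_failover(timers, kind):
    """How many consecutive unanswered polls fit inside the holdtime (the 'tries')."""
    t = timers[kind]
    return int(t["hold"] // t["poll"])


def audit_failover(text):
    """Run the sanity checks and return a report dict; 'findings' lists anything suspicious."""
    timers = parse_failover_timers(text)
    findings = []

    # 1. Holdtime must be a sufficient multiple of the poll interval.
    for kind, t in timers.items():
        if t["hold"] < MIN_RATIO[kind] * t["poll"]:
            findings.append(
                f"{kind} holdtime {t['hold']:.3f}s is below "
                f"{MIN_RATIO[kind]}x the poll time {t['poll']:.3f}s"
            )

    # 2. Both units should run the same software version.
    versions_match = None
    vm = _VERSION_RE.search(text)
    if vm:
        versions_match = vm.group(1).strip() == vm.group(2).strip()
        if not versions_match:
            findings.append(f"version mismatch: ours {vm.group(1)} vs mate {vm.group(2)}")

    # 3. Explain the interface policy in terms of the monitored interface count.
    policy = None
    pm = _POLICY_RE.search(text)
    mm = _MONITORED_RE.search(text)
    if pm and mm:
        count = int(pm.group(1))
        monitored = int(mm.group(1))
        if pm.group(2) == "%":
            # Percentage policy: failover when this fraction of monitored interfaces fails.
            policy = {"type": "percent", "value": count, "monitored": monitored}
        else:
            policy = {"type": "count", "value": count, "monitored": monitored}
            if count == 1:
                findings.append(
                    f"interface policy 1: any single failure among {monitored} "
                    f"monitored interfaces triggers failover"
                )

    return {
        "timers": timers,
        "tries": {k: missed_polls_before_failover(timers, k) for k in timers},
        "versions_match": versions_match,
        "interface_policy": policy,
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit_failover(SHOW_FAILOVER)
    for kind, n in report["tries"].items():
        print(f"{kind}: failover after {n} missed polls")
    for f in report["findings"]:
        print("note:", f)
```

Run against the posted snippet it reports 3 unit tries and 5 interface tries, matching the poster's own translation, finds no ratio or version problem, and only notes that the interface policy of 1 means a single monitored interface failing will trigger failover.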