ASA Failover Question

Jul 15th, 2009

I have 2 5540 ASA in an Active / Standby setup. The Active firewall has a packet shaper sitting between it and the inside LAN. When I reboot the packet shaper the FWs fail over. I have the default timings for failover: 1 second hello, 15 seconds keepalive. I would assume this means that as long as the Active firewall sends a hello packet within 15 seconds the standby will not assume the active role. The packet shaper reboot takes only a couple of seconds (typically 1 or 2 lost ping packets). Am I missing something simple here?

Danilo Dy Wed, 07/15/2009 - 07:23

The packetshaper takes only a few seconds to reboot. However, the interface link will be down for approximately 40 seconds during the reboot as I tested in a lab.

All systems are like this; it doesn't mean that once they have booted successfully, their network link will be up at the same time.

ricey Wed, 07/15/2009 - 07:31

Thanks for your quick response. What is the reason for this?

By the way, the packet shaper does not really take only a few seconds to boot, but "fails open" whenever it is rebooted.

plumbis Wed, 07/15/2009 - 10:54

This is probably because of interface health checks. The primary device sees the interface go down and is now "less healthy" than the secondary and fails over.

ricey Thu, 07/16/2009 - 00:01

Thanks very much for your response. Do you know how I can override this default behaviour and ensure the primary stays active unless the secondary does not receive a hello packet within the 15 seconds?

Thanks again,


