ASA Failover Question

ricey · ‎07-15-2009

I have 2 5540 ASA in an Active / Standy setup. The Active firewall has a packet shaper sitting between it and the inside LAN. When I reboot the Packet shaper the FWs failover. I have the default timeings for failover 1 second hello 15 seconds keepalive. I would assume this emans that as long as the Active firewall sends a hello packet within 15 seconds the standby will not assume the active role. The Packet Shaper reboot takes only a couple of seconds (typically 1 or 2 lost ping packets) Am I missing something simple here?

Danilo Dy · ‎07-15-2009

The packetshaper takes only a few seconds to reboot. However, the interface link will be down for approximately 40 seconds during the reboot as I tested in a lab.

All systems are like this, it doesn't mean that once they booted successfully, their network link will be up at the same time.

ricey · ‎07-15-2009

Danilo,

thanks for your quick response. What is the reason for this?

By the way, the packet shaper does not really take only a few seconds to boot, buts "fails open" whenever it is rebooted.

plumbis · ‎07-15-2009

This is probably because of interface health checks. The primary device sees the interface go down and is now "less healthy" than the secondary and fails over.

ricey · ‎07-16-2009

Pete,

Thanks very much for your respose. Do you know how I can override this default behaviour and ensure the primary stays active unless the secondary does not receive a hello packet within the 15 seconds?

Thanks again,

Rich