ASA active/standby failover with AIP-SSM module installed

Answered Question
Mar 29th, 2010

Hi All,

I am working with 2 ASA 5520 with AIP-SSM-10 installed in both. My goal is to check the failover timer settings so that failover triggers without much delay.

While testing failover, source connected to inside interface of firewall is continuously pinging the destination on the outside of Firewall.

On the primary (active) firewall, I issued the command "no active failover", which makes the secondary (standby) firewall become active. Keeping an eye on the continuous ping, I found that before the secondary (previously standby) firewall took over the active role there were 3 Request Timed Outs.
In order to decrease the time taken for failover to trigger, I issued the command "failover polltime 1 holdtime 5" in configuration mode and observed only 1 Request Timed Out. So I got the result I needed.

Moving on, the failover test was conducted by shutting down the AIP-SSM module. As expected, shutting down the AIP-SSM module triggered the failover, but I observed 3 Request Timed Outs in the continuous ping.

Based on the above scenario, I have the following questions.

Q1: Is it possible to decrease the amount of time it takes to trigger the failover when AIP-SSM module fails?

Q2: Does changing the polltime in the firewall have no effect on AIP-SSM failure?

Q3: Will the command "failover polltime unit 1 holdtime 5" in configuration mode change the amount of time to trigger the failover, even when AIP-SSM module fails?

I would really appreciate it if anyone can help me.

Thank you,

Nagabhushan

Correct Answer by Jennifer Halim, Tue, 03/30/2010 - 01:06

Hi Nagabhushan,

Here are answers to your questions:

Q1: Is it possible to decrease the amount of time it takes to trigger the failover when AIP-SSM module fails?

A: No, as AIP-SSM module failure is monitored by the platform failover time (not interface polling). Here is the time for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_overview.html#wp1079158

Q2: Does changing the polltime in the firewall have no effect on AIP-SSM failure?

A: No, it will not have any effect on AIP-SSM failure, as the failover time for the AIP-SSM module is 2 seconds. Changing the polltime is for ASA interface polling.

Q3: Will the command "failover polltime unit 1 holdtime 5" in configuration mode change the amount of time to trigger the failover, even when AIP-SSM module fails?

A: As per above, no.

Hope that helps.
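For readers wanting to see the distinction the answer draws, here is an added ASA configuration fragment (not from the original thread or from Cisco's documentation) contrasting the unit polltime the poster changed with the separate interface polltime, plus the show commands used to verify the result. The 2-second module figure and the "failover polltime unit 1 holdtime 5" command come from the answer above; the interface-polling line and the show commands are assumed to match the ASA 8.2 syntax and are not part of the original post.

```cisco
! --- Unit (hello) polling: this is what the poster tuned ---
! Governs how quickly the standby detects a failed or manually
! deactivated peer unit. Does NOT change module (AIP-SSM) detection.
failover polltime unit 1 holdtime 5

! --- Interface polling (assumed syntax): separate from unit polling ---
! Governs how quickly a monitored data interface is declared failed.
! Also does NOT change module (AIP-SSM) detection.
failover polltime interface 1 holdtime 5

! --- Verification (assumed command names) ---
! "show failover" lists the configured unit/interface polltimes and the
! current state of each unit; the module state appears under the
! Service Module entry. Module failure detection stays fixed at the
! platform value (2 seconds per the answer) regardless of the two
! polltime commands above.
! show failover
! show module 1
```

The practical check after changing either polltime is to confirm in `show failover` that the new values are reported on both units; a mismatch between units indicates the configuration did not replicate and the failover pair is not in the expected state.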

nagabhushana.k Tue, 03/30/2010 - 02:06

Hi halijenn,

Thank you for your reply.

I really appreciate the help from you. It has cleared my doubts. Once again, thank you very much.

Regards,

Nagabhushan
