Twice in the past two weeks my ASA 5520s in an Active/Standby setup have failed over when it appears there should have been no reason to.
I think this is 3 or 4 times total they've done it since I implemented them. After the first false failover maybe about 6 months ago I increased all the poll and holdtime timeouts.
Here is a snippet from "show failover":
Failover unit Primary
Failover LAN Interface: ASA-failover GigabitEthernet0/3 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 15 seconds, holdtime 75 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
failover replication http
Version: Ours 7.2(3), Mate 7.2(3)
My settings seem pretty lax and hopefully I am translating them right.
The secondary unit will poll the primary unit every 15 seconds and if no response is received in 45 seconds (3 tries) it will failover.
The secondary unit will poll the primary unit's interfaces every 15 seconds and if just one of them doesn't respond within 75 seconds (5 tries), then it fails over.
I know these may seem lax for some of your standards but if the internet goes out here for a minute it's no big deal.
The problem I have is that when they do fail over, maybe about 2 or 3 of the 35 site-to-site VPN tunnels we have up won't make the transition properly. The only fix I've found is to issue the "failover active" command on the primary ASA to make it the active one again.
The failover connection is via a crossover cable on Gi 0/3 on both devices, so I don't think it could be something related to the switch that interfaces Gi 0/0-0/2 run to, would it?
My only other guess is just to upgrade the software to version 8.
Take a look at the output of 'show failover history' and any syslogs you have from the time of the failover. These should give you an idea of why the failover occurred and a place to start troubleshooting the issue.