ASA active/standby failover with AIP-SSM module installed
I am working with 2 ASA 5520 with AIP-SSM-10 installed in both. My goal is to check the failover timer settings so that failover triggers without much delay.
While testing failover, a source connected to the inside interface of the firewall is continuously pinging the destination on the outside of the firewall.
On the primary (active) firewall, I issued the command "no active failover", which makes the secondary (standby) firewall become active. Keeping an eye on the continuous ping, I found that before the secondary (previously standby) firewall took the role of active firewall there were 3 Request Timed Outs. In order to decrease the time taken for failover to trigger, I issued the command "failover polltime 1 holdtime 5" in configuration mode and observed only 1 Request Timed Out. So I got the result which was needed.
Moving on, the failover test was conducted by shutting down the AIP-SSM module. As expected, shutting down the AIP-SSM module triggered the failover, but I observed 3 Request Timed Outs in the continuous ping operation.
Based on the above scenario, I have the following questions.
Q1: Is it possible to decrease the amount of time it takes to trigger the failover when the AIP-SSM module fails?
Q2: Changing the polltime in the firewall does not have any effect on AIP-SSM failure?
Q3: Will the command "failover polltime unit 1 holdtime 5" in configuration mode change the amount of time to trigger the failover, even when the AIP-SSM module fails?