ASA active/standby failover with AIP-SSM module installed

Hi All,

I am working with 2 ASA 5520 with AIP-SSM-10 installed in both. My goal is to check the failover timer settings so that failover triggers without much delay.

While testing failover, a source connected to the inside interface of the firewall is continuously pinging the destination on the outside of the firewall.

On the primary (active) firewall, I issued the command "no active failover", which makes the secondary (standby) firewall become active. Keeping an eye on the continuous ping, I found that before the secondary (previously standby) firewall took the role of active firewall there were 3 Request Timed Outs.
In order to decrease the time taken for failover to trigger, I issued the command "failover polltime 1 holdtime 5" in configuration mode and observed only 1 Request Timed Out. So I got the result which was needed.

Moving on, the failover test was conducted by shutting down the AIP-SSM module. As expected, shutting down the AIP-SSM module triggered the failover, but I observed 3 Request Timed Outs in the continuous ping operation.

Based on the above scenario, I have the following questions.

Q1: Is it possible to decrease the amount of time it takes to trigger the failover when AIP-SSM module fails?

Q2: Changing the polltime in the firewall does not have any effect on AIP-SSM failure?

Q3: Will the command "failover polltime unit 1 holdtime 5" in configuration mode change the amount of time to trigger the failover, even when the AIP-SSM module fails?

I would really appreciate it if anyone can help me.

Thank you,

Nagabhushan

Accepted Solution

Re: ASA active/standby failover with AIP-SSM module installed

Hi Nagabhushan,

Here are answers to your questions:

Q1: Is it possible to decrease the amount of time it takes to trigger the failover when AIP-SSM module fails?

A: No, as AIP-SSM module failure is monitored by the platform failover time (not interface polling). Here is the time for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_overview.html#wp1079158

Q2: Changing the polltime in the firewall does not have any effect on AIP-SSM failure?

A: No, it will not have an effect on AIP-SSM failure, as the time for failover is 2 seconds for the AIP-SSM module. Changing the polltime is for the ASA interface polling.

Q3: Will the command "failover polltime unit 1 holdtime 5" in configuration mode change the amount of time to trigger the failover, even when the AIP-SSM module fails?

A: As per above, no.

Hope that helps.

Re: ASA active/standby failover with AIP-SSM module installed

Hi halijenn,

Thank you for your reply.

I really appreciate the help from you. It has cleared my doubts. Once again, thank you very much.

Regards,

Nagabhushan
