I have two ASA 5520s set up in an active/standby configuration. Each pix is configured with an inside and an outside interface. I am also using the other two interfaces for the failover and stateful pair. These firewalls are directly plugged into each other (no switches in between; I don't have any crossover cables, so right now they are connected using straight-through cables).
I am sourcing a ping from my laptop to a website, and then I force a failure on the active firewall by unplugging one of the monitored interfaces. The failover works, but it seems to take too long. I timed it and found that my ping recovers close to a minute after the failover has happened. Is this normal behavior, or is there something wrong in my setup?
Okay, so I figured out what was causing the issue. I have an OSPF process running. The setup includes two layers of ASA firewalls. The first set of firewalls connects to the internet on the outside interface and to an internet DMZ on the inside interface, running failover. I generate a default route of 0.0.0.0 0.0.0.0 and advertise it to the second set of firewalls; these firewalls sit on the same DMZ segment as the internet firewalls and also protect the real inside network. The default route is then propagated to the core and beyond.
When the firewall failover happens, the OSPF process has to start up again on the firewall, which essentially shuts it down and causes the default route to be advertised again only once it is re-learned. It uses the default OSPF timers to send the hellos to establish the adjacency. Once the route is re-learned by the ASA, traffic starts to flow again.
My question is: what is the best way to handle this situation? Should I just statically assign default routes on the two layers of firewalls, as well as default routes for all of the routers participating in the inside network?
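The two options the post above is weighing, as an added configuration sketch that is not part of the original thread: option A keeps OSPF between the two pairs but shortens the hello/dead timers on the DMZ segment so the inner pair re-forms the adjacency in seconds rather than waiting out the 10 s / 40 s defaults; option B gives the inner pair a static default pointing at the outer pair's active inside address (which the standby unit takes over on failover) and still originates that default into OSPF, so the core routers need no statics of their own. The hostnames, interface numbers and addresses (203.0.113.0/24, 192.0.2.0/24, 10.0.0.0/30, 10.1.0.0/16) are assumptions chosen for illustration, and only commands that exist on the ASA CLI are used.

```cisco
! --- Outer (internet-facing) active/standby pair ---
! Assumed addressing (documentation ranges, not from the original post):
!   outside 203.0.113.2/24, upstream router 203.0.113.1
!   inside  = internet DMZ, 192.0.2.1/24
!   failover link Gi0/2, stateful link Gi0/3
hostname outer-fw
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
 ! Option A: keep OSPF, but cut hello/dead from the 10/40 s defaults so
 ! the inner pair declares the neighbor down and re-forms the adjacency
 ! within a few seconds of a failover. Timers must match on every OSPF
 ! speaker on this segment or the adjacency will never come up.
 ospf hello-interval 1
 ospf dead-interval 3
!
failover
failover lan unit primary
failover lan interface FOVER GigabitEthernet0/2
failover link STATE GigabitEthernet0/3
failover interface ip FOVER 10.0.0.1 255.255.255.252 standby 10.0.0.2
failover interface ip STATE 10.0.0.5 255.255.255.252 standby 10.0.0.6
! Detect a dead unit / dead monitored interface faster than the defaults too.
failover polltime unit 1 holdtime 3
failover polltime interface 1 holdtime 5
!
! Static default toward the ISP; OSPF originates it into the DMZ.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
router ospf 1
 network 192.0.2.0 255.255.255.0 area 0
 default-information originate
!
! --- Inner pair (Option B: no dependency on the outer pair's OSPF process) ---
! A static default at the outer pair's *active* inside address stays valid
! across an outer failover, because the surviving unit adopts that address.
hostname inner-fw
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.10 255.255.255.0 standby 192.0.2.11
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.0.0 standby 10.1.0.2
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
! Still advertise the default inward (originated from the static above), so
! the core and the rest of the inside network need no static defaults.
router ospf 1
 network 10.1.0.0 255.255.0.0 area 0
 default-information originate
```

The two options are not mutually exclusive: the inner pair can carry the static default while the DMZ still runs OSPF with tightened timers for everything else, and tightening the failover poll/hold times only shortens the detection step, not the OSPF re-convergence that the post identified as the real delay. Whichever option is chosen, re-run the unplug test and compare the ping gap against the one-minute figure measured above.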
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...