02-21-2012 07:27 AM - edited 03-11-2019 03:33 PM
I understand the reason behind tuning these, but I have a few questions.
failover polltime unit msec 200 holdtime msec 800
failover polltime interface msec 500 holdtime 5
failover polltime unit msec 200 holdtime msec 800 -> I'm assuming this means if the Primary ASA has not heard from the Standby ASA within 800 msec then it will attempt to failover to the standby device.
I'm a little confused about what the 'failover polltime interface msec 500 holdtime 5' is used for.
I understand that it will send out hellos every 500 msec and the holdtime is 5 seconds.
My question on the above example is, what is the interface polltime used for that the first polltime cannot provide?
02-21-2012 07:34 AM
failover polltime unit msec 200 holdtime msec 800
If a unit does not hear hello packet on the failover communication interface or cable for one polling period, additional testing occurs through the remaining interfaces. If there is still no response from the peer unit during the hold time, the unit is considered failed and, if the failed unit is the active unit, the standby unit takes over as the active unit.
failover polltime interface msec 500 holdtime 5
Use the failover polltime interface command to change the frequency that hello packets are sent out on data interfaces. This command is available for Active/Standby failover only. For Active/Active failover, use the polltime interface command in failover group configuration mode instead of the failover polltime interface command.
You cannot enter a holdtime value that is less than 5 times the unit poll time. With a faster poll time, the adaptive security appliance can detect failure and trigger failover faster. However, faster detection can cause unnecessary switchovers when the network is temporarily congested. Interface testing begins when a hello packet is not heard on the interface for over half the hold time.
Check this link for more details.
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/ef.html#wp1931144
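The timing rules quoted in the answer above, applied to the two commands from the question. This is an added example, not part of the original post or Cisco's code; the function names are hypothetical, and it assumes the 5x rule is measured against the interface poll time and that a value without `msec` is in seconds.

```python
import re

# Constructed sample: the two commands quoted in the thread.
SAMPLE_CONFIG = """\
failover
failover polltime unit msec 200 holdtime msec 800
failover polltime interface msec 500 holdtime 5
"""

# failover polltime {unit|interface} [msec] N [holdtime [msec] N]
LINE_RE = re.compile(
    r"^failover polltime (unit|interface) (msec )?(\d+)"
    r"(?: holdtime (msec )?(\d+))?$"
)

def to_ms(msec_kw, value):
    """Milliseconds when the 'msec' keyword is present, otherwise seconds."""
    return int(value) if msec_kw else int(value) * 1000

def analyze_failover_timers(config):
    """Return {scope: timing details} for each 'failover polltime' line."""
    report = {}
    for line in config.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        scope, poll_kw, poll, hold_kw, hold = m.groups()
        entry = {"poll_ms": to_ms(poll_kw, poll), "hold_ms": None, "issues": []}
        if entry["poll_ms"] == 0:
            entry["issues"].append("poll time of 0 is not usable")
            report[scope] = entry
            continue
        # Hello rate on this link: the traffic cost of a short poll time.
        entry["hellos_per_sec"] = 1000 / entry["poll_ms"]
        if hold is not None:
            entry["hold_ms"] = to_ms(hold_kw, hold)
        if scope == "interface" and entry["hold_ms"] is not None:
            # Interface testing starts after half the hold time with no hello.
            entry["test_start_ms"] = entry["hold_ms"] / 2
            # Quoted rule: holdtime must be at least 5 times the poll time.
            if entry["hold_ms"] < 5 * entry["poll_ms"]:
                entry["issues"].append(
                    f"holdtime {entry['hold_ms']} ms is below 5 x poll "
                    f"({5 * entry['poll_ms']} ms)"
                )
        report[scope] = entry
    return report

if __name__ == "__main__":
    for scope, info in analyze_failover_timers(SAMPLE_CONFIG).items():
        print(scope, info)
```
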
02-21-2012 07:58 AM
Please correct me if I'm wrong.
The 'failover polltime unit msec 200 holdtime msec 800' means that if the failover communication interface (failover cable going between ASAs) does not hear a hello within one polling period (200ms), then additional testing is done through the remaining interfaces. If there is still no response within the holdtime timer (800ms), then if this is the Active unit it will attempt to failover to the standby unit.
Now the 'failover polltime interface msec 500 holdtime 5' command... does this tune the time that the ASA uses to test its other interfaces after it doesn't hear a hello from the standby on the failover interface?
02-21-2012 09:32 AM
Hello John,
Now the 'failover polltime interface msec 500 holdtime 5' command... does this tune the time that the ASA uses to test its other interfaces after it doesn't hear a hello from the standby on the failover interface?
Hello, this will let the ASA send a hello packet every 500 msec, and if it does not receive one it will try to test the interfaces, and if it does not receive any response in the next (5 times the poll time, 5*500 = 2500 msec) failover will happen.
This setup is known as a subsecond failover, just to let you know the amount of hello packets that will be exchanged on your network will be a lot so you need to think about it.
Regards,
Julio
02-21-2012 01:10 PM
You're probably going to want to punch me after this question...
failover polltime unit msec 200 holdtime msec 800
This statement means the ASA will send a Hello out its Failover link every 200 msec, and if it does not get a response after one, it will wait the holdtime checking on its interfaces and then failing over to the standby.
So if this is the case, why do I need the 'failover polltime interface' command?
It seems like they're doing the same thing.
If in the first command, it checks the interfaces after it doesn't hear a hello, then what is the purpose of the interface configuration command?
I understand the timing part just not how they operate together.