I am for clarity in the time it takes for twos ASA's configured in active/passive using LAN-based stateful failover in routed mode to failover.
Switch1 -------------- Switch3
ASA1 ---failover link ----- ASA2
Switch2--------------- Switch 4
ASA1 is the active firewall and switch1 fails (hard down).
Does ASA2 have to wait for the holddown time, then all 4 failover tests (link up/down, Network activity, ARP, Broadcast ping) before failover actually occurs? Or is it simply that the expiry of the holddown time determines the actual failover time and the interface failover is simply used as a reporting mechanism for identification of failed interface?
Any help would be greatly appreciated.
Solved! Go to Solution.
The ASA is very configurable when it comes to failover. It all depends on how is it configured, you can have:-
1) Number of failed interfaces that triggers failover-When the number of failed monitored interfaces exceeds the value you set with this command, then the security appliance fails over. The range is between 1 and 250 failures.
2) Percentage of failed interfaces that triggers failover-When the number of failed monitored interfaces exceeds the percentage you set with this command, then the security appliance fails over.
Failover Poll Times-Contains the fields for defining how often hello messages are sent on the failover link, and, optionally, how long to wait before testing the peer for failure if no hello messages are received.
Unit Failover-The amount of time between hello messages among units. The range is between 1 and 15 seconds or between 200 and 999 milliseconds.
Unit Hold Time-Sets the time during which a unit must receive a hello message on the failover link, or else the unit begins the testing process for peer failure. The range is between 1and 45 seconds or between 800 and 999 milliseconds. You cannot enter a value that is less than 3 times the polltime.
Monitored Interfaces-The amount of time between polls among interfaces. The range is between 1and 15 seconds or 500 to 999 milliseconds.
Interface Hold Time-Sets the time during which a data interface must receive a hello message on the data interface, after which the peer is declared failed. Valid values are from 5 to 75 seconds.
Thank you for the information, this is all good stuff. I have a few more questions for you.
Based on the show fail over output (see below)...
Failover unit Primary
Failover LAN Interface: Failover GigabitEthernet1/3 (up)
Unit Poll frequency 500 milliseconds, holdtime 2 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 6 of 250 maximum
failover replication http
My understanding of failover on this set of firewalls is...
All 6 interfaces are monitored, but if hello's aren't received on any one of them for 25 seconds the peer is considered down and fail over will occur. Is this correct?
2. What does the Unit Poll frequency govern and when does it come into play?
3. "When failure occurs in the active security appliance, and the failure isn't caused by a loss of power in the standby security appliance, fail over begins a series of tests to determine which security appliance has failed." The tests are then listed in order as link up/down, network activity, arp, broadcast ping.
I read this as meaning that these four tests aren't actually used in triggering fail over, but are used after fail over in identifying exactly what failed.
Is this correct?
Again, thank you for sharing your knowledge.
Rather than be give a ling winded explanation the blow links will explain ALL.
PIX/ASA Active/Active Failover Config Example:-
PIX/ASA Active/Standby Failover Config Example:-
On second pass, it did answer all questions (once I followed an embedded link) but one. The last outstanding question is related to the interface tests, and whether they play a roll in identifying and triggering fail over (at this time I don't believe they do) or whether their roll is strictly used in identifying and reporting which interface failed on which device AFTER fail over has occurred.