FWSM's failover time is not affected by an intra-chassis (same switch) or inter-chassis (different switches) setup. But it is when your EtherChannel link is smaller, e.g. 1 GE, compared to the 6 GE recommended by Cisco for inter-chassis. The other case is if your FWSM participates in dynamic routing like OSPF, which will affect the failover process, especially the time taken by OSPF to converge/recover.
FWSM failover time depends on:
* polltime unit [msec] number: The amount of time between hello messages. Set the time in seconds between 1 and 15. The default is 1 second. If you specify msec, you can set the time between 500 and 999 milliseconds.
* holdtime number: Sets the time during which a unit must receive a hello message on the failover link, or else the unit begins the testing process for peer failure. Set the time in seconds between 15 and 45. The default is the greater of 15 seconds or 3 times the polltime. You cannot enter a value that is less than 3 times the polltime.
For example, if the polltime is 1 second, then a 15 second holdtime means 15 hello messages are missed before the unit is tested for failure.
FWSM can allow EIGRP traffic (port 88) to pass through, but cannot participate in EIGRP.
But since you plan to run transparent mode, it will not be an issue, as all EIGRP routing processes will be handled at the switch level. FWSM will only act like a bridge/hub.
2 GE is probably just enough for your failover (preferably stateful failover).
Whether your failover occurs, and how fast it takes place, depends on the time you specify for the polling (failover checking) process. The default value is 1 sec, max is 15 sec. There's no fixed calculation for that. Example:
failover poll 3 -> polling every 3 sec
Please take into consideration that 1 sec is probably too fast, and any delay due to congestion or heavy traffic might trigger an unnecessary failover. Choose a figure based on your network environment.
The easiest way to test failover time is to use a ping/ICMP test. Observe the time it takes to fully swing to the other unit.
Ping from your server/host behind the active FWSM to any server/host outside the FWSM, or from a host/server outside the FWSM to a server/host behind the FWSM, or both.
Then, session into your standby FWSM, issue the 'failover active' command, and immediately measure the time it takes to complete the failover between FWSMs. You'll notice that there will be a 'request timed-out' during the failover process.
The failover time will be different depending on the polling time value.
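The ping test described above can be timed from a saved log rather than by eye. The following is an added example, not part of the original thread: it assumes the ping runs from a Linux host using iputils `ping -D -O -i 0.2` (timestamped output), and the sample log and the 192.0.2.10 address are constructed.

```python
import re

# Constructed sample in the output format of Linux iputils `ping -D -O -i 0.2`
# (assumed tool choice; 192.0.2.10 is a documentation address).
SAMPLE = """\
PING 192.0.2.10 (192.0.2.10) 56(84) bytes of data.
[1700000000.000000] 64 bytes from 192.0.2.10: icmp_seq=1 ttl=63 time=0.41 ms
[1700000000.200000] 64 bytes from 192.0.2.10: icmp_seq=2 ttl=63 time=0.39 ms
[1700000000.400000] 64 bytes from 192.0.2.10: icmp_seq=3 ttl=63 time=0.40 ms
[1700000000.800000] no answer yet for icmp_seq=4
[1700000001.000000] no answer yet for icmp_seq=5
[1700000001.200000] no answer yet for icmp_seq=6
[1700000001.400000] no answer yet for icmp_seq=7
[1700000001.600000] no answer yet for icmp_seq=8
[1700000001.800000] no answer yet for icmp_seq=9
[1700000001.800450] 64 bytes from 192.0.2.10: icmp_seq=10 ttl=63 time=0.44 ms
[1700000002.000000] 64 bytes from 192.0.2.10: icmp_seq=11 ttl=63 time=0.40 ms
"""

# Only echo replies are used: they carry both a timestamp and a sequence number.
REPLY = re.compile(r"^\[(\d+\.\d+)\] \d+ bytes from .*icmp_seq=(\d+)")


def outages(log):
    """Return a (lost_probes, seconds) tuple for every gap in the reply sequence.

    seconds is the time from the last reply before the gap to the first reply
    after it, so it is accurate to within one ping interval.
    """
    gaps, prev = [], None
    for line in log.splitlines():
        m = REPLY.match(line)
        if not m:
            continue  # header and "no answer yet" lines are skipped
        ts, seq = float(m.group(1)), int(m.group(2))
        if prev and seq > prev[1] + 1:
            gaps.append((seq - prev[1] - 1, round(ts - prev[0], 2)))
        prev = (ts, seq)
    return gaps


def longest_outage(log):
    """Seconds of the longest loss window, or 0.0 if no probe was lost."""
    return max((secs for _, secs in outages(log)), default=0.0)


if __name__ == "__main__":
    for lost, secs in outages(SAMPLE):
        print(f"{lost} probes lost, traffic interrupted for about {secs} s")
```

Repeating the run after changing the poll time gives figures that can be compared directly; a shorter ping interval gives a finer measurement.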