Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

The pix failover time

The pix failover switching time is too long , why none cisco documents give the time.

4 REPLIES

Re: The pix failover time

Hi,

I think you can speed up the failover poll to 3 second. Default is 5. But other stuffs, such as failover test for NIC status, network activity, arp and ping test is still there.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094ea7.shtml

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278a.html

Rgds,

AK

New Member

Re: The pix failover time

I have configure the poll to 3 seconds,but the switchover time is still too long for our application,and up to 20 icmp packets will be lost ,all application has to be reinitialized.

Re: The pix failover time

Hi .. make sure the switcports where the PIXes interfaces are connected is configured as portfast. in that way if the failover ocurrs then the port changes to forwarding state inmediatly .. otherwise it will wait for about 30 seconds before transmitting data. Also if you are using LAN based failover .. remember that even thought it overcome the 6feet distance limitation compared to serial cable , however it is slower. Also make sure you have configured stateful failover as well - failover link - If using LAN based failover it is recommended you use a dedicated interface.

Please rate if you find this info useful

New Member

Re: The pix failover time

Hi,

I'm currently fiddlig with two ASA-5520 boxes, with 7.1(2)7, tied together via LAN stateful failover. I modified the parameter "failover polltime interface 3", but still, when I disconnect the ethernet cable from an interface of the active ASA, it takes 10-12 secs the cluster to switch to standby ASA. This time seems to be too high ... Has anybody reached a better time in LAN based failover ?

And the second question -- during this failover, an admin connection (telnet, ssh) from the inside segment to the inside interface is broken and must be reestablished. I expected the connection to survive. Why does not it ? Is it due to the fact that stateful failover does not transfer user auth info between boxes ?

Thanks,

ixf

111
Views
0
Helpful
4
Replies