https://community.cisco.com/t5/network-security/cisco-ftd-failover-behavior/m-p/5257934#M1119393 <P>Hello Guys,</P> <P>I am testing the active-passive failover in FTD. First of all the failover works fine for me, but I have query related to the timeouts I received during the testing. My testing process is as follows.</P> <P>Let’s say I have two FTDs, FTD-01 (primary unit) and FTD-02(Secondary Unit). In normal scenario FTD-01 is active and FTD-02 is standby.</P> <P>1. From my laptop I pinged 8.8.8.8 and then removed E1/1 from FTD-01. I received two request timeouts and then it started to ping.</P> <P>2. I reconnected the E1/1 to the FTD-01 and removed E1/1 from the FTD-02. I received 4 request timeouts and then it started to ping.</P> <P>&nbsp;</P> <P>My concern is the difference in timeouts between step 1 and step 2. After failover to FTD-02, I immediately reconnected the E1/1 to FTD-01 and then removed E1/1 from FTD-02. I doubt this aggressive failover actions (without giving the ASA time to settle down) are causing the difference in the timeouts. Once the FTD-02 becomes active does it hold down for some time even if it detects an interface failure?.&nbsp;</P> Fri, 07 Feb 2025 08:56:09 GMT SHABEEB KUNHIPOCKER 2025-02-07T08:56:09Z https://community.cisco.com/t5/network-security/cisco-ftd-failover-behavior/m-p/5257934#M1119393 <P>Hello Guys,</P> <P>I am testing the active-passive failover in FTD. First of all the failover works fine for me, but I have query related to the timeouts I received during the testing. My testing process is as follows.</P> <P>Let’s say I have two FTDs, FTD-01 (primary unit) and FTD-02(Secondary Unit). In normal scenario FTD-01 is active and FTD-02 is standby.</P> <P>1. From my laptop I pinged 8.8.8.8 and then removed E1/1 from FTD-01. I received two request timeouts and then it started to ping.</P> <P>2. I reconnected the E1/1 to the FTD-01 and removed E1/1 from the FTD-02. I received 4 request timeouts and then it started to ping.</P> <P>&nbsp;</P> <P>My concern is the difference in timeouts between step 1 and step 2. After failover to FTD-02, I immediately reconnected the E1/1 to FTD-01 and then removed E1/1 from FTD-02. I doubt this aggressive failover actions (without giving the ASA time to settle down) are causing the difference in the timeouts. Once the FTD-02 becomes active does it hold down for some time even if it detects an interface failure?.&nbsp;</P> Fri, 07 Feb 2025 08:56:09 GMT https://community.cisco.com/t5/network-security/cisco-ftd-failover-behavior/m-p/5257934#M1119393 SHABEEB KUNHIPOCKER 2025-02-07T08:56:09Z https://community.cisco.com/t5/network-security/cisco-ftd-failover-behavior/m-p/5258202#M1119408 <P>Hello</P> <P>I think your tests are not the same .. I think you should let things stabilize.</P> <P>The firewall failover or flapping multiple times is not the feature is meant to serve although it works. The real use case is for a standby unit to takeover from a previous active unit.</P> <P>your step 1 is a simple failover from active unit to a standby unit</P> <P>your step 2 is actually a little more inolved - you are restoring a standby unit F1 that is not standby ready... it is not ready to take over immediately as it is in a failed state due to interface failure. For it to take over immedately, it should have been standby ready. So when you plug in f1 interface and immediately disconnect f2 interface, f1 as to start through a more elaborate process to elect it as active unit.</P> <P>see this guide</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/availability/high-availability/217763-troubleshoot-firepower-threat-defense-hi.html#toc-hId--1435216742" target="_blank">https://www.cisco.com/c/en/us/support/docs/availability/high-availability/217763-troubleshoot-firepower-threat-defense-hi.html#toc-hId--1435216742</A></P> <P>I would suggest in your step2, to split into sub-tasks</P> <P>a) leave ftd2 as active unit</P> <P>b) plug ftd1 interrface and wait till it become standby ready</P> <P>c) now&nbsp; disconnect ftd2 interrface</P> <P>i would think thatthe ping loss should be similar to step 1</P> <P>Hope that helps</P> <P>**Please rate helpful posts**</P> Sat, 08 Feb 2025 06:46:16 GMT https://community.cisco.com/t5/network-security/cisco-ftd-failover-behavior/m-p/5258202#M1119408 ccieexpert 2025-02-08T06:46:16Z