topic Re: FTD Active/Standby HA Timers in Network Security

FTD Active/Standby HA Timers

packet2020 — Wed, 30 Jul 2025 20:08:55 GMT

Hi All,

I'm currently deploying a pair of FTD 3140s in active/standby HA. During testing when rebooting or powering off one of the FTDs, we are seeing about 15 seconds of downtime which is due to the default peer poll time of 1 second and peer hold time of 15 seconds. We want to improve on this to acheive 5 seconds downtime. So far I have tested with the following timers with no issues but these are not in production yet

failover polltime unit 1 holdtime 3
failover polltime interface 3 holdtime 15

I understand that the timers can be very aggressive using milliseconds instead of seconds, however we dont need this. Has anyone else used similar timers to the above? Any issues or recommendations?

Re: FTD Active/Standby HA Timers

MHM Cisco World — Wed, 30 Jul 2025 20:27:53 GMT

Less poll time in sec is 1 sec

Less poll time in msec is 500 msec (half sec)

So keep poll with lowest timer 1 sec

And poll holdtime must be 5 times poll timer' so it will be 5 sec.

That I see best.

I check recommend from cisco I dont find something useful.

MHM

Re: FTD Active/Standby HA Timers

Sheraz.Salim — Thu, 31 Jul 2025 08:09:28 GMT

I would advise against changing the default HA timers and recommend keeping the default settings. We had a similar experience about two years ago during a production migration to Cisco ACI using our ASA firewalls.

At the time, the vendor suggested modifying the HA timers to stabilize the firewalls, particularly due to some STP-related issues in the network. While the HA tuning did help stabilize failover behavior, it had a negative impact on site-to-site VPN tunnels, leading to outages that affected critical business operations.

In the end, we had to revert to the default HA timers to restore stability. Based on that experience, I recommend proceeding with caution and thoroughly testing any timer changes in a non-production environment before implementation.