https://community.cisco.com/t5/network-security/asa-active-standby-polltime-timers/m-p/1865677#M459046 <HTML><HEAD></HEAD><BODY><P>Hello John,</P><P></P><P><SPAN style="text-decoration: underline;"><EM>Now the 'failover polltime interface msec 500 holdtime 5' command... does this tune the time that the ASA uses to test its other interfaces after it doesn't hear a hello from the standby on the failover interface?</EM></SPAN></P><P></P><P>Hello this will let the ASA to send a hello packet each 500 msec and if he does not receive he will try to test the interfaces and if he does not receive any response on the next ( 5 times the poll time. 5*500:2500msec) failover will happen.</P><P></P><P>This setup is known as a subsecond failover, just to let you know the amount of hello packets that will be exchanged on your network will be a lot so you need to think about it.</P><P></P><P>Regards,</P><P></P><P>Julio</P></BODY></HTML> Tue, 21 Feb 2012 17:32:19 GMT Julio Carvajal 2012-02-21T17:32:19Z https://community.cisco.com/t5/network-security/asa-active-standby-polltime-timers/m-p/1865674#M459043 <P>I understand the reason behind tuning these, but I have a few questions.</P><P><SPAN style="font-size: 10pt;"> </SPAN></P><P><STRONG style="font-size: 10pt; ">failover polltime unit msec 200 holdtime msec 800</STRONG></P><P><STRONG></STRONG></P><P><SPAN style="font-size: 10pt;">failover polltime interface msec 500 holdtime 5 </SPAN></P><P><SPAN style="font-size: 10pt;"> </SPAN></P><P><SPAN style="font-size: 10pt;"> </SPAN></P><P>failover polltime unit msec 200 holdtime msec 800 -&gt; I'm assuming this means if the Primary ASA has not heard from the Standby ASA</P><P>within 800 msec than it will attempt to failover to the standby device.</P><P></P><P>I'm a little confused about what the 'failover polltime interface msec 500 holdtime 5' is used for.</P><P></P><P>I understand what it will send out hellos every 500 msec and the holdtime is 5 seconds.</P><P></P><P>My question on the above example is, what is the interface polltime used for that the first polltime cannot provide?</P><P></P><P></P><P></P> Mon, 11 Mar 2019 22:33:09 GMT https://community.cisco.com/t5/network-security/asa-active-standby-polltime-timers/m-p/1865674#M459043 JohnTylerPearce 2019-03-11T22:33:09Z https://community.cisco.com/t5/network-security/asa-active-standby-polltime-timers/m-p/1865675#M459044 <HTML><HEAD></HEAD><BODY><P><STRONG style="font-size: 10pt;">failover polltime unit msec 200 holdtime msec 800</STRONG></P><P></P><P>If a unit does not hear hello packet on the&nbsp; failover communication interface or cable for one polling period,&nbsp; additional testing occurs through the remaining interfaces. If there is&nbsp; still no response from the peer unit during the hold time, the unit is&nbsp; considered failed and, if the failed unit is the active unit, the&nbsp; standby unit takes over as the active unit. </P><P></P><P><STRONG>failover polltime interface msec 500 holdtime 5 </STRONG></P><P></P><P> Use the<STRONG> failover polltime interface</STRONG> command&nbsp; to change the frequency that hello packets are sent out on data&nbsp; interfaces. This command is available for Active/Standby failover only.&nbsp; For Active/Active failover, use the <STRONG>polltime interface</STRONG> command in failover group configuration mode instead of the<STRONG> failover polltime interface </STRONG>command. </P><P></P><P><A name="wp1931234"></A> </P><P> You cannot enter a <STRONG>holdtime</STRONG> value that is less&nbsp; than 5 times the unit poll time. With a faster poll time, the adaptive&nbsp; security appliance can detect failure and trigger failover faster.&nbsp; However, faster detection can cause unnecessary switchovers when the&nbsp; network is temporarily congested. Interface testing begins when a hello&nbsp; packet is not heard on the interface for over half the hold time. </P><P></P><P>check this link for more details.</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/ef.html#wp1931144">http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/ef.html#wp1931144</A><SPAN> </SPAN></P></BODY></HTML> Tue, 21 Feb 2012 15:34:32 GMT https://community.cisco.com/t5/network-security/asa-active-standby-polltime-timers/m-p/1865675#M459044 Amit Rai 2012-02-21T15:34:32Z https://community.cisco.com/t5/network-security/asa-active-standby-polltime-timers/m-p/1865676#M459045 <HTML><HEAD></HEAD><BODY><P> Please correct me if I'm wrong.</P><P></P><P>The 'failover polltime unit msec 200 holdtime msec 800' means that that is the failover communication interface (failover cable going between ASAs) does not hear a hello within one polling period (200ms), than additional testing is done</P><P>through the remaining interfaces. If there is still no response within the holdtime timer (800ms), than if this is the</P><P>Active unit it will attempt to failover to the standby unit.</P><P></P><P>Now the 'failover polltime interface msec 500 holdtime 5' command... does this tune the time that the ASA uses to test its other interfaces after it doesn't hear a hello from the standby on the failover interface?</P></BODY></HTML> Tue, 21 Feb 2012 15:58:00 GMT https://community.cisco.com/t5/network-security/asa-active-standby-polltime-timers/m-p/1865676#M459045 JohnTylerPearce 2012-02-21T15:58:00Z https://community.cisco.com/t5/network-security/asa-active-standby-polltime-timers/m-p/1865677#M459046 <HTML><HEAD></HEAD><BODY><P>Hello John,</P><P></P><P><SPAN style="text-decoration: underline;"><EM>Now the 'failover polltime interface msec 500 holdtime 5' command... does this tune the time that the ASA uses to test its other interfaces after it doesn't hear a hello from the standby on the failover interface?</EM></SPAN></P><P></P><P>Hello this will let the ASA to send a hello packet each 500 msec and if he does not receive he will try to test the interfaces and if he does not receive any response on the next ( 5 times the poll time. 5*500:2500msec) failover will happen.</P><P></P><P>This setup is known as a subsecond failover, just to let you know the amount of hello packets that will be exchanged on your network will be a lot so you need to think about it.</P><P></P><P>Regards,</P><P></P><P>Julio</P></BODY></HTML> Tue, 21 Feb 2012 17:32:19 GMT https://community.cisco.com/t5/network-security/asa-active-standby-polltime-timers/m-p/1865677#M459046 Julio Carvajal 2012-02-21T17:32:19Z https://community.cisco.com/t5/network-security/asa-active-standby-polltime-timers/m-p/1865678#M459047 <HTML><HEAD></HEAD><BODY><P> You're probably going to want to punch me after this question...</P><P></P><P>failover polltime unit msec 200 holdtime 800 msec</P><P></P><P>This statement means and the ASA will send a Hello out its Failover link every 200 msec, and if it does not get a response after one, it will wait the holdtime checking on its interfaces and then failing over to the standby.</P><P></P><P>So if this is the case, why do I need the 'failover polltime interface' command?</P><P></P><P>It seems like there doing the same thing.</P><P></P><P>If in the first command, it checkes the interfaces after it doesn't hear a hello, then what is the purpose of the interface</P><P>configuration command.?</P><P></P><P>I understand the timing part just not how they operate together.</P></BODY></HTML> Tue, 21 Feb 2012 21:10:34 GMT https://community.cisco.com/t5/network-security/asa-active-standby-polltime-timers/m-p/1865678#M459047 JohnTylerPearce 2012-02-21T21:10:34Z