https://community.cisco.com/t5/network-security/pix-failover-transition-time/m-p/333831#M550427 <P>Hi all</P><P>I have configured my pix 525 for failover.</P><P>But when i power off my primary (active) unit the ping response initiated to a internet host from one of my vlan gets dropped for a minitue and i start getting the response only after a minute from the internet. </P><P>Is this transition period for failover the normal behaviour or it should come fast.</P><P></P><P>As per cisco website i have read that standby unit should come up in 30 to 45 seconds </P><P></P><P>The output of the sh failover is pasted below.</P><P></P><P>Any help appreciated</P><P>Regards</P><P>Parthiban</P><P></P><P>sh failover</P><P>Failover On</P><P>Cable status: Normal</P><P>Reconnect timeout 0:00:00</P><P>Poll frequency 3 seconds</P><P>failover replication http</P><P>Last Failover at: xx:xx:xx xxx Thu Mar 10 2005</P><P> This host: Primary - Active</P><P> Active time: 598662 (sec)</P><P>Interface outside (x.x.x.x): Normal</P><P>Interface inside (10.1.253.1): Normal</P><P>Interface stateful-failover (10.1.252.1): Normal</P><P>Interface intf3 (0.0.0.0): Link Down (Shutdown)</P><P>Interface REMOTEZONE (10.1.7.254): Normal</P><P>Interface DMZ (10.1.14.254): Normal</P><P>Interface BACKBONEZONE (10.1.6.30): Normal</P><P>Interface INTF4 (0.0.0.0): Link Down (Shutdown)</P><P>Other host: Secondary - Standby</P><P>Active time: 0 (sec)</P><P>Other host: Secondary - Standby</P><P>Active time: 0 (sec)</P><P>Interface outside (x.x.x.x): Normal</P><P>Interface inside (10.1.253.2): Normal</P><P>Interface stateful-failover (10.1.252.2): Normal</P><P>Interface intf3 (0.0.0.0): Link Down (Shutdown)</P><P>Interface REMOTEZONE (10.1.7.253): Normal</P><P>Interface DMZ (10.1.14.253): Normal</P><P>Interface BACKBONEZONE (10.1.6.29): Normal</P><P>Interface INTF4 (10.1.6.28): Link Down (Shutdown)</P> Fri, 21 Feb 2020 08:01:16 GMT ponparthi 2020-02-21T08:01:16Z https://community.cisco.com/t5/network-security/pix-failover-transition-time/m-p/333831#M550427 <P>Hi all</P><P>I have configured my pix 525 for failover.</P><P>But when i power off my primary (active) unit the ping response initiated to a internet host from one of my vlan gets dropped for a minitue and i start getting the response only after a minute from the internet. </P><P>Is this transition period for failover the normal behaviour or it should come fast.</P><P></P><P>As per cisco website i have read that standby unit should come up in 30 to 45 seconds </P><P></P><P>The output of the sh failover is pasted below.</P><P></P><P>Any help appreciated</P><P>Regards</P><P>Parthiban</P><P></P><P>sh failover</P><P>Failover On</P><P>Cable status: Normal</P><P>Reconnect timeout 0:00:00</P><P>Poll frequency 3 seconds</P><P>failover replication http</P><P>Last Failover at: xx:xx:xx xxx Thu Mar 10 2005</P><P> This host: Primary - Active</P><P> Active time: 598662 (sec)</P><P>Interface outside (x.x.x.x): Normal</P><P>Interface inside (10.1.253.1): Normal</P><P>Interface stateful-failover (10.1.252.1): Normal</P><P>Interface intf3 (0.0.0.0): Link Down (Shutdown)</P><P>Interface REMOTEZONE (10.1.7.254): Normal</P><P>Interface DMZ (10.1.14.254): Normal</P><P>Interface BACKBONEZONE (10.1.6.30): Normal</P><P>Interface INTF4 (0.0.0.0): Link Down (Shutdown)</P><P>Other host: Secondary - Standby</P><P>Active time: 0 (sec)</P><P>Other host: Secondary - Standby</P><P>Active time: 0 (sec)</P><P>Interface outside (x.x.x.x): Normal</P><P>Interface inside (10.1.253.2): Normal</P><P>Interface stateful-failover (10.1.252.2): Normal</P><P>Interface intf3 (0.0.0.0): Link Down (Shutdown)</P><P>Interface REMOTEZONE (10.1.7.253): Normal</P><P>Interface DMZ (10.1.14.253): Normal</P><P>Interface BACKBONEZONE (10.1.6.29): Normal</P><P>Interface INTF4 (10.1.6.28): Link Down (Shutdown)</P> Fri, 21 Feb 2020 08:01:16 GMT https://community.cisco.com/t5/network-security/pix-failover-transition-time/m-p/333831#M550427 ponparthi 2020-02-21T08:01:16Z https://community.cisco.com/t5/network-security/pix-failover-transition-time/m-p/333832#M550429 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>have the failover poll interval to the minimum.. i think 3 secs is the min value.. another thing to make sure is to have the switch ports connected to the PIX firewall interfaces, to have port fast enabled...</P><P></P><P>Portfast should be enabled on all the ports whre the PIX interface directly connects, and trunking, channeling should be disabled.. this way, if the PIX's interface goes down during failover, the switch does not have to wait for 30 secs while the port is transitioned from listening state to a forwarding state....</P><P></P><P>try this and let us know....</P><P></P><P>Raj</P></BODY></HTML> Thu, 17 Mar 2005 11:15:12 GMT https://community.cisco.com/t5/network-security/pix-failover-transition-time/m-p/333832#M550429 sachinraja 2005-03-17T11:15:12Z https://community.cisco.com/t5/network-security/pix-failover-transition-time/m-p/333833#M550433 <HTML><HEAD></HEAD><BODY><P>Hi Raj</P><P>Thanks for your response. I have enabled the post fast already for all the ports directly connected to pix. but trunking is also off, I have given switchport mode access in all the ports. what do u mean by channeling on these ports.</P><P>Further my client is worried about the transition time of the secondary firewall only when primary (active) goes down. </P><P>So when i power down my primary active could you please tell me how fast the secondary will become active.</P><P></P><P>Regards</P><P>Parthiban</P></BODY></HTML> Fri, 18 Mar 2005 06:22:08 GMT https://community.cisco.com/t5/network-security/pix-failover-transition-time/m-p/333833#M550433 ponparthi 2005-03-18T06:22:08Z