Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3829
Views
0
Helpful
5
Replies

ASA FailOver Interface check

ipagliani
Level 1
Level 1

‎01-18-2019 09:09 AM - edited ‎02-21-2020 08:40 AM

Ciao,

In a couple of ASA configured in Active/Passive failover, someone can explain me what's the failover timeout that can be set when a ASA interface link goes down:

Message #466 : fover_health_monitoring_thread: vPifNum = 0x8, No Link

Message #467 : fover_health_monitoring_thread: ifc_check() - group 0 HW failed 1 (mate 0)

 

I need to be understand if I can wait 6/7 seconds before failover when a link goes down.

 

Thanks

0 Helpful
5 Replies 5

Sheraz.Salim
VIP
VIP

‎01-18-2019 09:51 AM - edited ‎01-18-2019 09:52 AM

Failover Poll Times-Contains the fields for defining how often hello messages are sent on the failover link, and, optionally, how long to wait before testing the peer for failure if no hello messages are received.

 

Unit Failover-The amount of time between hello messages among units. The range is between 1 and 15 seconds or between 200 and 999 milliseconds.

 

check the link below

 

https://community.cisco.com/t5/firewalls/asa-failover-times/td-p/994896

please do not forget to rate.
0 Helpful

ipagliani
Level 1
Level 1
In response to Sheraz.Salim

‎01-18-2019 09:58 AM

Thanks for replay,

however after that one link goes down ASA failover in just 4/5 seconds with default timeout.

 

 

 

0 Helpful

Sheraz.Salim
VIP
VIP
In response to ipagliani

‎01-18-2019 10:05 AM - edited ‎01-18-2019 10:05 AM

here you go and do not forget to make it answer so other can get benefit too.

yes 5 is default but can be adjust below is the screen shots.

1.PNG2.PNG

please do not forget to rate.
0 Helpful

ipagliani
Level 1
Level 1
In response to Sheraz.Salim

‎01-21-2019 12:57 AM - edited ‎01-21-2019 01:28 AM

Ciao,

Anyone thinks that this could be case:

 

Optional Active/Standby Failover Settings

  • Interface health monitoring—Enables the ASA to detect and respond to interface failures more quickly

 

Ref. https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/ha_active_standby.html

And again: If the interface link is down, interface testing is not conducted and the standby unit could become active in just one interface polling period if the number of failed interfaces meets or exceeds the configured failover criteria.

 

 

Thanks

0 Helpful

Sheraz.Salim
VIP
VIP
In response to ipagliani

‎01-21-2019 01:26 AM

why dont you adjust the timer according to your needs?

please do not forget to rate.
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card