ASA Firewall failover timers tuning with STP convergence time

michel.prevost
Level 1

Hi everyone

I am about to put into production two ASA firewalls in active/standby mode on my network. I'm asking myself about the failover polltime and timeout in relation to the STP convergence time. I don't want the standby firewall to become active because of an STP convergence. As the two firewalls will be installed in two different closets for security, they may be impacted by a loop convergence in the network. In the future (years), the network will adopt EtherChannel links, but until then I rely on STP.

By the way, the firewalls will act as a redundant router on a stick.

I'm planning to get the exact STP convergence time on the two loops that the firewalls will be installed on by using fping and Wireshark. With those, I will be able to get the convergence time in milliseconds that STP takes to converge.

The primary questions that I have are:

Is there a best practice regarding failover timers when the STP convergence time gets in the way?

May I configure the firewall timers to (x) times the STP convergence time, or something else?

Of course, the goal of those questions is to reduce the failover time to a minimum.

Thanks for your help, have a nice day.

3 Replies

Florin Barhala
Level 6

Hi guys,

I have a similar question here; on my current 5515 active/standby configuration I just updated from 9.1(6) to 9.1(7), and during the process:

no boot system disk0:/asa916-8-smp-k8.bin

boot system disk0:/asa917-smp-k8.bin
boot system disk0:/asa916-8-smp-k8.bin

reboot

I noticed 4 packets lost:

Reply from 69.98.55.10: bytes=32 time=49ms TTL=243
Reply from 69.98.55.10: bytes=32 time=48ms TTL=243
Reply from 69.98.55.10: bytes=32 time=49ms TTL=243
Reply from 69.98.55.10: bytes=32 time=49ms TTL=243
Reply from 69.98.55.10: bytes=32 time=49ms TTL=243
Reply from 69.98.55.10: bytes=32 time=48ms TTL=243
Reply from 69.98.55.10: bytes=32 time=49ms TTL=243
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Reply from 69.98.55.10: bytes=32 time=49ms TTL=243
Reply from 69.98.55.10: bytes=32 time=49ms TTL=243
Reply from 69.98.55.10: bytes=32 time=49ms TTL=243
Reply from 69.98.55.10: bytes=32 time=49ms TTL=243

Here's my config:

show run failover
failover
failover lan unit secondary
failover lan interface failover GigabitEthernet0/3
failover interface ip failover 1.1.1.1 255.255.255.252 standby 1.1.1.2

How can I lower this to maybe 2 packets lost?

Thanks,

Florin.

Here are the timer tweaking lines:

failover polltime unit msec 250 holdtime msec 999

failover polltime interface msec 500 holdtime 5

If you wonder what the point of the 2nd one is when you have the first one, the answer would be: just in case the 1st one doesn't apply, although I can't think of a real-life scenario.
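A small script to carry out the measurement the opening post describes (read the convergence gap out of fping or ping output) and turn it into a "failover polltime unit" line of the kind quoted just above, added here as an example and not code from the thread or from Cisco. Both sample outputs are constructed (addresses from 192.0.2.0/24, the ping one modelled on the loss pattern shown earlier in the thread); the leading [epoch] timestamp is the format I expect from fping -l -D and should be checked against your fping version; and the timer ranges used (polltime 200-999 msec or 1-15 s, holdtime 800-999 msec or 1-45 s, holdtime at least three times the polltime) are my reading of the ASA failover documentation, so confirm them for your release before trusting the output:

```python
"""Estimate an outage from ping/fping output and derive ASA unit failover
timers that will not fire during it. Added example, not from the thread."""
import math
import re

# Constructed sample 1: Windows-style ping output at its default 1000 ms
# interval, modelled on the loss pattern shown in the thread (address replaced).
SAMPLE_PING = """\
Reply from 192.0.2.10: bytes=32 time=49ms TTL=243
Reply from 192.0.2.10: bytes=32 time=48ms TTL=243
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Reply from 192.0.2.10: bytes=32 time=49ms TTL=243
Request timed out.
Reply from 192.0.2.10: bytes=32 time=49ms TTL=243
"""

# Constructed sample 2: per-reply lines with a leading [epoch] timestamp, as I
# expect fping -l -D -p 100 to print them (format assumed; verify on your host).
# Sequence numbers 3..13 never answered, so 11 probes at 100 ms went missing.
SAMPLE_FPING = """\
[1700000000.000] 192.0.2.10 : [0], 84 bytes, 0.41 ms (0.41 avg, 0% loss)
[1700000000.100] 192.0.2.10 : [1], 84 bytes, 0.40 ms (0.40 avg, 0% loss)
[1700000000.200] 192.0.2.10 : [2], 84 bytes, 0.39 ms (0.39 avg, 0% loss)
[1700000001.450] 192.0.2.10 : [14], 84 bytes, 0.42 ms (0.41 avg, 21% loss)
[1700000001.550] 192.0.2.10 : [15], 84 bytes, 0.40 ms (0.41 avg, 20% loss)
"""

# Unit failover timer limits as I read the ASA failover docs (assumption;
# confirm for your release): polltime 200-999 msec or 1-15 s, holdtime
# 800-999 msec or 1-45 s, and holdtime never less than 3x the polltime.
POLL_MS = (200, 999)
HOLD_MS = (800, 999)
POLL_S = (1, 15)
HOLD_S = (1, 45)
HOLD_TO_POLL = 3


def longest_loss_run(output, interval_ms):
    """Longest run of consecutive 'Request timed out.' lines.
    Returns (lost_probes, outage_ms) with outage_ms = lost_probes * interval_ms;
    the true outage lies within one interval on either side of that value."""
    best = run = 0
    for line in output.splitlines():
        if line.lstrip().startswith("Request timed out"):
            run += 1
            best = max(best, run)
        elif line.lstrip().startswith("Reply from"):
            run = 0
    return best, best * interval_ms


_TS = re.compile(r"^\[(\d+(?:\.\d+)?)\]")


def longest_gap_ms(output, interval_ms):
    """Longest silence between successive timestamped replies, minus one probe
    interval, i.e. the time during which probes went unanswered. 0 if none."""
    stamps = [float(m.group(1)) for m in map(_TS.match, output.splitlines()) if m]
    if len(stamps) < 2:
        return 0
    worst = max(b - a for a, b in zip(stamps, stamps[1:])) * 1000
    return max(0, round(worst - interval_ms))


def suggest_unit_timers(outage_ms, margin=1.5):
    """Return the 'failover polltime unit ...' line whose holdtime exceeds the
    measured outage by `margin`, or raise if no legal holdtime is long enough."""
    target = math.ceil(outage_ms * margin)
    if target <= HOLD_MS[1]:
        hold = max(HOLD_MS[0], target)
        poll = min(POLL_MS[1], max(POLL_MS[0], hold // HOLD_TO_POLL))
        return f"failover polltime unit msec {poll} holdtime msec {hold}"
    # Seconds: a 1 s polltime forces at least a 3 s holdtime.
    hold = max(math.ceil(target / 1000), POLL_S[0] * HOLD_TO_POLL)
    if hold > HOLD_S[1]:
        raise ValueError(
            f"outage {outage_ms} ms x {margin} needs a holdtime above the "
            f"{HOLD_S[1]} s maximum; shorten the convergence (RSTP) instead")
    poll = min(POLL_S[1], max(POLL_S[0], hold // HOLD_TO_POLL))
    return f"failover polltime unit {poll} holdtime {hold}"


if __name__ == "__main__":
    lost, outage = longest_loss_run(SAMPLE_PING, 1000)
    print(f"ping: {lost} probes lost, ~{outage} ms -> {suggest_unit_timers(outage)}")
    gap = longest_gap_ms(SAMPLE_FPING, 100)
    print(f"fping: ~{gap} ms outage -> {suggest_unit_timers(gap)}")
```

A run of timeouts only brackets the outage to within one probe interval, so for the STP measurement use a short interval (fping -p in the tens of milliseconds) with timestamps rather than a 1 s ping. The ValueError branch is the practical limit of this tuning: no legal holdtime covers legacy 802.1D convergence (30 to 50 s), and a holdtime long enough to ride through a convergence is also how long a real failure of the active unit goes undetected, so the better fix is shortening the convergence with RSTP rather than stretching the failover timers.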

Hi Florin,

I think that you could fail over the load to the standby ASA (with the failover active CLI command) before rebooting the ASA that was active at first. After the reload, do the same on the freshly reloaded ASA to bring it back to active and take the load.

As the setup is now in production, I could not test it for you. But as I remember, the provoked failover was really quick with minimal loss.
