Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2414
Views
0
Helpful
3
Replies

ASA backup heart beat

Go to solution
cisco8887
Level 2
Level 2

‎11-22-2016 04:44 AM - edited ‎03-12-2019 01:34 AM

Hi All,

Is anyone aware of a method to allow additional backup heartbeat if the failover link is down ?

Palo Alto offers this functionality .

Thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Oliver Kaiser
Level 7
Level 7
In response to cisco8887

‎11-22-2016 03:08 PM

ASA uses both failover link and configured data interfaces for keepalive meesages. If 3 consecutive hello packets are missed it will send additional testing packets over the configured interfaces to determine the state of its interfaces.

Testing consists of the following four consecutive tests:

  1. NIC Status: Verify link up/down state. If NIC is down, this test will fail
  2. Network Activity Test: Count packets received on interface for 5 seconds. If packets are received interface is marked as operational
  3. ARP Status: Check 10 last arp entries. Re-send ARP packets to those hosts and wait for 5 seconds for response. If any packets are received, the interface is marked as operational
  4. Broadcast Ping Test: Send broadcast ping and count received packets for 5 seconds. If any packets are received the interface is marked as operational

So basically if your failover link fails, you should still receive keep-alive packets via the data interfaces. If for whatever reason, 3 consecutive hello-packets are missed the 4 checks will be triggered to determine the interface state.

Hello packets use IP protocol 105 to exchange information.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Oliver Kaiser
Level 7
Level 7

‎11-22-2016 02:14 PM

Interface monitoring can be configured to send keep-alive messages over data interfaces (default for physical interfaces). In case of failover link going down, primary and secondary ASA are still able to exchange hello messages.

Let me know if this answers your question.

0 Helpful

Go to solution
cisco8887
Level 2
Level 2
In response to Oliver Kaiser

‎11-22-2016 02:44 PM

thanks for this but I thought interface monitoring is local to each firewall to see if its interface is up

for instance if you setup monitoring on interface inside and outside, it won't ping or send heartbeat over inside and outside but monitor them to ensure they are no going down.

the failover link will only change hello packets, by the way what protocol/port is the hello packet using ?

0 Helpful

Go to solution
Oliver Kaiser
Level 7
Level 7
In response to cisco8887

‎11-22-2016 03:08 PM

ASA uses both failover link and configured data interfaces for keepalive meesages. If 3 consecutive hello packets are missed it will send additional testing packets over the configured interfaces to determine the state of its interfaces.

Testing consists of the following four consecutive tests:

  1. NIC Status: Verify link up/down state. If NIC is down, this test will fail
  2. Network Activity Test: Count packets received on interface for 5 seconds. If packets are received interface is marked as operational
  3. ARP Status: Check 10 last arp entries. Re-send ARP packets to those hosts and wait for 5 seconds for response. If any packets are received, the interface is marked as operational
  4. Broadcast Ping Test: Send broadcast ping and count received packets for 5 seconds. If any packets are received the interface is marked as operational

So basically if your failover link fails, you should still receive keep-alive packets via the data interfaces. If for whatever reason, 3 consecutive hello-packets are missed the 4 checks will be triggered to determine the interface state.

Hello packets use IP protocol 105 to exchange information.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card