ASA Failover Question

ricey
Level 1

I have 2 5540 ASA in an Active / Standby setup. The Active firewall has a packet shaper sitting between it and the inside LAN. When I reboot the packet shaper the FWs fail over. I have the default timings for failover: 1 second hello, 15 seconds keepalive. I would assume this means that as long as the Active firewall sends a hello packet within 15 seconds the standby will not assume the active role. The packet shaper reboot takes only a couple of seconds (typically 1 or 2 lost ping packets). Am I missing something simple here?

Danilo Dy
VIP Alumni

The packetshaper takes only a few seconds to reboot. However, the interface link will be down for approximately 40 seconds during the reboot as I tested in a lab.

All systems are like this; it doesn't mean that once they have booted successfully, their network link will be up at the same time.

Danilo,

thanks for your quick response. What is the reason for this?

By the way, the packet shaper does not really take only a few seconds to boot, but "fails open" whenever it is rebooted.

This is probably because of interface health checks. The primary device sees the interface go down and is now "less healthy" than the secondary and fails over.

Pete,

Thanks very much for your response. Do you know how I can override this default behaviour and ensure the primary stays active unless the secondary does not receive a hello packet within the 15 seconds?

Thanks again,

Rich