08-17-2015 01:11 PM - edited 03-11-2019 11:26 PM
Hi everyone
I am about to put in production two ASA firewalls in an active/standby mode in my network. I'm asking myself about the failover polltime and timeout in relation to the STP convergence time. I don't want the standby firewall to become active because of an STP convergence. As the two firewalls will be installed in two different closets for security, they may be impacted by a loop convergence in the network. In the future (years), the network will adopt EtherChannel links, but until then, I rely on STP.
By the way, the firewalls will act as redundant routers on a stick.
I'm planning to get the exact STP convergence time on the two loops that the firewalls will be installed on by using fping and Wireshark. With those, I will be able to get the convergence time in milliseconds that STP takes to converge.
The primary questions that I have are:
Is there a best practice regarding failover timers when STP convergence time gets in the way?
May I configure the firewall timers to (x) times the STP convergence time, or something else?
Of course, the goal of those questions is to reduce the failover time to a minimum.
Thanks for your help, have a nice day.
02-13-2016 05:12 AM
Hi guys,
I have a similar question here; on my current 5515 Active-Standby configuration I just updated from 9.1(6) to 9.1(7), and during the process:
! drop the old image from the boot list, then re-add it behind the new one as a fallback
no boot system disk0:/asa916-8-smp-k8.bin
boot system disk0:/asa917-smp-k8.bin
boot system disk0:/asa916-8-smp-k8.bin
! ASA CLI command for the restart is "reload"
reload
I noticed 4 packets lost:
Reply from 69.98.55.10: bytes=32 time=49ms TTL=243
Reply from 69.98.55.10: bytes=32 time=48ms TTL=243
Reply from 69.98.55.10: bytes=32 time=49ms TTL=243
Reply from 69.98.55.10: bytes=32 time=49ms TTL=243
Reply from 69.98.55.10: bytes=32 time=49ms TTL=243
Reply from 69.98.55.10: bytes=32 time=48ms TTL=243
Reply from 69.98.55.10: bytes=32 time=49ms TTL=243
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Reply from 69.98.55.10: bytes=32 time=49ms TTL=243
Reply from 69.98.55.10: bytes=32 time=49ms TTL=243
Reply from 69.98.55.10: bytes=32 time=49ms TTL=243
Reply from 69.98.55.10: bytes=32 time=49ms TTL=243
Here's my config:
show run failover
failover
failover lan unit secondary
failover lan interface failover GigabitEthernet0/3
failover interface ip failover 1.1.1.1 255.255.255.252 standby 1.1.1.2
How can I lower this to maybe 2 packets lost?
Thanks,
Florin.
02-17-2016 12:35 PM
Here're the timers tweaking lines:
! unit (peer) timers: poll 200-999 msec or 1-15 sec, hold 800-999 msec or 1-45 sec, hold >= 3 x poll
failover polltime unit msec 250 holdtime msec 999
! interface (data) timers: poll 500-999 msec or 1-15 sec, hold 5-75 sec, hold >= 5 x poll
failover polltime interface msec 500 holdtime 5
If you wonder what's the point of the 2nd one when you have the first one, the answer would be just in case the 1st one doesn't apply, although I can't think of a real-life scenario.
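The first post asks how to size the failover timers around a measured STP convergence time, and the post above gives one pair of tuned lines. The following Python script is an added example for this thread, not code from Cisco or from either poster. It checks a polltime/holdtime pair against the ASA CLI limits (the accepted ranges and the "holdtime at least 3x unit polltime / 5x interface polltime" rules are the documented limits as I understand them), renders the resulting `failover polltime` line, and plans unit timers from a measured convergence time. The 1.5x safety margin is my assumption; the sample convergence values are constructed.

```python
"""
Plan and check ASA active/standby failover timers against a measured STP
convergence time. Added example for this thread, not from Cisco or the
original posters. The accepted ranges and the 3x/5x holdtime rules are the
documented ASA CLI limits as I understand them; the 1.5x safety margin in
plan_unit_timers() is an assumption, pick your own.
"""
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Limits:
    msec: Optional[Tuple[int, int]]  # values accepted as "msec N", or None
    sec: Tuple[int, int]             # values accepted as whole seconds


UNIT_POLL = Limits(msec=(200, 999), sec=(1, 15))
UNIT_HOLD = Limits(msec=(800, 999), sec=(1, 45))
IFACE_POLL = Limits(msec=(500, 999), sec=(1, 15))
IFACE_HOLD = Limits(msec=None, sec=(5, 75))
UNIT_HOLD_FACTOR = 3    # unit holdtime must be at least 3 x unit polltime
IFACE_HOLD_FACTOR = 5   # interface holdtime must be at least 5 x interface polltime


def is_allowed(ms: int, lim: Limits) -> bool:
    """True if the CLI accepts this millisecond value under the given limits."""
    if lim.msec and lim.msec[0] <= ms <= lim.msec[1]:
        return True
    return ms % 1000 == 0 and lim.sec[0] <= ms // 1000 <= lim.sec[1]


def allowed_values(lim: Limits) -> List[int]:
    """Every accepted value in milliseconds, ascending."""
    vals = list(range(lim.msec[0], lim.msec[1] + 1)) if lim.msec else []
    vals += [s * 1000 for s in range(lim.sec[0], lim.sec[1] + 1)]
    return vals


def validate(poll_ms: int, hold_ms: int, poll_lim: Limits, hold_lim: Limits,
             factor: int) -> List[str]:
    """Return the list of problems with a poll/hold pair; empty means acceptable."""
    problems = []
    if not is_allowed(poll_ms, poll_lim):
        problems.append(f"polltime {poll_ms} ms is not an accepted value")
    if not is_allowed(hold_ms, hold_lim):
        problems.append(f"holdtime {hold_ms} ms is not an accepted value")
    if hold_ms < factor * poll_ms:
        problems.append(f"holdtime {hold_ms} ms is below {factor} x polltime "
                        f"({factor * poll_ms} ms)")
    return problems


def cli(kind: str, poll_ms: int, hold_ms: int) -> str:
    """Render the 'failover polltime' line the way the ASA CLI expects it."""
    def fmt(ms: int) -> str:
        return f"msec {ms}" if ms % 1000 else str(ms // 1000)
    return f"failover polltime {kind} {fmt(poll_ms)} holdtime {fmt(hold_ms)}"


def plan_unit_timers(stp_convergence_ms: int,
                     margin: float = 1.5) -> Optional[Tuple[int, int]]:
    """
    Pick the smallest accepted unit holdtime that outlasts the measured STP
    convergence (times the margin), so a reconverging loop does not trigger a
    switchover, then the largest polltime allowed under it (fewest hellos for
    the same detection time). Returns None when even the maximum holdtime is
    too short: then the answer is faster STP, not failover timers.
    """
    required = math.ceil(stp_convergence_ms * margin)
    hold = next((h for h in allowed_values(UNIT_HOLD) if h >= required), None)
    if hold is None:
        return None
    poll = max(p for p in allowed_values(UNIT_POLL) if p * UNIT_HOLD_FACTOR <= hold)
    return poll, hold


if __name__ == "__main__":
    # Constructed sample: RSTP reconvergence measured at about 2 s on the loop.
    plan = plan_unit_timers(2000)
    print(plan, "->", cli("unit", *plan) if plan else "fix STP first")
    # The two lines posted above, checked against the CLI rules.
    print(validate(250, 999, UNIT_POLL, UNIT_HOLD, UNIT_HOLD_FACTOR))
    print(validate(500, 5000, IFACE_POLL, IFACE_HOLD, IFACE_HOLD_FACTOR))
```

Feed `plan_unit_timers()` the convergence time measured with fping and Wireshark; for a 2 s reconvergence it yields `failover polltime unit 1 holdtime 3`, and for a sub-second RSTP event it stays in the msec range. A classic 802.1D convergence of 30 s or more exceeds the 45 s maximum holdtime once a margin is applied, which is the script's way of saying the timers cannot be stretched far enough and the spanning tree itself needs to converge faster.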
03-03-2016 06:09 AM
Hi Florin,
I think that you could fail over the load to the standby ASA (with the failover active CLI command) before rebooting the ASA that was active at first. After the reload, do the same on the freshly reloaded ASA to bring it back active and take the load.
As the setup is now in production, I could not test it for you. But as I remember, the provoked failover was really quick with minimal loss.