Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1087
Views
0
Helpful
3
Replies

ASA HA Pair and OSPF with router

Lance Wendel
Level 1
Level 1

‎03-20-2013 08:19 AM - edited ‎03-11-2019 06:16 PM

Hi all

customer has ASA cluster pair which is running 8.2 (5)

This firewall is participating in the OSPF process, and the affected interface are in the "Area 0". "Remote stations" are also a Cisco components (eg, WS-C3750-24TS-S with 12.2 (44) SE5,

When you perform "no failover active" the firewall cluster and also triggered by removing a cable  (not the SYNC interface) takes the standby node as expected.

Tests have shown that it can take up to ~ 60 seconds until the newly activated firewall works again(this really means everything is now up and running as it should do ),ping from the firewall to the Internet via LAN. Prior to the implementation of OSPF showed a non-measurable results, no ping loss though.

there are two questions at the moment

1 ) could this problem be solved by upgrading the ASA to 8.4 = already answered

2 ) any known  configuration parameters which we could apply on the router ?

also keep in mind

The standby becomes active almost immediately. Passing packets via that firewall takes that high amount of waiting time. The culprit might be the missing routing data (OSPF update …)

any advice on the OSPF please?

thanks in advance

Lancellot

Labels:
0 Helpful
3 Replies 3

Julio Carvajal
VIP Alumni
VIP Alumni

‎03-20-2013 10:20 AM

Hello Lance,

I would that 8.4 would be great as we support the exchange of  stateful information regarding routing protocols via the stateful link so after an event the secondary unit will take place and start routing as it has built the routing table with the primary unit via the stateful link info

Hope that I could help

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Lance Wendel
Level 1
Level 1
In response to Julio Carvajal

‎03-20-2013 10:32 AM

Hi Jcarvaja

thanks for the reply, I have seen the release notes on the Cisco site and also came across the following

link http://www.groupstudy.com/archives/ccielab/201210/msg00460.html

which stat once failover it will have a delay of 10sec.

also found the following link with the bug, hence I am trying to find some tweak on router level

http://www.gossamer-threads.com/lists/cisco/nsp/161609

regards,

Lancellot

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to Lance Wendel

‎03-20-2013 12:41 PM

Hello Lance,

Yeahp,

Do you see the same behavior after failover happens?

Does the OSPF neighorship goes down?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card