
ASA5500 failover time optimization

Good day

I have an ASA5500 firewall. During the failover test, the system took roughly 40 sec to converge. Do you know any information about how I can optimize this time?

 

Thanks in advance for your support!

 


balaji.bandi
Hall of Fame

Can you post the output of the command below from both units so we can take a look?

 

show failover

EDIT :

 

Check the timers:

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/failover.html#wp1142481

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

EMX-INTERNAL-FW-B/pri/act# show failover
Failover On
Last Failover at: 19:51:48 CDT Jun 2 2020
This context: Active
Active time: 149989 (sec)
Interface management (10.10.71.11): Normal (Not-Monitored)
Interface oob-net01 (10.10.70.51): Link Down (Not-Monitored)
Peer context: Standby Ready
Active time: 2268 (sec)
Interface management (10.10.71.12): Normal (Not-Monitored)
Interface oob-net01 (10.10.70.52): Normal (Not-Monitored)

Stateful Failover Logical Update Statistics
Status: Configured.
Stateful Obj xmit xerr rcv rerr
RPC services 0 0 0 0
TCP conn 445431 0 0 0
UDP conn 0 0 0 0
ARP tbl 4259662 0 6964 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
SIP Tx 0 0 0 0
SIP Pinhole 0 0 0 0
Route Session 20 0 12 2
Router ID 0 0 0 0
User-Identity 2 0 1 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0

Failover is normally smooth; one or two ping packets are lost. What is configured between the two units? If it's a switch, check the spanning tree convergence. Something could be not right at layer 2. Also, looking at your output, one of the interfaces is in a down state, and none of the links are in monitor mode.

 

EMX-INTERNAL-FW-B/pri/act# show failover
Failover On
Last Failover at: 19:51:48 CDT Jun 2 2020
This context: Active
Active time: 149989 (sec)
Interface management (10.10.71.11): Normal (Not-Monitored)
Interface oob-net01 (10.10.70.51): Link Down (Not-Monitored)
Peer context: Standby Ready
Active time: 2268 (sec)
Interface management (10.10.71.12): Normal (Not-Monitored)
Interface oob-net01 (10.10.70.52): Normal (Not-Monitored)

please do not forget to rate.
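The checks this reply makes by eye (an interface that is down, interfaces that are not monitored), written as a small Python parser over `show failover` output. This is an added example, not part of the original thread; the sample is a constructed excerpt of the output posted above, the function name `audit` is hypothetical, and flagging non-zero `xerr`/`rerr` replication counters goes beyond what the replies mention.

```python
import re

# Constructed sample: a trimmed copy of the "show failover" output posted in this thread.
SAMPLE = """\
This context: Active
Interface management (10.10.71.11): Normal (Not-Monitored)
Interface oob-net01 (10.10.70.51): Link Down (Not-Monitored)
Peer context: Standby Ready
Interface management (10.10.71.12): Normal (Not-Monitored)
Interface oob-net01 (10.10.70.52): Normal (Not-Monitored)
Stateful Obj xmit xerr rcv rerr
TCP conn 445431 0 0 0
ARP tbl 4259662 0 6964 0
Route Session 20 0 12 2
"""

# "This context:" / "Peer context:" appear in this thread's output; the
# "host" / "Other" spellings are accepted as an assumption for single-context units.
UNIT = re.compile(r"^(This|Peer|Other) (?:context|host):")
# Interface <name> (<ip>): <state> (<monitoring status>)
IFACE = re.compile(r"^Interface (\S+) \(([^)]*)\): (.*?)(?: \(([^)]*)\))?$")
# <stateful object> xmit xerr rcv rerr
STAT = re.compile(r"^(.+?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")

def audit(text):
    """Return (unit, object, finding) tuples for one 'show failover' capture."""
    findings, unit = [], "?"
    for line in (raw.strip() for raw in text.splitlines()):
        if m := UNIT.match(line):
            unit = m.group(1).lower()          # which unit the next lines describe
        elif m := IFACE.match(line):
            name, state, mon = m.group(1), m.group(3), m.group(4)
            if mon == "Not-Monitored":         # its failure cannot trigger failover
                findings.append((unit, name, "not monitored"))
            if state != "Normal":              # e.g. "Link Down"
                findings.append((unit, name, "state: " + state))
        elif m := STAT.match(line):
            xerr, rerr = int(m.group(3)), int(m.group(5))
            if xerr or rerr:                   # replication errors on the stateful link
                findings.append(("stateful", m.group(1), f"xerr={xerr} rerr={rerr}"))
    return findings

if __name__ == "__main__":
    for unit, obj, finding in audit(SAMPLE):
        print(f"{unit:8} {obj:14} {finding}")
```

Run it against a capture from each unit; the interface findings only describe what the output shows and do not by themselves explain the 40-second convergence.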

 

Let's start again :) What is the issue you are having on these two units? I believe you are saying that when you do a failover between the two units there is a connectivity issue/loss in between? Or do you see downtime in your network?

 

Please provide show failover history and show run failover on both units.

 

Looking at your text file, everything is configured fine. Give us more information on what the issue is and what exactly you need help on.


Thanks for the information. Is the 40-second failover delay you mentioned from the Active to Standby failover, or do both failovers take the same time?

 

How are these devices connected? The same switch or a different location?

 

BB


Devices are in the same room, side by side. 

I am running routing protocols, OSPF (Open Shortest Path First), which is forced to re-establish adjacencies. Because of this behavior I end up with long convergence times and routes flapping.

I see you are running OSPF. When doing failover the adjacencies are re-established; however, if I remember, OSPF adjacencies take around 5 to 10 seconds. Have you configured stateful failover too? Just thinking, stateful failover will replicate, but you will still see the new adjacencies. Is this failover VLAN also a part of OSPF?
