Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
247
Views
6
Helpful
9
Replies

Cisco FPR 2130 (ASA) Failover Active/Standby takes 1 minute 30 seconds

Jacob Koenn
Level 1
Level 1

‎03-05-2025 04:54 AM

Good morning!

At my job, we have setup our two FPR 2130's running in ASA into an HA Active/Standby pair. This has been great for upgrades. Currently, when we manually enter the command "failover active" on the standby unit, it will failover, but not all interfaces will move or drop, allowing the FW taking over to accept and use those interfaces. It is required to reboot the active FW to allow all interfaces to switch over and work. When this happens (fail over) it takes 1 minute and 30 seconds to restore services. Is there anyway we could cut this down to nearly a blip and still function? Both FPR 2130's have a direct connection used for the fail over configuration, their is not a switch in between the failover interface.

TLDR: Possible to lower our failover time to a blip and not 1 minute 30 seconds? Failover only works when a reboot on active is done, it does not work with "failover active" command on standby.

0 Helpful
9 Replies 9

ahollifield
VIP
VIP

‎03-05-2025 05:32 AM

What exactly do you mean?  "failover active" is fully switching roles.  What do you mean by "it will failover, but not all interfaces will move or drop"?  The links don't actually ever go down. Also why ASA and not Secure Firewall Threat Defense?

Jacob Koenn
Level 1
Level 1
In response to ahollifield

‎03-05-2025 05:51 AM

Morning, appreciate the response.

On the standby unit, you may type "failover active". This will start a manual failover, this should automatically switch over all current active interfaces, to the standby unit, thus making the standby, the new active. Shouldn't traffic switch between the firewalls based upon which one takes over active? (In a sense, when we conduct a manual failover, services do not work unless we reboot the active firewall.)

Our firewalls split their interfaces into a Nexus 9504 Chassis Switch, which host both firewall interfaces on separate blades. Traffic flows based upon whichever is active.

We are accustomed to ASA at this moment and possibly in the future would go FTD, but per tech refresh and planning, that is not in scope at the moment.

0 Helpful

Rob Ingram
VIP
VIP

‎03-05-2025 05:47 AM

@Jacob Koenn do you have portfast configured on the switchport the ASA is connected to?

Please provide the output of "show failover history"

Jacob Koenn
Level 1
Level 1
In response to Rob Ingram

‎03-05-2025 06:15 AM - edited ‎03-05-2025 06:31 AM

Morning Rob, I do not have portfast configured on the ports going to both firewalls.  **EDIT: We do have "spanning-tree port type edge" on some interfaces but not all, I will ensure uniformity of configs. I have also read, it is not recommended to run portfast on firewall HA configs, only servers and workstations, thoughts?

I do not have a recent log of when doing the command, as all prior failovers were conducted by rebooting active, other than this:

03:05:27 UTC Oct 17 2024
Disabled Negotiation Set by the config command
(failover)

03:05:28 UTC Oct 17 2024
Negotiation Cold Standby Detected an Active peer

03:05:30 UTC Oct 17 2024
Cold Standby Sync Config Detected an Active peer

but when manual failover is conducted, services do not work until a reboot is done on the active.

0 Helpful

rschlayer
Level 4
Level 4

‎03-05-2025 07:15 AM - edited ‎03-05-2025 07:15 AM

This is very likely a spanning tree problem. ASA failover is nearly instant (like 1 ping loss) if not all interfaces come up but some do, it is because of the missing portfast configuration (or edge depending on switch version).

Jacob Koenn
Level 1
Level 1

‎03-05-2025 07:38 AM - edited ‎03-05-2025 07:47 AM

Morning,

Would be safe to throw on portfast on all ports containing the FW HA configs? Can you put portfast on a trunk'd interface/does it function when on a trunk?

How it is setup:

Eth1/20 FW-FW01
Eth1/21 FW-FW01
Eth1/22 FW-FW01
Eth1/23 FW-FW01
Eth1/24 FW-FW01
Eth1/25 FW-FW01
Eth1/26 FW-FW02
Eth1/27 FW-FW02
Eth1/28 FW-FW02

Eth2/20 FW-FW02
Eth2/21 FW-FW02
Eth2/22 FW-FW01
Eth2/24 FW-FW01
Eth2/25 FW-FW02
Eth2/26 FW-FW02
Eth2/28 FW-FW02

Is the recommendation to setup portfast on all FW ports that are used / in HA config? Then test.

We are on NXOS: version 9.3(14) Cisco Nexus 9504 Dual Supervisor.

 

0 Helpful

rschlayer
Level 4
Level 4

‎03-05-2025 07:50 AM

Hi,

yes you can use portfast on a trunk and I would recommend doing it for all firewall interfaces connected to your switch. Once you have that set up you can do another failover test.

I believe the command is something like spanning-tree port type edge trunk

Jacob Koenn
Level 1
Level 1
In response to rschlayer

‎03-05-2025 08:00 AM

Copy, I will give this a try and mark as solution if this works, I appreciate the help everyone!

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Jacob Koenn

‎03-05-2025 09:52 AM

I can verify that properly setup firewall plus switches will failover in subsecond time when using the cli "(no) failover active" command. I have used this on many many firewalls with the same results from Pix and ASA 7.x and 8.x all the way though the latest FTD 7.6 (which still use the ASA code in the LINA subsystem).

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card