Re: Failover takes over 50 minutes to get from bulk sync to Standy Rea

Chess Norris · ‎07-04-2024

Hello,

I am trubleshooting a failover issue for a customer who experience problem with failover. They were upgrading the ASA on their FPR 4112 and after the standby unit rebooted, it took over 50 minutes to get from Bulk Sync to Standby Ready. The two firewalls are located at different DC's and this may result in some delays however, the time the FW takes to change from negotiation, cold standby, sync config until bulk sync is quite fast. The problem is the long time it takes to change from bulk sync to standby ready.

Anyone seeing this before?

2024-07-04 163901.jpg

Thanks

/Chess

MHM Cisco World · ‎07-04-2024

I read before it indeed take long time for active to sync bulk to standby more than 20 min so if the sync is end and it OK even if it take long time that no problem.

MHM

Chess Norris · ‎07-04-2024

Hello @MHM Cisco World Do you have a link to the document or website where you read that? I've personally newer see this kind of delay before.

MHM Cisco World · ‎07-04-2024

sure friend

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/220668-upgrade-ftd-ha-managed-by-fmc.html

tvotna · ‎07-04-2024

@Chess Norris, not sure why @MHM Cisco World pointed you to a document which is of no relevance here...

50 minutes delay is not normal of course. I've never seen this on a FPR-4145 or 4150 with 10M+ connections. Bulk sync can take time, e.g. few minutes, but 50 min is too much. You need to examine syslog and terminal messages from the standby unit (e.g. at errors level) and check CPU ("show cpu det", "show proc cpu-usage sorted non-zero") and blocks on the standby unit ("show blocks") during and after config sync. How many connections does active unit have and what's the conn rate on it? ("show conn count", "show resource usage" / "show perfmon"). What version do you use?

Failover takes over 50 minutes to get from bulk sync to Standy Ready