Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
374
Views
0
Helpful
1
Replies

interface shutdown in firewall

Go to solution
suthomas1
Level 6
Level 6

‎02-14-2011 05:00 AM - edited ‎03-11-2019 12:50 PM

if one out of few interface , monitored under failover, is shutdown on the primary firewall, what impact will it cause with failover of devices.

how will the connection be regained in such case.

thank you.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎02-14-2011 02:45 PM

By default, when 1 out of the few ASA "monitored" interfaces are shutdown, it will failover to the standby unit within 5 seconds.

You can check which interfaces are monitored by issueing the "show monitor-interface" command, as not all interfaces are possibly configured to be monitored. ASA will only detect failure on "monitored" interfaces and if failure occurs on interface that is not being monitored, failover will not occur.

You can also change the policy on when failover occurs with the command: failover interface-policy [num/%]

You can configure it in such a way that only when 2 out of the 5 monitored interfaces are down to trigger the failover. However, if you are happy with the default of 1 monitored interface failure, then just leave it as default.

Here is the configuration guide for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/ha_active_standby.html#wp1116789

Here is the failover default times for different failures for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/ha_overview.html#wp1079158

Hope this helps.

View solution in original post

0 Helpful
1 Reply 1

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎02-14-2011 02:45 PM

By default, when 1 out of the few ASA "monitored" interfaces are shutdown, it will failover to the standby unit within 5 seconds.

You can check which interfaces are monitored by issueing the "show monitor-interface" command, as not all interfaces are possibly configured to be monitored. ASA will only detect failure on "monitored" interfaces and if failure occurs on interface that is not being monitored, failover will not occur.

You can also change the policy on when failover occurs with the command: failover interface-policy [num/%]

You can configure it in such a way that only when 2 out of the 5 monitored interfaces are down to trigger the failover. However, if you are happy with the default of 1 monitored interface failure, then just leave it as default.

Here is the configuration guide for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/ha_active_standby.html#wp1116789

Here is the failover default times for different failures for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/ha_overview.html#wp1079158

Hope this helps.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card