[c-nsp] FWSM HA secondary reload & long downtime

Peter Rathlev peter at rathlev.dk
Mon Mar 9 17:15:44 EDT 2009


Hi,

We've had some problems with an old pair of FWSMs lately running 2.3(4).
We're testing and collecting information to maybe open a ticket, but
during this I found something I hadn't expected.

Currently we have experienced ~10 secs failover from active to standby
in a HA pair when using 3 sec hello and 10 sec downtime. This is fine
for us.

On a running system we can switch around with "no failover active" /
"failover active" with no problems either.

BUT: When we reload the standby unit, we experience very long downtime.
It seems to happen when the standby unit resurfaces and seems to be for
as long as they're replicating configurations.

This time around it was the configured secondary that was active. When
the primary was brought up the secondary's logs said:

Mar 09 2009 16:39:56: %FWSM-1-709003: (Secondary) Beginning configuration replication: Send to mate.
Mar 09 2009 16:41:26: %FWSM-1-709004: (Secondary) End Configuration Replication (ACT)

Are we supposed to have this much downtime for an _up_ convergence? This
pair is configured with 19 contexts, so replication of course must take
some time. I just don't see why the running active has to stop
forwarding traffic.

I can't seem to find any information on this on cisco.com, still looking
though. I can't test it very much because we only have one spare
FWSM. :-(

Failover configuration from sys context:

failover
failover lan unit secondary
failover lan interface failover vlan 553
failover polltime unit 3 holdtime 10
failover polltime interface 3
failover interface-policy 1
failover replication http
failover link statefullfailover vlan 554
failover interface ip failover 10.220.254.1 255.255.255.0 standby 10.220.254.2
failover interface ip statefullfailover 10.220.253.1 255.255.255.0 standby 10.220.253.2

The primary (standby) is of course configured similarly.

Any comments/pointers very much appreciated. :-)

Regards,
Peter
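
Added example, not part of the original post: a small Python script that pairs the %FWSM-1-709003 and %FWSM-1-709004 messages quoted above, per unit, and reports how long each configuration replication window lasted. The third sample line and the threshold_s parameter (defaulting to the post's 10 s holdtime) are assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed sample: the two lines from the post plus one invented
# unmatched start, to show how an unfinished replication is reported.
SAMPLE = """\
Mar 09 2009 16:39:56: %FWSM-1-709003: (Secondary) Beginning configuration replication: Send to mate.
Mar 09 2009 16:41:26: %FWSM-1-709004: (Secondary) End Configuration Replication (ACT)
Mar 09 2009 18:02:10: %FWSM-1-709003: (Secondary) Beginning configuration replication: Send to mate.
"""

LINE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%FWSM-\d-(?P<id>709003|709004): \((?P<unit>\w+)\)"
)

def replication_windows(text, threshold_s=10):
    """Pair 709003 (begin) with 709004 (end) per unit.

    threshold_s is an assumption: it defaults to the 10 s holdtime from the
    post's failover config, used only as a yardstick for "long" windows.
    """
    open_start = {}   # unit -> start time of a replication still in progress
    windows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        unit = m["unit"]
        if m["id"] == "709003":
            if unit in open_start:           # earlier begin never got an end
                windows.append((unit, open_start[unit], None, None, True))
            open_start[unit] = ts
        elif unit in open_start:             # 709004 closing a known begin
            start = open_start.pop(unit)
            secs = (ts - start).total_seconds()
            windows.append((unit, start, ts, secs, secs > threshold_s))
    for unit, start in open_start.items():   # still open at end of log
        windows.append((unit, start, None, None, True))
    return windows

if __name__ == "__main__":
    for unit, start, end, secs, long_ in replication_windows(SAMPLE):
        state = f"{secs:.0f}s" if secs is not None else "no end message seen"
        print(f"{unit}: started {start}, {state}{' (long)' if long_ else ''}")
```

Each tuple is (unit, start, end, seconds, exceeds_threshold); a window with no end message is reported with end and seconds set to None.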



