[c-nsp] Distance limit of ASA Failover

David White, Jr. (dwhitejr) dwhitejr at cisco.com
Thu Mar 17 17:57:47 EDT 2011


Yes, but it is not quite as granular.  See:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ha_overview.html#wp1077627

    For optimum performance when using long distance failover, the
    latency for the failover link should be less than 10 milliseconds
    and no more than 250 milliseconds. If latency is more than 10
    milliseconds, some performance degradation occurs due to
    retransmission of failover messages.

Sincerely,

David.

Chris Kane wrote:
>
>
> On Thu, Mar 17, 2011 at 5:35 PM, David White, Jr. (dwhitejr)
> <dwhitejr at cisco.com <mailto:dwhitejr at cisco.com>> wrote:
>
>     For the ASA, what is important is the latency caused by the distance.
>     For best results, latency should be less than 10 msec.  There is a 30
>     msec timer used to check the acknowledgment that the peer received the
>     message (this includes round-trip time, plus the time it takes the
>     peer
>     to accept, process, and respond to the message).  However,
>     latencies up
>     to 250 msec are possible/acceptable, but there will be quite a bit of
>     overhead, as the ASA will retransmit every failover message 8 times at
>     this latency.   If the latency is large (near 250 msec), then the
>     failover poll and holdtimes must not be configured at low values.
>     Using a polltime of 1 sec and a holdtime of 15 sec would be fine.
>     Long distance failover should not be deployed when latencies between
>     ASAs exceed 250 msec.
>
>     Sincerely,
>
>     David.
>
>     Chris Kane wrote:
>     > I've been looking for some doco and was hoping someone here had
>     > a good reference. Now that so many of us have extended Layer 2 between
>     > data centers, I'd like to find documentation that recommends the
>     > distance limit for the ASA Failover. Since pseudowires hide the
>     > Ethernet distance, I'm wondering if there is a time-based limitation
>     > (ex. 30ms). And I'm assuming only Active/Standby could be supported in
>     > geographically distant (read several hundred miles apart) data centers.
>     >
>     > Thanks,
>     > -chris
>
>
> David,
>
> Thanks for the email. I'm looking at a design that's likely ~40 msec
> on average. Do you know of any supporting documentation I could use
> for reference?
>
> -chris
>
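The figures in this thread (a 30 msec acknowledgement timer, 8 retransmissions at 250 msec, the 10 / 250 msec thresholds from the ASA 8.4 guide, and the 1 sec / 15 sec poll/hold suggestion) can be turned into a small sizing model. The following is an added example written for this page, not Cisco code and not anything posted in the thread. It assumes that a failover message is resent each time the 30 msec timer expires before the peer's ack arrives, and treats the latency figures as round-trip numbers, because that is the reading that reproduces the "8 retransmissions at 250 msec" remark. The holdtime >= 3 x polltime rule is the ASA CLI's own constraint as I recall it, and the "polltime should cover several ack delays" rule is a heuristic of mine; both are assumptions, not statements from the thread.

```python
"""Sizing model for ASA long-distance failover latency (illustration only).

Assumptions (mine, not statements from the thread unless noted):
- ACK_TIMER_MS = 30 is the acknowledgement timer described in the thread.
- A failover message is resent each time that timer expires before the peer's
  acknowledgement arrives; the ack arrives after one round trip plus the peer's
  processing time.  With 250 msec read as the round-trip figure this gives the
  "8 retransmissions" mentioned in the thread.
- The 10 msec and 250 msec thresholds are the ones quoted from the ASA 8.4
  configuration guide in the thread.
- holdtime >= 3 x polltime is the ASA CLI constraint as I recall it; the
  "polltime >= 4 x ack delay" check is my own heuristic.
"""
import math
from dataclasses import dataclass, field

ACK_TIMER_MS = 30          # ack timer for failover messages (from the thread)
OPTIMAL_LATENCY_MS = 10    # "less than 10 milliseconds" (ASA 8.4 guide)
MAX_LATENCY_MS = 250       # "no more than 250 milliseconds" (ASA 8.4 guide)


def retransmissions_per_message(rtt_ms, peer_processing_ms=0):
    """How many times one failover message is resent before its ack arrives.

    The timer fires at 30, 60, 90, ... msec; every expiry before the ack
    lands triggers a resend.  250 msec -> 8, 40 msec -> 1, below 30 -> 0.
    """
    ack_delay = rtt_ms + peer_processing_ms
    return max(0, math.ceil(ack_delay / ACK_TIMER_MS) - 1)


def wire_amplification(rtt_ms, peer_processing_ms=0):
    """Copies of each failover message that actually cross the link."""
    return 1 + retransmissions_per_message(rtt_ms, peer_processing_ms)


@dataclass
class FailoverAssessment:
    verdict: str                     # "optimal", "degraded" or "unsupported"
    retransmissions: int             # resends per failover message
    problems: list = field(default_factory=list)
    config: list = field(default_factory=list)   # suggested ASA CLI lines


def assess_long_distance_failover(rtt_ms, polltime_s=1, holdtime_s=15,
                                  peer_processing_ms=0):
    """Classify a DCI latency against the guide's thresholds and sanity-check
    the unit poll/hold timers chosen for it."""
    retrans = retransmissions_per_message(rtt_ms, peer_processing_ms)
    if rtt_ms > MAX_LATENCY_MS:
        verdict = "unsupported"      # thread: do not deploy above 250 msec
    elif rtt_ms > OPTIMAL_LATENCY_MS:
        verdict = "degraded"         # works, with retransmission overhead
    else:
        verdict = "optimal"

    problems = []
    if holdtime_s < 3 * polltime_s:
        problems.append("holdtime must be at least 3 x polltime (assumed CLI rule)")
    ack_delay = rtt_ms + peer_processing_ms
    if polltime_s * 1000 < 4 * ack_delay:
        problems.append("polltime is low for this latency; hellos would be "
                        "judged lost while their acks are still in flight")
    # Seconds form of the ASA command, populated with the thread's
    # 1 sec / 15 sec suggestion by default (assumed syntax).
    config = [f"failover polltime unit {polltime_s} holdtime {holdtime_s}"]
    return FailoverAssessment(verdict, retrans, problems, config)


if __name__ == "__main__":
    # Constructed sample latencies: the guide's optimum, Chris's ~40 msec
    # design, the 250 msec ceiling and one value past it.
    for rtt in (8, 40, 250, 300):
        a = assess_long_distance_failover(rtt)
        print(f"{rtt:>4} msec: {a.verdict:<11} resends/msg={a.retransmissions} "
              f"problems={a.problems or 'none'}")
```

Run as a script it prints one line per sample latency; the ~40 msec design discussed above lands in "degraded" with one retransmission per failover message, which is the kind of number to put next to the documentation link when justifying the design.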