5 Replies Latest reply on Apr 16, 2014 7:53 AM by mtuma

    Firewall 8.3.1 failover higher takeover time



      I have two identical firewalls currently in version 8.3.1 s4016 failover (peer-to-peer).

      The problem I see is that when a firewall stops working the takeover takes longer than 45 seconds.

      Has anyone ever managed high availability for these firewalls? Is the time always so high?

      Thanks for your help, everyone!

        • 1. Re: Firewall 8.3.1 failover higher takeover time



          Can you explain what you mean by "working the takeover takes longer than 45 seconds"? Are you talking about the time it takes for traffic to start passing again?


          By default the firewalls have a 13 second takeover time. That means that if the primary stops sending a heartbeat, the standby will take over after 13 seconds. There may be a few second delay while the standby restarts its services, but it should not take 45 seconds. The other aspect here that is important is that ARP tables on switches and devices need to be updated with the MAC address of the new primary. This could be what is taking so long.



          • 2. Re: Firewall 8.3.1 failover higher takeover time

            Thanks for your response!

            Yes, I mean that the time it takes to pass through the firewalls again is higher than 45 seconds.

            The neighboring switches are not routing, just layer 2, so the gratuitous ARP doesn't affect them.

            How can I adjust the minimum time? I think the firewall takes some time to identify that an interface is not working, so there is that time, plus the time the firewall takes to take over, plus the time the services take to restart.

            I have about 20 VLANs created on the same interface, and the firewall is verifying all of them. Do you think that is right? Or maybe checking a single VLAN could be enough?


            Thank you a lot!
            • 3. Re: Firewall 8.3.1 failover higher takeover time



              So in this case, the reason for the failover was because of an interface failing? If so, then that will take longer as the firewall has to recognize that the interface has failed. You should be able to modify the ping interval and failures allowed to cause it to failover faster in the case of the interface failing.


              Also I want to mention that sometimes devices (sometimes Cisco) ignore the gratuitous ARPs that we send and that causes delays. In that case, the force ARP reset could be used and the firewall will ping the IP. This is a little more forceful of an ARP update.



              • 4. Re: Firewall 8.3.1 failover higher takeover time

                I am new to the Sidewinder but 13 seconds seems long. The documentation says it can be from 3-13 seconds. Any issue with changing this to 5 seconds?

                • 5. Re: Firewall 8.3.1 failover higher takeover time



                  The main concern is that there may be a situation where you may have unnecessary failovers. Depending on the configuration of your heartbeat (direct cable, switch, multiple switches in between with firewalls in different buildings), the heartbeat could potentially not be received by the standby for a few seconds and cause the failovers. I have tested as low as 3 seconds in a lab environment and did not have issues.


                  To be honest, 13 seconds seems like a long time, but if a failover does occur, typical users will not even notice. They may have to refresh their client a few times but just assume the website is having problems or something.
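A small timing model of the stages discussed in replies 1, 3 and 5, added here as an illustration (it is not code from this thread or from the firewall vendor): it adds up detection, service restart and ARP delays for the two failure causes, and replays a heartbeat stream to show when a shorter takeover timeout turns a transient heartbeat gap into an unnecessary failover. Every numeric value other than the 13 s default is constructed, and the "interval x failures" detection arithmetic is a simplifying assumption, not the product's documented behaviour.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class HaTiming:
    """Constructed parameters; names follow the thread, values are assumptions."""
    heartbeat_timeout_s: float = 13.0  # default takeover time quoted in reply 1
    ping_interval_s: float = 5.0       # interface health-check interval (assumed)
    failures_allowed: int = 3          # failed checks before the link counts as down (assumed)
    service_restart_s: float = 3.0     # standby restarting its services (assumed)
    arp_update_s: float = 0.0          # extra delay when neighbours ignore gratuitous ARP


def takeover_budget(t: HaTiming, interface_failure: bool) -> Dict[str, float]:
    """Worst-case seconds until traffic passes again, split by stage.

    Peer death is noticed after the heartbeat timeout; an interface failure is
    noticed only after `failures_allowed` consecutive checks (assumed model).
    """
    if interface_failure:
        detect = t.ping_interval_s * t.failures_allowed
    else:
        detect = t.heartbeat_timeout_s
    total = detect + t.service_restart_s + t.arp_update_s
    return {"detect": detect, "restart": t.service_restart_s,
            "arp": t.arp_update_s, "total": total}


def heartbeat_takeover_at(heartbeats: List[float], timeout_s: float,
                          horizon_s: float) -> Optional[float]:
    """Replay heartbeat arrival times (seconds) as seen by the standby.

    Returns the instant the standby would take over, i.e. the first moment a
    gap between heartbeats exceeds `timeout_s`, or None if no such gap occurs
    before `horizon_s`.  A transient gap shorter than the timeout is ignored,
    which is the trade-off reply 5 describes when lowering 13 s towards 3 s.
    """
    last = 0.0
    for hb in sorted(heartbeats):
        if hb - last > timeout_s:
            return last + timeout_s
        last = hb
    if horizon_s - last > timeout_s:
        return last + timeout_s
    return None


# Constructed stream: heartbeat every second, a 4 s switch hiccup, then recovery.
HICCUP_STREAM = [1, 2, 3, 4, 5, 9, 10, 11]
```

With the constructed defaults, an interface failure costs 18 s end to end versus 16 s for a dead peer, and the 4 s hiccup in `HICCUP_STREAM` triggers a takeover at 8 s with a 3 s timeout but not with the 13 s default.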