I was not questioning the tests and the reason why the value was changed to 
500 msec. I was more confused about the default values of the unit poll 
time. The question is very clear on what value to change; I got confused when I 
looked at the answer that it was 500 msec if the unit poll time was a total of 
15 seconds. I got confused on the values as they changed from the old PIX to 
the ASA firewall. 

PIX firewall 

Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 250 maximum

ASA Firewall 

Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 250 maximum

Even though the following document states that it is for PIX and ASA firewalls, that is 
not entirely true: 

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml

The values (as well as the example) should be for the PIX; although the 
commands are almost the same, the timers change. 
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html

But thanks for the documentation. 



Mike 

Date: Tue, 1 May 2012 08:35:09 +0530
Subject: Re: [OSL | CCIE_Security] Lab 13 IPexpert
From: kingsley.char...@gmail.com
To: mike_c...@hotmail.com
CC: ccie_security@onlinestudylist.com

The interface health monitoring only takes 1/2 of the holdtime. The criterion for 
unit health monitoring is not receiving three consecutive hellos. 

Snippet from 
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1042444

Unit Health Monitoring

The security appliance determines the health of the other unit by 
monitoring the failover link. When a unit does not receive three 
consecutive hello messages on the failover link, the unit sends 
interface hello messages on each interface, including the failover 
interface, to validate whether or not the peer interface is responsive. 
The action that the security appliance takes depends upon the response 
from the other unit. See the following possible actions:

• If the security appliance receives a response on the failover interface, then 
it does not fail over.

• If the security appliance does not receive a response on the failover 
link, but receives a response on another interface, then the unit does 
not fail over. The failover link is marked as failed. You should restore 
the failover link as soon as possible because the unit cannot fail over 
to the standby while the failover link is down.

• If the security appliance does not receive a response on any interface, 
then the standby unit switches to active mode and classifies the other 
unit as failed.

Interface Monitoring

You can monitor up to 250 interfaces divided between all contexts. You 
should monitor important interfaces, for example, you might configure 
one context to monitor a shared interface (because the interface is 
shared, all contexts benefit from the monitoring).

When a unit does not receive hello messages on a monitored interface for 
half of the configured hold time, it runs the following tests:


With regards
Kings

On Mon, Apr 30, 2012 at 10:58 PM, Mike Rojas <mike_c...@hotmail.com> wrote:
Hi, 

I have a couple of questions, just starting lab 13 of IPexpert. In regards to 
the failover unit poll time, it says to configure it to be half of the default. The 
solution says that the default is 1 second, with which I tend to differ:


Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds

In the solution, what he modifies is the unit poll time. 

Second, if you read the firewall for the interface configuration part, the 
show command is incomplete. If you do a show interface | include|System without 
being in the context itself, you are not going to see the output as expected. 
As per the show command exhibit, it is being taken from the ASA system context; 
otherwise, it would show (by default) the hostname and context name, which would 
rule out two different configuration questions: 1) that the device is indeed in 
multiple-context mode, and 2) the names of the contexts to be configured. 


Is this how they do the questions on the lab? 

Mike 


_______________________________________________

For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com



Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com
