Good catch and observation, Mike.
Those new ASA values ARE a significant departure from the old PIX values. It
would be interesting to understand why they chose to make such a dramatic shift
in what would appear to be a "core" (baseline) value - even IF the move was made
from an old, legacy (PIX) platform to the new ASA.
Thank you for documenting your observation!
Sincerely,
Joshua Dughi
[email protected]
Tel. 307-752-5891
--- On Mon, 4/30/12, Mike Rojas <[email protected]> wrote:
From: Mike Rojas <[email protected]>
Subject: Re: [OSL | CCIE_Security] Lab 13 IPexpert
To: [email protected]
Cc: [email protected]
Date: Monday, April 30, 2012, 10:01 PM
I was not questioning the tests or the reason why the value was changed to
500 msec. I was more confused about the default values of the unit poll
time. The question is very clear on what value to change; I got confused when I
looked at the answer, which said 500 msec, if the unit poll time was a total of
15 seconds. I got confused by the values, as they changed from the old PIX to
the ASA firewall.
PIX firewall
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 250 maximum
ASA Firewall
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 250 maximum
Even though the following document states that it is for PIX and ASA firewalls,
that is not entirely true:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml
The values (as well as the example) should be for the PIX; although the
commands are almost the same, the timers change.
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html
But thanks for the documentation.
Mike
Date: Tue, 1 May 2012 08:35:09 +0530
Subject: Re: [OSL | CCIE_Security] Lab 13 IPexpert
From: [email protected]
To: [email protected]
CC: [email protected]
The interface health monitoring only takes 1/2 of the holdtime. The criterion for
unit health monitoring is not receiving three consecutive hellos.
Snippet from
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1042444
Unit Health Monitoring
The security appliance determines the health of the other unit by monitoring
the failover link. When a unit does not receive three consecutive hello
messages on the failover link, the unit sends interface hello messages on each
interface, including the failover interface, to validate whether or not the
peer interface is responsive. The action that the security appliance takes
depends upon the response from the other unit. See the following possible
actions:
•If the security appliance receives a response on the failover interface, then
it does not fail over.
•If the security appliance does not receive a response on the failover link,
but receives a response on another interface, then the unit does not failover.
The failover link is marked as failed. You should restore the failover link as
soon as possible because the unit cannot fail over to the standby while the
failover link is down.
•If the security appliance does not receive a response on any interface, then
the standby unit switches to active mode and classifies the other unit as
failed.
Interface Monitoring
You can monitor up to 250 interfaces divided between all contexts. You should
monitor important interfaces, for example, you might configure one context to
monitor a shared interface (because the interface is shared, all contexts
benefit from the monitoring).
When a unit does not receive hello messages on a monitored interface for half
of the configured hold time, it runs the following tests:
With regards
Kings
On Mon, Apr 30, 2012 at 10:58 PM, Mike Rojas <[email protected]> wrote:
Hi,
I have a couple of questions, just starting lab 13 of IPexpert. In regards to
the failover unit poll time, it says to configure it to be half of the default. The
solution says that the default is 1 second, which I tend to differ with:
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
On the solution, what he modifies is the Unit poll time.
Second, if you read the firewall interfaces configuration part, the
show command is incomplete. If you do a show interface | include System without
being in the context itself, you are not going to see the output as expected.
As per the show command exhibit, it is being taken from the ASA system context;
otherwise, it would show (by default) the hostname and context name, which would
rule out two different configuration questions: 1) that the device is indeed in
multiple context mode, and 2) the names of the contexts to be configured.
Is this how they do the questions on the lab?
Mike
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com
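The unit health monitoring procedure quoted from the Cisco failover guide above (three consecutive missed hellos on the failover link, then interface hellos, then one of three outcomes), together with the PIX and ASA default unit timers from Mike's show failover output, modelled as an added example. This is constructed illustration code, not Cisco's or IPexpert's; the one rule it adds that is not on this page is the ASA command reference constraint that the unit holdtime may not be less than three times the unit polltime, which is stated here as an assumption.

```python
"""Added example: model of ASA active/standby unit health monitoring as
described in the quoted failover guide. Constructed for illustration only."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

# From the quoted guide: probing starts after "three consecutive hello messages" are missed.
CONSECUTIVE_MISSED_HELLOS = 3


class Action(Enum):
    NO_FAILOVER = "peer answered on the failover link: no failover"
    LINK_FAILED = "peer answered on another interface: failover link marked failed, no failover"
    FAILOVER = "no answer on any interface: standby goes active, peer classified failed"


@dataclass(frozen=True)
class UnitTimers:
    polltime_ms: int  # interval between hellos on the failover link
    holdtime_ms: int  # silence after which the peer is declared failed

    def validate(self) -> None:
        # Assumption taken from the ASA command reference, not from the thread:
        # the unit holdtime may not be less than three times the unit polltime.
        if self.holdtime_ms < 3 * self.polltime_ms:
            raise ValueError(
                f"holdtime {self.holdtime_ms} ms < 3 x polltime {self.polltime_ms} ms")


# Defaults as shown in the 'show failover' output quoted in the thread.
PIX_DEFAULT = UnitTimers(polltime_ms=15_000, holdtime_ms=45_000)
ASA_DEFAULT = UnitTimers(polltime_ms=1_000, holdtime_ms=15_000)
# The lab task: unit polltime at half the ASA default, holdtime left at its default.
LAB_TASK = UnitTimers(polltime_ms=500, holdtime_ms=ASA_DEFAULT.holdtime_ms)


def time_to_interface_probe_ms(t: UnitTimers) -> int:
    """Time from the last good hello until the unit starts sending interface
    hellos: three poll intervals with nothing heard on the failover link."""
    return CONSECUTIVE_MISSED_HELLOS * t.polltime_ms


def interface_test_trigger_ms(interface_holdtime_ms: int) -> float:
    """Interface monitoring: the tests start after half the configured hold time."""
    return interface_holdtime_ms / 2


def decide(failover_link_replied: bool, other_interface_replied: bool) -> Action:
    """The three outcomes listed in the quoted 'Unit Health Monitoring' text."""
    if failover_link_replied:
        return Action.NO_FAILOVER
    if other_interface_replied:
        return Action.LINK_FAILED
    return Action.FAILOVER


def run_monitor(t: UnitTimers, hellos_seen: list, failover_link_replied: bool,
                other_interface_replied: bool) -> Tuple[Optional[int], Optional[Action]]:
    """Walk one poll interval per entry of hellos_seen (True = hello received).
    Returns (elapsed_ms, action) at the moment three consecutive hellos have been
    missed and the interface probe has decided, or (None, None) if that never happens."""
    t.validate()
    missed = 0
    for interval, seen in enumerate(hellos_seen, start=1):
        missed = 0 if seen else missed + 1
        if missed == CONSECUTIVE_MISSED_HELLOS:
            return interval * t.polltime_ms, decide(failover_link_replied, other_interface_replied)
    return None, None


if __name__ == "__main__":
    for name, timers in (("PIX default", PIX_DEFAULT),
                         ("ASA default", ASA_DEFAULT),
                         ("lab task (500 msec)", LAB_TASK)):
        print(f"{name}: interface probe after {time_to_interface_probe_ms(timers)} ms")
    # Constructed scenario: one good hello, then silence, and no reply anywhere.
    print(run_monitor(ASA_DEFAULT, [True, False, False, False], False, False))
```

With the PIX defaults the probe starts only after 45 seconds of silence on the failover link, with the ASA defaults after 3 seconds, and with the lab's 500 msec polltime after 1.5 seconds; the holdtime check in validate() is what would reject a 500 msec polltime paired with a holdtime under 1.5 seconds.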