Understand the timers that apply to an HA pair and the
timer profiles you can apply.
High availability (HA) timers enable a firewall
to detect a firewall failure and trigger a failover. To reduce the
complexity of configuring timers for an HA pair, you can select
from three profiles: Recommended, Aggressive, and Advanced.
These profiles auto-populate the optimum HA timer values for the
specific firewall platform to enable a speedier HA deployment.
Use the Recommended profile for typical
failover timer settings and the Aggressive profile
for faster failover timer settings. The Advanced profile
allows you to customize the timer values to suit your network requirements.
The following table describes each timer included in the profiles
and the current preset values (Recommended/Aggressive) across the
different hardware models; these values are for current reference
only and can change in a subsequent release.
Interval during which the firewall will remain
active following a path monitor or link monitor failure. This setting
is recommended to avoid an HA failover due to the occasional flapping
of neighboring devices.
0/0
0/0
0/0
Preemption Hold Time (min)
Time that a passive or active-secondary firewall
will wait before taking over as the active or active-primary firewall.
1/1
1/1
1/1
Heartbeat Interval (ms)
Frequency at which the HA peers exchange
heartbeat messages in the form of an ICMP (ping).
1000/1000
2000/1000
2000/1000
Promotion Hold Time (ms)
Time that the passive firewall (in active/passive
mode) or the active-secondary firewall (in active/active mode) will
wait before taking over as the active or active-primary firewall
after communications with the HA peer have been lost. This hold
time will begin only after the peer failure declaration has been
made.
2000/500
2000/500
2000/500
Additional Master Hold Up Time (ms)
Time interval in milliseconds that is applied
to the same event as Monitor Fail Hold Up Time (range is 0 to 60,000;
default is 500). The additional time interval is applied only to
the active firewall in active/passive mode and to the active-primary
firewall in active/active mode. This timer is recommended to avoid
a failover when both firewalls experience the same link/path monitor failure simultaneously.
500/500
500/500
7000/5000
Hello Interval (ms)
Interval in milliseconds between hello packets
that are sent to verify that the HA functionality on the other firewall
is operational (range is 8,000 to 60,000; default is 8,000).
8000/8000
8000/8000
8000/8000
Flap Max
A flap is counted when one of the following
occurs:
A preemption-enabled firewall leaves the active
state within 20 minutes after becoming active.
A link or path fails to stay up for 10 minutes after becoming
functional.
In the case of a failed preemption or non-functional
loop, this value indicates the maximum number of flaps that are
permitted before the firewall is suspended (range 0 to 16; default
is 3).
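The flap-counting rules above, worked through as an added example (not vendor code). The event names, the sample timeline, and the interface and path labels are constructed; treating a Flap Max of 0 as "no limit", suspending once the count reaches Flap Max, and never resetting the counter are assumptions.

```python
from datetime import datetime, timedelta

PREEMPT_WINDOW = timedelta(minutes=20)  # page: leaves active within 20 minutes
STABLE_WINDOW = timedelta(minutes=10)   # page: link/path must stay up 10 minutes
FLAP_MAX_DEFAULT = 3                    # page: range 0 to 16, default 3

def count_flaps(events, preemption_enabled=True):
    """Count flaps in (time, kind, subject) tuples; kind is one of
    'active', 'leave-active', 'up', 'down' (hypothetical event names)."""
    flaps, active_since, up_since = 0, None, {}
    for ts, kind, subject in sorted(events, key=lambda e: e[0]):
        if kind == "active":
            active_since = ts
        elif kind == "leave-active":
            # Rule 1: preemption-enabled firewall leaves active within 20 minutes.
            if (preemption_enabled and active_since is not None
                    and ts - active_since <= PREEMPT_WINDOW):
                flaps += 1
            active_since = None
        elif kind == "up":
            up_since[subject] = ts
        elif kind == "down":
            # Rule 2: link or path did not stay up for 10 minutes.
            started = up_since.pop(subject, None)
            if started is not None and ts - started < STABLE_WINDOW:
                flaps += 1
        else:
            raise ValueError(f"unknown event kind: {kind!r}")
    return flaps

def would_suspend(flaps, flap_max=FLAP_MAX_DEFAULT):
    if not 0 <= flap_max <= 16:
        raise ValueError("Flap Max must be in the range 0 to 16")
    # Assumption: 0 means no limit; otherwise suspend once the count reaches Flap Max.
    return flap_max > 0 and flaps >= flap_max

def _t(minutes):
    # Constructed timestamps: minutes after an arbitrary start time.
    return datetime(2024, 1, 1) + timedelta(minutes=minutes)

SAMPLE_EVENTS = [  # constructed timeline, not captured from a device
    (_t(0), "active", None), (_t(5), "leave-active", None),        # flap (5 min)
    (_t(30), "up", "ethernet1/1"), (_t(34), "down", "ethernet1/1"),  # flap (4 min)
    (_t(40), "active", None), (_t(75), "leave-active", None),      # 35 min: no flap
    (_t(80), "up", "ethernet1/1"), (_t(95), "down", "ethernet1/1"),  # 15 min: no flap
    (_t(100), "up", "path-a"), (_t(101), "down", "path-a"),        # flap (1 min)
]

if __name__ == "__main__":
    n = count_flaps(SAMPLE_EVENTS)
    print(n, would_suspend(n))
```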