62-15
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter62 Configuring Active/Standby Failover
Configuring Active/Standby Failover
Configuring Virtual MAC Addresses
In Active/Standby failover, the MAC addresses for the primary unit are always associated with the active
IP addresses. If the secondary unit boots first and becomes active, it uses the burned-in MAC address for
its interfaces. When the primary unit comes online, the secondary unit obtains the MAC addresses from
the primary unit. The change can disrupt network traffic.
You can configure virtual MAC addresses for each interface to ensure that the secondary unit uses the
correct MAC addresses when it is the active unit, even if it comes online before the primary unit. If you
do not specify virtual MAC addresses the failover pair uses the burned-in NIC addresses as the MAC
addresses.
Note You cannot configure a virtual MAC address for the failover or Stateful Failover links. The MAC and IP
addresses for those links do not change during failover.
To configure the virtual MAC addresses for an interface, enter the following command on the active unit:
Command Purpose
failover polltime interface [msec] time
[holdtime time]
Example:
hostname (config): failover polltime
interface msec 500 holdtime 5
Changes the interface poll and hold times.
Valid values for poll time are from 1 to 15 seconds or, if the optional msec
keyword is used, from 500 to 999 milliseconds. The hold time determines
how long it takes from the time a hello packet is missed to when the
interface is marked as failed. Valid values for the hold time are from 5 to
75 seconds. You cannot enter a hold time that is less than 5 times the poll
time.
If the interface link is down, interface testing is not conducted and the
standby unit could become active in just one interface polling period if the
number of failed interfaces meets or exceeds the configured failover
criteria.
failover polltime [unit] [msec] poll_time
[holdtime [msec] time]
Example:
hostname(config)# failover polltime unit
msec 200 holdtime msec 800
Changes the unit poll and hold times.
You cannot enter a holdtime value that is less than 3 times the unit poll
time. With a faster poll time, the ASA can detect failure and trigger failover
faster. However, faster detection can cause unnecessary switchovers when
the network is temporarily congested.
If a unit does not hear hello packet on the failover communication interface
for one polling period, additional testing occurs through the remaining
interfaces. If there is still no response from the peer unit during the hold
time, the unit is considered failed and, if the failed unit is the active unit,
the standby unit takes over as the active unit.
You can include both failover polltime [unit] and failover polltime
interface commands in the configuration.