Cisco ASA 5512-X Adaptive Security Appliance Important Safety Instructions

ASA FAQ: What happens after failover if dynamic routes are synchronized?
Document ID: 117816
Contributed by Dinkar Sharma and Magnus Mortensen, Cisco TAC Engineers.
Aug 10, 2015
Contents
Introduction
Background Information
What happens after failover if dynamic routes are synchronized?
Introduction
This document describes what happens after failover if dynamic routes are synchronized.
Background Information
Cisco Adaptive Security Appliance (ASA) code Version 8.4.1 and later synchronize dynamic routes from the
ACTIVE unit to the STANDBY unit. In addition, deletion of routes is also synchronized to the STANDBY
unit. However, the state of peer adjacencies is not synchronized; only the ACTIVE device maintains the
neighbor state and actively participates in dynamic routing.
What happens after failover if dynamic routes are synchronized?
If an existing ACTIVE ASA goes down, the STANDBY ASA takes over and processes traffic based on
connection information and routes synchronized by the peer device. The newly ACTIVE ASA continues to
pass traffic for connections that were formed with dynamic routes for 15 seconds even without neighbor
adjacencies. At this point, the newly ACTIVE ASA begins to form neighbor adjacencies with peer routers,
and all routes are synchronized once again. Now, if the adjacency and route learning process takes more than
15 seconds, the ASA drops all connections that use dynamic routes.
It is important to note that even if the ASA forms a neighbor adjacency and learns routes within 15 seconds, a
brief outage is still expected, because the newly ACTIVE ASA forms the adjacency from scratch. Once the
database/topology exchange (Open Shortest Path First/Enhanced Interior Gateway Routing Protocol) has
completed, all of the routes from the peer routing table are refreshed on the ASA, and during that refresh the
peer router does not have routes to forward packets towards the newly ACTIVE ASA. For failover to work
without an outage, the neighbor state must be synchronized as well. The Cisco ASA supports Non-Stop
Forwarding (NSF) for the Border Gateway Protocol (BGP) and Open Shortest Path First (OSPF) dynamic
routing protocols from software Version 9.3.1 and later. Refer to the release notes for ASA Version 9.3.1 for
more information about this feature.
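As an added illustration (not part of this Cisco document and not Cisco code), the following Python model encodes the failover behaviour described above: the 15-second grace period, the route-sync threshold of Version 8.4.1, and the NSF threshold of Version 9.3.1 are the document's figures; the connection table, the `FailoverEvent` record, the `nsf_configured` flag and the mapping of "NSF available" to "no outage" are assumptions made for the example. It lets an operator estimate, before a planned failover, which connections will survive given how long the peer routers take to re-form adjacencies.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Figures taken from the document above
GRACE_SECONDS = 15.0           # newly ACTIVE unit keeps forwarding on synced dynamic routes this long
ROUTE_SYNC_MIN = (8, 4, 1)     # dynamic routes replicated ACTIVE -> STANDBY from 8.4.1
NSF_MIN = (9, 3, 1)            # Non-Stop Forwarding for BGP/OSPF from 9.3.1


def parse_asa_version(text: str) -> Tuple[int, int, int]:
    """Parse a 'show version' style string such as '9.3(1)', '9.3(1)2' or
    '8.4.1' into (major, minor, maintenance). Interim build numbers are ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)[.(](\d+)", text)
    if not m:
        raise ValueError(f"unrecognised ASA version string: {text!r}")
    major, minor, maint = (int(g) for g in m.groups())
    return (major, minor, maint)


def route_sync_supported(version: str) -> bool:
    return parse_asa_version(version) >= ROUTE_SYNC_MIN


def nsf_supported(version: str) -> bool:
    return parse_asa_version(version) >= NSF_MIN


@dataclass(frozen=True)
class Connection:
    name: str
    via_dynamic_route: bool   # True if the egress route was learned by OSPF/EIGRP/BGP


@dataclass(frozen=True)
class FailoverEvent:
    version: str                       # software on the newly ACTIVE unit
    relearn_seconds: Optional[float]   # seconds after failover until adjacency + routes are back; None = never
    nsf_configured: bool = False       # hypothetical flag: NSF enabled and supported by the peer router


def connection_outcome(conn: Connection, event: FailoverEvent) -> str:
    """Classify what the document says happens to one connection:
      'kept'         - no outage expected
      'brief-outage' - survives, but a short outage while the peer refreshes its routes
      'dropped'      - torn down because routes were not relearned within GRACE_SECONDS
      'not-synced'   - pre-8.4.1 code: routes are not replicated (assumption: connection is lost)
    """
    if not conn.via_dynamic_route:
        return "kept"          # static routes exist on both units; route sync is irrelevant
    if not route_sync_supported(event.version):
        return "not-synced"
    if event.relearn_seconds is None or event.relearn_seconds > GRACE_SECONDS:
        return "dropped"
    if event.nsf_configured and nsf_supported(event.version):
        return "kept"          # assumption: NSF preserves neighbor state, closing the refresh gap
    return "brief-outage"


def summarize(conns: Iterable[Connection], event: FailoverEvent) -> Dict[str, int]:
    """Count outcomes across a connection table."""
    counts: Dict[str, int] = {}
    for conn in conns:
        outcome = connection_outcome(conn, event)
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample connection table (not captured from a real device)
    table = [
        Connection("mgmt-ssh", via_dynamic_route=False),
        Connection("branch-vpn", via_dynamic_route=True),
        Connection("dc-http", via_dynamic_route=True),
    ]
    for event in (
        FailoverEvent("9.1(2)", relearn_seconds=8.0),
        FailoverEvent("9.1(2)", relearn_seconds=22.0),
        FailoverEvent("9.4(1)", relearn_seconds=8.0, nsf_configured=True),
    ):
        print(event, "->", summarize(table, event))
```

The `relearn_seconds` value is the quantity worth measuring in a lab failover test (time from the standby becoming active until `show ospf neighbor` or `show bgp summary` reports the peers as up again); if it regularly exceeds the grace period, tune the routing-protocol timers on the peers or, on 9.3.1 and later, enable NSF rather than relying on the synced routes alone.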