List: sidewinder
Subject: Re: [Sidewinder] Reducing HA failover times
From: sidewinder () adeptech ! com
Date: 2005-09-29 16:28:19
Message-ID: 433C1623.7050604 () spawar ! navy ! mil
The OSPF timers were tuned very low. I tested the HELLO to as low as 2
seconds and the dead timer to 6 seconds. Since OSPF is a link-state
routing protocol, I actually don't think these had an effect. When the
secondary firewall took over and sends the initial hello, the firewall
and router should establish a relationship right away.
Thanks for the input though.
Can anyone running in HA mode without dynamic routing provide the
failover times they see and priority values? I suspect the delay I am
seeing may be caused by the gated process being started late in the
failover process, but that is only a guess.
sidewinder@adeptech.com wrote:
> sidewinder@adeptech.com wrote:
>
>> We have been able to get HA failover down to just under 40 seconds by
>> increasing the priority settings. We are running gated to provide dynamic
>> routing via OSPF.
>>
>> Based on the info I have, there is a built-in ping for HA and it must
>> fail for 3 seconds prior to the failover processing to begin. At that
>> point there is another delay that the user can manage via the priority
>> setting. We configured our priority so that this process should last
>> 8 seconds. I added 500 routes to my internal router and I can start
>> gated and it will learn all routes in about 5 seconds.
>>
>> Adding these times, 3 second ping, 8 second HA failover, and 5 seconds
>> for gated, only account for 18 seconds. Does anyone know why HA is
>> taking almost 40 seconds?
>>
>> I assume that the Sidewinder G2 has to bring up all of the services,
>> read in its policy, etc, prior to starting gated and these other
>> processes are taking up the extra time.
>>
>> I also wonder if the failover would be faster if we were not using
>> dynamic routing. Can anyone that is running in HA without dynamic
>> routing comment on the failover times they are seeing relative to the
>> priority setting on the firewall?
>>
>> _______________________________________________
>> Sidewinder mailing list
>> Sidewinder@adeptech.com
>> http://mail.adeptech.com/mailman/listinfo/sidewinder
>>
> 40 seconds is the default dead timer for OSPF. It sounds like the
> firewall failover is working, but the router is waiting for that timer
> to expire. You can reduce the hello and dead timers on the Sidewinders
> and the routers for faster failover. Normally the dead timer is 4 times
> the hello timer.
>
> Hope that helps,
>
> Joe