Why does the active firewall require a longer preemption delay than that on the standby firewall?

Preemption starts after the original active firewall recovers. If the preemption delay of the active firewall is shorter than that on the standby firewall, the active firewall may switch status before the session entries on the standby firewall are completely synchronized to the active firewall. As a result, some services may be interrupted. Therefore, the active firewall requires a longer preemption delay.

Preemption does not start after the standby firewall recovers. Therefore, preemption delay is meaningless for the standby firewall and you can use the default preemption delay.

Other related questions:
Does a long preemption delay for the active firewall affect the failure response speed?
No. When the active firewall fails, services are immediately switched to the standby firewall. After the original active firewall recovers, it must wait for the preemption delay before preempting. During the process, the standby firewall is working. Therefore, the long preemption delay of the active firewall does not affect the failure response speed.

Is it normal if the VRRP preemption delay configured on an AR router is different from actual delay?
It is normal. The backup-to-master conversion procedure for VRRP devices is as follows:

Backup device: If the backup device receives packets with a priority of 0 (lower than the priority of its own packets), the timer is set to Skew_time (offset time). If the packet priority is not 0, the packets are discarded and the backup device changes to the master state immediately.

Master device: The master device sends VRRP advertisement packets regularly and advertises its configuration information (priority, for example) and working state in the VRRP group. Based on the VRRP packets, the backup device determines whether the master device is working normally.
- If the master device gives up its master state (for example, it quits the backup group), it sends an advertisement packet with priority set to 0, so that the backup device can change to the master state quickly without waiting for the timer specified by Master_Down_Interval to expire. This switchover time is referred to as the skew time, and is calculated based on the formula: (256 - Backup device priority)/256 (unit: second).
- If the master device encounters a network fault and cannot send an advertisement packet, the backup device does not learn the status of the master device immediately; it detects the fault only when the timer specified by Master_Down_Interval expires. In this case, the backup device considers that the master device cannot work normally and switches over to the master state. The value of Master_Down_Interval is calculated based on the formula: 3 x Advertisement_Interval + Skew_time (unit: second).

Note: In a network with unstable performance, congestion may prevent a backup device from receiving packets from the master device within the time specified by Master_Down_Interval. In this case, the backup device automatically switches over to the master state. If the packets from the master device arrive then, the device switches back to the backup state. This is likely to cause frequent switchover between VRRP devices. To mitigate this, a preemption delay can be configured so that the backup device waits for the preemption delay time after the timer specified by Master_Down_Interval expires. Before this delay time expires, the backup device will not switch over to the master state even if it does not receive an advertisement packet.
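The timer behaviour described above can be replayed in a small model. This is an added example, not vendor code: it assumes a 1-second Advertisement_Interval, a backup priority of 100, a master priority of 120, constructed advertisement arrival times, and that the preemption delay is added after whichever timer is running.

```python
ADV_INTERVAL = 1.0  # assumed Advertisement_Interval in seconds

def skew_time(priority):
    """Skew_time = (256 - backup priority) / 256, in seconds."""
    return (256 - priority) / 256

def master_down_interval(priority, adv=ADV_INTERVAL):
    """Master_Down_Interval = 3 x Advertisement_Interval + Skew_time."""
    return 3 * adv + skew_time(priority)

def simulate_backup(adverts, priority, preempt_delay=0.0, horizon=30.0):
    """Replay (arrival_time, master_priority) adverts against one backup.

    Returns the backup's state changes as a list of (time, new_state).
    Modelling assumption: preempt_delay is added after whichever timer runs.
    """
    state, changes = "backup", []
    deadline = master_down_interval(priority) + preempt_delay
    for t, master_prio in sorted(adverts) + [(horizon, None)]:
        if state == "backup" and deadline <= t:
            # Timer (plus delay) ran out before this event: take over.
            state = "master"
            changes.append((deadline, state))
        if master_prio is None:          # end-of-run sentinel
            break
        if state == "master":
            if master_prio <= priority:  # not a better master: stay master
                continue
            state = "backup"             # original master is back: step down
            changes.append((t, state))
        # Priority 0 means the master is resigning: wait only Skew_time.
        timer = skew_time(priority) if master_prio == 0 else master_down_interval(priority)
        deadline = t + timer + preempt_delay
    return changes

# Constructed arrival times: congestion delays the adverts due at t=3,4,5.
CONGESTED = [(t, 120) for t in (0, 1, 2, 6, 7, 8, 9, 10)]
# Constructed arrival times: the master dies after t=2.
FAILED = [(t, 120) for t in (0, 1, 2)]

if __name__ == "__main__":
    for delay in (0.0, 2.0):
        print(delay, simulate_backup(CONGESTED, 100, delay, horizon=11.0),
              simulate_backup(FAILED, 100, delay))
```

With no delay the congested run flaps (master, then backup again); with a 2-second delay it does not, and a genuine failure is taken over later than the configured delay alone because Master_Down_Interval elapses first.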

Why are commands executed on the active firewall not synchronized to the standby firewall?
If you disable the automatic configuration synchronization function, the configurations are not synchronized. In addition, not all commands can be synchronized. For example, interface and routing configurations cannot be synchronized. For commands that can be synchronized, see Specifications.

Why are the session tables on the active and standby firewalls different?
Check the status of the heartbeat link. If the heartbeat link fails, the sessions on the active firewall cannot be synchronized to the standby firewall. If the automatic session backup function is disabled, the sessions on the two firewalls are different.

Even when the automatic session backup function is enabled, sessions are not synchronized in real time. A session is synchronized to the standby firewall only after the session aging thread detects it as a session to be synchronized. Therefore, established sessions are synchronized to the standby firewall after a period (about 10 seconds).

The firewalls do not back up sessions of the following types when the automatic session backup function is enabled:
- Sessions to the firewall
- Half-open TCP connections
- Sessions in which the first packets are UDP packets and subsequent packets are not (such as the BitTorrent packets)

Why is the delay large when a USG firewall pings itself?
A large delay when the USG2000, USG5000, or USG6000 pings itself is normal. The reasons are as follows:
1. A ping packet addressed to the device itself has to be sent from the LPU to the MPU for processing, passing from the LPU over the backplane.
2. The MPU has limited processing capacity and is also the control core of the device, so its processing performance must not be exceeded. Packets sent to the MPU are therefore protected by rate limiting.
As a result, traffic destined for the device itself may experience some delay, which is normal.
