Why are services interrupted after the original active firewall preempts?

Services are normal after the active/standby switchover, but they are interrupted after the original active firewall preempts. The possible cause is that the network has not converged or that sessions have not been completely backed up. In addition, if a switch fails, its interfaces may go up and down repeatedly while the switch restarts. If the firewall preempts during this process, services may be interrupted.

In this case, adjust the preemption delay of the original active firewall.

Other related questions:
Why does the original active firewall not preempt after recovery?
Possible causes are as follows:
- The preemption function is disabled.
- The preemption conditions are not met.

The original active firewall does not preempt immediately after recovery. Instead, it waits for a delay before preempting. The preemption delay is set to avoid unstable active/standby switchover.

Problem and solution when the original active firewall does not preempt the active role after recovery
Possible causes are as follows:
- The preemption function is disabled.
- The preemption hold-on timer has not expired.

The original active firewall does not perform preemption immediately after recovery. Setting a preemption hold-on time prevents repeated switchovers caused by an unstable active firewall.

Why is a service (such as voice) interrupted after NAT or a firewall is configured?
The aging time of the session table is shorter than the aging time of the service, so the session entry ages out while the service is still active. Service packets sent after the session entry has aged out are discarded, and the service is interrupted. Run the firewall-nat session aging-time command to increase the TCP/UDP timeout interval.

Why are some services interrupted after IPSG is configured on an S series switch?
If some services are interrupted after IPSG is configured on an S series switch (except the S1700), possible causes include the following:

1. DHCP snooping is not enabled on a DHCP terminal or the DHCP terminal does not obtain an IP address again after DHCP snooping is enabled. As a result, the dynamic binding table does not contain correct information about the terminal. IP packets sent by the terminal are discarded, and the terminal cannot communicate with the network.
   Solution: Enable DHCP snooping on the terminal and make the terminal obtain an IP address again to generate a dynamic binding entry in the binding table.
2. No static binding entry corresponding to a static user is generated. As a result, the user cannot go online.
   Solution: Create a static binding entry for each authorized user connected to the switch.

Note: After the ip source check user-bind enable command is configured on an interface or in a VLAN, the interface or VLAN matches all received IP packets against the binding table and discards those that do not match.
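The two IPSG causes above can be reproduced with a small model of the binding table. This is an added example, not Huawei code: the `Switch` class and its methods are hypothetical, the addresses and interface names are constructed, and it assumes a packet must match the IP, MAC, VLAN and interface of one entry.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    interface: str
    kind: str  # "dynamic" (learned by DHCP snooping) or "static" (configured)

class Switch:
    """Toy model of one switch's binding table (hypothetical, not vendor code)."""
    def __init__(self):
        self.snooping = False
        self.table = []

    def dhcp_ack(self, ip, mac, vlan, interface):
        # A dynamic entry is created only if snooping is on when the lease is granted.
        if self.snooping:
            self.table.append(Binding(ip, mac, vlan, interface, "dynamic"))

    def add_static(self, ip, mac, vlan, interface):
        self.table.append(Binding(ip, mac, vlan, interface, "static"))

    def ipsg_permits(self, ip, mac, vlan, interface):
        # Assumption: all four fields must match a single entry.
        return any((b.ip, b.mac, b.vlan, b.interface) == (ip, mac, vlan, interface)
                   for b in self.table)

    def diagnose(self, ip, mac, vlan, interface, uses_dhcp):
        if self.ipsg_permits(ip, mac, vlan, interface):
            return "forwarded"
        if any(b.ip == ip or b.mac == mac for b in self.table):
            return "dropped: entry exists but IP/MAC/VLAN/interface do not all match"
        if uses_dhcp:
            return "dropped: no dynamic entry (lease predates DHCP snooping)"
        return "dropped: no static entry for this user"

def demo():
    sw = Switch()
    pc = ("192.0.2.10", "00:00:5e:00:53:01", 10, "GE0/0/1")       # constructed DHCP terminal
    printer = ("192.0.2.20", "00:00:5e:00:53:02", 10, "GE0/0/2")  # constructed static user
    sw.dhcp_ack(*pc)         # lease obtained before snooping was enabled
    sw.snooping = True
    before = (sw.diagnose(*pc, uses_dhcp=True), sw.diagnose(*printer, uses_dhcp=False))
    sw.dhcp_ack(*pc)         # terminal obtains its address again
    sw.add_static(*printer)  # administrator creates the static entry
    after = (sw.diagnose(*pc, uses_dhcp=True), sw.diagnose(*printer, uses_dhcp=False))
    return before, after
```

`demo()` returns the verdicts for both terminals before and after the two solutions are applied.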
