State of a firewall (in an active/active configuration) caused by one of the following:

A firewall in tentative state synchronizes sessions and configurations from the peer.

In a virtual wire deployment, when a firewall enters tentative state due to a path failure and receives a packet to forward, it sends the packet to the peer firewall over the HA3 link for processing. The peer firewall processes the packet and sends it back over the HA3 link to the firewall to be sent out the egress interface. This behavior preserves the forwarding path in a virtual wire deployment.

In a Layer 3 deployment, when a firewall in tentative state receives a packet, it sends that packet over the HA3 link for the peer firewall to own or set up the session. Depending on the network topology, the peer firewall either sends the packet out to the destination or sends it back to the firewall in tentative state for forwarding.

After the failed path or link clears or as a failed firewall transitions from tentative state to active-secondary state, the Tentative Hold Time is triggered and routing convergence occurs. The firewall attempts to build routing adjacencies and populate its route table before processing any packets. Without this timer, the recovering firewall would enter active-secondary state immediately and would silently discard packets because it would not have the necessary routes.

When a firewall leaves suspended state, it goes into tentative state for the Tentative Hold Time after links are up and able to process incoming packets.

The Tentative Hold Time (sec) can be disabled (0 seconds) or set in the range 10-600; the default is 60.
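The following added example (not vendor code) is a simplified model of the Layer 3 behavior described above, showing how long a recovering firewall would discard traffic for a given Tentative Hold Time. The function names, the fate labels and the 25-second convergence time are assumptions made for illustration, as is the premise that the hold timer and routing convergence start at the same instant.

```python
# Added example: simplified model of the Tentative Hold Time (Layer 3 case).
# Assumption: the hold timer and routing convergence start at the same instant.
HOLD_DISABLED = 0                 # "disabled (0 seconds)" per the text
HOLD_MIN, HOLD_MAX = 10, 600      # allowed range in seconds, per the text
HOLD_DEFAULT = 60                 # default in seconds, per the text


def validate_hold_time(seconds: int) -> int:
    """Return seconds if it is 0 (disabled) or within 10-600, else raise."""
    if seconds == HOLD_DISABLED or HOLD_MIN <= seconds <= HOLD_MAX:
        return seconds
    raise ValueError(f"Tentative Hold Time must be 0 or 10-600, got {seconds}")


def packet_fate(arrival: float, hold_time: int, convergence: float) -> str:
    """Fate of a packet arriving `arrival` seconds after the failed path clears.

    convergence is the (constructed) time the recovering firewall needs to
    build adjacencies and populate its route table.
    """
    hold_time = validate_hold_time(hold_time)
    if arrival < hold_time:
        return "sent-to-peer-over-HA3"   # still tentative: peer owns the session
    if arrival < convergence:
        return "silently-discarded"      # active-secondary, routes missing
    return "processed-locally"           # active-secondary, routes present


def discard_window(hold_time: int, convergence: float) -> float:
    """Seconds during which the recovering firewall drops traffic."""
    return max(0.0, convergence - validate_hold_time(hold_time))


if __name__ == "__main__":
    convergence = 25.0  # constructed value, not from the documentation
    for hold in (HOLD_DISABLED, HOLD_MIN, HOLD_DEFAULT):
        print(hold, discard_window(hold, convergence),
              [packet_fate(t, hold, convergence) for t in (5, 20, 70)])
```

In this model the discard window is zero only when the hold time is at least as long as routing convergence, which is the sizing check to apply before lowering or disabling the timer.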