Symptom
++ FPR1K/FPR2K: Increase in failover time in Transparent Mode with high number of Sub-Interfaces
• In the debug "MAC update Time" is seen cause the delay.
17:56:03 UTC Jan 9 2023
Standby Ready Just Active Set by the config command
(failover active)
17:56:23 UTC Jan 9 2023
Just Active Active Drain Set by the config command
(failover active) <-- 20 sec delay
17:56:23 UTC Jan 9 2023
Active Drain Active Applying Config Set by the config command
(failover active)
ciscoasa/pri/act# debug menu fover 18 1
mac_prog_time :18390
tfw_mgmt_ip_time :40
ip_prog_time :540
client_notify_time:0
ifc_up_time :10
ipv6_prog_time :0
ipv4_prog_time :440
np_ha_prog_time :10
ciscoasa/pri/act# show failover trace informational
Jan 09 UTC 17:56:23.095 [SWITCH] [INFO]HA NTFY: notify client HA Internal Control of status event HA_STATUS_PEER_STATE state Standby Ready
Jan 09 UTC 17:56:22.665 [SWITCH] [INFO]MAC update Time: 18390 <----
Jan 09 UTC 17:56:04.005 [FAIL] [INFO]Vlan status(DOWN) update Time: 0
Jan 09 UTC 17:56:04.005 [SWITCH] [INFO]Primary: At 551180 Switching to ACTIVE. Set by the config command
Conditions
++ FPR2K/FPR1K in Transparent mode with high number of BVI
++ Impacts both ASA/FTD
Further Problem Description
++As per https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/device-ops-tfw.html , You can create up to 250 bridge groups, with 64 interfaces per bridge group. which is total of 16000 sub-interfaces.
