Q: How long does an IAP take to fail over from the primary to the backup controller in an IAP VPN scenario?
A: By default, Instant APs verify the status of heartbeat messages every 5 seconds and look for lost packets 6 times before marking the IPsec tunnel as down.
Marking the tunnel as down therefore takes 30 seconds, after which the IAP makes one more attempt to connect to the same primary controller, since “primary tunnel retry times is set to 2 by default”.
In total, it takes 60 seconds (1 minute) to fail over from the primary controller to the backup controller.
With fast failover enabled:
When fast failover is enabled, the IAP establishes the primary and backup tunnels simultaneously. When the primary controller goes down (heartbeat miss), the Instant AP again verifies the status of heartbeat messages every 5 seconds and looks for lost packets 6 times before marking the IPsec tunnel as down.
So it takes 30 seconds to fail over from the primary controller to the backup controller, and only when fast failover is enabled.
Conclusion:
1. With default settings and without fast failover, the IAP takes 60 seconds to fail over.
2. With default settings and fast failover enabled, the IAP takes 30 seconds to fail over.