1.

Give a detailed explanation of the Tentative HA Firewall state.

Answer»

A firewall in an active/active configuration enters the tentative state for one of the following reasons:

  • When a firewall has failed.
  • A monitored object's failure (a link or path).
  • When the firewall goes into a suspended or non-working condition.

A firewall in the tentative state continues to synchronise sessions and configuration from its peer.

  • When a firewall in a virtual wire deployment enters a tentative state owing to a path failure and gets a packet to forward, it passes the packet to the peer firewall for processing through the HA3 connection. The packet is processed by the peer firewall and transmitted back to the firewall through the HA3 link to be sent out the egress interface. In a virtual wire deployment, this behaviour keeps the forwarding path intact.
  • When a firewall in the tentative state receives a packet in a Layer 3 deployment, it transmits it over the HA3 connection to the peer firewall to own or set up the session. This firewall either sends the packet out to the destination or sends it back to the peer in a tentative state for forwarding, depending on the network topology.

The Tentative Hold Time starts, and routing convergence takes place, when a failed path or link clears or when a failed firewall changes from the tentative to the active-secondary state. Before processing any packets, the firewall tries to establish routing adjacencies and populate its route table. Without this timer, the recovering firewall would immediately enter the active-secondary state and silently discard packets because it does not yet have sufficient routes.

After its links are up and able to receive incoming packets, a firewall leaves the suspended state and stays in the tentative state for the Tentative Hold Time. The Tentative Hold Time (sec) can be disabled by setting it to 0 seconds, or set to a value between 10 and 600 seconds; the default is 60 seconds.
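The effect of the hold time is easiest to see in a small simulation. The following Python model is an added example, not PAN-OS code and not part of the original answer: it models a recovering firewall whose route table is empty until an assumed convergence time, compares a disabled timer (packets dropped until routes exist) with an enabled one (packets handed to the peer over HA3 until the timer expires), and checks the 0 / 10-600 second range for the setting. The per-packet timing, prefix and firewall names are constructed for the illustration.

```python
"""Toy model of the HA tentative state and Tentative Hold Time.

Constructed illustration only: not PAN-OS code and no claim about the real
implementation.  Time advances one step per packet, one packet per second,
an assumption made to keep the model small.
"""
from dataclasses import dataclass, field
from enum import Enum


class HAState(Enum):
    SUSPENDED = "suspended"
    TENTATIVE = "tentative"
    ACTIVE_SECONDARY = "active-secondary"
    ACTIVE_PRIMARY = "active-primary"


def valid_tentative_hold_time(seconds: int) -> bool:
    """0 disables the timer; otherwise the value must lie in 10..600 seconds."""
    return seconds == 0 or 10 <= seconds <= 600


@dataclass
class Firewall:
    name: str
    state: HAState
    routes: set = field(default_factory=set)  # destination prefixes this box can route
    peer: "Firewall | None" = None
    ha3_sent: int = 0                         # packets handed to the peer over HA3
    dropped: int = 0

    def handle_packet(self, dst: str) -> str:
        """Layer 3 forwarding decision for a packet arriving on this firewall."""
        if self.state is HAState.SUSPENDED:
            self.dropped += 1
            return "dropped"
        if self.state is HAState.TENTATIVE:
            # Tentative: hand the packet to the peer over HA3 instead of
            # consulting a route table that may still be empty.
            self.ha3_sent += 1
            return self.peer.forward_for_peer(dst)
        # Active-secondary / active-primary: forward only if a route exists.
        if dst in self.routes:
            return "delivered"
        self.dropped += 1
        return "dropped"

    def forward_for_peer(self, dst: str) -> str:
        """Peer side of the HA3 handoff (the return path over HA3 is not modelled)."""
        if dst in self.routes:
            return "forwarded-via-ha3"
        self.dropped += 1
        return "dropped"


def simulate_recovery(hold_time: int, convergence_time: int, packets: int) -> list:
    """Bring a suspended firewall back with its links up and replay `packets`
    seconds of traffic.  `convergence_time` is the assumed number of seconds the
    routing adjacencies need before the route table is populated.  Returns the
    outcome of each packet in order."""
    if not valid_tentative_hold_time(hold_time):
        raise ValueError(f"tentative hold time {hold_time}s must be 0 or in 10..600")
    peer = Firewall("fw-peer", HAState.ACTIVE_PRIMARY, routes={"10.0.0.0/8"})
    fw = Firewall("fw-recovering", HAState.SUSPENDED, peer=peer)
    peer.peer = fw
    # Links are up: leave suspended for tentative (timer enabled) or go
    # straight to active-secondary (timer disabled).
    fw.state = HAState.TENTATIVE if hold_time > 0 else HAState.ACTIVE_SECONDARY
    outcomes = []
    for t in range(packets):
        if t >= convergence_time:
            fw.routes = set(peer.routes)         # adjacencies up, route table populated
        if fw.state is HAState.TENTATIVE and t >= hold_time:
            fw.state = HAState.ACTIVE_SECONDARY  # hold time expired
        outcomes.append(fw.handle_packet("10.0.0.0/8"))
    return outcomes


if __name__ == "__main__":
    print("timer disabled (0 s):", simulate_recovery(0, 5, 8))
    print("hold time 10 s:      ", simulate_recovery(10, 5, 12))
```

With the timer disabled the recovering box silently drops the first five packets, exactly the failure the answer describes; with a 10 second hold time every packet during that window reaches the peer over HA3 and forwarding only moves back to the recovering firewall once the timer has expired and its routes exist. Choosing a hold time at least as long as your real convergence time is the practical takeaway.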
