Best practice for ASA Active/Standby failover

Hi,
I have configured a pair of Cisco ASA in Active/Standby mode (see attached). What can be done to allow traffic to go from R1 to R2 via ASA2 when ASA1 inside or outside interface is down?
Currently this happens only when ASA1 is down (shutdown). Is there any recommended best practice for such network redundancy? Thanks in advance!

Hi Vibhor,
I tested ping from R1 to R2, and the pings drop when I shut down either the inside (g1) or outside (g0) interface of the Active ASA. Below are the ASA 'show failover' and 'show run' outputs:
ASSA1# conf t
ASSA1(config)# int g1
ASSA1(config-if)# shut
ASSA1(config-if)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 60 maximum
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 14:20:00 SGT Nov 18 2014
        This host: Primary - Active
                Active time: 7862 (sec)
                  Interface outside (100.100.100.1): Normal (Monitored)
                  Interface inside (192.168.1.1): Link Down (Monitored)
                  Interface mgmt (10.101.50.100): Normal (Waiting)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface outside (100.100.100.2): Normal (Monitored)
                  Interface inside (192.168.1.2): Link Down (Monitored)
                  Interface mgmt (0.0.0.0): Normal (Waiting)
Stateful Failover Logical Update Statistics
        Link : FAILOVER GigabitEthernet2 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         1053       0          1045       0
        sys cmd         1045       0          1045       0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         2          0          0          0
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     0          0          0          0
        VPN IKEv1 SA    0          0          0          0
        VPN IKEv1 P2    0          0          0          0
        VPN IKEv2 SA    0          0          0          0
        VPN IKEv2 P2    0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0
        Route Session   5          0          0          0
        User-Identity   1          0          0          0
        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       9       1045
        Xmit Q:         0       30      10226
ASSA1(config-if)#
ASSA1# sh run
: Saved
ASA Version 8.4(2)
hostname ASSA1
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 100.100.100.1 255.255.255.0 standby 100.100.100.2
 ospf message-digest-key 20 md5 *****
 ospf authentication message-digest
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
 ospf message-digest-key 20 md5 *****
 ospf authentication message-digest
interface GigabitEthernet2
 description LAN/STATE Failover Interface
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
interface GigabitEthernet4
 nameif mgmt
 security-level 0
 ip address 10.101.50.100 255.255.255.0
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
ftp mode passive
clock timezone SGT 8
access-list OUTSIDE_ACCESS_IN extended permit icmp any any
pager lines 24
logging timestamp
logging console debugging
logging monitor debugging
mtu outside 1500
mtu inside 1500
mtu mgmt 1500
failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet2
failover link FAILOVER GigabitEthernet2
failover interface ip FAILOVER 192.168.99.1 255.255.255.0 standby 192.168.99.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715-100.bin
no asdm history enable
arp timeout 14400
access-group OUTSIDE_ACCESS_IN in interface outside
router ospf 10
 network 100.100.100.0 255.255.255.0 area 1
 network 192.168.1.0 255.255.255.0 area 0
 area 0 authentication message-digest
 area 1 authentication message-digest
 log-adj-changes
 default-information originate always
route outside 0.0.0.0 0.0.0.0 100.100.100.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.101.50.0 255.255.255.0 mgmt
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 10.101.50.0 255.255.255.0 mgmt
ssh timeout 5
console timeout 0
tls-proxy maximum-session 10000
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:fafd8a885033aeac12a2f682260f57e9
: end
ASSA1#
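
The 'show failover' output in the post above can be checked mechanically. The following Python sketch is an added example, not part of the original post or of any Cisco tooling: it parses the unit and interface lines and compares the active unit with its mate. The function names are hypothetical, and the rule that an interface down on both units does not count toward the interface policy is a simplified assumption about ASA behaviour.

```python
import re

# Unit and interface lines copied from the 'show failover' output in the post above.
SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet2 (up)
Interface Policy 1
Monitored Interfaces 3 of 60 maximum
        This host: Primary - Active
                Active time: 7862 (sec)
                  Interface outside (100.100.100.1): Normal (Monitored)
                  Interface inside (192.168.1.1): Link Down (Monitored)
                  Interface mgmt (10.101.50.100): Normal (Waiting)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface outside (100.100.100.2): Normal (Monitored)
                  Interface inside (192.168.1.2): Link Down (Monitored)
                  Interface mgmt (0.0.0.0): Normal (Waiting)
"""

POLICY_RE = re.compile(r"^\s*Interface Policy (\d+)\s*$")
UNIT_RE = re.compile(r"^\s*(This|Other) host:\s*(\S+)\s*-\s*(.+?)\s*$")
IFACE_RE = re.compile(
    r"^\s*Interface (\S+) \(([^)]*)\):\s*(.+?)(?:\s*\(([^)]*)\))?\s*$"
)


def parse_show_failover(text):
    """Return the interface policy and per-unit interface states."""
    state = {"policy": None, "units": {}}
    current = None
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            # Only a numeric policy is handled; percentage policies are skipped.
            state["policy"] = int(m.group(1))
            continue
        m = UNIT_RE.match(line)
        if m:
            current = {"unit": m.group(2), "role": m.group(3), "interfaces": {}}
            key = "local" if m.group(1) == "This" else "mate"
            state["units"][key] = current
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            name, ip, status, tag = m.groups()
            current["interfaces"][name] = {"ip": ip, "status": status, "tag": tag}
    return state


def assess(state):
    """Compare the active unit's interfaces with the same interfaces on its mate."""
    units = list(state["units"].values())
    active = next((u for u in units if u["role"].startswith("Active")), None)
    standby = next((u for u in units if u is not active), None)
    if active is None or standby is None:
        raise ValueError("need one active unit and its mate in the output")

    counted, down_on_both, not_monitoring, missing_standby_ip = [], [], [], []
    for name, a in active["interfaces"].items():
        s = standby["interfaces"].get(name, {"ip": "", "status": "", "tag": None})
        if "0.0.0.0" in (a["ip"], s["ip"]):
            # No address on one unit: hellos cannot be exchanged on this interface.
            missing_standby_ip.append(name)
        if a["tag"] != "Monitored":
            not_monitoring.append(name)
            continue
        if a["status"] == "Normal":
            continue
        # Assumption: a failure only counts if the mate's interface is healthy.
        if s["status"] == "Normal":
            counted.append(name)
        else:
            down_on_both.append(name)

    policy = state["policy"]
    return {
        "active_unit": active["unit"],
        "counted_toward_policy": counted,
        "down_on_both": down_on_both,
        "not_monitoring": not_monitoring,
        "missing_standby_ip": missing_standby_ip,
        "threshold_met": None if policy is None else len(counted) >= policy,
    }


if __name__ == "__main__":
    for key, value in assess(parse_show_failover(SHOW_FAILOVER)).items():
        print(f"{key}: {value}")
```

On the posted output this reports inside as down on both units and mgmt as having no standby address, which is consistent with the mgmt interface in the posted config carrying no standby IP.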

Similar Messages

  • Cisco ASA Active standby failover problem

    We have configured ASA Active/Standby failover with ASA5505. When the primary unit powers off, the secondary unit becomes active. When the primary unit powers on, the primary unit becomes active again. I think for an active/standby setup there is no preemption. The real issue is that when the primary ASA becomes active after power-on, all the external connectivity goes down. Please see the config below:
    ASA01# show run
    ASA01# show running-config 
    : Saved
    ASA Version 8.2(5) 
    hostname ASA01
    enable password PVSASRJovmamnVkD encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 192.168.1.1 MPLS_Router description MPLS_Router 
    name 192.168.2.1 SCADA_Router description SCADA_Router
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
     switchport access vlan 2
    interface Ethernet0/3
    interface Ethernet0/4
     switchport access vlan 3
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.3.8 255.255.255.0 standby 192.168.3.9 
    interface Vlan2
     nameif outside
     security-level 0
     ip address 192.168.1.8 255.255.255.0 standby 192.168.1.9 
    interface Vlan3
     description LAN Failover Interface
    ftp mode passive
    clock timezone AST 3
    access-list inside_access_in extended permit icmp any any 
    access-list inside_access_in extended permit ip any any 
    access-list inside_access_in extended permit ip any host MPLS_Router 
    access-list outside_access_in extended permit icmp any any 
    access-list outside_access_in extended permit ip any any 
    access-list outside_access_in extended permit ip any 192.168.2.0 255.255.255.0 
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    failover
    failover lan unit primary
    failover lan interface FAILOVER Vlan3
    failover key *****
    failover interface ip FAILOVER 10.1.1.1 255.255.255.0 standby 10.1.1.2
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route-map Route_Out permit 1
     match ip address inside_access_in outside_access_in
     match interface inside
    route outside 0.0.0.0 0.0.0.0 MPLS_Router 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.2.0 255.255.255.0 inside
    http authentication-certificate inside
    http authentication-certificate outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet 192.168.2.0 255.255.255.0 inside
    telnet 192.168.1.0 255.255.255.0 outside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username admin password eY/fQXw7Ure8Qrz7 encrypted
    prompt hostname context 
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:1a8e46a787aa78502ffd881ab62d1c31
    : end

    I suggest removing the failover configuration on both units and then re-add them, and then test.
    Primary
    failover lan interface FAILOVER Vlan3
    failover interface ip FAILOVER 10.1.1.1 255.255.255.0 standby 10.1.1.2
    failover lan unit primary
    failover key KEY
    failover
    Secondary
    failover lan interface FAILOVER Vlan3
    failover interface ip FAILOVER 10.1.1.1 255.255.255.0 standby 10.1.1.2
    failover lan unit secondary
    failover key KEY
    failover
    Please remember to select a correct answer and rate helpful posts

  • Best Practices for ASA 5500 Device Monitoring

    I have looked high and low and am unable to find anything on this topic. I am hoping that somebody here may be able to share some insight into what are considered the best practices for monitoring ASA's--specifically the 5510 with Sec+ License.
    My current monitoring application keeps reporting issues with outbound interface buffers being too high, but there are not any performance issues and I believe the thresholds are just set absurdly low.
    Thank you in advance for any assistance.

    Hi James,
    You probably won't be able to find any all-encompassing documentation for these types of best practices that cover all scenarios. The better method would be to define exactly what items you'd like to monitor and we can provide some guidance on how to best get that working for you.
    -Mike

  • Best Practice for ASA Route Monitoring Options?

    We have a pair of Cisco ASA 5505s located in different locations, and there are two point-to-point links between those two locations: one primary link (static route with low metric) and one backup (static route with high metric). The tracked option is enabled for monitoring the state of the primary route. The detailed parameters of the options are as below:
    Frequency: 30 seconds               Data Size: 28 bytes
    Threshold: 3000 milliseconds     Tos: 0
    Time out: 3000 milliseconds          Number of Packets: 8
    ------ show run------
    sla monitor 1
    type echo protocol ipIcmpEcho 10.200.200.2 interface Intersite_Traffic
    num-packets 8
    timeout 3000
    threshold 3000
    frequency 30
    sla monitor schedule 1 life forever start-time now
    ------ show run------
    I'm not sure if the setting is so sensitive that the secondary static route begins to work right away, even when some small link flaps occur.
    What is the best practice for setting those parameters in a production environment? How can we specify reasonable monitoring options to fit our needs?
    Thank you for any idea.

    Hello,
    Of course, too sensitive might cause failover to happen when some packets get lost, but remember the whole purpose of this is to provide as little downtime to your network as possible.
    Now if you tune these parameters, what happens is that failover will be triggered on a different time basis.
    This is taken from a Cisco document (if you tune the sla process as this states, 3 packets will be sent each 10 seconds, so 3 of them need to fail to SLA to happen). This Cisco configuration example looks good, but there are network engineers that would rather use a lower time-line than that.
    sla monitor 123
    type echo protocol ipIcmpEcho 10.0.0.1 interface outside
    num-packets 3
    frequency 10
    Regards,
    Remember to rate all of the helpful posts ( If you need assistance knowing how to rate a post just let me know )

  • Best practice for BC activation

    Hi All,
    Can anyone suggest the best ways to install business content? I have had problems many times. What are the points we should keep in mind? The best approach would be very helpful for future perusal.
    Also Last time I went for a option as before and after and it had overwritten all the existing ones for which people had customized stuff....so that was a big thing....
    Kindly update ...
    Thanks
    Tina

    Hi,
    I hope the following links are sufficient for getting a better idea of activation of Business content.
    http://help.sap.com/saphelp_bw32/helpdata/en/80/1a66d5e07211d2acb80000e829fbfe/frameset.htm
    http://help.sap.com/saphelp_bw32/helpdata/en/62/35dbbff5d7054aaae9cd79aeb815c7/frameset.htm
    Problem on 0DBDUNS:
    In the screen of Business content activation ,I hope, you have selected 'Data flow before' as the grouping ,in the activation of Data target. If so, remove the tick mark for 'Instalation' of those 0DBDUNS_APPENDIX_ATTR_1 and 0DBDUNS_IMPORT_ATTR  update rules.
    With rgds,
    Anil Kumar Sharma .P

  • ASA Active/Standby mode and Hello messages

    Hi Everyone,
    On ASA Active/Standby mode I know that, say, the inside or any other interface of the active and standby ASA should connect to the same switch and VLAN.
    When we assign say ip address to inside interface of both ASA like
    ip address 192.168.x.1 255.255.255.0 standby 192.168.x.2 255.255.255.0
    Need to know if these inside interface talk to each other or not?
    Do they send hello messages?
    Thanks
    MAhesh

    Hi Mahesh,
    The ASA Active/Standby Failover pair uses both the dedicated Failover interface and the actual Data interfaces to monitor the "health" of the Failover pair.
    The units send Failover hello messages and wait for a reply to determine if the other unit is alive or not.
    By default all Physical interfaces are automatically monitored. To my understanding Logical interfaces such as Trunk interfaces are NOT monitored by default. You will have to configure monitoring for each subinterface of the Trunk that you want to be monitored.
    You would use the command
    monitor-interface
    Check the Command Reference section for this
    http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/m.html#wp2123112
    I would also suggest reading the following section of the Configuration Guide
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ha_overview.html#wp1079010
    It has information of the Unit and Interface health monitoring of the Failover pair.
    If you want to debug Failover activity you could use the command
    debug fover
    It has multiple additional parameters after that command
    Here is the Command Reference section for the debug command
    http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/d1.html#wp2093011
    You can even attach a computer on the switch between the ASAs and capture the packets between them, and you can see the Failover messages etc. from the ASAs
    - Jouni

  • ASA 5520 VPN load balancing with Active/Standby failover on 2 devices only...

    This topic has been beat to death, but I did not see a real answer. Here is configuration:
    1) 2 x ASA 5520, running 8.2
    2) Both ASA are in same outside and inside interface broadcast domains – common Ethernet on interfaces
    3) Both ASA are running single context but are active/standby failovers of each other. There are no more ASA’s in the equation. Just these 2. NOTE: this is not a Active/Active failover configuration. This is simply a 1-context active/standby configuration.
    4) I want to share VPN load among two devices and retain active/standby failover functionality. Can I use VPN load balancing feature?
    This sounds trivial, but I cannot find a clear answer (without testing this); and many people are confusing the issue. Here are some examples of confusion. These do not apply to my scenario.
    Active/Active failover is understood to mean only two ASA running multi-contexts. Context 1 is active on ASA1 Context 2 is active on ASA2. They are sharing failover information. Active/Active does not mean two independently configured ASA devices, which do not share failover communication, but do VPN load balancing. It is clear that this latter scenario will work and that both ASA are active, but they are not in the Active/Active configuration definition. Some people are calling VPN load balancing on two unique ASA’s “active/active”, but it is not
    The other confusing thing I have seen is that VPN config guide for VPN load balancing mentions configuring separate IP address pools on the VPN devices, so that clients on ASA1 do not have IP address overlap with clients on ASA2. When you configure ip address pool on active ASA1, this gets replicated to standby ASA2. In other words, you cannot have two unique IP address pools on a ASA Active/Standby cluster. I guess I could draw addresses from external DHCP server, and then do some kind of routing. Perhaps this will work?
    In any case, any experts out there that can answer question? TIA!

    Wow, some good info posted here (both questions and some answers). I'm in a similar situation with a couple of vpn load-balanced pairs... my goal was to get active-standby failover up and running in each pair- then I ran into this thread and saw the first post about the unique IP addr pools (and obviously we can't have unique pools in an active-standby failover rig where the complete config is replicated). So it would seem that these two features are indeed mutually exclusive. Real nice initial post to call this out.
    Now I'm wondering if the ASA could actually handle a single addr pool in an active-standby fo rig- *if* the code supported the exchange of addr pool status between the fo members (so they each would know what addrs have been farmed out from this single pool)? Can I get some feedback from folks on this? If this is viable, then I suppose we could submit a feature request to Cisco... not that this would necessarily be supported anytime soon, but it might be worth a try. And I'm also assuming we might need a vip on the inside int as well (not just on the outside), to properly flip the traffic on both sides if the failover occurs (note we're not currently doing this).
    Finally, if a member fails in a std load-balanced vpn pair (w/o fo disabled), the remaining member must take over traffic hitting the vip addr (full time)... can someone tell me how this works? And when this pair is working normally (with both members up), do the two systems coordinate who owns the vip at any time to load-balance the traffic? Is this basically how their load-balancing scheme works?
    Anyway, pretty cool thread... would really appreciate it if folks could give some feedback on some of the above.
    Thanks much,
    Mike

  • Best practice for server configuration for iTunes U

    Hello all, I'm completely new to iTunes U, never heard of this until now and we have zero documentation on how to set it up. I was given the task to look at best practice for setting up the server for iTunes U, and I need your help.
    *My first question*: Can anyone explains to me how iTunes U works in general? My brief understanding is that you design/setup a welcome page for your school with sub categories like programs/courses, and within that you have things like lecture audio/video files and students can download/view them on iTunes. So where are these files hosted? Is it on your own server or is it on Apple's server? Where & how do you manage the content?
    *2nd question:* We have two Xserve(s) sitting in our server room ready to roll, my question is what is the best method to configure them so it meets our need of "high availability in active/active mode, load balancing, and server scaling". Originally I was thinking about using a 3rd party load balancing device to meet these needs, but I was told there is no budget for it so this is not going to happen. I know there is IP Failover but one server has to sit in standby mode which is a waste. So the most likely scenario is to setup DNS round robin and put both xserves in active/active. My question now is (this maybe related to question 1), say that all the content data like audio/video files are stored by us, (We are going to link a portion of our SAN space to Xserve for storage), if we are going with DNS round robin and put the 2 servers in Active/Active mode, can both servers access a common shared network space? or is this not possible and each server must have its own storage space? And therefore I must use something like RSYNC to make sure contents on both servers are identical? Should I use XSAN or is RSYNC good enough?
    Since I have no experience with iTunes U whatsoever, I hope you understand my questions, any advice and suggestion are most welcome, thanks!

    Raja Kondar wrote:
    What is the Best Practice for having server pool i.e
    1) having a single large serverpool consisting of "n" number of guest vm
    2) having a multiple small serverpool consisting of less of number of guest vm
    I prefer option 1, as this gives me the greatest amount of resources available. I don't have to worry about resources in smaller pools. It also means there are more resources across the pool for HA purposes. Not sure if this is Official Best Practice, but it is a simpler configuration.
    Keep in mind that a server pool should probably have up to 20 servers in it: OCFS2 starts to strain after that.

  • Active/Standby Failover with pair of 5510s and redundant L2 links

    Hi
    I just got two ASA5510-SEC-BUN-K9 and I'm wondering: is it possible to implement an Active/Standby Failover configuration (Routed mode) with two ASA5510s and a redundant pair of switches on both inside and outside interfaces? In other words, I would like to have two L2 links from each ASA (in the pair of ASAs) to each L2 switch (in the pair of redundant L2 switches). The configuration I would like to achieve is just like the one in Cisco Security Appliance Command Line Configuration Guide, page B-23, figure B-8, with the only difference that I wouldn't go with multiple security contexts (I want Active/Standby failover).
    Thanks in advance
    Zoran Milenkovic

    Hello Zoran,
    Absolutely. You can have 2 ASAs configured in Active/Standby mode. For reference, here is a link which has a network connectivity diagram based on PIX, however, connectivity would still be same with ASAs-
    http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/failover.html#wp1053462
    The difference is that on ASA, you can only have LAN-Based failover, hence you'll need to use one additional interface on both ASAs for failover-link. You can connect these two failover-link interfaces directly using a cross cable.
    Apart from this, please refer to following link on how to go with configuration of Lan-based Active/Standby failover-
    http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/failover.html#wp1064158
    Also make sure that both ASAs have required hardware/software/license based on following link-
    http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/failover.html#wp1047269
    Hope this helps.
    Regards,
    Vibhor.

  • Active/Standby failover automatic primary active

    I have 2 ASAs 5510 with same physical configuration and running ok with active/standby failover mode. Like we have PREEMPT command in active/active failover to get back primary active after its been rebooted from failed mode. This command makes primary back to active and makes secondary firewall standby automatically.
    Need help to know any such command for active/standby failover for automatic primary active. Currently we have to use command FAILOVER ACTIVE on primary to make it active manually.

    Remember, failover in ASA works differently than HSRP. ASA does NOT use
    HSRP. Furthermore, there is NO HSRP ip address in ASA either. You are
    talking about two different technologies.
    Think of it this way. HSRP technology works very similar to VRRP and
    Juniper NSRP. All of these technologies use virtual IP address. If you
    have two devices, you will have a virtual IP address, in addition
    to the physical ip addresses of the two devices. ASA does not use the
    extra VIP.

  • Networking "best practice" for setting up a farm

    Hi all.
    We would like to set an OracleVM farm, and I have a question about "best practice" for
    configuring the network. Some background:
    - The hardware I have is comprised of machines with 4 gig-eth NICs each.
    - The storage will be coming primarily from a backend NAS appliance (Netapp, FWIW).
    - We have already allocated a separate VLAN for management.
    - We would like to have HA capable VMs using OCFS2 (on top of NFS.)
    I'm trying to decide between 2 possible configurations. The first would keep physical separation
    between the mgt/storage networks and the DomU networks. The second would just trunk
    everything together across all 4 NICs, something like:
    Config 1:
    - eth0 - management/cluster-interconnect
    - eth1 - storage
    - eth2/eth3 => bond0 - 8021q trunked, bonded interfaces for DomUs
    Config 2:
    - eth0/1/2/3 => bond0
    Do people have experience or recommendation about the best configuration?
    I'm attracted to the first option (perhaps naively) because CI/storage would benefit
    from dedicated bandwidth and this configuration might also be more secure.
    Regards,
    Robert.

    user1070509 wrote:
    Option #4 (802.3ad) looks promising, but I don't know if this can be made to work across
    separate switches.
    It can, if your switches support cross-switch trunking. Essentially, 802.3ad (also known as LACP or EtherChannel on Cisco devices) requires your switch to be properly configured to allow trunking across the interfaces used for the bond. I know that the high-end Cisco and Juniper switches do support LACP across multiple switches. In the Cisco world, this is called MEC (Multichassis EtherChannel).
    If you're using low-end commodity-grade gear, you'll probably need to use active/passive bonds if you want to span switches. Alternatively, you could use one of the balance algorithms for some bandwidth increase. You'd have to run your own testing to determine which algorithm is best suited for your workload.
    The Linux Foundation's Net:Bonding article has some great information on bonding in general, particularly on the various bonding methods for high availability:
    http://www.linuxfoundation.org/en/Net:Bonding

  • (Request for:) Best practices for setting up a new Windows Server 2012 r2 Hyper-V Virtualized AD DC

    Could you please share your best practices for setting up a new Windows Server 2012 r2 Hyper-V Virtualized AD DC, that will be running on a new WinSrv 2012 r2 host server. (This will be for a brand new network setup, new forest, domain, etc.)
    Specifically, your best practices regarding:
    the sizing of non virtual and virtual volumes/partitions/drives,  
    the use of sysvol, logs, & data volumes/drives on hosts & guests,
    RAID levels for the host and the guest(s),  
    IDE vs SCSI and drivers both non virtual and virtual and the booting there of,  
    disk caching settings on both host and guests.  
    Thanks so much for any information you can share.

    A bit of non essential additional info:
    We are a small to midrange school district who, after close to 20 years on Novell networks, have decided to design and create a new Microsoft network and migrate all of our data and services over to the new infrastructure. We are planning on rolling out 2012 r2 servers with as much Hyper-V virtualization as possible.
    During the last few weeks we have been able to find most of the information we need to undergo this project, and most of the information was pretty solid with little ambiguity, except for information regarding virtualizing the DCs, which has been a bit inconsistent.
    Yes, we have read all the documents that most of these posts tend to point to, but found some, if not most, are still referring to performing this under Srvr 2008 r2, and haven't really seen all that much on Srvr2012 r2.
    We have read these and others:
    Introduction to Active Directory Domain Services (AD DS) Virtualization (Level 100), 
    Virtualized Domain Controller Technical Reference (Level 300),
    Virtualized Domain Controller Cloning Test Guidance for Application Vendors,
    Support for using Hyper-V Replica for virtualized domain controllers.
    Again, thanks for any information, best practices, cookie cutter or otherwise that you can share.
    Chas.

  • Best practices for setting up projects

    We recently adopted using Captivate for our WBT modules.
    As a former Flash and Director user, I can say it’s
    fast and does some great things. Doesn’t play so nice with
    others on different occasions, but I’m learning. This forum
    has been a great source for search and read on specific topics.
    I’m trying to understand best practices for using this
    product. We’ve had some problems with file size and
    incorporating audio and video into our projects. Fortunately, the
    forum has helped a lot with that. What I haven’t found a lot
    of information on is good or better ways to set up individual
    files, use multiple files and publish projects. We’ve decided
    to go the route of putting standalones on our Intranet. My gut says
    yuck, but for our situation I have yet to find a better way.
    My question for discussion, then is: what are some best
    practices for setting up individual files, using multiple files and
    publishing projects? Any references or input on this would be
    appreciated.

    Hi,
    Here are some of my suggestions:
    1) Set up a style guide for all your standard slides. Eg.
    Title slide, Index slide, chapter slide, end slide, screen capture,
    non-screen capture, quizzes etc. This makes life a lot easier.
    2) Create your own buttons and captions. The standard ones
    are pretty ordinary, and it's hard to get a slick looking style
    happening with the standard captions. They are pretty easy to
    create (search for add print button to learn how to create
    buttons). There should be instructions on how to customise captions
    somewhere on this forum. Customising means that you can also use
    words, symbols, colours unique to your organisation.
    3) Google elearning providers. Most use captivate and will
    allow you to open samples or temporarily view selected modules.
    This will give you great insight on what not to do and some good
    ideas on what works well.
    4) Timings: Using the above research, I got others to
    complete the sample modules to get a feel for timings. The results
    were clear, 10 mins good, 15 mins okay, 20 mins kind of okay, 30
    mins bad, bad, bad. It's truly better to have a learner complete
    2-3 short modules in 30 mins than one big monster. The other
    benefit is that shorter files equal smaller size.
    5) Narration: It's best to narrate each slide individually
    (particularly for screen capture slides). You are more likely to
    get it right on the first take, it's easier to edit and you don't
    have to re-record the whole thing if you need to update it in
    future. To get a slicker effect, use at least two voices: one male,
    one female and use slightly different accents.
    6) Screen capture slides: If you are recording filling out
    long window based database pages where the compulsory fields are
    marked (eg. with a red asterisk) - you don't need to show how to
    fill out every field. It's much easier for the learner (and you) to
    show how to fill out the first few fields, then fade the screen
    capture out, fade the end of the form in with the instructions on
    what to do next. This will reduce your file size. In one of my
    forms, this meant the removal of about 18 slides!
    7) Auto captions: they are verbose (eg. 'Click on Print
    Button' instead of 'Click Print'; 'Select the Print Preview item'
    instead of 'Select Print Preview'). You have to edit them.
    8) PC training syntax: Buttons and hyperlinks should normally
    be 'click'; selections from drop down boxes or file lists are
    normally 'select': Captivate sometimes mixes them up. Instructions
    should always be written in the correct order: eg. Good: Click
    'File', Select 'Print Preview'; Bad: Select 'Print Preview' from
    the 'File Menu'. Button names, hyperlinks, selections are normally
    written in bold
    9) Instruction syntax: should always be written in an active
    voice: eg. 'Click Options to open the printer menu' instead of
    'When the Options button is clicked on, the printer menu will open'
    10) Break all modules into chapters. Frame each chapter with
    a chapter slide. It's also a good idea to show the Index page
    before each chapter slide with a progress indicator (I use an
    animated arrow to flash next to the name of the next chapter), I
    use a start button rather than a 'next' button for the start of each
    chapter. You should always have a module overview with the purpose
    of the course and a summary slide which states what was covered and
    that they have completed the module.
    11) Put a transparent click button somewhere on each slide.
    Set the properties of the click box to take the learner back to the
    start of the current chapter by pressing F2. This allows them to
    jump back to the start of their chapter at any time. You can also
    do a similar thing on the index pages which jumps them to another
    chapter.
    12) Recording video capture: best to do it at normal speed
    and be conscious of where your mouse is. Minimise your clicks. Most
    people (until they start working with captivate) are sloppy with
    their mouse and you end up with lots of unnecessary slides that
    you have to delete out. The speed will default to how you recorded
    it and this will reduce the amount of time you spend on changing
    timings.
    13) Captions: My rule of thumb is minimum of 4 seconds - and
    longer depending on the amount of words. Eg. Click 'Print Preview'
    is 4 seconds, a paragraph is longer. If you are creating knowledge
    based modules, make the timing long (eg. 2-3 minutes) and put in a
    next button so that the learner can click when they are ready.
    Also, narration means the slides will normally be slightly longer.
    14) Be creative: Captivate is desk bound. There are some
    learners that just don't respond no matter how interactive
    Captivate can be. Incorporate non-captivate and desk free
    activities. Eg. As part of our OHS module, there is an activity
    where the learner has to print off the floor plan, and then wander
    around the floor marking on the map key items such as: fire exits;
    first aid kit, broom and mop cupboard, stationery cupboard, etc.
    Good luck!

  • What are the best practices for using the enhancement framework?

    Hello enhancement framework experts,
    Recently, my company upgraded to SAP NW 7.1 EhP6.  This presents us with the capability to use the enhancement framework.
    A couple of senior programmers were asked to deliver a guideline for use of the framework.  They published the following statement:
    "SAP does not guarantee the validity of the enhancement points in future releases/versions. As a result, any implemented enhancement points may require significant work during upgrades. So, enhancement points should essentially be used as an alternative to core modifications, which is a rare scenario.".
    I am looking for confirmation or contradiction to the statement  "SAP does not guarantee the validity of enhancement points in future releases/versions..." .  Is this a true statement for both implicit and explicit enhancement points?
    Is the impact of activated explicit and implicit enhancements much greater to an SAP upgrade than BAdi's and user exits?
    Are there any SAP published guidelines/best practices for use of the enhancement framework?
    Thank you,
    Kimberly
    Edited by: Kimberly Carmack on Aug 11, 2011 5:31 PM

    Found an article that answers this question quite well:
    [How to Get the Most From the Enhancement and Switch Framework as a Customer or Partner - Tips from the Experts|http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/c0f0373e-a915-2e10-6e88-d4de0c725ab3]
    Thank you Thomas Weiss!

  • Workflow not completed, is this best practice for PR?

    Hi SAP Workflow experts,
    I am new to workflow and am now responsible for supporting the existing PR release workflow.
    The workflow is quite simple and straightforward, but the issue here is that the workflow seems like it will never be completed.
    If the user released the PR, the next activity is Requisition released, which uses task TS20000162.
    This will send a work item to the user's (PR creator's) SAP inbox, which, when they double-click it, will complete the workflow.
    The thing here is, in our organization, users do not access the SAP inbox, hence there are thousands of work items that have not been completed. (Our procurement system started in 2009.)
    Our PR creator will receive notification of the PR approval in their Outlook mail, handled by a program that is scheduled every 5 minutes.
    Since the documentation is not clear enough, I can't digest why the implementer used this approach.
    May I know whether this is the best practice for PR workflow or not?
    Now my idea is to modify the send email program to complete the work item after the email is sent to the user's Outlook mail.
    Not sure whether it is common or not though in workflow world.
    Any help is deeply appreciated.
    Thank you.

    Hello,
    "This will send work item to user (pr creator) sap inbox which when they double click it will complete the workflow."
    It sounds like they are sending a workitem where an email would be enough. By completing the workitem they are simply acknowledging that they have received notification of the completion of the PR.
    "Our PR creator will receive notification of the PR approval in their Outlook mail, handled by a program that is scheduled every 5 minutes."
    I hope (and assume) that they only receive the email once.
    I would change the workflow to send an email (SendMail step) to the initiator instead of the workitem. That is normally what happens. Either that or there is no email at all - some businesses only send an email if something goes wrong. Of course, the business has to agree to this change.
    Having that final workitem adds nothing to the process. Replace it with an email.
    regards
    Rick Bakker
    hanabi technology
