https://community.cisco.com/t5/network-security/firewall-failover/m-p/3758278#M132676 <P>Fo me it looks like "works as designed" ...</P> <P>&nbsp;The INT-FW are probably the perimeter firewalls in your description. These have no clue that there is a change in&nbsp;upstream-reachability. Because these are&nbsp;independent systems, you should make sure that both INTFW can equally reach both DC1 and DC2 firewalls. Typically you achieve this with an additional (redundant) switch between these firewall systems.</P> Wed, 05 Dec 2018 14:59:58 GMT Karsten Iwen 2018-12-05T14:59:58Z https://community.cisco.com/t5/network-security/firewall-failover/m-p/3758188#M132672 <P>Dears<BR />&nbsp;<BR />Please find the attached topology.<BR />&nbsp;<BR />I have some problem in understanding the fail over, whenever the port channel interface of DC-1 fails it shifts over to DC-2 FW but the perimeter firewalls doesn't shift and the traffic gets drops, hence if I m not wrong bydefault the failover should happen on perimeter as well please confirm</P><P>&nbsp;</P><P>thanks</P> Tue, 12 Mar 2019 11:16:52 GMT https://community.cisco.com/t5/network-security/firewall-failover/m-p/3758188#M132672 adamgibs7 2019-03-12T11:16:52Z https://community.cisco.com/t5/network-security/firewall-failover/m-p/3758196#M132673 <P>Can you please clarify Which Port-channel we are referring ?</P><P>As long you are monitoring is configured with right interfaces and the failover condition met the requirements, it automatically fail-over to standby.</P><P>&nbsp;</P><P>To confirm we need to understand your configuration also along with your diagram.</P><P>&nbsp;</P> Wed, 05 Dec 2018 12:55:44 GMT https://community.cisco.com/t5/network-security/firewall-failover/m-p/3758196#M132673 balaji.bandi 2018-12-05T12:55:44Z https://community.cisco.com/t5/network-security/firewall-failover/m-p/3758278#M132676 <P>Fo me it looks like "works as designed" ...</P> <P>&nbsp;The INT-FW are probably the perimeter firewalls in your description. These have no clue that there is a change in&nbsp;upstream-reachability. Because these are&nbsp;independent systems, you should make sure that both INTFW can equally reach both DC1 and DC2 firewalls. Typically you achieve this with an additional (redundant) switch between these firewall systems.</P> Wed, 05 Dec 2018 14:59:58 GMT https://community.cisco.com/t5/network-security/firewall-failover/m-p/3758278#M132676 Karsten Iwen 2018-12-05T14:59:58Z https://community.cisco.com/t5/network-security/firewall-failover/m-p/3758484#M132679 <P>Dear</P><P>so you are confirming that we need a switch in between the DC firewall and Perimeter firewall to address such issue, there is no other solution that can help to solve this problem.</P><P>&nbsp;</P><P>Please advice.</P> Wed, 05 Dec 2018 19:34:59 GMT https://community.cisco.com/t5/network-security/firewall-failover/m-p/3758484#M132679 adamgibs7 2018-12-05T19:34:59Z https://community.cisco.com/t5/network-security/firewall-failover/m-p/3758544#M132681 <P>Hi,</P> <P>As per you topology you need a switch in between DC-FW &amp; INT-FW. Because when ever your AorB interface went down DC-FW switch-over and it will not affect the INT-FW because your&nbsp;<SPAN>C,D,E,F interface are UP.</SPAN></P> <P>INT-FW Switch over occurs only when&nbsp; C,D,E,F interface went down.&nbsp;</P> <P>&nbsp;</P> <P>HTH</P> <P>Abheesh&nbsp;</P> Wed, 05 Dec 2018 21:04:42 GMT https://community.cisco.com/t5/network-security/firewall-failover/m-p/3758544#M132681 Abheesh Kumar 2018-12-05T21:04:42Z https://community.cisco.com/t5/network-security/firewall-failover/m-p/3758568#M132683 <P>There is always more than one solution ... But in this scenario, the switch between the two firewall systems is the most common one and proven to work as expected.</P> Wed, 05 Dec 2018 21:49:21 GMT https://community.cisco.com/t5/network-security/firewall-failover/m-p/3758568#M132683 Karsten Iwen 2018-12-05T21:49:21Z