Cisco IOS Firewall with Stateful Failover

acjarvis
Level 1

I'm looking at using the IOS Firewall feature set with stateful failover between two 2900 series routers.  I have been working with a configuration that involves the "inside" being WAN interfaces on two different subnets and the "outside" being two LAN interfaces on the same subnet using HSRP.  In reading the datasheet there were two configurations mentioned but mine isn't exactly either.

What I am seeing is the sessions not syncing up.  I have tried reversing the inside/outside roles and they were syncing the sessions across.  You could see them by using the "show ip inspect sessions" command and validate the HEX value of the sessions.  Now I see the sessions on the HSRP active router but not the HSRP standby router.

I have enabled several different debugs but I'm not getting a lot of output, and even when I clear the active sessions for the ip inspect ha session I don't really get anything.

Anyone have any tips for getting a configuration similar to this working?

3 Replies

Kureli Sankar
Cisco Employee

I believe this link will provide all the answers that you are looking for.

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_sfo.html

-KS

I have been using that link for the configuration.  In looking at the guide it's wanting HSRP on both sides (inside and outside).  What I was curious about was whether anyone has done something similar to the diagram below.  I have also attached the diagram in case the picture below is too small.

As far as I know you can't do this because a requirement is that HSRP must be run on the inside interfaces, i.e. from the doc that you are working from -

Restrictions for Stateful Failover

When configuring redundancy for a Cisco IOS firewall, the following restrictions exist:

HSRP requires the inside interface to be connected via LANs.

So unless you connect the WAN interfaces to the same subnet I don't think it's possible.

Jon
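For reference, this is what the supported layout from the stateful failover guide looks like on one of the two routers: HSRP groups on both LAN-attached interfaces, with the inter-device redundancy scheme bound to the inside HSRP group name. This is an added, constructed skeleton (not from the original thread or the Cisco guide verbatim); the interface names, HSRP group names and the 10.0.0.x / 192.168.1.x / 203.0.113.x addresses are placeholders, and the command syntax is assumed from the 12.4T stateful failover feature.

```text
! Constructed example: router A of an HA pair (router B mirrors this with its own addresses)
! Assumption: commands follow the 12.4T "Stateful Failover for Cisco IOS Firewall" feature
!
! Redundancy tracks the INSIDE HSRP group by name; this is why the inside must be a LAN
redundancy inter-device
 scheme standby HA-IN
!
! Session-sync transport between the two routers (SCTP over a dedicated link)
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 5000
    local-ip 10.0.0.1
   remote-port 5000
    remote-ip 10.0.0.2
!
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
interface GigabitEthernet0/0
 description INSIDE (LAN, shared subnet, HSRP)
 ip address 192.168.1.2 255.255.255.0
 ip inspect FW in
 standby delay reload 120
 standby 1 ip 192.168.1.1
 standby 1 name HA-IN
 standby 1 preempt
!
interface GigabitEthernet0/1
 description OUTSIDE (LAN, shared subnet, HSRP)
 ip address 203.0.113.2 255.255.255.0
 standby delay reload 120
 standby 2 ip 203.0.113.1
 standby 2 name HA-OUT
 standby 2 preempt
!
interface GigabitEthernet0/2
 description HA sync link
 ip address 10.0.0.1 255.255.255.252
```

After both routers are up, "show ip inspect ha sessions" on the standby should list the same session entries (with matching hash values) as the active; if it stays empty, check that the redundancy scheme name matches the inside HSRP group name and that the SCTP association shows up.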
