12-05-2018 04:47 AM - edited 03-12-2019 04:16 AM
Dears
Please find the attached topology.
I have a problem understanding the failover. Whenever the port-channel interface of DC-1 fails, it shifts over to the DC-2 FW, but the perimeter firewalls don't shift and the traffic gets dropped. Hence, if I'm not wrong, by default the failover should happen on the perimeter as well. Please confirm.
Thanks
12-05-2018 04:55 AM
Can you please clarify which port-channel we are referring to?
As long as monitoring is configured with the right interfaces and the failover condition meets the requirements, it automatically fails over to the standby.
To confirm, we also need to understand your configuration along with your diagram.
12-05-2018 06:59 AM
For me it looks like "works as designed" ...
The INT-FWs are probably the perimeter firewalls in your description. These have no clue that there is a change in upstream reachability. Because these are independent systems, you should make sure that both INT-FWs can equally reach both the DC1 and DC2 firewalls. Typically you achieve this with an additional (redundant) switch between these firewall systems.
12-05-2018 11:34 AM
Dear
So you are confirming that we need a switch between the DC firewall and the perimeter firewall to address such an issue; there is no other solution that can help to solve this problem?
Please advise.
12-05-2018 01:49 PM
There is always more than one solution ... But in this scenario, the switch between the two firewall systems is the most common one and proven to work as expected.
12-05-2018 01:04 PM
Hi,
As per your topology, you need a switch in between DC-FW and INT-FW, because whenever your A or B interface goes down, DC-FW switches over and it will not affect the INT-FW because your C, D, E, F interfaces are UP.
INT-FW switchover occurs only when the C, D, E, F interfaces go down.
HTH
Abheesh