FTD with dual routers

tahscolony
Level 1

I have two locations connected by dark fiber. At each site is a router with BGP to an ISP; the routers use iBGP between them, and one is the default gateway with HSRP. At each site is a 3120 with an FTD instance. Today I connected one between the inside interface of the standby router and the public side of the network (edge). The primary default gateway router is not connected to any IPS. We use a WSA proxy for web 443. I ran into an issue where some sites that require SSO were unreachable when the FTD was connected to the standby router. Technically, it should have been unaffected, since the traffic coming from the WSA would be sent to the primary router and through to the internet with the connected ISP, according to traceroutes. Nothing was logged as being blocked by the FTD.

We are replacing our 7125 Firepowers with FTD. Our current setup is an inline IPS in front of, and behind, the ASA for a public-side and internal-side IPS. What I am looking to do is IPS between the router and all our public-facing equipment, but it appears to have caused an issue getting to some sites. My only thought is possibly asynchronous routing between the two routers and the FTD. If a route points to the ISP on one router, traffic goes through the FTD to that router, and if the return traffic happens to prefer the other ISP, then it will come in the other router, not going through the FTD. Eventually there will be a second FTD on that router, but they still don't talk to each other, so if traffic goes out one way on one and comes back in on the other, would that be the cause of some sites not working?

I'm thinking I would be better off staying with the current setup of in front of just the firewall, since it's a failover pair and traffic comes in and out of just one firewall, so no asynchronous routing can happen.
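The asymmetry the original post suspects can be modelled without any lab gear. The following is an added example, not code from the thread or from Cisco: a small route table for a constructed dual-router topology (R1 as the HSRP active router with ISP-A, R2 as the standby with ISP-B; the prefixes and path preferences are made up) and a function that reports which directions of a flow an inline inspector attached to a given set of routers actually sees. A stateful inspector that sees only one half of a TCP handshake never reaches an established state for that flow, which matches the symptom of nothing being logged as blocked while the site is still unreachable. The same model, with the inspector placed on the common segment in front of the firewall pair (both routers feeding it), shows every flow as fully visible.

```python
from ipaddress import ip_address, ip_network

# Constructed example topology (not from the thread). Two edge routers, R1 (HSRP active,
# ISP-A) and R2 (standby, ISP-B), run iBGP between them. Prefixes are documentation
# ranges and the path choices are invented for illustration.

# Outbound best path per destination, as chosen by iBGP between R1 and R2.
OUTBOUND = [
    (ip_network("203.0.113.0/24"), "R1"),   # best path via ISP-A on R1
    (ip_network("198.51.100.0/24"), "R2"),  # best path via ISP-B on R2
    (ip_network("192.0.2.0/24"), "R1"),     # best path via ISP-A on R1
]

# Router through which the remote network's return traffic enters. This is decided by
# the remote side's routing policy, which the local routers do not control.
INBOUND = [
    (ip_network("203.0.113.0/24"), "R2"),   # returns via ISP-B: asymmetric
    (ip_network("198.51.100.0/24"), "R2"),  # returns the way it left: symmetric
    (ip_network("192.0.2.0/24"), "R1"),     # returns the way it left: symmetric
]

# Where the inline IPS sits, expressed as the set of routers whose traffic it sees.
STANDBY_ROUTER_ONLY = {"R2"}          # the placement that broke SSO in the post
IN_FRONT_OF_FIREWALL_PAIR = {"R1", "R2"}  # common segment fed by both routers


def lookup(table, dst):
    """Longest-prefix match of dst against a (prefix, router) table."""
    addr = ip_address(dst)
    best = None
    for prefix, router in table:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, router)
    if best is None:
        raise LookupError(f"no route for {dst}")
    return best[1]


def directions_seen(dst, inspected_routers):
    """Return the set of flow directions ('outbound', 'inbound') that pass through an
    inline inspector attached to the given routers for a flow to dst."""
    seen = set()
    if lookup(OUTBOUND, dst) in inspected_routers:
        seen.add("outbound")
    if lookup(INBOUND, dst) in inspected_routers:
        seen.add("inbound")
    return seen


def stateful_ips_outcome(dst, inspected_routers):
    """Model a stateful inline inspector that needs the full TCP handshake.

    full-state: both directions inspected, normal operation.
    bypassed:   neither direction inspected; nothing is logged or dropped.
    half-flow:  one direction only; the inspector sees a SYN without the SYN-ACK (or
                the reverse), so the flow never becomes established from its view.
    """
    seen = directions_seen(dst, inspected_routers)
    if seen == {"outbound", "inbound"}:
        return "full-state"
    if not seen:
        return "bypassed"
    return "half-flow"


def audit(inspected_routers):
    """Classify one representative host in every known prefix for a placement."""
    results = {}
    for prefix, _ in OUTBOUND:
        host = str(prefix.network_address + 10)
        results[host] = stateful_ips_outcome(host, inspected_routers)
    return results


if __name__ == "__main__":
    for name, placement in (("IPS on standby router only", STANDBY_ROUTER_ONLY),
                            ("IPS in front of firewall pair", IN_FRONT_OF_FIREWALL_PAIR)):
        print(name)
        for host, outcome in audit(placement).items():
            print(f"  {host:16} {outcome}")
```

Run as a script it prints one block per placement. With the IPS on the standby router only, the 203.0.113.0/24 destination shows as half-flow (out via R1, back via R2) and 192.0.2.0/24 as bypassed, which is why the post sees neither a block nor a working session. Feeding the real iBGP best paths and the return paths observed with traceroute from the remote side into the two tables turns this from a toy into a quick check before moving the inline pair.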

3 Replies

ccieexpert
Spotlight

Maybe you can put up a diagram so we can better understand the current and proposed design and provide suggestions.

Two edge routers connect to the ISP and use HSRP.
What you need in the FTD is only a default route toward the HSRP VIP.
That's it.

MHM

tahscolony
Level 1

After some review, it was determined this setup could cause a split brain if the FTD drops out and the two routers can't talk to each other. I resolved it by mirroring our old Firepower configuration, inserting the firewall in between the IPS. Case closed.