ISR4K ZBF HA with Interchassis Redundancy and NAT issues

kbystrak1
Level 1

I am trying to set up two identical 4331s to do interchassis redundancy with NAT and ZBF in a High Availability configuration.

Both devices are running the same IOS-XE (16.12.04) with SEC licensing. I have followed several guides and videos online to set up the redundancy groups and everything has worked out according to plan until the very end, where I need to verify the firewall states are synced on both the ACTIVE and the STANDBY devices.

The routers took all my commands except for this:

R1 (config)# parameter-map type inspect global
R1 (config-profile)# redundancy
R1 (config-red)#

Entering the redundancy command just switches the configuration mode rather than creating a configuration entry.

When I view my NAT translations on both routers they appear to be the same, so I am fairly confident that the NAT redundancy is correct. The same goes for viewing ZBF inspections. They seem to show the same sessions on both routers. What is confusing me is that the videos and examples I have seen online look different than what I am seeing when I show my sessions.

Here is a snippet from one of my firewalls (the ACTIVE one):

R1#sh policy-map type inspect zone-pair ZP-inside-2-outside sessions
  Zone-pair: ZP-inside-2-outside
  Service-policy inspect : PM-permit-common-protocols

    Class-map: CM-invalid-src (match-all)
      Match: access-group name ZP-ACL-invalid_source_IPs
      Drop
        0 packets, 0 bytes

    Class-map: CM-protocol-https (match-all)
      Match: protocol https
      Inspect
        Established Sessions
         Session ID 0x00011547 (10.15.70.70:60525)=>(34.237.73.95:443) https SIS_OPEN
          Created 02:40:13, Last heard 02:40:13
          Bytes sent (initiator:responder) [0:0]
         Session ID 0x0001243A (10.15.70.70:51791)=>(45.60.11.212:443) https SIS_OPEN
          Created 02:40:13, Last heard 02:40:13
          Bytes sent (initiator:responder) [0:0]


    Class-map: CM-insp-traffic (match-all)
      Match: class-map match-any CM-cls-insp-traffic
        Match: protocol dns
        Match: protocol ftp
        Match: protocol http
        Match: protocol icmp
        Match: protocol imap
        Match: protocol pop3
        Match: protocol netshow
        Match: protocol shell
        Match: protocol realmedia
        Match: protocol rtsp
        Match: protocol smtp
        Match: protocol sql-net
        Match: protocol streamworks
        Match: protocol tftp
        Match: protocol vdolive
        Match: protocol tcp
        Match: protocol udp
      Inspect
        Established Sessions
         Session ID 0x0000239C (10.15.70.70:64251)=>(172.253.63.188:5228) tcp SIS_OPEN
          Created 01:57:05, Last heard 01:57:05
          Bytes sent (initiator:responder) [0:0]
         Session ID 0x00002C85 (10.15.70.70:59071)=>(213.136.8.188:23) tcp SIS_OPEN
          Created 00:00:12, Last heard 00:00:12
          Bytes sent (initiator:responder) [0:0]
         Session ID 0x00002A70 (10.15.70.70:61506)=>(108.168.178.52:1235) udp SIS_OPEN
          Created 00:25:01, Last heard 00:25:01
          Bytes sent (initiator:responder) [0:0]


    Class-map: CM-sip-inspect (match-any)
      Match: protocol sip
      Inspect


    Class-map: CM-h323-inspect (match-any)
      Match: protocol h323
      Inspect


    Class-map: CM-h225ras-inspect (match-any)
      Match: protocol h225ras
      Inspect


    Class-map: CM-h323callsigalt-inspect (match-any)
      Match: protocol h323callsigalt
      Inspect


    Class-map: CM-skinny-inspect (match-any)
      Match: protocol skinny
      Inspect


    Class-map: class-default (match-any)
      Match: any
      Drop
        0 packets, 0 bytes

What I was expecting to see is something like this (snippet reduced to just show one example):

R1#sh policy-map type inspect zone-pair ZP-inside-2-outside sessions
  Zone-pair: ZP-inside-2-outside
  Service-policy inspect : PM-permit-common-protocols

....some extra stuff removed....
    Class-map: CM-insp-traffic (match-all)
      Match: class-map match-any CM-cls-insp-traffic
        Match: protocol dns
        Match: protocol ftp
        Match: protocol http
        Match: protocol icmp
        Match: protocol imap
        Match: protocol pop3
        Match: protocol netshow
        Match: protocol shell
        Match: protocol realmedia
        Match: protocol rtsp
        Match: protocol smtp
        Match: protocol sql-net
        Match: protocol streamworks
        Match: protocol tftp
        Match: protocol vdolive
        Match: protocol tcp
        Match: protocol udp
      Inspect
        Established Sessions
         Session ID 0x0000239C (10.15.70.70:64251)=>(172.253.63.188:5228) tcp SIS_OPEN
          Created 01:57:05, Last heard 01:57:05
          Bytes sent (initiator:responder) [0:0]
HA State: ACTIVE, RG ID: 1

The bit there at the end where it says "HA State: ACTIVE, RG ID:1" is not there on my routers.

Can someone confirm for me that this is normal? Perhaps due to different IOS-XE versions?

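One way to check the state sync the post above is asking about, as an added example that is not from the original post or from Cisco: parse the "Session ID" lines of the show output captured from each peer and diff the two session tables, also noting whether the "HA State" trailer quoted from the guide is present. The two sample outputs are constructed in the format shown above and are not real captures.

```python
import re

# Per-session line from "show policy-map type inspect zone-pair ... sessions"
SESSION_RE = re.compile(
    r"Session ID (?P<sid>0x[0-9A-Fa-f]+) \((?P<src>[^)]+)\)=>\((?P<dst>[^)]+)\) "
    r"(?P<proto>\S+) (?P<state>\S+)"
)
# Trailer some guides show; absent from the 16.12 output in the thread
HA_RE = re.compile(r"HA State: (?P<ha>\w+), RG ID: ?(?P<rg>\d+)")

def parse_sessions(text):
    """Return ({(src, dst, proto): state}, ha_info) for one router's output."""
    sessions, ha = {}, None
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            sessions[(m["src"], m["dst"], m["proto"])] = m["state"]
        h = HA_RE.search(line)
        if h:
            ha = (h["ha"], int(h["rg"]))
    return sessions, ha

def compare_sync(active_text, standby_text):
    """Diff the session tables; a non-empty 'missing' list means state is not synced."""
    act, act_ha = parse_sessions(active_text)
    stb, stb_ha = parse_sessions(standby_text)
    return {
        "missing_on_standby": sorted(set(act) - set(stb)),
        "missing_on_active": sorted(set(stb) - set(act)),
        "active_ha": act_ha,
        "standby_ha": stb_ha,
        "in_sync": set(act) == set(stb),
    }

# Constructed samples (same layout as the output above; not real captures)
ACTIVE = """\
        Established Sessions
         Session ID 0x00011547 (10.15.70.70:60525)=>(34.237.73.95:443) https SIS_OPEN
          Created 02:40:13, Last heard 02:40:13
         Session ID 0x0001243A (10.15.70.70:51791)=>(45.60.11.212:443) https SIS_OPEN
          Created 02:40:13, Last heard 02:40:13
"""
STANDBY = """\
         Session ID 0x00011547 (10.15.70.70:60525)=>(34.237.73.95:443) https SIS_OPEN
          Created 02:40:13, Last heard 02:40:13
HA State: STANDBY, RG ID: 1
"""
if __name__ == "__main__":
    print(compare_sync(ACTIVE, STANDBY))
```

Feed it the full output of the command from the ACTIVE and the STANDBY router; any session listed under "missing_on_standby" would be lost on failover.
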
7 Replies

Friend, you need to bypass TCP and NAT stateful.
Let me check my notes; I'll get back to you later.


@MHM Cisco World wrote:

https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/115956-zbfw-ha-config-ts-00.html

please check this Doc. 


I looked over that doc and it is exactly what I have, except for the section in question:

!
parameter-map type inspect global
redundancy
log dropped-packets enable
!

which I am thinking might be outdated. When I check the command reference here: http://www.cisco.com/en/US/docs/ios-xml/ios/security/m1/sec-cr-p1.html#wp1595727264 it seems as though there is no redundancy command anymore. It also mentions that the "parameter-map type inspect global" command has been replaced with the "parameter-map type inspect-global" command.

I get different results from both:

R1(config)#parameter-map type inspect global
R1(config-profile)#?
parameter-map commands:
  alert           Turn on/off alert
  exit            Exit from parameter-map
  lisp            Turn on LISP options
  log             Configure inspect logging parameters
  max-incomplete  Specify max half-open connection
  no              Negate or set default values of a command
  per-box         Configure per-box attributes
  session         Configure session total parameter
  tcp             Configure tcp syn-flood limit
  vrf             vrf binding with parameter map

R1(config-profile)#
R1(config)#parameter-map type inspect-global
R1(config-profile)#?
parameter-map commands:
  aggressive-aging        Aggressive Aging parameters
  alert                   Turn on/off alert
  application-inspect     Turn on application inspection
  exit                    Exit from parameter-map
  icmp-unreachable-allow  ICMP unreachable packets are allowed
  inspect                 vrf binding with parameter map
  lisp                    Turn on LISP options
  log                     Configure inspect logging parameters
  max-incomplete          Specify max half-open connection
  no                      Negate or set default values of a command
  tcp                     Configure tcp syn-flood limit
  zone-mismatch           Configure zone-mismatch option
R1(config-profile)#

But neither of them has redundancy as a possible command.

Just as a test, I jumped into an older 2911 running IOS 15.7(3)M4b and tried the command:

2911(config)#parameter-map type inspect global
2911(config-profile)#?
parameter-map commands:
  WAAS            firewall and Cisco WAE interoperability configuration
  alert           turn alerts for global parameters on/off
  exit            Exit from parameter-map
  exporter        configure exporter for firewall
  l2-transparent  transparent mode commands
  log             Inspect packet logging
  max-incomplete  specify max number of incomplete connections before clamping
  nbar-classify   Configure NBAR Classification for ZBFW inspect
  no              negate or set default values of a command
  one-minute      specify one-minute-sample watermarks for clamping
  redundancy      Enable FW High Availability
  sessions        maximum number of inspect sessions
  tcp             tcp setting options
  zone-mismatch   Configure Zone mismatch

2911(config-profile)#

It seems like at some point the configuration changed a bit. Here in a more recent document the redundancy command is configured elsewhere: Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE 17 - Configuring Firewall Stateful Interchassis Redundancy [Cisco IOS XE 17] - Cisco

Maybe that is what I am missing?

kbystrak1
Level 1

I think I may have found the answer to my own question. I think in newer IOS-XE versions, the

parameter-map type inspect global
redundancy

command is no longer necessary.

The IOS-XE 17 ZBF Configuration guide has 4 examples related to this type of setup.

Configuring Firewall Stateful Interchassis Redundancy

Box-to-Box High Availability Support for IPv6 Zone-Based Firewalls

Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT

Interchassis High Availability Support in IPv6 Zone-Based Firewalls

In all four of the instructions above the command is no longer present. It is only mentioned one time at the end of the Configuring Firewall Stateful Interchassis Redundancy instructions, where it is part of the example config at the end, but there is no other mention of it. I think this might have been a mistake by Cisco when they wrote the sample config. Perhaps they reused one from a previous IOS release where the command was available/required. In the other three instructions it is never mentioned at all and is not present in the sample configurations either.

Additionally, in the Box-to-Box High Availability Support for IPv6 Zone-Based Firewalls there is a sample output of the "show policy-map type inspect zone-pair sessions" command near the end that looks like mine and does not include the "HA State: ACTIVE, RG ID:1" information. The sample config on that guide is for IPv6 but the commands are all basically the same as the ones for IPv4.

It would be great if someone had access to a router running IOS-XE 17 and could check to see if this is true. Is anyone willing to try a few commands on their router to check?

(config)# parameter-map type inspect global
then ? to see what's there
(config)# parameter-map type inspect-global
then ? to see what's there
(config)# parameter-map type inspect TEST
then ? to see what's there

try this way
parameter-map type inspect pmap-udp <- config redundancy under each inspect 
redundancy


@MHM Cisco World wrote:
try this way
parameter-map type inspect pmap-udp <- config redundancy under each inspect 
redundancy

This is what I get:

R1(config)#parameter-map type inspect pmap-udp
R1(config-profile)#?
parameter-map commands:
  alert                   Turn on/off alert
  application-inspect     Turn on application inspection
  audit-trail             Turn on/off audit trail
  dns-timeout             Specify timeout for DNS
  exit                    Exit from parameter-map
  gtp                     Config inspection parameter for gtp
  icmp                    Config timeout values for icmp
  icmp-unreachable-allow  ICMP unreachable packets are allowed
  log                     Configure inspect logging parameters
  max-incomplete          Specify maximum number of incomplete connections
                          before clamping
  no                      Negate or set default values of a command
  one-minute              Specify one-minute-sample watermarks for clamping
  sessions                Configure sessions related parameters
  tcp                     Config timeout values for tcp connections
  udp                     Config timeout values for udp flows
  zone-mismatch           Config zone-mismatch option

R1(config-profile)#