PIX HSRP Gateway Failover Not Working

rfranzke
Level 1

Hello Netpros,

Turned up a new colo service last week using some PIX 515E firewalls and two Cat 2950 series switches. I have attached a diagram of the layout which I have used elsewhere with good success. Basically I have two switches connected together via port channel (2 ports). The colo facility gives me two HSRP-enabled links, of which I plug one into switch A and the other into switch B. The PIXes are a failover pair with the primary plugged into the same switch A as the primary HSRP link. The backup PIX is plugged into the backup switch where the backup HSRP link is. When I unplug the primary HSRP link the PIX can still ping the HSRP gateway, but nothing beyond that. Nothing gets it to work until I plug the link back in.

The only thing I could see that might cause an issue is the 'ip verify reverse-path' command on the PIXes. But even the switches cannot ping out beyond the HSRP gateway. It just seems like all inbound routing stops. I am not sure what the colo facility has going on their side, but it seems like they are using just some Cisco 6509s and doing HSRP between them. Seems pretty simple, but so far this is proving unusable as is.

The PIX, BTW, just uses a default route to the HSRP gateway. Any help here would be appreciated. Thanks in advance.


3 Replies

mvsheik123
Level 7

Hi,

Check if you see the same behaviour with a test laptop (directly connected to the switches), and if so, I would chase the ISP to check on their config.

Thx

MS

Thanks for the reply here. I should have mentioned this in the initial post, but yes, all links are in the same VLAN. I pressed the ISP, as this was not making any sense to me as to why this would not work, and they looked into it. Turns out they had messed up the initial OSPF configuration on their core routers for our routes, and that was what seems to have messed things up for us. I had them correct their mistake and tested again, and now everything is working properly.

I also discovered that they had mismarked the primary and secondary links they handed to us, and they were backwards. I swapped those around and I can correctly see the HSRP MAC in the correct switch. This was confusing me and compounding the issue some, as I would see the well-known HSRP MAC as being learned from the wrong switch. When I tried swapping these around before, the routing configuration not being correct further masked what was going on.

It's hard to tell what is happening when you cannot see the configuration on the other side, at least for me. All the more amazing to me that so many folks on here can do it so easily. In hindsight I probably should have pressed them on it before posting here, but I just wanted to make sure I did not have anything incorrect on my gear. Thanks for the help.

Bob.
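Bob's observation that the well-known HSRP virtual MAC showed up on the wrong switch is the cheapest on-site check for this design: the switch whose provider uplink has learned the virtual MAC is the one holding the active router, and after a failover that learning should move to the other switch's uplink. The script below is an added example, not part of the original thread or of any Cisco tool. It parses `show mac address-table` output in Catalyst 2950 style and reports whether the HSRP virtual MAC was learned on the local provider uplink, across the inter-switch port-channel, or on an unexpected port (which is what a mislabelled link pair would look like). The two MAC tables, the VLAN number, the HSRP group and the port names are constructed sample data; the provider's real group and port numbering are not known from the thread. It recognises both the HSRPv1 range (0000.0c07.acXX) and the HSRPv2 range (0000.0c9f.fXXX), where the trailing hex digits are the standby group.

```python
import re

# Well-known HSRP virtual MAC prefixes; the trailing hex digits are the group.
HSRP_V1_PREFIX = "0000.0c07.ac"   # v1: 2 hex digits, groups 0-255
HSRP_V2_PREFIX = "0000.0c9f.f"    # v2: 3 hex digits, groups 0-4095

# Constructed sample output in the style of `show mac address-table` on a
# Catalyst 2950. Not captured from the poster's switches; VLAN, group and
# port names are assumptions for the example.
SWITCH_A_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 100    0000.0c07.ac01    DYNAMIC     Fa0/1
 100    0011.2233.4455    DYNAMIC     Fa0/1
 100    0016.c7aa.bb01    DYNAMIC     Fa0/2
 100    0016.c7aa.bb02    DYNAMIC     Po1
Total Mac Addresses for this criterion: 4
"""

SWITCH_B_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 100    0000.0c07.ac01    DYNAMIC     Po1
 100    0011.2233.4455    DYNAMIC     Po1
 100    0016.c7aa.bb02    DYNAMIC     Fa0/2
"""

# One table row: vlan, dotted-hex MAC, type, port. Header and footer lines
# do not match and are skipped.
MAC_LINE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return a list of (vlan, mac, type, port) tuples from switch output."""
    entries = []
    for line in text.splitlines():
        m = MAC_LINE.match(line)
        if m:
            vlan, mac, typ, port = m.groups()
            entries.append((int(vlan), mac.lower(), typ.upper(), port))
    return entries


def hsrp_group(mac):
    """Return the HSRP group number if mac is a v1 or v2 virtual MAC, else None."""
    for prefix in (HSRP_V1_PREFIX, HSRP_V2_PREFIX):
        if mac.startswith(prefix):
            return int(mac[len(prefix):], 16)
    return None


def find_hsrp_virtual_macs(entries):
    """Map (vlan, group) -> port for every HSRP virtual MAC in the table."""
    found = {}
    for vlan, mac, _typ, port in entries:
        group = hsrp_group(mac)
        if group is not None:
            found[(vlan, group)] = port
    return found


def check_active_gateway(entries, vlan, group, uplink_port, trunk_port):
    """Classify where this switch learned the HSRP virtual MAC.

    'local'  - on the provider uplink of this switch: the active router is
               on this switch's link.
    'remote' - over the inter-switch port-channel: the active router is
               behind the other switch.
    'absent' - not in the table: wrong VLAN/group, or no active router is
               speaking on this segment.
    'other'  - on an unexpected port: the link pair may be mislabelled.
    """
    port = find_hsrp_virtual_macs(entries).get((vlan, group))
    if port is None:
        return "absent"
    if port == uplink_port:
        return "local"
    if port == trunk_port:
        return "remote"
    return "other"


if __name__ == "__main__":
    # Assumed layout: the provider uplink is Fa0/1 on both switches and the
    # two switches are joined by port-channel Po1.
    for name, table in (("switch A", SWITCH_A_MAC_TABLE), ("switch B", SWITCH_B_MAC_TABLE)):
        state = check_active_gateway(parse_mac_table(table), 100, 1, "Fa0/1", "Po1")
        print(f"{name}: HSRP group 1 virtual MAC learned {state}")
```

Run it once with both uplinks connected and once with the primary link unplugged: the switch that reported `local` should flip to `remote` and the other to `local`. If the virtual MAC stays put, or shows `other`, the problem is on the provider side or in the cabling, as it turned out to be here, and no change to the PIX default route or its `ip verify reverse-path` setting will fix it.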

Hi Bob, thanks for the update, and I can understand how hard it will be without knowing the other end's config / having access. Glad everything worked out well. I stressed the ISP end as your design is the most commonly used design. Please mark the posting as resolved, so others can check on this.

Thanks

MS
