Solved: transparent firewall active/standby mode connect with L3SW

hungvu.bk37 · ‎10-25-2022

HI all,

I have a Network Diagram as below. I configure firewall as active/standby transparent mode (attached is firewall configuration file).

But when I use command "Sh Failover" the result show as below:

------------------------------------

Failover On
Failover unit Primary
Failover LAN Interface: f-over Ethernet1/8 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 1288 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.14(1), Mate 9.14(1)
Serial Number: Ours JAD260807CX, Mate JAD260808PV
Last Failover at: 09:21:48 UTC Oct 25 2022
This host: Primary - Active
Active time: 528 (sec)
slot 0: FPR-1140 hw/sw rev (48.46/9.14(1)) status (Up Sys)
Interface mgmt1 (192.168.1.1): Normal (Not-Monitored)
Interface inside (10.10.30.111): No Link (Waiting)
Interface outside (10.10.30.111): No Link (Waiting)
Other host: Secondary - Sync Config
Active time: 0 (sec)
slot 0: FPR-1140 hw/sw rev (48.46/9.14(1)) status (Up Sys)
Interface mgmt1 (0.0.0.0): Unknown (Not-Monitored)
Interface inside (0.0.0.0): Unknown (Waiting)
Interface outside (0.0.0.0): Unknown (Waiting)

-------------------------------------------

and the failover isn't work if I disconnect 1 cable in active firewall.

Anybody know about this case and how to reslove this.

Thank you so much!!!

hungvu.bk37 · ‎11-04-2022

HI all,

I already found out the solution.

1. We need create separeate port channels for 4 cable as below link:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/interface_start.html

2. We need to use VLAN or Install L2SW between Firewall and Router. We need a boardcast domain between for failover function work proprely. Check link below for more detail. In my case I use Vlan.

https://serverfault.com/questions/335799/will-traffic-get-through-a-standby-firewall-if-the-active-firewalls-interface-t

View solution in original post

balaji.bandi · ‎10-25-2022

is that output after the link is removed? is this Firepower imaged with ASA ?

check some guided config :

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/110740-asafailover-transparent-mode.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

hungvu.bk37 · ‎10-25-2022

No, It is result when normal. I concern about "normal (waiting)" status. As I check in some document I see as below

It is transparent mode and I just can set IP address for BVI only

hungvu.bk37 · ‎10-25-2022

as I check, this firewall use "ASA Version 9.14(1)"

MHM Cisco World · ‎10-25-2022

Transparent Firewall Mode Requirements

When the active unit fails over to the standby unit, the connected switch port running Spanning Tree Protocol (STP) can go into a blocking state for 30 to 50 seconds when it senses the topology change. To avoid traffic loss while the port is in a blocking state, you can configure one of the following workarounds depending on the switch port mode:

•

Access mode—Enable the STP PortFast feature on the switch:

interface interface_id

spanning-tree portfast

The PortFast feature immediately transitions the port into STP forwarding mode upon linkup. The port still participates in STP. So if the port is to be a part of the loop, the port eventually transitions into STP blocking mode.

•

Trunk mode—Block BPDUs on the security appliance on both the inside and outside interfaces:

access-list id ethertype deny bpdu

access-group id in interface inside_name

access-group id in interface outside_name

Blocking BPDUs disables STP on the switch. Be sure not to have any loops involving the security appliance in your network layout.

If neither of the above options are possible, then you can use one of the following less desirable workarounds that impacts failover functionality or STP stability:

•

Disable failover interface monitoring.

•

Increase failover interface holdtime to a high value that will allow STP to converge before the security appliances fail over.

•

Decrease STP timers to allow STP to converge faster than the failover interface holdtime.

hungvu.bk37 · ‎10-25-2022

Hi @MHM Cisco World,

I try to follow your advise but seem not work. Do you have any solution else?

hungvu.bk37 · ‎10-27-2022

anybody can help me this case, anything need to warning at router side. For now, I configure portchannel with lacp protocol. Any idea to fix this case?

hungvu.bk37 · ‎11-04-2022

HI all,

I already found out the solution.

1. We need create separeate port channels for 4 cable as below link:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/interface_start.html

2. We need to use VLAN or Install L2SW between Firewall and Router. We need a boardcast domain between for failover function work proprely. Check link below for more detail. In my case I use Vlan.

https://serverfault.com/questions/335799/will-traffic-get-through-a-standby-firewall-if-the-active-firewalls-interface-t

MHM Cisco World · ‎11-05-2022

can you share the last topology because I dont see SW in your original post.

hungvu.bk37 · ‎11-06-2022

the last topology as picture below

the router can configure as the switch with "switchport access vlan 200" command. I just set IP address for vlan 200 and route it on static router table.