I am using HSRP to create a failover pair of 891F security routers. This router pair will act as a firewall between headquarters and a "mostly trusted" partner. I have a directive to use stateful inspection whenever possible, so I'd like to use the zone-based firewalling (ZBF) feature of the 891F routers.
I am familiar with ZBF configuration, but I don't know if, or how well, existing TCP connections would survive following an HSRP failover event. There would be only a few hosts communicating through these routers, but once they establish a TCP connection, they keep it up until something breaks (which is quite rare).
I know the ZBF connection tables won't be shared across the router pair, but would the newly "active" router (following an HSRP failover) create new entries in its connection table upon seeing any outbound TCP packet, or would it have to see an outbound SYN packet first? In other words, could my hosts maintain their existing TCP connections through a firewall failover event with only a TCP retry or two, or would the connections have to time out, reset or whatever and force the hosts to establish new connections? I know the difference in recovery time between these scenarios may only be a minute or three, but two minutes would likely result in me getting paged at 3:00 AM.
Thanks in advance!