
What happens to TCP connections through ZBF after HSRP failover?

darthnul
Level 1

I am using HSRP to create a failover pair of 891F security routers. This router pair will act as a firewall between headquarters and a "mostly trusted" partner. I have a directive to use stateful inspection whenever possible, so I'd like to use the zone-based firewalling (ZBF) feature of the 891F routers.

I am familiar with ZBF configuration, but I don't know if, or how well, existing TCP connections would survive an HSRP failover event. There would be only a few hosts communicating through these routers, but once they establish a TCP connection, they keep it up until something breaks (which is quite rare).

I know the ZBF connection tables won't be shared across the router pair, but would the newly "active" router (following an HSRP failover) create new entries in its connection table upon seeing any outbound TCP packet, or would it have to see an outbound SYN packet first? In other words, could my hosts maintain their existing TCP connections through a firewall failover event with only a TCP retry or two, or would the connections have to time out, reset or whatever and force the hosts to establish new connections? I know the difference in recovery time between these scenarios may only be a minute or three, but two minutes would likely result in me getting paged at 3:00 AM.

Thanks in advance!

1 Reply

joseoroz
Cisco Employee

Hello

Based on the documentation, if the zone-based firewall is configured with a stateful link, the connection database should be shared between the units:

The data synchronization link is used to transfer stateful information from the firewall and to synchronize the stateful database. The pairs of redundant interfaces are configured with the same unique ID number, known as the redundant interface identifier (RII).


http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/15-2mt/sec-data-zbf-ha.html


Kind regards,


Jose Orozco.
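As an added illustration of the mechanism the reply and the linked guide describe (this is not configuration from the post, the guide or the 891F documentation), a sketch of the redundancy-group setup with a control link and a separate data synchronization link: zone names, group id, RII values, interface names and addresses are made up, and the exact keyword forms should be checked against the linked guide for the IOS release running on the 891F.

```cisco
! Zones and a minimal inspect policy (identical on both routers)
zone security HQ
zone security PARTNER
class-map type inspect match-any TCP-TRAFFIC
 match protocol tcp
policy-map type inspect HQ-TO-PARTNER
 class type inspect TCP-TRAFFIC
  inspect
 class class-default
  drop log
zone-pair security HQ-PARTNER source HQ destination PARTNER
 service-policy type inspect HQ-TO-PARTNER
!
! Redundancy group. The control link elects the active unit; the
! data link is the "data synchronization link" that carries the
! stateful (session) database to the standby unit.
redundancy
 application redundancy
  group 1
   name ZBF-HA
   preempt
   ! the standby router uses a lower value, e.g. 100
   priority 150
   control GigabitEthernet6 protocol 1
   data GigabitEthernet7
!
! Back-to-back links between the two routers (peer uses .2)
interface GigabitEthernet6
 description RG control link
 ip address 10.255.0.1 255.255.255.252
interface GigabitEthernet7
 description RG data (state sync) link
 ip address 10.255.1.1 255.255.255.252
!
! Traffic interfaces: the RII and the virtual IP must be the same
! on both routers; only the physical address differs (peer uses .3)
interface GigabitEthernet0
 description HQ side
 ip address 10.10.10.2 255.255.255.0
 zone-member security HQ
 redundancy rii 100
 redundancy group 1 ip 10.10.10.1 exclusive
interface GigabitEthernet8
 description partner side
 ip address 192.0.2.2 255.255.255.0
 zone-member security PARTNER
 redundancy rii 200
 redundancy group 1 ip 192.0.2.1 exclusive
```

The redundancy group is a separate mechanism from HSRP and owns the virtual addresses on the traffic interfaces itself, so it is the redundancy group, not HSRP, that moves the firewall's forwarding role together with the synchronized session database.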
