I am redesigning our border and we have two 2921 routers that are at the edge because we are terminating BGP there. The routers have HSRP configured on the ISP side and each router has one connection to one of the ASA5550. The ASA are running in active/standby configuration.
I've included a picture. My question is: if 2921-1 loses its internet connection, 2921-2 takes over due to HSRP. At this point how does ASA5550-1 know to swap to the standby node? Wouldn't it think that its connection to 2921-1 is still good? My 2921s only have 3 ports. I'm using 1 for ISP, 1 for the ASA connection and 1 for Management.
The solution to your network is to connect the 2921 routers and the ASAs to a shared L2 VLAN using a switch. You may use stackable switches for increased redundancy. In this way the HSRP VIP can be reached by any of the firewalls, so in case of a router going down it can be handled automatically.
For an improved design you may need to add a link between the routers and run iBGP between them, so in case of a link-down only, you will not blackhole outbound traffic.
Hope this helps.
I do have a 2960 switch I can use, but that would leave me a single point of failure, and I am not authorized any equipment purchase at this time. Is there no solution without additional equipment?
No. For active/standby FWs with HSRP routers this is the only solution.
You can buy one more switch only, even a used one, just as a temp solution to get it working.
Try object tracking with EEM. You have to inform your active firewall, and a simple way is to shut down the router interface.
Can you describe the connection to your ISP in more detail?
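An added illustration of the object-tracking-plus-EEM approach from the answer above (example configuration written for this thread, not taken from the post or from Cisco documentation). It assumes GigabitEthernet0/0 is the ISP uplink and GigabitEthernet0/1 is the link to ASA5550-1; adjust to your ports.

```cisco
! Added example, not from the thread. Interface names are assumptions:
! Gi0/0 = ISP uplink, Gi0/1 = link to ASA5550-1.
! Track the ISP link state; the delays debounce a brief flap so the ASA
! is not failed over (and back) on every blip.
track 10 interface GigabitEthernet0/0 line-protocol
 delay down 5 up 30
!
! When the ISP link drops, shut the ASA-facing port so the active ASA
! sees its outside interface go down and fails over to the standby unit.
event manager applet ISP-DOWN
 event track 10 state down
 action 1.0 syslog msg "ISP uplink down, shutting ASA-facing Gi0/1"
 action 2.0 cli command "enable"
 action 3.0 cli command "configure terminal"
 action 4.0 cli command "interface GigabitEthernet0/1"
 action 5.0 cli command "shutdown"
 action 6.0 cli command "end"
!
! When the ISP link is back, re-enable the port so this path is usable again.
event manager applet ISP-UP
 event track 10 state up
 action 1.0 syslog msg "ISP uplink up, re-enabling Gi0/1"
 action 2.0 cli command "enable"
 action 3.0 cli command "configure terminal"
 action 4.0 cli command "interface GigabitEthernet0/1"
 action 5.0 cli command "no shutdown"
 action 6.0 cli command "end"
```

This only triggers ASA failover if the ASA pair is monitoring its outside interface in the failover configuration (monitor-interface), and a line-protocol track will not notice an upstream outage beyond the first hop; an IP SLA reachability track can be used instead where that matters.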
Just put two switches between the routers and firewalls and also connect both switches to each other; then you will have a fully redundant function without any manual config when the Internet link goes down.