Firewall Active/Standby behavior question

Gerard Gasca
Level 1

I am redesigning our border and we have two 2921 routers that are at the edge because we are terminating BGP there. The routers have HSRP configured on the ISP side and each router has one connection to one of the ASA5550s. The ASAs are running in active/standby configuration.

I've included a picture. My question is: if 2921-1 loses its internet connection, 2921-2 takes over due to HSRP. At this point how does ASA5550-1 know to swap to the standby node? Wouldn't it think that its connection to 2921-1 is still good? My 2921s only have 3 ports. I'm using 1 for ISP, 1 for the ASA connection and 1 for management.

Thank you,

Gerry

[Attachment: HSRP.jpg]


Marwan ALshawi
VIP Alumni

Hi Gerry,

The solution for your network is to connect the 2921 routers and the ASAs to a shared L2 VLAN using a switch. You may use stackable switches for increased redundancy. This way the HSRP VIP can be reached by either of the firewalls, so a router going down is handled automatically.

For an improved design you may need to add a link between the routers and run iBGP between them, so that in case of a link-down only you will not blackhole outbound traffic.

Hope this helps.

I do have a 2960 switch I can use, but that would leave me a single point of failure, and I am not authorized any equipment purchase at this time. Is there no solution without additional equipment?

No. For active/standby FWs with HSRP routers this is the only solution.

You can buy one more switch only, even a used one, just as a temporary solution to get it working.
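The shared-VLAN design suggested above, as an added configuration example (not from the original thread). Both 2921 ASA-facing ports and both ASA outside ports sit on one switch VLAN; the routers run HSRP on that VLAN and track their ISP uplink, and the ASAs simply route to the HSRP VIP. A router losing its uplink is then handled by HSRP alone, and the ASA pair only fails over when a firewall itself fails. Interface names, the 192.0.2.0/24 addressing, the HSRP group number and the priorities are assumptions for illustration; the existing ISP-side HSRP and BGP configuration is left untouched and not shown.

```cisco
! === 2921-1 (assumed: Gi0/0 = ISP uplink, Gi0/1 = shared VLAN toward both ASAs) ===
! Track the ISP uplink so a dead uplink lowers this router's HSRP priority
track 1 interface GigabitEthernet0/0 line-protocol
 delay down 5 up 30
!
interface GigabitEthernet0/1
 description VLAN shared with 2921-2, ASA5550-1 and ASA5550-2
 ip address 192.0.2.1 255.255.255.0
 standby 1 ip 192.0.2.254
 standby 1 priority 110
 standby 1 preempt delay minimum 30
 standby 1 track 1 decrement 20
!
! === 2921-2 (mirror image; 110 - 20 = 90 < 100, so it preempts when 2921-1's uplink drops) ===
track 1 interface GigabitEthernet0/0 line-protocol
 delay down 5 up 30
!
interface GigabitEthernet0/1
 description VLAN shared with 2921-1, ASA5550-1 and ASA5550-2
 ip address 192.0.2.2 255.255.255.0
 standby 1 ip 192.0.2.254
 standby 1 priority 100
 standby 1 preempt delay minimum 30
 standby 1 track 1 decrement 20
!
! === ASA5550 pair (entered on the active unit; failover replicates it) ===
! The standby address keeps the standby unit reachable on the same wire so
! interface monitoring can test it; the default route points at the HSRP VIP,
! which follows whichever router currently has a working uplink.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.10 255.255.255.0 standby 192.0.2.11
!
route outside 0.0.0.0 0.0.0.0 192.0.2.254
!
failover
monitor-interface outside
```

To verify after a simulated uplink failure (shut Gi0/0 on 2921-1): `show standby brief` on both routers should show 2921-2 as Active for group 1, while `show failover` on the ASA should still show ASA5550-1 as the active unit, because nothing on the ASA's outside segment changed. The line-protocol track only catches a link that physically drops; if the ISP can take the path down while leaving the link up, track an IP SLA probe to the ISP next hop instead.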

ms01
Level 1

Hi Gerry,

Try object tracking with EEM. You have to inform your active firewall, and a simple way is to shut down the router interface.

Can you describe the connection to your ISP in more detail?

ISP---rt1--asa1/active
 |
 |
ISP---rt2--asa2/standby

Greetings
Michael

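The object-tracking-plus-EEM approach described above, as an added configuration example that is not part of the original reply. It keeps the original point-to-point cabling (no extra switch): 2921-1 probes the ISP next hop with an IP SLA, tracks reachability, and an EEM applet shuts the ASA-facing interface when the probe fails, so ASA5550-1 sees its outside link go down and its interface monitoring triggers failover to ASA5550-2 behind 2921-2. A second applet restores the interface when the uplink comes back. Interface names, the 203.0.113.1 next hop, the 192.0.2.0/30 link addressing and the applet names are assumptions for illustration; the ASA failover link itself is assumed to already be configured.

```cisco
! === 2921-1 (assumed: Gi0/0 = ISP uplink, Gi0/1 = point-to-point link to ASA5550-1 outside) ===
! Probe the ISP next hop rather than watching line-protocol alone, so an upstream
! outage with a still-up link is also detected
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
 delay down 15 up 30
!
interface GigabitEthernet0/1
 description point-to-point to ASA5550-1 outside
 ip address 192.0.2.1 255.255.255.252
!
! Uplink lost: shut the ASA-facing port so the ASA's outside interface goes down
event manager applet ISP-DOWN
 event track 1 state down
 action 1.0 syslog msg "ISP next hop unreachable - shutting Gi0/1 to force ASA failover"
 action 2.0 cli command "enable"
 action 3.0 cli command "configure terminal"
 action 4.0 cli command "interface GigabitEthernet0/1"
 action 5.0 cli command "shutdown"
 action 6.0 cli command "end"
!
! Uplink restored: bring the ASA-facing port back (ASA stays on the other unit
! until a failover is forced or the active unit fails, which is normal ASA behavior)
event manager applet ISP-UP
 event track 1 state up
 action 1.0 syslog msg "ISP next hop reachable - re-enabling Gi0/1"
 action 2.0 cli command "enable"
 action 3.0 cli command "configure terminal"
 action 4.0 cli command "interface GigabitEthernet0/1"
 action 5.0 cli command "no shutdown"
 action 6.0 cli command "end"
!
! === ASA5550 pair: make the outside interface a monitored interface and fail over
! as soon as one monitored interface is down ===
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.252
!
failover
monitor-interface outside
failover interface-policy 1
failover polltime interface 1 holdtime 5
```

Apply the mirror-image configuration on 2921-2. To test, block the SLA target (for example with a temporary ACL on Gi0/0) and watch `show track 1` flip to Down, `show event manager policy registered` confirm the applets are loaded, and `show failover` on the ASAs report ASA5550-2 as Active. Note the asymmetry: a router failing outright already drops the link and needs no EEM; the applet only covers the case where 2921-1 is alive but its path to the ISP is not.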

scottchang
Level 1

Hi Gerard,

Just put two switches between the routers and the firewalls, and also connect the two switches to each other; then you will have a fully redundant setup without any manual configuration when the Internet link goes down.
