Enthusiast

HSRP in a FO Situation

Hello,

We have HSRP configured between two switches (SW_A & SW_B):

    SW_A: VL 150 = 10.1.150.5, VIP = 10.1.150.4
    SW_B: VL 150 = 10.1.150.6, VIP = 10.1.150.4

Both of these switches are interconnected via a Port-Channel (802.1q) and we have an SVI for EIGRP peering between the two switches.

Two firewalls (FW_A & FW_B) are configured in FO. Each FW is attached to its own switch:

    FW_A/Active ---- SW_A: Default GW: 0.0.0.0/0 10.1.150.4
    FW_B/Standby ---- SW_B

We failed over the firewalls (FW_B/Active and FW_A/Standby).

We admin shut the interlink between SW_A & SW_B.

We lost connectivity to both firewalls and the Internet.

This event was done during a maintenance window, thus no impact to the business.

My question is: since SW_A was the HSRP primary/active switch and has the role of forwarding packets and being the default GW (VIP: 10.1.150.1) for FW_B (connected to SW_B), is the reason we lost connectivity that this firewall was trying to send traffic to the HSRP active switch, which was SW_A and disconnected from SW_B?

SW_A: HSRP Active role
FW_A: Prim/Standby role

SW_B: HSRP standby role
FW_B: Second/Active role

SW_A is disconnected from B

In this kind of situation, what is the solution to dynamically make SW_B become the active HSRP switch when the active FW is connected to it?

Thanks in advance,

~zK
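
One way to let SW_B take the HSRP active role dynamically, as an added example that is not part of this thread and not the poster's configuration: IOS object tracking on SW_A lowers its HSRP priority when its uplink toward the core fails, and SW_B preempts. The uplink interface name, track object number, priorities and timers are assumptions; the VLAN, addresses and VIP are the ones given in the post.

```cisco
! SW_A: intended HSRP active for VLAN 150.
! Track object 10 follows SW_A's uplink toward the core
! (interface name and object number are assumptions).
track 10 interface TenGigabitEthernet1/1 line-protocol
!
interface Vlan150
 ip address 10.1.150.5 255.255.255.0
 standby version 2
 standby 150 ip 10.1.150.4
 standby 150 priority 110
 ! Take active back only after the uplink has been stable for 60 s,
 ! so routing has time to converge before traffic moves again.
 standby 150 preempt delay minimum 60
 standby 150 timers 1 3
 ! Uplink down => priority 110 - 20 = 90, which is below SW_B's 100,
 ! so SW_B preempts and becomes the default gateway for the FWs.
 standby 150 track 10 decrement 20
!
! SW_B: standby under normal conditions, preempts when SW_A drops below 100.
interface Vlan150
 ip address 10.1.150.6 255.255.255.0
 standby version 2
 standby 150 ip 10.1.150.4
 standby 150 priority 100
 standby 150 preempt
 standby 150 timers 1 3
!
! Caveat: tracking the SW_A<->SW_B interlink (Po2 in this thread) does
! not achieve the same thing. VLAN 150 hellos only cross that trunk, so
! shutting it makes both switches go HSRP active in their own half of
! the VLAN; what should move the active role is the loss of the uplink.
```

The decrement must be larger than the priority gap between the two switches (here 110 versus 100), otherwise SW_A stays active with a dead uplink.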

VIP Mentor

Re: HSRP in a FO Situation

We need more information and a high-level diagram to understand which interface is connected where.

Does your FW sync link also go from the same switch? (How is your sync link connected?)

For reference, HSRP:

https://www.cisco.com/c/en/us/td/docs/switches/blades/3040/software/release/12-2_44_se/configuration/guide/swhsrp.html#wp1084266

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Campus/HA_campus_DG/hacampusdg.html#wp1108117

BB
*** Rate All Helpful Responses ***
Enthusiast

Re: HSRP in a FO Situation

Thanks for your quick response and the URLs.

When you say sync link, are you referring to the FO link? Each firewall has a physical interface configured for FO.

High-level diagram is attached.

Much appreciated.

~zK

VIP Mentor

Re: HSRP in a FO Situation

The links you mentioned, CORE_A and CORE_B?

Did you isolate all the links?

Yes, it's much clearer in this diagram. You have a dedicated link. What scenario did you configure for FW failover? Are you monitoring all the links here?

BB
Enthusiast

Re: HSRP in a FO Situation

FW_A FO Config:

!
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover link failover GigabitEthernet0/3
failover interface ip failover 10.10.10.1 255.255.255.252 standby 10.10.10.2

------------------------------

show fail

Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/3 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 6 of 1049 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.8(4)8, Mate 9.8(4)8

---------------------------

Enthusiast

Re: HSRP in a FO Situation

Since this was a planned maintenance to test the operation of the FO, we manually failed over the FWs (no failover active).

Best, ~zK

VIP Mentor

Re: HSRP in a FO Situation

Hello

Post a topology if possible; it would be easier to understand.

kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
Enthusiast

Re: HSRP in a FO Situation

@paul driver

 

I posted the topology in my previous post. Here it is attached.

 

Thanks in advance.

Best, ~zK

Enthusiast

Re: HSRP in a FO Situation

@paul driver 

@balaji.bandi 

 

Sorry! Yesterday, I posted the wrong diagram. I just posted the correct one.

- FWs were failed over (FW_A to FW_B)
- Po2 was admin shut
- Most of the user-data traffic from the Dist switches (SW_A & SW_B) to the Core switches (Core_A & Core_B) was taking the next-hop of the IP address assigned to Core_A (this is due to the fact that we are using L3-MEC)
- We lost connectivity to the FWs, Internet, and other edge devices

 

Thanks in advance for your input.

~zK

VIP Mentor

Re: HSRP in a FO Situation

If the link between Core and Core is shut down, you have an alternative path via Dist A or Dist B.

How is your L3 MEC configured between Core and Dist (what protocol are you using to exchange routes)?

I'd like to see the configuration here, in the first instance of all Cores and Dist.

BB
Enthusiast

Re: HSRP in a FO Situation

@balaji.bandi 

@paul driver

 

I got it figured out. Thanks for your time. Always appreciated.

 

~zK