We have HSRP configured between two switches (SW_A& SW_B)
SW_A: VL 150 = 10.1.150.5, VIP = 10.1.150.4
SW_B: VL 150 = 10.1.150.6, VIP = 10.1.150.4
Both of these switches are interconnected via a Port-Channel (802.1q) and we have an SVI for eigrp peering between the two switches.
Two firewalls (FW_A & FW_B) configured in FO. Each FW is attached it each switch
FW_A/Active ---- SW_: Default GW: 0.0.0.0/0 10.1.150.4
FW_B/Stndby ---- SW_B
We failed over the firewalls (FW_B/Active and FW_A/Stndby)
We admin shut the interlink between SW_A & SW_B
We lost connectivity to the both firewalls and the Internet
This event was done during a maintenance window, thus, no impact to the business
My question is: since SW_A was the HSRP primary/active switch and has the role of forwarding packets and being the default GW (VIP: 10.1.150.1) for FW_B (connected to SW_B), is the reason why we lost connectivity is because this firewall trying to send traffic to the HSRP active switch, which was SW_A and disconnected from SW_B?
SW_A: HSRP Active role
FW_A: Prim/Standby role
SW_B: HSRP standby role
FW_B: Second/Active role
SW_A is disconnected from B
In this kind of situation, what is the solution is dynamically make SW_B become the active HSRP switch when the active FW is connected to it?
Thanks in advance,
We need more information and a high-level diagram to understand what interface connected where?
Are your FW sync link also goes from same switch (how is your sync Link)
For reference HSRP :
Thanks for your quick response and the URLs.
When you say sync link are you referring to the FO link? Each firewall has a physical interface configured for FO.
High level diag is attached.
The Links you mentioned CORE_A and CORE_B?
Did you isolate all the links?
yes, it's much more clear in this diagram. you have a dedicated link. what scenario did you configure FW failover you monitoring all the links here?
FW_A FO Config:
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover link failover GigabitEthernet0/3
failover interface ip failover 10.10.10.1 255.255.255.252 standby 10.10.10.2
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/3 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 6 of 1049 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.8(4)8, Mate 9.8(4)8
post a topology if possible it would be easier to understand
Sorry! Yesterday, I posted the wrong diag. I just posted the correct one.
- FWs were failed over (FW_A to FW_B)
- Po2 was admin shut
- Most of the user-data traffic from the Dist switches (SW_A & SW_B) to the Core switches (Core_A & Core_B) was taking the next-hop of the IP address assigned to Core_A (this is due the fact that we are using L3-MEC )
- We lost connectivity to the FWs, Internet, and other edge devices
Thanks in advance for your input.
If the Link between Core to Core Shutdown.
you have alternative path via ( Dist A or Dist B)
how is your L3 MEC configured between Core and Dist ( what protocol you using to exchange routes?
i Like to see the configuration here. the first instance of all Cores and Dist.