Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
928
Views
0
Helpful
10
Replies

HSRP in a FO Situation

zekebashi
Level 4
Level 4

‎01-24-2020 12:57 PM

Hello,

 

We have HSRP configured between two switches (SW_A& SW_B)

    SW_A: VL 150 = 10.1.150.5, VIP = 10.1.150.4 

    SW_B: VL 150 = 10.1.150.6, VIP = 10.1.150.4

Both of these switches are interconnected via a Port-Channel (802.1q) and we have an SVI for eigrp peering between the two switches.

 

Two firewalls (FW_A & FW_B) configured in FO. Each FW is attached it each switch

     FW_A/Active ---- SW_: Default GW: 0.0.0.0/0 10.1.150.4

     FW_B/Stndby ---- SW_B

 

We failed over the firewalls (FW_B/Active and FW_A/Stndby)

We admin shut the interlink between SW_A & SW_B

We lost connectivity to the both firewalls and the Internet

This event was done during a maintenance window, thus, no impact to the business

 

My question is: since SW_A was the HSRP primary/active switch and has the role of forwarding packets and being the default GW (VIP: 10.1.150.1) for FW_B (connected to SW_B), is the reason why we lost connectivity is because this firewall trying to send traffic to the HSRP active switch, which was SW_A and disconnected from SW_B?

 

SW_A: HSRP Active role

FW_A: Prim/Standby role

 

SW_B: HSRP standby role

FW_B: Second/Active role

 

SW_A is disconnected from B

 

In this kind of situation, what is the solution is dynamically make SW_B become the active HSRP switch when the active FW is connected to it?

 

Thanks in advance,

~zK

 

 

Labels:
0 Helpful
10 Replies 10

balaji.bandi
Hall of Fame
Hall of Fame

‎01-24-2020 01:17 PM - edited ‎01-24-2020 01:18 PM

We need more information and a high-level diagram to understand what interface connected where?

Are your FW sync link  also goes from same switch (how is your sync Link)

 

For reference  HSRP :

 

https://www.cisco.com/c/en/us/td/docs/switches/blades/3040/software/release/12-2_44_se/configuration/guide/swhsrp.html#wp1084266

 

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Campus/HA_campus_DG/hacampusdg.html#wp1108117

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

zekebashi
Level 4
Level 4
In response to balaji.bandi

‎01-24-2020 01:54 PM - edited ‎01-30-2020 08:17 AM

Thanks for your quick response and the URLs.

 

When you say sync link are you referring to the FO link? Each firewall has a physical interface configured for FO.

 

High level diag is attached.

 

Much appreciated.

~zK

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to zekebashi

‎01-24-2020 02:35 PM

The Links you mentioned CORE_A and CORE_B?

 

Did you isolate all the links?

 

yes, it's much more clear in this diagram. you have a dedicated link. what scenario did you configure FW failover you monitoring all the links here?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

zekebashi
Level 4
Level 4
In response to balaji.bandi

‎01-24-2020 03:12 PM - edited ‎01-24-2020 08:53 PM

FW_A FO Config:

!

failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover link failover GigabitEthernet0/3
failover interface ip failover 10.10.10.1 255.255.255.252 standby 10.10.10.2

------------------------------

show fail


Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/3 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 6 of 1049 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.8(4)8, Mate 9.8(4)8

---------------------------

0 Helpful

zekebashi
Level 4
Level 4
In response to balaji.bandi

‎01-24-2020 03:14 PM

Since this was a planned maintenance to test the ops of the FO, we manually failedover the FWs (no failover active)

 

 

Best, ~zK

0 Helpful

paul driver
VIP
VIP

‎01-24-2020 03:04 PM

Hello

post a topology if possible it would be easier to understand 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

zekebashi
Level 4
Level 4
In response to paul driver

‎01-24-2020 03:06 PM - edited ‎01-30-2020 08:16 AM

@paul driver

 

I posted the topology in my previous post. Here it is attached.

 

Thanks in advance.

Best, ~zK

0 Helpful

zekebashi
Level 4
Level 4
In response to zekebashi

‎01-25-2020 01:32 PM

@paul driver 

@balaji.bandi 

 

Sorry! Yesterday, I posted the wrong diag. I just posted the correct one.

-  FWs were failed over (FW_A to FW_B)

-  Po2 was admin shut

-  Most of the user-data traffic from the Dist  switches (SW_A & SW_B) to the Core switches (Core_A & Core_B) was taking the next-hop of the IP address assigned to Core_A (this is due the fact that we are using L3-MEC ) 

-  We lost connectivity to the FWs, Internet, and other edge devices

 

Thanks in advance for your input.

~zK

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to zekebashi

‎01-25-2020 03:56 PM

If the Link between Core to Core Shutdown.

 

you have alternative path via ( Dist A or Dist B)

 

how is your L3 MEC configured between Core and Dist ( what protocol you using to exchange routes?

 

i Like to see the configuration here. the first instance of all Cores and Dist.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

zekebashi
Level 4
Level 4
In response to balaji.bandi

‎02-03-2020 08:37 AM

@balaji.bandi 

@paul driver

 

I got it figured it. Thanks for your time. Always appreciated.

 

~zK

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card