Solved: OSPF Route Issue

karamalomari · ‎05-31-2022

I have a Router that is connected to High Availability Firewall using 2 different interfaces on the Router.

The interfaces are layer 3 interfaces with the HA Firewall.

The router is receiving the internal routes from the Firewall on both Interfaces.

The routes are preferred on the router from the second interface and I would like to change it to first interface.

When giving the command on Second Interface

show ip ospf interface g0/2 | inc Cost

The output:

Process ID 1, Router ID 10.10.10.1, Network Type BROADCAST, Cost: 1

Also, when giving the command on First Interface

show ip ospf interface g0/2 | inc Cost

The output:

Process ID 1, Router ID 10.10.10.1, Network Type BROADCAST, Cost: 1

Now the question I want the router to prefer the first interface not the second interface, so can I do that by increasing the cost under Second Interface? or is there a different way?

MHM Cisco World · ‎06-15-2022

as mention before, ASA HA work as Active/standby and ONLY active is forward traffic the standby is not until failover happened.

FW default route toward WAN router 
FW subent route toward Core SW

in WAN router


static route toward active ASA interface.

remember that during the failover the standby will use previous active ip and that make WAN router never detect change and you don't have any issue with FW.

View solution in original post

Jon Marshall · ‎05-31-2022

That would be the best way to do it, so just increase the cost on the second interface.

Jon

Flavio Miranda · ‎05-31-2022

Hi

To prefer the first interface, change the cost of second interface

R1#conf t
R1(config)#int gi0/2
R1(config-if)#ip ospf cost 10

Now, something seems weird in this example.

The cost will interfere on the router sending traffic. You mention that the router has two interface to the same firewall cluster with different IP address?

Can you share this topology just for curiosity?

balaji.bandi · ‎05-31-2022

Now the question I want the router to prefer the first interface not the second interface, so can I do that by increasing the cost under Second Interface?

Certain degree you have answered some point here.

But what happends if the fail over take place, and Firewall seconday become active ? (stay as active ?) - you going to change again manually cost ?

or is there a different way?

Not sure at this stage. until we see clear picture of topology here ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

MHM Cisco World · ‎05-31-2022

the config is wrong !!
the router have two interface toward ASA active/standby,
this make failover is not work ever.
the ASA active and standby must share same subnet and hence the router will connect via one interface.

the solution for you case is
ASA active/active this give you the choice to config two router interface to both ASA.

paul driver · ‎05-31-2022

Hello

although the ospf interface cost can influence path cost in this case the active path should be based on the active primary FW in the HA cluster

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

karamalomari · ‎06-01-2022

I will prepare the topology and share today for clear understanding.

Just to mention that we have

 3 x WAN Routers --> 2 x L2 Switches --> Firewalls (Active/Standby).

The reason to use L2 switch is the firewall doesn't have enough fiber ports to connect the 3 WAN Routers.

All the connections are full mesh from

3 x WAN RTR's --> 2 x L2 Switches --> FW's.

MHM Cisco World · ‎06-01-2022

can I ask why OSPF not static route ?

karamalomari · ‎06-14-2022

The reason the client wants dynamic routing all the way from

WAN Routers --> FW --> Data Center.

In order to have full mesh from the

3 WAN Routers --> FW --> Data Center

we need to connect each WAN router to the FW's and since the FW doesn't have enough Fiber ports we have to use L2 switches in between as a HUB for the connection.

I hope this explains the setup in the best way possible. I will try to share the layout but I am out of the office on emergency leave.

MHM Cisco World · ‎06-15-2022

as mention before, ASA HA work as Active/standby and ONLY active is forward traffic the standby is not until failover happened.

FW default route toward WAN router 
FW subent route toward Core SW

in WAN router


static route toward active ASA interface.

remember that during the failover the standby will use previous active ip and that make WAN router never detect change and you don't have any issue with FW.