routing from Cisco router to firewall Active/Passive

Jerome C.
Level 1

Hello

I have a provider router connected to my router on interface gi0/0/0. On my router, I have a connection from Gi0/0/1 to an interface on my active firewall and a connection from Gi0/0/2 to an interface on my passive firewall.

How can I configure my router for:

- traffic from the WAN through Myrouter_Gi0/0/1 to ActiveFW_eth0 (normal mode)

- traffic from the WAN through Myrouter_Gi0/0/2 to PassiveFW_eth0 when I restart my active firewall (version upgrade for example). I try to have a configuration where the communication continues between my router and my firewall cluster even when my active firewall is unreachable (during a boot).

BR

9 Replies

Seb Rupik
VIP Alumni

Hi there,
The Active/Passive interfaces must have IP addresses in the same subnet.
If your router supports Layer2 switchport and SVIs then it should be trivial to connect the firewall to Gi0/0/1-2 and have them both configured in the same VLAN.

If your router only has routed interfaces, you will need to use a BVI. Configure Gi0/0/1-2 in the same bridge group and configure a BVI with an IP address in the same subnet as the Active/Passive firewall interfaces.

 

cheers,
Seb.
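As an added illustration of the bridge-group/BVI approach described above (this is constructed example configuration, not from the thread or from either poster), the two firewall-facing ports are put into one Layer-2 bridge and the router's own address lives on the bridge interface, so whichever firewall is currently active answers on the shared segment and the router never has to be told which port to use. The 192.0.2.0/24 addressing, OSPF process 1 and area 0 are assumptions. The first variant assumes a platform that supports IRB/BVI; ISR 4000 and ASR 1000 series routers (where Gi0/0/x naming is common) do not support BVI and use bridge domains with a BDI interface instead, shown as the second variant. Apply only one of the two.

```cisco
! ---- Variant A: classic IOS with integrated routing and bridging (BVI) ----
! Enable IRB and allow IP to be routed on the bridge.
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
! Both firewall-facing ports are pure Layer-2 members of bridge group 1.
interface GigabitEthernet0/0/1
 description ActiveFW eth0
 no ip address
 bridge-group 1
!
interface GigabitEthernet0/0/2
 description PassiveFW eth0
 no ip address
 bridge-group 1
!
! The router's address on the firewall segment (assumed 192.0.2.0/24).
interface BVI1
 description Firewall HA pair segment
 ip address 192.0.2.1 255.255.255.0
!
! OSPF peers with whichever firewall currently owns the cluster address.
router ospf 1
 router-id 192.0.2.1
 network 192.0.2.0 0.0.0.255 area 0
!
! ---- Variant B: IOS-XE (ISR 4000 / ASR 1000) with bridge domain and BDI ----
interface GigabitEthernet0/0/1
 description ActiveFW eth0
 no ip address
 service instance 1 ethernet
  encapsulation untagged
  bridge-domain 1
!
interface GigabitEthernet0/0/2
 description PassiveFW eth0
 no ip address
 service instance 1 ethernet
  encapsulation untagged
  bridge-domain 1
!
interface BDI1
 description Firewall HA pair segment
 ip address 192.0.2.1 255.255.255.0
!
router ospf 1
 router-id 192.0.2.1
 network 192.0.2.0 0.0.0.255 area 0
```

After applying, `show bridge` (Variant A) or `show bridge-domain 1` (Variant B) should list the MAC address of the active firewall's interface behind the correct port, and `show ip ospf neighbor` should show a single FULL neighbor on BVI1 or BDI1. When the pair fails over, that MAC and the OSPF neighbor move to the other port; the router learns this on its own because the two ports are one broadcast domain, which is exactly what removes the need for any per-port routing on the router.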

Hello

 

Currently I have this configuration. But this morning, when I upgraded the version of my passive firewall, the communication has been lost from the WAN (from my provider)...

 

BR

Perhaps the Passive was in fact the Active? Either way the failover should prevent this failure from occurring.

 

Did the ISR router completely lose its OSPF adjacency with the ASAs?

To be honest, I don't know. I was able to connect to my router from the WAN but the firewall was unreachable until the passive FW came back. But the OSPF configuration on the firewall is defined at cluster level...

Like most HA, it *should* work!

 

Now that the FW pair is reachable again, can you share the output of sh failover history for both devices?

the FW is not a Cisco FW but Palo Alto

It certainly sounds like it was the active device that was upgraded if an outage was seen. When upgrading Palo Alto in HA you need to ensure you disable preempt on both boxes to avoid unexpected reboots.

I'm sure I have upgraded the passive firewall....

hmmm, take a look in the ISR logs:

sh log | inc OSPF

...do the timestamps between the state change from FULL to DOWN and then back to LOADING to FULL correspond to your outage?
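To make the log check suggested above actually answerable, the ISR needs wall-clock timestamps and enough buffered history, and it helps to have adjacency drops stand out. The following is an added example configuration, not from the thread or from any poster; the time zone, NTP server address, OSPF process number and applet name are assumptions.

```cisco
! Stamp log entries with synchronized wall-clock time and milliseconds.
! Without "datetime", the buffer shows uptime-relative stamps that cannot
! be matched against the time the outage was noticed.
service timestamps log datetime msec localtime show-timezone
clock timezone CET 1 0
!
! Assumed NTP source so the router clock agrees with the firewall clocks.
ntp server 192.0.2.10
!
! Keep a large enough local buffer that the event survives until someone
! looks; informational level is needed because OSPF-5-ADJCHG is severity 5.
logging buffered 65536 informational
!
! Re-emit every FULL -> DOWN adjacency change as a warning so it is easy
! to filter, and so it reaches a syslog collector set to "warnings".
event manager applet OSPF-ADJ-DOWN
 event syslog pattern "%OSPF-5-ADJCHG: .* from FULL to DOWN"
 action 1.0 syslog priority warnings msg "Firewall OSPF adjacency lost: $_syslog_msg"
```

With this in place, `show logging | include ADJCHG` returns a pair of lines per outage; a constructed example of the first one, to show the shape being searched for, is `Jan 10 08:15:22.101 CET: %OSPF-5-ADJCHG: Process 1, Nbr 192.0.2.2 on BVI1 from FULL to DOWN, Neighbor Down: Dead timer expired`. The neighbor address and the interface name tell you which unit dropped; the gap between that line and the later `from LOADING to FULL` line is the period during which the router had no route through the firewall pair, which is the window the thread is asking about.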
