Beginner

routing from Cisco router to firewall Active/Passive

Hello

I have a provider router connected to my router on interface gi0/0/0. On my router, I have a connection from Gi0/0/1 to an interface on my active firewall and a connection from Gi0/0/2 to an interface on my passive firewall.

How can I configure my router for:

- traffic from the WAN through Myrouter_Gi0/0/1 to ActiveFW_eth0 (normal mode)

- traffic from the WAN through Myrouter_Gi0/0/2 to PassiveFW_eth0 when I restart my active firewall (version upgrade, for example). I am trying to have a configuration where the communication continues between my router and my firewall cluster even when my active firewall is unreachable (during a boot).

BR

9 REPLIES
VIP Advisor

Hi there,
The Active/Passive interfaces must have IP addresses in the same subnet.
If your router supports Layer2 switchport and SVIs then it should be trivial to connect the firewall to Gi0/0/1-2 and have them both configured in the same VLAN.

If your router only has routed interfaces, you will need to use a BVI. Configure Gi0/0/1-2 in the same bridge group and configure a BVI with an IP address in the same subnet as the Active/Passive firewall interfaces.

cheers,
Seb.

Hello

Currently I have this configuration. But this morning, when I upgraded the version of my passive firewall, the communication was lost from the WAN (from my provider)...

BR


Perhaps the Passive was in fact the Active? Either way the failover should prevent this failure from occurring.


Did the ISR router completely lose its OSPF adjacency with the ASAs?

To be honest, I don't know. I was able to connect to my router from the WAN, but the firewall was unreachable until the passive FW came back. But the OSPF configuration on the firewall is defined at cluster level...


Like most HA, it *should* work!


Now that the FW pair is reachable again, can you share the output of sh failover history for both devices?


the FW is not a Cisco FW but Palo Alto


It certainly sounds like it was the active device that was upgraded if an outage was seen. When upgrading Palo Alto in HA, you need to ensure you disable preempt on both boxes to avoid unexpected reboots.

I'm sure I have upgraded the passive firewall....


hmmm, take a look in the ISR logs:

sh log | inc OSPF


...do the timestamps between the state change from FULL to DOWN and then back to LOADING to FULL correspond to your outage?
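The timestamp check suggested above, as an added example that is not part of the thread: a small Python parser for the ISR's %OSPF-5-ADJCHG log lines that pairs each FULL to DOWN transition with the next return to FULL for the same neighbour and interface, so the adjacency loss can be compared with the reported outage window. The log lines, neighbour address and interface are constructed samples; the year is an assumption because IOS timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sample of `sh log | inc OSPF` output on an ISR; not taken from the thread.
SAMPLE_LOG = """\
Jun 12 08:58:14.101: %OSPF-5-ADJCHG: Process 1, Nbr 10.10.10.2 on GigabitEthernet0/0/1 from LOADING to FULL, Loading Done
Jun 12 09:15:02.455: %OSPF-5-ADJCHG: Process 1, Nbr 10.10.10.2 on GigabitEthernet0/0/1 from FULL to DOWN, Neighbor Down: Dead timer expired
Jun 12 09:21:47.913: %OSPF-5-ADJCHG: Process 1, Nbr 10.10.10.2 on GigabitEthernet0/0/1 from LOADING to FULL, Loading Done
"""

# Matches the IOS %OSPF-5-ADJCHG message; a leading '*' (clock not authoritative)
# and the millisecond part of the timestamp are optional.
ADJCHG = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d+)?: "
    r"%OSPF-5-ADJCHG: Process \d+, Nbr (?P<nbr>\S+) on (?P<intf>\S+) "
    r"from (?P<old>[A-Z]+) to (?P<new>[A-Z]+)"
)


def parse_adjchg(log_text, year=2020):
    """Return (timestamp, neighbour, interface, old_state, new_state) tuples.
    The year is supplied by the caller (assumption) since IOS logs omit it."""
    events = []
    for line in log_text.splitlines():
        m = ADJCHG.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["nbr"], m["intf"], m["old"], m["new"]))
    return events


def adjacency_outages(events):
    """Pair each FULL->DOWN with the next return to FULL for the same neighbour/interface."""
    down_since, outages = {}, []
    for ts, nbr, intf, old, new in sorted(events):
        key = (nbr, intf)
        if old == "FULL" and new == "DOWN":
            down_since[key] = ts
        elif new == "FULL" and key in down_since:
            start = down_since.pop(key)
            outages.append({"nbr": nbr, "intf": intf, "down": start, "up": ts,
                            "seconds": int((ts - start).total_seconds())})
    return outages


def overlaps_window(outage, start, end):
    """True if the adjacency loss overlaps the user-reported outage window."""
    return outage["down"] <= end and outage["up"] >= start
```

On the sample, `adjacency_outages(parse_adjchg(SAMPLE_LOG))` reports one loss on GigabitEthernet0/0/1 lasting 405 seconds; an outage that matches the reported WAN loss points at the adjacency, one that does not points elsewhere (for example at the firewall HA failover itself).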