I have a provider router connected on my router on interface gi0/0/0. On my router, I have a connection between Gi0/0/1 to an interface on my active firewall and I have a connection between Gi0/0/2 to an interface on my passive firewall.
How can I configure my router for:
- traffic from the WAN through Myrouter_Gi0/0/1 to ActiveFW_eth0 (normal mode)
- traffic from the WAN through Myrouter_Gi0/0/2 to PassiveFW_eth0 when I restart my active firewall (version upgrade, for example). I am trying to have a configuration where the communication continues between my router and my firewall cluster even when my active firewall is unreachable (during a boot).
The Active/Passive interfaces must have IP addresses in the same subnet.
If your router supports Layer2 switchport and SVIs then it should be trivial to connect the firewall to Gi0/0/1-2 and have them both configured in the same VLAN.
If your router only has routed interfaces, you will need to use a BVI. Configure Gi0/0/1-2 in the same bridge group and configure a BVI with an IP address in the same subnet as the Active/Passive firewall interfaces.
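As an added illustration (not configuration from the original poster or from the answer above), here is what the bridge-group/BVI approach looks like in classic Cisco IOS IRB syntax, with the switchport/SVI alternative shown for comparison. The addressing (192.0.2.0/24), bridge group number, VLAN number and OSPF process are assumed placeholders; the ISR 4000 family running IOS-XE may instead require the bridge-domain/BDI form of the same idea, so check the platform's documentation before applying it.

```cisco
! ---- Option A: routed-only router, bridge Gi0/0/1 and Gi0/0/2 with a BVI ----
! Assumed addressing: router BVI 192.0.2.1, firewall cluster interface 192.0.2.10
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
interface GigabitEthernet0/0/1
 description To ActiveFW eth0
 no ip address
 bridge-group 1
!
interface GigabitEthernet0/0/2
 description To PassiveFW eth0
 no ip address
 bridge-group 1
!
interface BVI1
 description L3 gateway for the firewall HA pair
 ip address 192.0.2.1 255.255.255.0
!
! OSPF peers with whichever ASA currently owns the cluster IP/MAC on the bridge
router ospf 1
 network 192.0.2.0 0.0.0.255 area 0
!
! ---- Option B: router with switchports, same VLAN plus an SVI ----
vlan 10
 name FW-HA
!
interface GigabitEthernet0/0/1
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/0/2
 switchport mode access
 switchport access vlan 10
!
interface Vlan10
 ip address 192.0.2.1 255.255.255.0
!
! ---- Verification after a failover test ----
! show bridge 1            (both ports forwarding, firewall MAC learned on the new port)
! show ip ospf neighbor    (adjacency re-formed with the surviving unit)
! show log | inc OSPF      (state changes should line up with the failover time)
```

In both options the firewall pair keeps one shared address on a single broadcast domain, so when the active unit reboots the passive unit takes over that address and the router simply relearns the MAC on the other port; nothing on the router needs to change during the failover.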
Perhaps the Passive was in fact the Active? Either way the failover should prevent this failure from occurring.
Did the ISR router completely lose its OSPF adjacency with the ASAs?
To be honest, I don't know. I was able to connect to my router from the WAN, but the firewall was unreachable until the passive FW came back. But the OSPF configuration on the firewall is defined at cluster level...
Like most HA, it *should* work!
Now that the FW pair is reachable again, can you share the output of sh failover history for both devices?
hmmm, take a look in the ISR logs:
sh log | inc OSPF
...do the timestamps between the state change from FULL to DOWN and then back to LOADING to FULL correspond to your outage?