They are on the same subnet. 

R1: 10.10.10.2
R2: 10.10.10.3
CE: 10.10.10.4

"They are on the same subnet."

Exactly how, as you show 6 interfaces?

Thanks @Giuseppe Larosa 

On R1 and R2 BDI interfaces are used. R1 and R2 are directly connected to each ether and the same bridge ID is allowed on this direct link. R1 is connected to to CE which is a firewall, and I don't have access to. My concerns was about the L2 management protocols is they always allowed on a firewall VLAN interface (spanning-tree, VRRP, etc) or an explicit permit policy has to be implemented. R1 is connected to CE via a L2 switch X. R2 is connected to  to CE via a another L2 switch Y. I don't have access to either of these switches. 

I dont have problem with IRB or VRRP configuration. But thanks for links sharing

Hello @Ab26 ,

just to understand also R1's link to L2 switch X is in the same bridge domain as the R1-R2 direct link ?

And the same happens for R2's link to switch Y ?

I would implement a link between switch X and switch Y, with a L2 link between them what the FW does on its interfaces becomes less important.

However, if the FW blocks STP BPDUs to flow between its two interfaces to switch X and to switch Y this can create issues.

Check what you see on Switch X and Swich Y including what MAC addresses are learned on each interface.

if the FW is actually a FW HA pair , only one link is active and it is the only one where a MAC address is learned.

Hope to help

Giuseppe

It's correct as you wrote, all interfaces are in the same VLAN (or bridge-domain), say VLAN 10.

The L2 switches should be connected to each other, but unfortunately I don't have access them nor the FW and the customer won't share their internal set up 

Hello @Ab26 ,

provide an advice to the customer that a link between Switch X and Switch Y is highly recommended in order to make VRRP communications not depending on FW settings either default settings or explicit config.

Ask them also if the FW is actually an HA pair or a form of cluster ( active/active) because this is important info to take in account.

Hope to help

Giuseppe

@Giuseppe Larosa has twice recommended a L2 link between switches X and Y (for other readers, those switchrs aren't shown on OP diagram), which will insure you have L2 path redundancy (allowing VRRP to operate correctly).  However, for optimal operation, you'll want to logically block a specific L2 link to preclude traffic needing to transit that link or network devices.  For example if R1 is the active gateway, do you want traffic to transit R2?

Thanks @Joseph W. Doherty! I work for a service provider and the network is way more complicated than what I've shared here. I try not to over complicate things when I write a post here in Cisco Community. Instead, I try to ask specific questions that I've concern about. But I understand that this platform should be useful for anyone who has a similar problem.

In my case, yes I want R1 to remain the active GW and it's OK that the traffic passes from R2 to R1 as this is by design to our core network. Everything on the CE side I don't have access to, I can only provide recommendations to our customer and if something won't work, then I have to tell them in advance 

Unclear what your CE/FW is doing at L2.

Given what you posted, and assuming R1<>R2 is good, what happens if either CE<>R1 or CE<>R2 is broken?

Good question, however these links are out of my responsibly. I assume that the FW is set up as HA with L2 connection to 2 switches and then to R1 and R2. If the link between CE to R1 fails the traffic will go to R2 then to R1 as R1 will remain the primary VRRP in this case.

---

@Ab26 wrote:

Good question, however these links are out of my responsibly. I assume that the FW is set up as HA with L2 connection to 2 switches and then to R1 and R2. If the link between CE to R1 fails the traffic will go to R2 then to R1 as R1 will remain the primary VRRP in this case.

---

Well, as you don't know the expected behavior for losing CE connection is, cannot really say what the expected behavior will be for losing the router to router link.

Again, normally what you showed is a triangle L2 loop, and for it to function correctly, one of the links needs to be either physically or logically down.  The router to router link being physically or logically down would meet that requirement, but for correct operation the two CE connected links would need to provide L2 between the two routers.