
Zone Based Firewall and HSRP

Jason Tidwell
Level 1

All,

I have a retail customer that has 2 routers at each store location running HSRP. Each router has a T1 to the internet and a DMVPN tunnel back to corporate, and both routers are running ZBF. Under normal circumstances this works well. But in a failover situation, when the T1 on Router 1 fails, HSRP makes Router 2 the 0.0.0.0 route. Traffic originating from the LAN uses Router 1 as the default gateway, so they are still sourcing from Router 1. Return traffic in a failover scenario comes through Router 2 to get back to the LAN side. This would be fine, except ZBF on Router 2 never sees the request, so it blocks the return traffic. The only way I have been able to get this to work is to pass the traffic instead of inspecting it within ZBF. But this defeats the purpose of traffic inspection. I am at a loss as to how to get this solution to work.


7 Replies

wzhang
Cisco Employee (accepted solution)

Hi,

What you need here is stateful failover for the firewall feature. Unfortunately that's only supported in the classic IOS firewall and not for the Zone Based firewall, see http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_sfo.html.

Thanks,

Wen

Hi Wen,

Thank you for sharing this information! As a Cisco employee, do you perhaps have any internal information whether a stateful failover feature for CBAC/Zone Based Firewall is being considered?

Best regards,

Peter

Hi Peter,

Zone Based Firewall stateful HA support is being considered, and last I checked it is on the roadmap to be implemented in a 15M/T release sometime in mid-2011. That said, please don't quote me on this, as the standard "I don't represent the official Cisco view" disclaimer applies. I would suggest you contact your Cisco rep to confirm this and help make the business case for it.

Thanks,

Wen

Hi Wen,

Thank you very much for the info.

That said, please don't quote me on this, as the standard "I don't represent the official Cisco view" disclaimer applies.

Surely, I am taking it that way.

Best regards,

Peter

Does anyone have any news regarding this feature?

It would be great to have stateful failover for ZBFW w/ HSRP.

Thanks for your insight, Wen.  I had considered a similar config.  But I was hoping that we could achieve this somehow with ZBF.  I will test this config and see if I get any better outcome.  Thanks again.

Hi,

Unfortunately there's really no other way around this. The firewall (classic or ZBF) is stateful by definition, so it can't work with asymmetric connections. For now we are stuck with doing this with the classic firewall until the HA feature is added for ZBF.

Thanks,

Wen
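The following Python model is an added illustration, not code from the original post, from Cisco, or from IOS; it reproduces the failure mode Jason describes in the opening post and the point Wen makes in the last reply (a stateful firewall cannot tolerate asymmetric paths without state sync). Two routers each run a firewall in one of three constructed modes: stateful "inspect" with no state sharing (the customer's failover problem), stateless "pass" (the workaround that gives up inspection), and "inspect" with a hypothetical session-replication peer standing in for the stateful-failover feature Wen says only the classic IOS firewall had at the time. The IP addresses and port numbers are constructed sample data; the `peer` hook is an abstraction of state sync, not a real IOS command.

```python
"""Toy model of HSRP failover in front of a stateful (zone-based) firewall.

Added illustration, not code from the original post or from Cisco.  The
addresses, the "peer" state-replication hook and the "pass" mode are
constructed for the demonstration and do not map to IOS commands.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """5-tuple; frozen so it can be stored in a session set."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def reverse(self) -> "Packet":
        """The return-direction tuple the firewall has to match."""
        return Packet(self.dst, self.dport, self.src, self.sport, self.proto)


@dataclass
class ZoneFirewall:
    """Firewall on one router.

    mode="inspect": stateful, like ZBF 'inspect' on the LAN->WAN zone pair.
    mode="pass":    stateless allow, like ZBF 'pass' (the poster's workaround).
    peer:           hypothetical state-sync partner; stands in for the
                    stateful-failover feature discussed in the thread.
    """
    name: str
    mode: str = "inspect"
    sessions: set = field(default_factory=set)
    peer: Optional["ZoneFirewall"] = None

    def lan_to_wan(self, pkt: Packet) -> bool:
        """Outbound from the trusted zone: always allowed; record the session."""
        if self.mode == "inspect":
            self.sessions.add(pkt)
            if self.peer is not None:
                self.peer.sessions.add(pkt)   # replicate the new session to the peer
        return True

    def wan_to_lan(self, pkt: Packet) -> bool:
        """Inbound from the untrusted zone: only replies to known sessions."""
        if self.mode == "pass":
            return True                        # no inspection at all
        return pkt.reverse() in self.sessions  # stateful match on the reverse tuple


def simulate(mode: str, sync: bool) -> dict:
    """Run the scenario from the original post and report what R2 does."""
    r1 = ZoneFirewall("R1", mode)
    r2 = ZoneFirewall("R2", mode)
    if sync:
        r1.peer, r2.peer = r2, r1

    # Constructed addresses: RFC 1918 LAN host, documentation-range Internet hosts.
    client = Packet("10.1.1.50", 40000, "203.0.113.10", 443)

    # The LAN host still uses R1 (HSRP active) as its default gateway.
    r1.lan_to_wan(client)

    # R1's T1 drops; the server's reply now enters on R2's WAN interface.
    reply = client.reverse()
    return_allowed = r2.wan_to_lan(reply)

    # An unsolicited inbound connection to the LAN, to show what 'pass' gives up.
    scan = Packet("198.51.100.7", 5555, "10.1.1.50", 3389)
    unsolicited_allowed = r2.wan_to_lan(scan)

    return {"return_allowed": return_allowed,
            "unsolicited_allowed": unsolicited_allowed}


if __name__ == "__main__":
    for mode, sync in (("inspect", False), ("pass", False), ("inspect", True)):
        print(f"mode={mode:7} sync={sync!s:5} -> {simulate(mode, sync)}")
```

Running it shows the three outcomes side by side: inspect without sync drops the legitimate reply on R2 (the customer's symptom), pass lets the reply through but also admits the unsolicited inbound connection (why the workaround defeats inspection), and inspect with session replication allows the reply while still blocking the unsolicited packet.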
