Cisco SDWAN cEdges in Active/Active mode

jresende · ‎01-04-2022

Hi Community,

I have a topology where we have two Cisco IOS-XE SDWAN, in active/active mode.

This SDWAN routers has ZBFW feature enabled, and all firewall rules are in inspect mode.

The LAN interfaces of Both SDWAN Routers are connected to the same CORE Switch.

From Core switch to SDWAN routers, there default routes configured, with the same administrative distance, and from SDWAN routers to Core the same.

The Preference configuration for tunnel interfaces, SDWAN traffic, are the same.

In other words, the traffic from LAN to Internet and from LAN to SDWAN fabric, are totally load balancing, in/out traffic passing through both SDWAN routers at the same time. in attachment a draw for a better understanding.

In all Cisco documentation, configuration guides, I always have seen that is advised to use high availability mode, active/passive.

At the site, we had some applications which have been impacted, due inspect action enabled and the traffic passing through different routers at the same time.

My idea is to suggest internally, to configure the SDWAN routers in active/standy mode, however I have not find any Cisco documentation saying that is not advised to use active/active when we have inspection/stateful firewall configured.

Does anyone has any Cisco documentation where I can base myself and sell this idea?

swilke318 · ‎06-29-2022

Any luck here? We are pretty much in the same boat. I've never been able to get the ZBFW working with the HA scenario and just route up to an ASA. I haven't tested on the later releases nor have I seen any type of documentation detailing how to accomplish an HA scenario with ZBFW enabled. I have all but thrown in the towel and will probably deploy a couple firepower units to handle the firewalling at my HA sites.