Showing results for 
Search instead for 
Did you mean: 

Get the latest new and information the November issue of the Cisco Small Business Monthly Newsletter


SA540 Firewall Rules Fail when Optional Port Configured to Failover

Today, I configured a client's SA540 for failover.  The primary WAN port is FIOS with a static IP address.  The optional port is Road Runner cable with a static IP address.  The failover tested successfully.  However, now the SA540 cannot be accessed on its internal IP address ( and none of the firewall rules work any longer.  There are several rules but to name two; remote desktop port forwarding to an internal server, and HTTPS to another internal server.  Both rules use IP addresses different than the SA540's WAN IP address.  Additional external IP addresses were configured previously and assigned and they worked up to the point were the failover was configured.

Now here is the strange part.  If the optional port cable is removed from the port, everything returns to normal, but plug it back in and problems.  I even tried disabling failover in the SA540's configuration and it made no difference unless the cable was unplugged.

As you might imagine the client is upset about this.  Anyone have any ideas? 

The firmware is 2.1.18.


PS.  About an hour after I posted this, I tried moving the remote desktop external connection from one of the additional IP addresses configured in the SA540 to the dedicated WAN address and remote desktop sessions were then forwarded into the correct server.  Apparently, the additional IP addresses are not working with the two ISP failover configured, or at least it doesn't work in my configuration.  Any help on this would be much appreciated.  The additional IP addresses are configured in the same subnet as the dedicated (primary) WAN port.   Again, this worked until failover with another ISP was configured.

Everyone's tags (3)
Cisco Employee

SA540 Firewall Rules Fail when Optional Port Configured to Failo

Hi Anthony,

Could you please upgrade your box to the latest MR4 RC1 image first, and

let me know if the issue is resolved. At meanwhile we are looking into your


Please follow the instruction below to obtain the firmware:




Re: SA540 Firewall Rules Fail when Optional Port Configured to F

It was updated several days ago.  If you have the diagnostics data I sent to Quendale, you will see that the router has the updated firmware, MR4 RC1.  It did not resolve the problem.  There is now an escalated case with Cisco TAC.  It seems I turned up a big problem. 

Thank you,

Tony Lombardi


SA540 Firewall Rules Fail when Optional Port Configured to Failo

This issue has been resolved. After much testing and discussions with the great guys at Cisco TAC, we determined that Verizon FIOS is doing something on their routers to defeat use of IP aliasing. If you have FIOS and you must have more than one IP address and expect to create an IP alias to direct traffic in a 1 to 1 NAT to a node on your network, FIOS doesn’t work. Contact with Verizon technical support is no help. They are oblivious to the problem and don’t want to be bothered.

Tony Lombardi