cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
656
Views
0
Helpful
5
Replies

failover

suthomas1
Level 6
Level 6

A general question here regarding failover. in the attached diagram, if  router1 fails, should the firewalls also failover accordingly? or the traffic would continue flowing based on standby router taking over as active.

Thanks in advance.

1 Accepted Solution

Accepted Solutions

Jon Marshall
Hall of Fame
Hall of Fame

suthomas1 wrote:

A general question here regarding failover. in the attached diagram, if  router1 fails, should the firewalls also failover accordingly? or the traffic would continue flowing based on standby router taking over as active.

Thanks in advance.

It's not clear from the diagram exactly how things are interconnected. For example the firewalls do not seem to have an interconnection whereas an active/standby pair of firewalls would have a L2 interconnect for failover.

The routers in your diagram, are they physical routers or L3 switches ? If they are L3 switches and one failed then yes the firewalls should failover as well as long as you are monitoring the inside interface. If they are physical routers and the link was a P2P link ie. there was no switch in between the router and the firewall then yes the firewalls would failover. If there was a L2 switch in between then no they would not.

However it's not clear how any of this would work in your diagram. If the router failed but the firewall did not failover then there is no path from the standby router to the active firewall in your topology.

Jon

View solution in original post

5 Replies 5

Ganesh Hariharan
VIP Alumni
VIP Alumni

A general question here regarding failover. in the attached diagram, if  router1 fails, should the firewalls also failover accordingly? or the traffic would continue flowing based on standby router taking over as active.

Thanks in advance.

                    Attachments:

Hi,

As per th question that depends if router 1 fails traffic will shifted to router 2 but firewall will shift over to other one thatdepends on you configuration of firewall and data flow how you have configured in the network.

If router 1 and router 2 are in HSRP/VRRP active /backup mode then onely router will failover and firewall not.Firewall failover is totally depends on the firewall redundacny configuration which you would have configured in ACTIVE/STANDBY at this stage only one ip will be there for both router to forward the traffic.

Hope that help

If helpful do rate the post

Ganesh.H

Jon Marshall
Hall of Fame
Hall of Fame

suthomas1 wrote:

A general question here regarding failover. in the attached diagram, if  router1 fails, should the firewalls also failover accordingly? or the traffic would continue flowing based on standby router taking over as active.

Thanks in advance.

It's not clear from the diagram exactly how things are interconnected. For example the firewalls do not seem to have an interconnection whereas an active/standby pair of firewalls would have a L2 interconnect for failover.

The routers in your diagram, are they physical routers or L3 switches ? If they are L3 switches and one failed then yes the firewalls should failover as well as long as you are monitoring the inside interface. If they are physical routers and the link was a P2P link ie. there was no switch in between the router and the firewall then yes the firewalls would failover. If there was a L2 switch in between then no they would not.

However it's not clear how any of this would work in your diagram. If the router failed but the firewall did not failover then there is no path from the standby router to the active firewall in your topology.

Jon

My mistake, i should have put it more clearly. Apologies.

both firewalls( active/standby) alongwith routers(hsrp) sit on 2 node layer2 switches. In this case if one of these switches were to go down( for eg.),

triggering the router to failover, would the firewalls also failover.

Thank You.

suthomas1 wrote:

My mistake, i should have put it more clearly. Apologies.

both firewalls( active/standby) alongwith routers(hsrp) sit on 2 node layer2 switches. In this case if one of these switches were to go down( for eg.),

triggering the router to failover, would the firewalls also failover.

Thank You.

No need to apologise, just wanted to clarify how everything was connected up.

If one of the switches failed then yes the firewall would failover although interestingly the router wouldn't necessarily failover. Routers don't failover in the same way.

The issue you have with the routers is that if the switch dies then the outside interface of the router would be in a down state but the inside interface connecting to your LAN would still be up. So the active HSRP router would be the one with the failed interface. This isn't a problem if both routers are connected to both switches but if the active router is connected to the switch that fails and that is it's only connection then traffic has no way to get to the standby firewall which is now the new active firewall. So you can either

1) connect each router to both switches

or

2) use interface tracking with HSRP so that if the outside interface goes down, which it will if the switch dies, then the HSRP priority is reduced and the other router takes over the active role.

Edit - i've assumed in the above that the switches used to interconnect the firewalls and the routers are not the same switches that the inside interfaces of the routers connect to ie. the LAN facing interfaces. If they are the same switches then yes a switch failure would failover the router as well.

Jon

suthomas,
As mentioned my jon, make sure you have monitor setup for your inside & outside interfaces.  sometime people setup failover but forget to setup monitoring for crtitical interfaces.
Without monitoring the interfaces, if the line protocol is down, that will not trigger failover.
In order to view the status of monitored interfaces: In single context mode, enter the show monitor-interface command in global configuration mode and
Make sure status is normal.
For eaxmple
ASA(config)#show monitor-interface
        This host: Secondary - Active
                Interface inside (192.168.1.1): Normal
                Interface outside (172.16.1.1): Normal
        Other host: Secondary - Standby Ready
                Interface inside (192.168.1.2): Normal
                Interface outside (172.16.1.2): Normal
Review Cisco Networking for a $25 gift card