VPN communication lost only with one VLAN after a failover between firewalls

fmacias.duarte
Level 1

Good afternoon,

This was interesting, here's the scenario (See attached picture for topology):

 

We have a site to site VPN and we have the same topology and configuration on both sites:

- Firewall HA Pair configuration

- Switches with HSRP with 3 vlans 

The HSRP configuration on the switches will always make switch 1 the active per the Priority and Preempt configuration.

My scenario today was: in site 2, firewall B was the active one, SW1 also active. I rebooted SW2, so the firewall B failed over to firewall A. At this point, firewall A and SW1 were the active ones.

After this, from site 1, I was not able to communicate with anything in vlan 10 at site 2, but I was able to communicate with the rest of the vlans just fine. I did a grace failback on the firewall and the communication was restored. At this point firewall B and SW1 were the active ones (just how I started). 

Here is the interesting thing: I did a grace failover from firewall B to firewall A, and then rebooted switch 2 (now firewall A and SW1 were the active ones, the same topology that had failed before), and the communication was never lost.

The communication failed when I forced the firewall to do a failover by rebooting the switch, but if I do a grace failover prior to rebooting the switch, the communication is never lost.

 

Let me know if my scenario makes sense.

 

Thanks!

2 Replies

I would assume that the issue is on SW1. Have you checked that VLAN 10 is present on SW1 and that it is allowed on all relevant trunk ports? Is the HSRP configuration on a VLAN interface? If so, is VLAN 10 allowed on the uplink toward the ASA? Is the subinterface on the ASA configured correctly with VLAN 10?

--
Please remember to select a correct answer and rate helpful posts

That was my initial thought, but I reviewed the status of the interface VLAN 10 and the state was up/up. I checked the VLAN database and the VLAN was there as well. I checked the trunk interfaces and all the VLANs were allowed through them. HSRP is configured on all the VLANs (only VLAN 10 was not responding from the remote site; locally it was accessible, and the rest of the VLANs were accessible from the remote site too).

 

What threw me off is that when I issued the command "no failover active" on the firewall, the communication was never lost with any VLAN (including VLAN 10). The communication with VLAN 10 was lost only when the firewall failed over by itself (rebooting the switch would make the firewall fail over because of the monitored interfaces). Meaning that if I do a grace failover on the firewall before rebooting the switch, everything is fine; if I let the firewall do the failover by itself, that's when it fails.
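The first reply lists the trunk checks to run on SW1, and the second reply says they were done by hand after the fact. The following script, added here as an illustration and not part of the thread, automates those checks against IOS `show interfaces trunk` output: it expands the VLAN lists, then distinguishes a VLAN that is not allowed on a trunk from one that is allowed but not forwarding (for example while spanning tree is still reconverging after a switch reboot). The sample output is constructed and does not come from the poster's switches; port names and VLAN numbers in it are made up.

```python
import re
from typing import Dict, List, Set

# Constructed sample of IOS "show interfaces trunk" output (not from the thread).
# Gi1/0/2 allows VLAN 10 but STP is not forwarding it; Gi1/0/3 does not allow it at all.
SAMPLE_SHOW_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi1/0/1     on               802.1q         trunking      1
Gi1/0/2     on               802.1q         trunking      1
Gi1/0/3     on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi1/0/1     1-4094
Gi1/0/2     1,10,20,30
Gi1/0/3     1,20,30

Port        Vlans allowed and active in management domain
Gi1/0/1     1,10,20,30
Gi1/0/2     1,10,20,30
Gi1/0/3     1,20,30

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/1     1,10,20,30
Gi1/0/2     1,20,30
Gi1/0/3     1,20,30
"""

# Section headers as printed by IOS, keyed by a short name used in the results.
SECTIONS = {
    "allowed": "Vlans allowed on trunk",
    "active": "Vlans allowed and active in management domain",
    "forwarding": "Vlans in spanning tree forwarding state and not pruned",
}


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '1,10-12,20' into a set of VLAN ids."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part or part.lower() == "none":
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_show_trunk(output: str) -> Dict[str, Dict[str, Set[int]]]:
    """Return {section: {port: vlan_set}} for the three VLAN sections of the output."""
    result: Dict[str, Dict[str, Set[int]]] = {key: {} for key in SECTIONS}
    current = None
    for line in output.splitlines():
        if line.startswith("Port"):
            # A "Port ..." line starts a new section; the first one (Mode/Status) is skipped.
            current = next((k for k, title in SECTIONS.items() if title in line), None)
            continue
        if current is None or not line.strip():
            continue
        port, _, spec = line.partition(" ")
        result[current][port] = expand_vlan_list(spec)
    return result


def check_vlan_on_trunks(output: str, vlan: int) -> Dict[str, List[str]]:
    """Report trunk ports where `vlan` is not allowed, not active, or not forwarding.

    Each port lands in at most one bucket, ordered from the most basic cause
    (not allowed in the trunk configuration) to the most transient (STP not forwarding).
    """
    parsed = parse_show_trunk(output)
    problems: Dict[str, List[str]] = {"not_allowed": [], "not_active": [], "not_forwarding": []}
    for port, allowed in parsed["allowed"].items():
        if vlan not in allowed:
            problems["not_allowed"].append(port)
        elif vlan not in parsed["active"].get(port, set()):
            problems["not_active"].append(port)
        elif vlan not in parsed["forwarding"].get(port, set()):
            problems["not_forwarding"].append(port)
    return problems


if __name__ == "__main__":
    for vlan_id in (10, 20):
        report = check_vlan_on_trunks(SAMPLE_SHOW_TRUNK, vlan_id)
        print(f"VLAN {vlan_id}: {report}")
```

In practice the output would be captured from each switch (via SSH or a saved session log) right after the failover, so that a VLAN that is allowed but not forwarding on the uplink toward the firewall shows up as a separate finding from a VLAN that was never allowed on the trunk.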