ASA OSPF Routing - Active/Standby failover

Unanswered Question
Feb 23rd, 2007

Hey all,

I'm in the process of moving our QA ASAs into our production environment. I just started to migrate the configurations but am seeing an issue with OSPF routing on the standby firewall. In our QA environment, both the active and standby ASAs have a routing table populated with OSPF routes. It appears as if the active ASA replicates its routing table to the failover ASA. But on the production ASAs... after enabling failover I do not see the same routing table. I have stateful failover enabled and I see configuration replication happening. I can see no difference in the configurations that would cause this. Any ideas?

Standby Unit:

failover
failover lan unit secondary
failover lan interface FAILOVER-INTERNET Management0/0
failover replication http
failover mac address GigabitEthernet0/0 0011.1925.1034 0011.9135.1712
failover mac address GigabitEthernet0/1 0011.9251.7176 0011.8816.3341
failover mac address GigabitEthernet0/2 0011.0166.6091 0011.6891.9166
failover link FAILOVER-INTERNET Management0/0
failover interface ip FAILOVER-INTERNET 10.50.225.1 255.255.255.0 standby 10.50.225.2

Primary Unit

failover
failover lan unit primary
failover lan interface FAILOVER-INTERNET Management0/0
failover replication http
failover mac address GigabitEthernet0/0 0011.1925.1034 0011.9135.1712
failover mac address GigabitEthernet0/1 0011.9251.7176 0011.8816.3341
failover mac address GigabitEthernet0/2 0011.0166.6091 0011.6891.9166
failover link FAILOVER-INTERNET Management0/0
failover interface ip FAILOVER-INTERNET 10.50.225.1 255.255.255.0 standby 10.50.225.2

-Mike

http://cs-mars.blogspot.com

vitripat Fri, 02/23/2007 - 10:06

Not sure if I'm on the right track, but it seems that you are facing problems with OSPF derived routes not getting to the secondary PIX. If yes, then there is a bug filed for this which has not been resolved yet, "CSCeb23798", under this: "In the current design of PIX OSPF in a failover scenario, there is no good way to propagate OSPF derived routes to the stand-by PIX."

Work-around:

At this time, the only option is to use floating statics on the PIX so that the OSPF learned routes have a higher priority when failover does occur.

Though this doesn't sound to be very helpful, we are hoping that developers work aggressively on it.

Let us know if you have a different issue.

Regards,

Vibhor.
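
The following is an added example, not part of the original thread or of any Cisco tooling: a small Python check that compares saved `show route` output from the active and standby units, lists the OSPF routes the standby is missing, and prints candidate floating static `route` commands for them. The `show route` line layout, the sample output, the interface name `inside`, and the administrative distance of 200 are assumptions made for illustration.

```python
import re

# OSPF entry as assumed to appear in ASA "show route" output, e.g.
# O IA 10.20.0.0 255.255.0.0 [110/11] via 10.50.1.254, 0:12:34, inside
OSPF_LINE = re.compile(
    r"^O(?:\s+(?:IA|E1|E2|N1|N2))?\s+"
    r"(?P<net>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)\s+"
    r"\[\d+/\d+\]\s+via\s+(?P<gw>\d+\.\d+\.\d+\.\d+),\s*[^,]+,\s*(?P<ifc>\S+)$"
)

# Assumption: any distance above OSPF's default of 110 keeps the static
# route dormant while the OSPF-learned route is present.
FLOATING_AD = 200

def ospf_routes(show_route_text):
    """Return {(network, mask): (gateway, interface)} for OSPF entries."""
    routes = {}
    for line in show_route_text.splitlines():
        m = OSPF_LINE.match(line.strip())
        if m:
            routes[(m["net"], m["mask"])] = (m["gw"], m["ifc"])
    return routes

def missing_on_standby(active_text, standby_text):
    """OSPF routes present on the active unit but absent on the standby."""
    standby = ospf_routes(standby_text)
    return {k: v for k, v in ospf_routes(active_text).items() if k not in standby}

def floating_statics(missing):
    """Render one 'route' command per missing prefix, sorted by prefix."""
    return [f"route {ifc} {net} {mask} {gw} {FLOATING_AD}"
            for (net, mask), (gw, ifc) in sorted(missing.items())]

# Constructed sample output (not taken from the thread).
ACTIVE = """\
C    10.50.225.0 255.255.255.0 is directly connected, FAILOVER-INTERNET
O IA 10.20.0.0 255.255.0.0 [110/11] via 10.50.1.254, 0:12:34, inside
O E2 192.168.40.0 255.255.255.0 [110/20] via 10.50.1.254, 0:12:34, inside
"""
STANDBY = """\
C    10.50.225.0 255.255.255.0 is directly connected, FAILOVER-INTERNET
"""

if __name__ == "__main__":
    for cmd in floating_statics(missing_on_standby(ACTIVE, STANDBY)):
        print(cmd)
```

Review the generated commands before applying them; the next hop learned through OSPF on the active unit is not necessarily the right next hop for a static backup path.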
