Layer 3 Failover Active <> Active

Unanswered Question
Oct 11th, 2007

Two firewalls, active <> active, one located in one data center at one physical location, the other located in another data center at another physical location. This arrangement is for disaster recovery purposes and to save money (1 pair instead of 2 pairs of firewalls). There are two of the same service provider connections at each location.


Is there a Cisco technology that allows STATEFUL load-balancing between these two separated firewalls WITHOUT the requirement of a layer 2 span between their inside interfaces?

Put another way: is there such a thing as Layer 3 Failover for Cisco


* The initial positioning would have these two firewalls' respective locations in these two different data centers and so would have them located on different IP subnets.

** I am aware of load-balancing options for traffic prior to that traffic reaching the inside interface of these two firewalls (CSS, GSLB, CSM, 3rd party LBs), but a firewall failure using inside LB to move traffic back and forth between the two I don't believe would be stateful (from the FW's perspective), and that is a requirement in this case.

autobot130 Sun, 10/14/2007 - 13:38

I've been thinking of doing something like this as well.

So far, the only thing I can think of is an L2TP tunnel between the two FWSMs or using dot1q-tunneling between the two switches.

Unfortunately I cannot do this in my scenario because our data centers are separated by SONET interfaces, so it will lose the dot1q tags.

The other idea is perhaps creating an L2 MPLS network to pass the FWSM stateful/failover keepalive msgs between the two, which means creating an L2VPN pseudowire (MPLS) in between.

I think it may work... I haven't tested it yet, but let me know if you're going to try it.
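What the L2VPN pseudowire idea above would look like on the switch hosting each FWSM, as an added illustration that is not configuration from this thread or from Cisco: an EoMPLS xconnect that stretches the failover VLAN across the MPLS core so both units sit on one L2 segment (the same subnet). The loopback addresses, core link addressing, VC ID, VLAN number and port names are assumed, as is the failover VLAN being trunked out of the chassis on the cross-connected port.

```cisco
! --- Site A switch (assumed Loopback0 10.255.0.1); mirror on site B with 10.255.0.2 ---
! Plain MPLS between the sites; LDP signals the pseudowire labels, so the
! SONET-only path that strips dot1q tags is no longer a problem.
mpls ip
mpls label protocol ldp
mpls ldp router-id Loopback0 force
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
interface TenGigabitEthernet1/1
 description Core link toward site B (assumed addressing)
 ip address 10.1.12.1 255.255.255.252
 mpls ip
!
! VLAN-based EoMPLS: the subinterface carrying the failover VLAN (assumed 901)
! is cross-connected to the peer switch; each FWSM sees one L2 failover segment.
interface GigabitEthernet2/1
 description Port carrying the FWSM failover VLAN out of the chassis
 no ip address
!
interface GigabitEthernet2/1.901
 encapsulation dot1Q 901
 xconnect 10.255.0.2 901 encapsulation mpls
!
! Check: the VC must show UP at both ends before the failover pair will form.
!   show mpls l2transport vc 901
!   show failover            (on the FWSM, once the link is extended)
```

This only recreates the L2 adjacency the failover pair requires; it does not make failover itself Layer 3. Every VLAN the active/active contexts use, not just the failover and state links, needs the same treatment, and the failover hello timing (`failover polltime`) must tolerate the inter-site latency.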

mprescher Mon, 10/29/2007 - 14:31

After looking at all the options and contacting several regional Cisco Security resources, the answer seems to be: no-can-do. The interface sharing relies on L2 (same subnet) connectivity a la HSRP. It makes sense to me insofar as L3 state cannot be maintained if the traffic is coming in to two different L3 (subnet) interfaces; the two ASA failover interfaces have to have the same L3 picture (same subnet) of the packets. So... alas, no breakthroughs on this one.
