Routing issue with failover FWSMs

Apr 7th, 2008

I have two cat6500's with FWSMs in failover mode.

To make failover work, it is necessary to extend all networks on the FW to the standby unit.

All is working fine, however:

The two cat6500s are interconnected with a 10 Gbps link, using OSPF.

A separate link is used for the failover link and the state link.

The outside VLAN of the firewall is extended to the other unit over a 1Gbps link.

HSRP on the router is used.

The customer is dual-connected to both firewalls (inside).

This scenario is with a routed firewall, but the same problem exists with a transparent one.

I've attached a picture of the setup.

The FWSM at the left is active. The router in the same chassis is the active HSRP router.

When a computer behind the firewall connects to a computer behind the left router, the data path is as desired:

forward path: PC-FWSM-Left router-PC

return path: PC-Left Router-FWSM-PC

When the computer wants to connect to a server behind the right router:

forward path: PC-FWSM-Left Router-Right Router-PC

The reverse path is different:

PC-Right Router-FWSM-PC

This is because the outside VLAN is directly connected to both routers. The reverse path will travel over the 1 Gbps link, not over the 10 Gbps link.

To solve this, I need a floating 'Directly connected', but that is not possible.

Is there anyone with a great idea? I have a workaround, but need fresh ideas.


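The asymmetry described in the post comes down to route selection on the right router: the outside VLAN is a connected route there (administrative distance 0), so the next hop for the inside networks (the FWSM's outside address) always resolves onto the extended VLAN, and no floating static (which by definition carries a higher distance than the routing protocol) can override it. The following toy model of longest-prefix-match plus administrative-distance selection is an added example, not code or configuration from the poster; all addresses, prefixes and interface names in it are constructed for illustration and are not from the thread.

```python
"""Toy model of IOS route selection (longest prefix, then lowest administrative
distance) with recursive next-hop resolution, to show which link the right
router uses for the return path in the scenario above.  Added example; the
addressing below is constructed and not taken from the original post."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Cisco IOS default administrative distances (lower wins after longest match).
AD_CONNECTED, AD_STATIC, AD_OSPF = 0, 1, 110
AD_FLOATING = 250  # a static above the protocol's distance is a "floating" static

# Constructed addressing for the thread's topology (assumptions, not from the post).
INSIDE_NET = "10.1.0.0/16"      # customer networks behind the FWSM
OUTSIDE_NET = "192.0.2.0/24"    # FWSM outside VLAN, extended over the 1 Gbps link
FWSM_OUTSIDE_IP = "192.0.2.10"  # active FWSM's outside address
LEFT_P2P_IP = "10.255.0.1"      # left router's end of the 10 Gbps routed link
P2P_NET = "10.255.0.0/30"
VLAN_IF, TENGIG_IF = "Vlan100", "TenGigabitEthernet1/1"


@dataclass(frozen=True)
class Route:
    prefix: str
    ad: int
    iface: Optional[str] = None      # set for connected routes / interface statics
    next_hop: Optional[str] = None   # set for recursive (next-hop) routes


class Router:
    def __init__(self, name: str, routes):
        self.name = name
        self.routes = list(routes)

    def best_route(self, dst: str) -> Optional[Route]:
        addr = ipaddress.ip_address(dst)
        cands = [r for r in self.routes if addr in ipaddress.ip_network(r.prefix)]
        if not cands:
            return None
        # Longest prefix first, then lowest administrative distance.
        return min(cands, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.ad))

    def egress_interface(self, dst: str, max_depth: int = 8) -> str:
        """Resolve a destination to the outgoing interface, following next hops recursively."""
        r = self.best_route(dst)
        for _ in range(max_depth):
            if r is None:
                raise LookupError(f"{self.name}: no route to {dst}")
            if r.iface is not None:
                return r.iface
            r = self.best_route(r.next_hop)
        raise RecursionError(f"{self.name}: next-hop resolution for {dst} did not converge")


def build_right_router(outside_vlan_extended: bool, floating_static: bool = False) -> Router:
    """Right router's table; the two flags model the choices discussed in the thread."""
    routes = [
        Route(P2P_NET, AD_CONNECTED, iface=TENGIG_IF),
        # Inside networks reached via the FWSM outside address; the AD here is irrelevant
        # to the outcome, only the resolution of the next hop matters.
        Route(INSIDE_NET, AD_STATIC, next_hop=FWSM_OUTSIDE_IP),
        # Left router advertises the outside VLAN in OSPF over the 10 Gbps link.
        Route(OUTSIDE_NET, AD_OSPF, next_hop=LEFT_P2P_IP),
    ]
    if outside_vlan_extended:
        # The VLAN carried over the 1 Gbps link is a connected route on the right router.
        routes.append(Route(OUTSIDE_NET, AD_CONNECTED, iface=VLAN_IF))
    if floating_static:
        # A floating static pointing at the 10 Gbps link never beats a connected route.
        routes.append(Route(OUTSIDE_NET, AD_FLOATING, next_hop=LEFT_P2P_IP))
    return Router("right", routes)


def return_path_egress(outside_vlan_extended: bool, floating_static: bool = False) -> str:
    """Interface the right router uses for traffic back to a PC behind the firewall."""
    router = build_right_router(outside_vlan_extended, floating_static)
    return router.egress_interface("10.1.20.5")  # constructed PC address inside INSIDE_NET


if __name__ == "__main__":
    for ext, flt in [(True, False), (True, True), (False, False)]:
        print(f"outside VLAN extended={ext!s:5} floating static={flt!s:5} "
              f"-> return traffic leaves via {return_path_egress(ext, flt)}")
```

With the outside VLAN extended, the return traffic leaves the right router on the VLAN interface (the 1 Gbps link) whether or not a floating static is added; only removing the VLAN from the right router makes the OSPF route via the left router win, which is exactly the configuration that breaks firewall failover.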
Jon Marshall Mon, 04/07/2008 - 03:50

I am a little confused. If you want the return traffic to go over the 10Gbps link and not the 1Gbps then only allow the outside vlan for the FWSM's across the 10Gbps link.

Am I missing something obvious?


mvandorp Mon, 04/07/2008 - 04:24

Maybe.... For me it's obvious, but I've been working on this for quite some time now...

Normally, the VLANs are isolated to either the left or the right part of the network (2 nodes in our campus). Only the outside VLAN is extended over a separate 1 Gbps link, because this is needed for firewall failover.

The 10 Gbps link is a routed link; no VLANs there.

To explain further: the firewall does link monitoring. When, e.g., the left link goes down, the firewall switches over to the other side, in this example to the right.

The HSRP group switches too, because I track the physical interface (that is possible, because it's the same chassis). That is: the HSRP group on the *outside* VLAN tracks the physical interface of the *inside* VLAN(s).

The HSRP interface does not go down: this is the outside of the FW, which is still up. Return traffic will flow from a PC connected at the left router, over the outside VLAN to the right, to maintain connectivity.

Now the path is again not optimal, but in this case it's acceptable. After all, the network is in an error state, and connectivity is more important.

When the link is restored, the FWSM switches back, the routing should restore, and the optimal paths should be used again.

I need dynamic routing to adjust the data path in case of a link failure.

The optimal path should use the same chassis as much as possible, and inter-chassis traffic should go over the 10 Gbps link.

Does this make things clear? If not, please ask!


