I have two Cat6500s with FWSMs in failover mode.
To make failover work, it is necessary to extend all networks on the FW to the standby unit.
All is working fine, however:
The two Cat6500s are interconnected with a 10 Gbps link, using OSPF.
A separate link is used for the failover link and the state link.
The outside VLAN of the firewall is extended to the other unit over a 1 Gbps link.
HSRP on the router is used.
The customer is double connected to both firewalls (inside).
This scenario is with a routed firewall, but the same problem exists with a transparent one.
I've attached a picture of the setup.
The FWSM at the left is active. The router in the same chassis is the active HSRP router.
When a computer behind the firewall connects to a computer behind the left router, the data path is as desired:
forward path: PC-FWSM-Left Router-PC
return path: PC-Left Router-FWSM-PC
When the computer wants to connect to a server behind the right router:
forward path: PC-FWSM-Left Router-Right Router-PC
The reverse path is different:
This is because the outside VLAN is directly connected to both routers. The reverse path will travel over the 1 Gbps link instead of the 10 Gbps link.
To solve this, I need a floating 'Directly connected', but that is not possible.
Is there anyone with a great idea? I have a workaround, but need fresh ideas.
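The asymmetry described above, modelled as an added example (this is not code from the original post). It assumes constructed addresses and a simplified IOS-style route selection: longest prefix match, then lowest administrative distance, with recursive next-hop resolution. It shows why the right router's return traffic takes the extended outside VLAN once that VLAN is directly connected, since a connected route (AD 0) always beats the OSPF route (AD 110) towards the left router.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Administrative distances as used by Cisco IOS: connected beats OSPF.
AD_CONNECTED, AD_OSPF = 0, 110

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    ad: int
    next_hop: Optional[str]   # None for a directly connected route
    interface: str            # egress interface (ignored for recursive routes)

def best_route(rib, dst):
    """Longest-prefix match first, then lowest administrative distance."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in rib if dst in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.ad))

def egress(rib, dst, hops=0):
    """Resolve the next hop recursively until a connected interface is found."""
    r = best_route(rib, dst)
    if r is None or hops > 8:      # no route, or a resolution loop
        return None
    if r.next_hop is None:
        return r.interface
    return egress(rib, r.next_hop, hops + 1)

# Constructed addressing (assumption, not taken from the post).
INSIDE = "10.10.0.0/16"          # customer networks behind the FWSM
OUTSIDE = "192.0.2.0/24"         # firewall outside VLAN, extended over the 1G link
FWSM_OUTSIDE = "192.0.2.1"       # active FWSM outside address
LEFT_TE = "198.51.100.1"         # left router's end of the 10G OSPF link

def right_router_rib(outside_extended: bool):
    """RIB of the right router, with or without the outside VLAN extended to it."""
    rib = [
        Route(ipaddress.ip_network("198.51.100.0/30"), AD_CONNECTED, None, "Te1/1 (10G)"),
        # Inside networks: next hop is the FWSM outside IP, resolved recursively.
        Route(ipaddress.ip_network(INSIDE), AD_OSPF, FWSM_OUTSIDE, ""),
        # The outside VLAN as learned over OSPF from the left router across the 10G link.
        Route(ipaddress.ip_network(OUTSIDE), AD_OSPF, LEFT_TE, ""),
    ]
    if outside_extended:   # failover requires this, and it is what forces the 1G path
        rib.append(Route(ipaddress.ip_network(OUTSIDE), AD_CONNECTED, None, "Vlan-outside (1G)"))
    return rib
```

Calling `egress(right_router_rib(True), "10.10.5.5")` returns the 1G VLAN interface, while the same lookup without the extension returns the 10G link; there is no way to give the connected route a worse distance, which is the missing "floating directly connected" route the post refers to.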