OSPF router and ASA Active/Standby

Unanswered Question
May 24th, 2009

We have a pair of ASA firewalls running A/S failover. They talk OSPF with the network. Unfortunately, it seems that the secondary firewall doesn't get any routes (via OSPF or the Primary). This is causing issues with monitoring.

We have temporarily fixed it with a static route to our monitoring station but I was wondering if there is a way to get the routes propagated from the primary to the secondary?

bgl-group Tue, 05/26/2009 - 01:03

Are you talking about the secondary not having any routes whilst the primary is running?

If you are this is what I would expect to see as the secondary is completely passive and just monitors the HA link.

If you want to monitor the backup unit whilst the primary is in service then I would use dedicated management interfaces and have a route from the core into the management network.

mmacdonald70 Tue, 05/26/2009 - 14:08

That is what I mean. There are two problems with this scenario. The first is the one I mentioned: there is no way to (easily) monitor the firewall. The second, which I just thought of, is more of a problem. In the case of a stateful failover, the new primary will have to wait for OSPF to reconverge before it can work.

This would most likely defeat the purpose of a stateful failover connection.

bgl-group Tue, 05/26/2009 - 23:47

No, when it does failover it moves the routing tables along with the MAC addresses to the (formerly) passive firewall. Therefore the adjacent router just sees a short loss of carrier to the firewall and then recovers.

Normal loss of comms is under 5 seconds when we do it on our systems.

andrew.butterworth Thu, 05/28/2009 - 14:38

Floating static routes? I know the PIX supports the ability to add static routes with administrative distances - why not just add a static route with a higher administrative distance than OSPF to the config. That way the standby should have a route whilst it isn't participating in OSPF. When it fails over the static should get overwritten by the OSPF route assuming there is one with the same prefix?

Andy
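A configuration fragment illustrating the floating-static idea above, added here as an example and not taken from the thread or from any poster; the interface name, addresses and the 10.200.0.0/24 monitoring prefix are assumptions.

```text
! Hypothetical ASA Active/Standby configuration (example only)
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ! Active unit answers on .2, standby unit on .3; the monitoring
 ! station polls the standby address to check the passive unit.
 ip address 10.1.1.2 255.255.255.0 standby 10.1.1.3
!
router ospf 1
 network 10.1.1.0 255.255.255.0 area 0
!
! Floating static towards the monitoring network (assumed 10.200.0.0/24).
! Trailing 120 is the administrative distance: higher than OSPF's
! default 110, so the active unit keeps preferring its OSPF-learned
! route, while the standby (which runs no OSPF) still installs this
! static and can reply to the monitoring station.
route inside 10.200.0.0 255.255.255.0 10.1.1.1 120
```

On the standby, `show route` should list the static for 10.200.0.0/24; on the active unit the OSPF route wins for as long as one exists, and the static only surfaces if OSPF stops advertising that prefix.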

mmacdonald70 Thu, 05/28/2009 - 16:53

That is what I did. Unfortunately, the networks on either side of the firewalls are complicated and share the same IP space. This makes static routes painful.
