OSPF router and ASA Active/Standby

mmacdonald70
Level 1

We have a pair of ASA firewalls running A/S failover. They talk OSPF with the network. Unfortunately, it seems that the secondary firewall doesn't get any routes (via OSPF or the Primary). This is causing issues with monitoring.

We have temporarily fixed it with a static route to our monitoring station but I was wondering if there is a way to get the routes propagated from the primary to the secondary?

6 Replies

bgl-group
Level 1

Are you saying that the secondary doesn't have any routes whilst the primary is running?

If you are, this is what I would expect to see, as the secondary is completely passive and just monitors the HA link.

If you want to monitor the backup unit whilst the primary is in service, then I would use dedicated management interfaces and have a route from the core into the management network.

That is what I mean. There are two problems with this scenario. The first is the one I mentioned: there is no way to (easily) monitor the firewall. The second, which I just thought of, is more of a problem. In the case of a stateful failover, the new primary will have to wait for OSPF to reconverge before it can work.

This would most likely defeat the purpose of a stateful failover connection.

No, when it does fail over it moves the routing tables along with the MAC addresses to the (formerly) passive firewall. Therefore the adjacent router just sees a short loss of carrier to the firewall and then recovers.

Normal loss of comms is under 5 seconds when we do it on our systems.

Routing tables are NOT stateful.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#Reg

You will, indeed, have to wait for OSPF to reconverge.

Floating static routes? I know the PIX supports the ability to add static routes with administrative distances, so why not just add a static route with a higher administrative distance than OSPF to the config? That way the standby should have a route whilst it isn't participating in OSPF. When it fails over, the static should get overwritten by the OSPF route, assuming there is one with the same prefix.

Andy

That is what I did. Unfortunately, the networks on either side of the firewalls are complicated and share the same IP space. This makes static routes painful.
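The two workarounds discussed in this thread (a floating static route with an administrative distance above OSPF's, and a dedicated management-only interface for reaching the standby unit) as an added ASA configuration example. This is not configuration from any of the posters; the interface names, addresses, prefixes, OSPF process number and the chosen distance of 200 are assumptions for illustration.

```cisco
! Added example, not from the thread. All addresses/names are assumed.
!
! --- Option 1: floating static route ---
!
! OSPF on the inside interface. Routes learned via OSPF are installed
! with the ASA default administrative distance of 110.
router ospf 1
 network 10.1.1.0 255.255.255.0 area 0
!
! Static route to the (assumed) monitoring subnet 10.50.0.0/16 with a
! distance of 200. The last argument of "route" is the administrative
! distance (default 1). On the standby unit, which has no OSPF routes,
! this is the only candidate and is installed. On the active unit the
! OSPF route to the same prefix wins because 110 < 200, so the static
! only takes effect while no OSPF route for that prefix exists.
route inside 10.50.0.0 255.255.0.0 10.1.1.1 200
!
! --- Option 2: dedicated management interface ---
!
! A management-only interface carries to-the-box traffic (SNMP, SSH,
! syslog) and does not forward through-traffic. The standby unit
! answers on the "standby" address, so the monitoring station can poll
! 10.99.0.2 directly while the primary is active.
interface Management0/0
 nameif management
 security-level 100
 ip address 10.99.0.1 255.255.255.0 standby 10.99.0.2
 management-only
!
! If the monitoring station is not on the directly connected management
! subnet, give the management interface its own static route to it.
route management 10.50.0.0 255.255.0.0 10.99.0.254 1
```

To verify, run `show route` on each unit: on the active unit the prefix should appear as an OSPF route (`O`, shown with `[110/...]`), while on the standby unit only connected and static entries are present, which is the symptom the original post describes. Note that `show failover` tells you which unit is currently active. Option 1 only helps for prefixes you are willing to enumerate as statics, which is the limitation raised in the final reply; Option 2 sidesteps routing on the data interfaces entirely for management traffic, but requires a separate management network reachable from the core.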
