accessing failover firewall when route to it is learned from OSPF

Unanswered Question
May 18th, 2010

I've got a pair of ASA firewalls that are accessed via a SOCKS server, so all management sessions to them are from this one IP address. The firewalls are running OSPF and learn the route to the SOCKS IP subnet via OSPF, so we are unable to directly access the standby firewall because the active OSPF route is not advertised to the failover firewall, apparently. I need to be able to manage both these firewalls independently, but if the OSPF routes don't sync to the backup firewall, do I have any workarounds? Is it possible to configure a static route to the SOCKS subnet on the primary firewall and give it a higher admin distance? That way, it would sync with the failover and allow me to connect to the failover using the static route, while the OSPF method would still work on the primary.

Jon Marshall Tue, 05/18/2010 - 06:55

Or more specifically, add a host-specific route on the primary, which will get replicated to the standby.

Jon

mjsully Tue, 05/18/2010 - 07:38

Can you elaborate on that? Are you talking about adding a static route with a higher admin distance? If I simply add a static route, it will override the one learned from OSPF on the primary, which is not what we want. Is it possible to add an administrative distance to a route on an ASA? I see in the syntax how to change the metric, but nothing for admin distance.

Jon Marshall Tue, 05/18/2010 - 07:50

mjsully wrote:

Can you elaborate on that? Are you talking about adding a static route with a higher admin distance? If I simply add a static route, it will override the one learned from OSPF on the primary, which is not what we want. Is it possible to add an administrative distance to a route on an ASA? I see in the syntax how to change the metric, but nothing for admin distance.

I was suggesting adding a host route only. That way the subnet route learnt from OSPF will still be used and only traffic to the SOCKS server will use the static host route on both the primary and secondary. This seemed to me to be the least intrusive way to achieve what you want.

You can add a metric to the route, so you could try adding it to the primary with an AD higher than OSPF, which would mean it would not be entered into the routing table on the primary and so OSPF would continue to be used. Whether it will then replicate it to the secondary I couldn't say for sure, but it is worth testing, because if it did replicate then it should be used on the standby due to there being no OSPF routes.

Jon
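The two suggestions in the replies above (a /32 host route, or a floating static for the whole subnet with an administrative distance above OSPF's 110) differ in why they leave OSPF in charge on the active unit: the host route wins on the SOCKS server's address by longest prefix match, while the floating static loses to OSPF on the same prefix by administrative distance. The following Python model, an added example rather than anything from the thread or from Cisco, plays both options through on an active unit (which has the OSPF route) and on a standby unit (which, per the question, has only the replicated static routes). All addresses, the interface name and the assumption that static routes are present on both units are constructed for the illustration; the rendered `route` lines use the ASA syntax `route <interface> <network> <mask> <gateway> [distance]`.

```python
"""Model of route selection on an ASA failover pair (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

OSPF_DISTANCE = 110          # default administrative distance of OSPF
STATIC_DISTANCE = 1          # default administrative distance of a static route

# Constructed sample values; substitute your own.
SOCKS_SUBNET = "10.20.30.0/24"   # subnet learned via OSPF on the active unit
SOCKS_HOST = "10.20.30.5"        # the SOCKS server management sessions come from
OSPF_NEXT_HOP = "192.0.2.1"      # next hop advertised by the OSPF neighbour
STATIC_NEXT_HOP = "192.0.2.2"    # next hop used for the static route
MGMT_INTERFACE = "inside"        # interface name used when rendering ASA commands


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    distance: int   # administrative distance: lower is preferred
    source: str     # "ospf" or "static", for reporting only


def ospf_route() -> Route:
    """The subnet route the active unit learns from OSPF."""
    return Route(ipaddress.ip_network(SOCKS_SUBNET), OSPF_NEXT_HOP, OSPF_DISTANCE, "ospf")


def static_host_route() -> Route:
    """Option 1: a /32 static route for the SOCKS server only."""
    return Route(ipaddress.ip_network(f"{SOCKS_HOST}/32"), STATIC_NEXT_HOP,
                 STATIC_DISTANCE, "static")


def floating_static_route() -> Route:
    """Option 2: same subnet as OSPF, but with an AD higher than 110."""
    return Route(ipaddress.ip_network(SOCKS_SUBNET), STATIC_NEXT_HOP,
                 OSPF_DISTANCE + 10, "static")


def build_rib(unit: str, option: str) -> List[Route]:
    """Candidate routes on a unit.

    Assumption (as described in the question): OSPF-learned routes exist only
    on the active unit, while static routes are configuration and are present
    on both units.
    """
    rib = [ospf_route()] if unit == "active" else []
    if option == "host":
        rib.append(static_host_route())
    elif option == "floating":
        rib.append(floating_static_route())
    return rib


def select_route(rib: List[Route], destination: str) -> Optional[Route]:
    """Longest prefix match first, then lowest administrative distance."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in rib if dst in r.prefix]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.prefix.prefixlen, r.distance))


def chosen_source(unit: str, option: str, destination: str) -> Optional[str]:
    """Which route source carries traffic to destination on the given unit."""
    route = select_route(build_rib(unit, option), destination)
    return route.source if route else None


def asa_route_command(route: Route, interface: str = MGMT_INTERFACE) -> str:
    """Render a static route as an ASA command: route <if> <net> <mask> <gw> [distance]."""
    return (f"route {interface} {route.prefix.network_address} {route.prefix.netmask} "
            f"{route.next_hop} {route.distance}")


if __name__ == "__main__":
    for option in ("none", "host", "floating"):
        for unit in ("active", "standby"):
            print(f"{option:8s} {unit:7s} -> {chosen_source(unit, option, SOCKS_HOST)}")
    print(asa_route_command(static_host_route()))
    print(asa_route_command(floating_static_route()))
```

With no static route the standby has no path back to the SOCKS server at all, which is the symptom in the question. The host route is used for the SOCKS server on both units but leaves every other host in the subnet on the OSPF path on the active unit; the floating static is idle on the active unit and only takes over on the standby, where no OSPF route competes with it. Whether the unused floating static is in fact replicated to the standby is exactly the point the reply says needs testing on real hardware.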
