accessing failover firewall when route to it is learned from OSPF

mjsully
Level 1

I've got a pair of ASA firewalls that are accessed via a SOCKS server, so all management sessions to them are from this one IP address. The firewalls are running OSPF and learn the route to the SOCKS IP subnet via OSPF, so we are unable to directly access the standby firewall because the active OSPF route is not advertised to the failover firewall, apparently. I need to be able to manage both these firewalls independently, but if the OSPF routes don't sync to the backup firewall, do I have any workarounds? Is it possible to configure a static route to the SOCKS subnet on the primary firewall and give it a higher admin distance? That way, it would sync with the failover and allow me to connect to the failover using the static route, while the OSPF method would still work on the primary?

3 Replies

Jon Marshall
Hall of Fame

Or more specifically, add a host-specific route on the primary, which will get replicated to the standby.

Jon

Can you elaborate on that? Are you talking about adding a static route with a higher admin distance? If I simply add a static route, it will override the one learned from OSPF on the primary, which is not what we want. Is it possible to add an administrative distance to a route on an ASA? I see in the syntax how to change the metric, but nothing for admin distance.

mjsully wrote:

Can you elaborate on that? Are you talking about adding a static route with a higher admin distance? If I simply add a static route, it will override the one learned from OSPF on the primary, which is not what we want. Is it possible to add an administrative distance to a route on an ASA? I see in the syntax how to change the metric, but nothing for admin distance.

I was suggesting adding a host route only. That way the subnet route learnt from OSPF will still be used, and only traffic to the SOCKS server will use the static host route on both the primary and secondary. This seemed to me to be the least intrusive way to achieve what you want.

You can add a metric to the route, so you could try adding it to the primary with an AD higher than OSPF, which would mean it would not be entered into the routing table on the primary and so OSPF would continue to be used. Whether it will then replicate it to the secondary I couldn't say for sure, but it is worth testing, because if it did replicate then it should be used on the standby due to no OSPF routes.

Jon
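For readers landing here from search, the following is an added illustration of the floating host route Jon describes; it is not configuration from either poster and nothing in the thread confirms they ran it. The interface name, the management-host address and the next hop are constructed placeholders. The ASA `route` command takes an optional administrative distance as its last argument, which is what lets a static route sit below OSPF (AD 110) on the active unit while still being present in the replicated configuration.

```cisco
! Added example, not from the thread. Interface name, addresses and next hop are placeholders.
! Assumptions: the SOCKS management host is 10.20.30.40, reachable through the "inside"
! interface via next hop 192.168.1.254; OSPF is already configured on both failover units.

! Host-specific (/32) floating static to the management host only, AD 120 (> OSPF's 110).
! Active unit: the OSPF-learned subnet route wins, so this entry stays out of the routing table.
! Standby unit: the static is part of the replicated config and, with no OSPF routes present,
! is installed, so replies to management sessions from the SOCKS host have a path back.
route inside 10.20.30.40 255.255.255.255 192.168.1.254 120

! Optional hardening in the same spirit as the thread's setup: limit SSH to that one host.
ssh 10.20.30.40 255.255.255.255 inside

! Verification on the active unit: expect an "O" route for the SOCKS subnet and no "S" /32.
show route

! Verification on the standby from the active CLI, without needing a separate session to it:
! expect the "S" /32 for the management host here.
failover exec standby show route
```

Keeping the static to a /32 is what makes this low-risk: a broader static to the whole SOCKS subnet would also replicate, but if the OSPF route ever disappeared on the active unit, the floating static would silently take over for the entire subnet, which is harder to notice than a single host route. Compare the two `show route` outputs after a failover as well, since the unit that becomes active will then have both the OSPF route and the dormant static, and the routing table should look the same as it did on the original active unit.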
