New Member

Firewall Active/Standby behavior question

I am redesigning our border and we have two 2921 routers that are at the edge because we are terminating BGP there. The routers have HSRP configured on the ISP side and each router has one connection to one of the ASA5550s. The ASAs are running in an active/standby configuration.

I've included a picture. My question is: if 2921-1 loses its internet connection, 2921-2 takes over due to HSRP. At this point how does ASA5550-1 know to swap to the standby node? Wouldn't it think that its connection to 2921-1 is still good? My 2921s only have 3 ports. I'm using 1 for ISP, 1 for the ASA connection and 1 for Management.

Thank you,

Gerry

HSRP.jpg

5 REPLIES

Firewall Active/Standby behavior question

Hi Gerry,

The solution for your network is to connect the 2921 routers and the ASAs to a shared L2 VLAN using a switch. You may use stackable switches for increased redundancy. In this way the HSRP VIP can be reached by any of the firewalls, so a router going down can be handled automatically.

For an improved design you may need to add a link between the routers and run iBGP between them, so that in case of a link down only, you will not blackhole outbound traffic.

Hope this helps.

New Member

Firewall Active/Standby behavior question

I do have a 2960 switch I can use, but that would leave me with a single point of failure, and I am not authorized any equipment purchase at this time. Is there no solution without additional equipment?

Firewall Active/Standby behavior question

No, for active/standby FWs with HSRP routers this is the only solution.

You can buy one more switch only, even a used one, just as a temp solution to get it working.

New Member

Re: Firewall Active/Standby behavior question

Hi Gerry,

Try object tracking with EEM. You have to inform your active firewall, and a simple way is to shut down the router interface.

Can you describe the connection to your ISP in more detail?

Isp---rt1--asa1/active
|
I
Isp--rt2--asa2/standby

Greetings
Michael

Sent from Cisco Technical Support iPad App
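A sketch of the object-tracking and EEM approach suggested in the reply above, as an added example that is not part of the original post. The interface names, track number and applet names are assumptions: GigabitEthernet0/0 stands for the ISP-facing port and GigabitEthernet0/1 for the ASA-facing port on 2921-1, and the ASA interface toward the router is assumed to be named `outside`.

```cisco
! ---- 2921-1 (IOS) ----
! Track the ISP-facing port (assumed Gi0/0). Line-protocol tracking only
! sees a local link loss; an upstream failure with the link still up
! needs a reachability-based track object (for example IP SLA) instead.
track 10 interface GigabitEthernet0/0 line-protocol
!
! When the tracked object goes down, shut the ASA-facing port (assumed
! Gi0/1) so the directly connected firewall sees its link fail.
event manager applet ISP-DOWN
 event track 10 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface GigabitEthernet0/1"
 action 4.0 cli command "shutdown"
 action 5.0 cli command "end"
 action 6.0 syslog msg "ISP link down: ASA-facing interface shut to force failover"
!
! When the tracked object recovers, bring the ASA-facing port back up.
event manager applet ISP-UP
 event track 10 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface GigabitEthernet0/1"
 action 4.0 cli command "no shutdown"
 action 5.0 cli command "end"
 action 6.0 syslog msg "ISP link restored: ASA-facing interface re-enabled"
!
! ---- ASA5550 (active unit; replicated to the standby) ----
! Health-monitor the interface facing the router (nameif assumed to be
! "outside") so that losing its link counts toward failover.
monitor-interface outside
```

On the ASA, `show failover` shows whether the `outside` interface is monitored and which unit is currently active after the router port is shut.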

New Member

Firewall Active/Standby behavior question

Hi Gerard,

Just put two switches between the routers and firewalls and also connect both switches to each other; then you will have a fully redundant function without any manual config when the Internet link goes down.
