New Member

Cisco IOS Firewall with Stateful Failover

I'm looking at using the IOS Firewall feature set with stateful failover between two 2900 series routers. I have been working with a configuration that involves the "inside" being WAN interfaces on two different subnets and the "outside" being two LAN interfaces on the same subnet using HSRP. In reading the datasheet, there were two configurations mentioned, but mine isn't exactly either.

What I am seeing is the sessions not syncing up. I have tried reversing the inside/outside roles and they were syncing the sessions across. You could see them by using the "show ip inspect sessions" command and validate the HEX value of the sessions. Now I see the sessions on the HSRP active router but not the HSRP standby router.

I have enabled several different debugs but I'm not getting a lot of output, and even when I clear the active sessions for the ip inspect ha session I don't really get anything.

Anyone have any tips for getting a configuration similar to this working?

Cisco Employee

Re: Cisco IOS Firewall with Stateful Failover

I believe this link will provide all the answers that you are looking for.


New Member

Re: Cisco IOS Firewall with Stateful Failover

I have been using that link for the configuration. In looking at the guide, it's wanting HSRP on both sides (inside and outside). What I was curious about was whether anyone has done something similar to the diagram below. I have also attached the diagram in case the picture below is too small.

Hall of Fame Super Blue

Re: Cisco IOS Firewall with Stateful Failover

As far as I know you can't do this, because a requirement is that HSRP must be run on the inside interfaces, i.e. from the doc that you are working from:

Restrictions for Stateful Failover

When configuring redundancy for a Cisco IOS firewall, the following restrictions exist:

HSRP requires the inside interface to be connected via LANs.

So unless you connect the WAN interfaces to the same subnet, I don't think it's possible.

