Cisco Support Community

Control Link in Zone-Based Policy Firewall High Availability

Hi all

I have set up a zone-based policy firewall with HA on two 2911 routers as per the Cisco security configuration guide, for an active/passive LAN-LAN cluster.

All works as expected, but there is one problem I find:

when the control link between the two devices fails, they go into an active/active state as each member assumes it's the last surviving member. The ARP entries for the Virtual IPs on the neighboring devices point to the device that last claimed the active role (usually the standby device). This works, in a way; sessions just don't get synced anymore (the control link is the same as the data link).

Now when the link comes back up, the preemption works and the active, former standby device goes back to standby. But the ARP entries on the neighboring devices still point to the standby device and nothing goes (also, sessions established during the active/active state are lost due to resync with the now active member).

This is a single point of failure and what I need is a way to mitigate that.


application redundancy
  group 1
    control <interface> protocol 1

only one control interface is allowed. Other manufacturers with similar functionality provide for the possibility of a backup control link, for example the internal LAN interface or a dedicated backup link.

How would I go about that? Maybe use a port-channel for the control/data link (but I'm out of interfaces)?

Thanks for any insights...
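For readers unfamiliar with the redundancy group syntax the snippet above comes from, here is a fuller configuration of the same feature; it is an added illustration, not the poster's running config, and the interface names, addresses, group name, priorities and key string are assumed placeholders. It shows the single control/data link the poster describes, plus a track object on the LAN interface so that a LAN-side failure lowers the priority and triggers failover, and MD5 authentication on the control protocol.

```cisco
! Added example (not the poster's config). Assumed: Gi0/2 is the single
! control/data link, Gi0/0 is the inside LAN carrying the VIP. The peer
! router uses the same lines with its own addresses and a lower priority.
track 10 interface GigabitEthernet0/0 line-protocol
!
redundancy
 application redundancy
  group 1
   name ZBFW-HA
   ! Failover is triggered when priority drops below the threshold
   priority 150 failover-threshold 100
   preempt
   ! Only one control interface is accepted; data sync rides the same link
   control GigabitEthernet0/2 protocol 1
   data GigabitEthernet0/2
   ! 150 - 60 = 90 < 100, so loss of the LAN interface also fails over
   track 10 decrement 60
   timers delay 10 reload 120
  protocol 1
   ! holdtime is the time after which the peer is declared gone
   timers hellotime 1 holdtime 3
   authentication md5 key-string 0 placeholder-key
!
interface GigabitEthernet0/2
 description HA control/data link (through a switch)
 ip address 10.255.255.1 255.255.255.252
!
interface GigabitEthernet0/0
 description inside LAN
 ip address 192.168.10.2 255.255.255.0
 ! RII must be identical on both routers for this interface pair
 redundancy rii 100
 redundancy group 1 ip 192.168.10.1 exclusive
 zone-member security inside
```

Role, peer state and control-link health can be checked with `show redundancy application group 1` and `show redundancy application control-interface group 1`; none of this adds a second control link, it only makes a LAN-side fault visible to the group.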



Control Link in Zone-Based Policy Firewall High Availability

Hi Bro

With regards to this, if you’ve limited physical ports, there’s nothing much you can do. However, the active device and the standby device (control link) must be connected through a switch (not directly). This will resolve your issue.

I presume you’ve complied with the following as well:

a)  The interfaces attached to the devices must have the same redundant interface identifier (RII).

b)  The active device and the standby device must have the same Cisco IOS XE Zone-Based Firewall configuration.

c)  The active device and the standby device must run on an identical version of the Cisco IOS XE software.

d)  Embedded Service Processor (ESP) must match on both active and standby devices.

For further details on this, please kindly refer to this URL

P/S: if you do find this comment useful, please do rate them nicely :-)

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department