05-24-2009 06:54 AM - edited 03-11-2019 08:36 AM
We have a pair of ASA firewalls running A/S failover. They talk OSPF with the network. Unfortunately, it seems that the secondary firewall doesn't get any routes (via OSPF or the Primary). This is causing issues with monitoring.
We have temporarily fixed it with a static route to our monitoring station but I was wondering if there is a way to get the routes propagated from the primary to the secondary?
05-26-2009 01:03 AM
Are you talking about the secondary not having any routes whilst the primary is running?
If you are this is what I would expect to see as the secondary is completely passive and just monitors the HA link.
If you want to monitor the backup unit whilst the primary is in service then I would use dedicated management interfaces and have a route from the core into the management network.
05-26-2009 02:08 PM
That is what I mean. There are two problems with this scenario. The first is the one I mentioned: there is no way to (easily) monitor the firewall. The second, which I just thought of, is more of a problem. In the case of a stateful failover, the new primary will have to wait for OSPF to reconverge before it can work.
This would most likely defeat the purpose of a stateful failover connection.
05-26-2009 11:47 PM
No, when it does failover it moves the routing tables along with the MAC addresses to the (formerly) passive firewall. Therefore the adjacent router just sees a short loss of carrier to the firewall and then recovers.
Normal loss of comms is under 5 seconds when we do it on our systems.
05-27-2009 07:09 AM
Routing tables are NOT stateful.
You will, indeed, have to wait for OSPF to reconverge.
05-28-2009 02:38 PM
Floating static routes? I know the PIX supports the ability to add static routes with administrative distances - why not just add a static route with a higher administrative distance than OSPF to the config? That way the standby should have a route whilst it isn't participating in OSPF. When it fails over, the static should get overwritten by the OSPF route, assuming there is one with the same prefix?
Andy
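The floating-static idea from the post above, written out as an added ASA configuration example (this is not config from any poster in this thread). The interface names, the addresses, the OSPF process number and area, and the monitoring subnet are assumed values for illustration; the administrative distances are the ASA defaults (static 1, OSPF 110).

```cisco
! Added example, not from this thread: ASA Active/Standby pair running OSPF,
! with floating static routes so the standby unit (which learns nothing via OSPF)
! still has usable routes. All names and addresses below are assumed.
!
! Weak form of the idea: a plain static carries the default distance of 1, so it
! would ALWAYS beat the OSPF route (distance 110), even on the active unit.
!   route outside 0.0.0.0 0.0.0.0 192.0.2.1
!
! Floating static: distance 120 is higher than OSPF's 110, so the route is used
! only while no OSPF route for the same prefix is present. On the standby unit
! this is the route in the table; on the active unit OSPF replaces it.
route outside 0.0.0.0 0.0.0.0 192.0.2.1 120
!
! Floating static toward an assumed monitoring subnet (the workaround the
! original poster mentioned), so the standby stays reachable for monitoring.
route inside 198.51.100.0 255.255.255.0 10.0.0.2 120
!
! OSPF on the active unit; the standby does not form adjacencies.
router ospf 1
 network 10.0.0.0 255.255.255.0 area 0
 network 192.0.2.0 255.255.255.0 area 0
!
! Checks: which unit is active, which route is installed for each prefix
! (the static shows distance 120, the OSPF route 110), and adjacency state.
show failover state
show route
show ospf neighbor
```

This covers the simple case of one prefix per side. As the later reply points out, where the same IP space sits on both sides of the firewall a floating static cannot express that, so `show route` on both units is the check worth running before relying on this.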
05-28-2009 04:53 PM
That is what I did. Unfortunately, the networks on either side of the firewalls are complicated and share the same IP space. This makes static routes painful.