Cisco Support Community

New Member

Cisco 2621 with failover firewalls

We have a Cisco 2621 connected to a pair of firewalls with failover enabled. During failover testing, we found that with the backup active, not all inbound IP traffic was being processed. Restarting the router fixed this problem. When the primary came back on line, the router had to be reset again. We looked at the defined routes and the route to our IP block is listed as a permanent route. Other static routes are not listed as permanent. Does this designation as a permanent route "lock" in the MAC address of the next device?


New Member

Re: Cisco 2621 with failover firewalls

How are you connected to the 2621? Are you bridging the Ethernet Interfaces?

New Member

Re: Cisco 2621 with failover firewalls

Both firewalls are connected to a hub, which is connected to the 2621. We have solved the problem. We found the lack of expiration for the ARP entries on the 2621 was the root of the problem. The ARP cache on the 2621 was not set with a timeout value and the firewalls did not force an ARP update when they came online. The 2621 was trying to route traffic to the MAC address of the "down" firewall. By setting a timeout value on the 2621 we force a process where the ARP table entries expire before the failover firewall comes online. The 2621 then discovers the new device and builds an ARP table for it.
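The failure described in the post above can be modelled in a few lines. This is an added example, not part of the original thread and not Cisco code: a simplified router ARP cache that counts how long traffic keeps going to the failed firewall's MAC with no timeout, with a timeout, and with an unsolicited ARP announcement at failover. The addresses, times and function names are constructed assumptions.

```python
# Constructed sample values (documentation ranges, not from the thread).
FW_IP = "192.0.2.1"                # address shared by the failover pair
PRIMARY_MAC = "00:00:5e:00:53:01"
BACKUP_MAC = "00:00:5e:00:53:02"


class ArpCache:
    """Simplified router ARP cache; timeout=None means entries never expire."""

    def __init__(self, timeout=None):
        self.timeout = timeout
        self.entries = {}          # ip -> (mac, time_learned)

    def resolve(self, ip, now, owner_mac):
        """Return the MAC the router frames traffic to at time `now`.

        owner_mac is the device that would answer an ARP request right now.
        """
        entry = self.entries.get(ip)
        if entry is not None:
            mac, learned = entry
            if self.timeout is None or now - learned < self.timeout:
                return mac         # entry still trusted, no ARP request sent
        # Missing or expired entry: ask again and learn the current owner.
        self.entries[ip] = (owner_mac, now)
        return owner_mac

    def announce(self, ip, mac, now):
        """Unsolicited ARP announcement from a device overwrites the entry."""
        self.entries[ip] = (mac, now)


def blackhole_seconds(timeout, failover_at, horizon, announce=False):
    """Seconds (one packet per second) sent to the dead firewall's MAC."""
    cache = ArpCache(timeout)
    lost = 0
    for now in range(horizon):
        active = PRIMARY_MAC if now < failover_at else BACKUP_MAC
        if announce and now == failover_at:
            cache.announce(FW_IP, active, now)
        if cache.resolve(FW_IP, now, active) != active:
            lost += 1
    return lost


if __name__ == "__main__":
    print("no timeout:      ", blackhole_seconds(None, 100, 1000))
    print("60 s timeout:    ", blackhole_seconds(60, 100, 1000))
    print("announce at swap:", blackhole_seconds(None, 100, 1000, announce=True))
```

In this model the outage with a timeout is always shorter than the timeout value, while without one it lasts until the cache is cleared by hand or the router is restarted.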
