I have a retail customer that has 2 routers at each store location running HSRP. Each router has a T1 to the internet and a DMVPN tunnel back to corporate, and both routers are running ZBF. Under normal circumstances this works well. But in a failover situation, when the T1 on Router 1 fails, HSRP makes the 0.0.0.0 route be Router 2. Traffic originating from the LAN uses Router 1 as the default gateway, so they are still sourcing from Router 1. Return traffic in a failover scenario comes through Router 2 to get back to the LAN side. This would be fine, except ZBF on Router 2 never sees the request, so it blocks the return traffic. The only way I have been able to get this to work is to pass the traffic instead of inspecting it within ZBF. But this defeats the purpose of traffic inspection. I am at a loss as to how to get this solution to work.
Zone Based Firewall stateful HA support is being considered, and last I checked is on the roadmap to be implemented in a 15M/T release sometime in mid-2011. That said, please don't quote me on this, as the standard "I don't represent the official Cisco view" disclaimer applies. I would suggest you contact your Cisco rep to confirm this and help make the business case for it.
Thanks for your insight, Wen. I had considered a similar config. But I was hoping that we could achieve this somehow with ZBF. I will test this config and see if I get any better outcome. Thanks again.
Unfortunately there's really no other way around this. The firewall (classic or ZBF) is stateful by definition, so it can't work with asymmetric connections. For now we are stuck with doing this with the classic firewall until the HA feature is added for ZBF.
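To make the failure mode in the first post and the "stateful by definition" point in the last reply concrete, here is an added example (not configuration posted in the thread) of the ZBF policy shape on one of the two store routers: the inspected variant that drops the reply once it arrives on the router that never saw the request, and the pass-based workaround the original poster described. Zone names, ACL names, the 10.1.1.0/24 LAN and the class/policy names are all assumptions made for the illustration.

```cisco
! Added example, not from the thread. Apply ONE of the two variants below.
zone security INSIDE
zone security OUTSIDE
!
! Assumed store LAN; the real prefix is not given in the thread.
ip access-list extended LAN-TO-INET
 permit ip 10.1.1.0 0.0.0.255 any
!
class-map type inspect match-all CM-LAN-TO-INET
 match access-group name LAN-TO-INET
!
! Variant 1: stateful inspection. A session entry is created on the router
! that forwards the LAN-originated request. While both directions of a flow
! cross the same router this works. After the Router 1 T1 fails, the reply
! enters Router 2, whose session table has no entry for that flow, so the
! class-default drop applies and the return traffic is lost.
policy-map type inspect PM-INSIDE-OUTSIDE
 class type inspect CM-LAN-TO-INET
  inspect
 class class-default
  drop
!
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-OUTSIDE
!
! Variant 2: the workaround described in the thread. 'pass' forwards matching
! packets without creating session state, so the reverse direction gets no
! automatic return entry and must be passed explicitly on a second zone-pair.
! The return ACL here relies on the TCP 'established' flag only (assumed to
! be acceptable for the illustration), which is exactly why this variant gives
! up the protection that inspection provided.
ip access-list extended INET-TO-LAN-RETURN
 permit tcp any 10.1.1.0 0.0.0.255 established
!
class-map type inspect match-all CM-INET-TO-LAN-RETURN
 match access-group name INET-TO-LAN-RETURN
!
policy-map type inspect PM-INSIDE-OUTSIDE-PASS
 class type inspect CM-LAN-TO-INET
  pass
 class class-default
  drop
!
policy-map type inspect PM-OUTSIDE-INSIDE-PASS
 class type inspect CM-INET-TO-LAN-RETURN
  pass
 class class-default
  drop
!
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-OUTSIDE-PASS
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUTSIDE-INSIDE-PASS
```

To confirm the diagnosis on a live pair, start a LAN-originated connection with Variant 1 in place, fail the Router 1 T1, and run `show policy-map type inspect zone-pair sessions` on Router 2: the flow whose replies are now arriving there has no session entry, which is the drop the original poster observed. The same command after switching to Variant 2 shows no sessions at all, because `pass` never creates them.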