vbongarala asked:
HSRP Hello Packets Across Firewall

I understand that HSRP hello packets are not routable.
But, normally, when a redundant infrastructure is built, esp. in the case of a primary and secondary data centre, firewalls usually sit behind the perimeter edge router. These routers are set up with HSRP to act as Active and Standby routers in the respective sites.

Of course, both sites will have L2 connectivity to allow hello packets to travel between the sites.
But what I want to understand is: with edge routers connected to firewalls and configured with HSRP, how would hello packets be passed by the firewall and then forwarded over the distribution layer and finally over the L2 link to the secondary data centre site standby router?

Can someone clarify this, please?

Thank you.
harbor235
It appears you are trying to offer HA for the different sites; HSRP is for outgoing traffic, not inbound.

Can you attach a drawing of what you are trying to do?

harbor235 ;}
vbongarala (asker)
I have added the HA Topology.

In the diagram, I'm referring to routers R1 and R2 at the primary and secondary sites respectively. As you can see, both are set up for HSRP as active and standby. Now, hello packets need to flow between them over the CWDM link to maintain their respective states and for failover to occur.

Indeed HSRP is set up for outgoing traffic in the topology.

Now, my question was how the firewall allows the HSRP hello packets from R1 to reach R2, as they are not routable. Does any ACL need to be set up in the firewall for multicast hello packets with destination 224.0.0.2, or what?

Please clarify. Thanks.

HA-Topolog-Design.doc


Gotcha, ok, the VLAN defined for the server should be available throughout the switch mesh (both sides).
HSRP should be running on the 6509s' SVI (switch virtual interface) for that VLAN. So, the HSRP-speaking interfaces should be on the 6509s, not the edge routers.

Match your HSRP active with your root bridge and traffic should flow to the correct side. You can also use dynamic routing to the edge; you can manipulate the egress path by applying a higher cost to the secondary path. This applies as well to static routing.

harbor235 ;}

I assume the 6509s are doing routing

harbor235 ;}


The main point is that HSRP sends hello packets to multicast address 224.0.0.2 with UDP port 1985.

harbor235 ;}

Yes, you are right, the 6509s are doing the routing. But I feel my question is not answered yet.

For edge router (R1 & R2) failover, HSRP is configured on the same router interface facing the firewall, and tracking is enabled on the interface facing the ISP at the primary site. Hence, the moment HSRP is enabled on R1 and R2, they should be exchanging hello packets to know who is active and therefore will forward the traffic.

But hello packets are L2 packets and the firewall is an L3 device, so how do these packets then go past the firewall and reach R2 over the L2 CWDM link at the secondary site?

Or in general, how does a firewall allow HSRP hello packets, as most redundant designs would have the edge router in front of a firewall?

Hope I'm clear.

Thank you.




What are you using HSRP for? I assume you want HA for the servers, correct? If one side goes down the other becomes active, enabling you to take advantage of your dual-homed architecture. If so, then the HSRP VIP and interfaces should be for the VLAN terminated on the 6500 and not the edge routers.
There is no layer 2 connectivity between the edge routers; typically you do not route HSRP hellos to form HSRP adjacencies. Tracking can be performed on the link between the FW and the 6500 as well. With routing on, if there is an edge router link failure, routing will take over and move the traffic.

Configure the HSRP group on the 6500s, enable routing between the 6500s and firewall, and between the firewall and the edge devices.

What type of FW are you using? Your design severely limits the throughput to your servers; it also makes the 6500s less than their capabilities.

And you are right, the FW will not pass the layer 2 traffic through the FW.

The firewall will not pass HSRP in routed mode. HSRP is for LAN segments that need an HA outbound path out of the LAN segment where servers/desktops may reside. You are configuring HSRP in the wrong place; it needs to be on the device and interface closest to the systems you want to have an HA GW.

harbor235 ;}
I am using HSRP on R1 for Internet link failover.

This is terminating directly on the R1 interface facing the ISP. As this interface is connecting to the ISP, and we do not have control of this link, we enabled tracking on this interface. And the interface of R1 connecting to the FWSM firewall is where I have actually enabled HSRP with a VIP.

This VIP i have used in FWSM firewall context ( routed mode ) for external route  i.e

route 0 0 203.x.x.x. ( actual IP of the R1 interface facing the FWSM )

instead

route 0 0 VIP of the R1 interface facing FWSM.

This is done so that if the link between FWSM and R1 fails, or the R1 interface fails, or the firewall external virtual interface fails, traffic will be automatically routed to the secondary Internet link at the secondary site via the ISP.

Here, also note that the FWSM is also in failover mode, i.e. the FWSM module at the primary site is in Active mode and the other FWSM at the secondary site is in Standby mode.

Yes, we also have HSRP configured for the SVI VLANs where servers are connected on the 6500 switch. The server gateway is the HSRP VIP.

Let me know what you think.

Thank you.


You should be using dynamic routing, or even weighted static routing with tracking on an interface, for Internet link failover. This eliminates the HSRP config issues.

Are you doing BGP with your provider?

Are you running an IGP? OSPF, EIGRP?

Routing is a much better solution

harbor235 ;}


Yes, we are using BGP with ISP and static routing on the router.


Well, with a sound BGP design, traffic failover via multi-homing is no problem. Do you really have a FW between the edge router and the 6500 and a FWSM? I would utilize an IGP (OSPF) between your edge and your 6500s, or even potentially iBGP. That way you have dynamic failover from a routing perspective throughout your site, instead of the design you now have, which is problematic.

If you only have a FWSM then you do not have to inspect traffic on the connector VLANs between the edge and the 6500s; you inspect the VLANs closer to the servers. This allows you to get dynamic routing down to the 6500s, which allows them to make routing decisions based on external link failures.

harbor235 ;}

We have a FWSM firewall between the 6500 and the edge router. Even now, dynamic failover to the secondary Internet link is happening with HSRP if the interface of R1 facing the FWSM fails or the tracked interface facing the ISP fails. However, I have two clarifications to understand:

1. I already asked about HSRP hello packets. R1 and R2 are indeed currently in active and standby roles, but as I said, I'm not quite sure how HSRP hello packets are getting into the FWSM and then to the 6500 and then over the CWDM L2 link to the secondary site.

2. The 2nd question I would want to ask you only after the 1st is cleared, just to address the issues one by one and also to keep it simple.

I think the diagram that I sent should tell you all.

Please let me know what you think.

Thank you.


1) HSRP is sourced from the router VIP interface using UDP port 1985; HSRP hellos are sent to multicast address 224.0.0.2. Are you allowing multicast or UDP traffic from the source? I would have to see your security policy. HSRP members do not have to be in the same subnet; the traffic can be routed, so it depends on your setup. I guess I missed where you said HSRP is layer 2. It's not, it's layer 3.

harbor235 ;}

You mean allowing HSRP multicast UDP traffic in the firewall? Yes, I have. But I'm not sure if the HSRP packets are being allowed through the firewall due to the following ACL:

ACL 100 extended permit udp <R1 interface IP> host 224.0.0.2

or due to some other mechanism, because HSRP failover is happening. And also, the HSRP members are in the same subnet.

Let me know if you want to see any configurations, so that I can send them to you.

Thank you
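The following is an added example, not code from the thread or from either participant: a small Python decoder for the HSRP v1 hello that harbor235 describes (UDP port 1985 to 224.0.0.2), plus a model of the asker's firewall ACL ("permit udp <R1 interface IP> host 224.0.0.2"). The addresses, the sample packet and the ACL list are constructed; the check also reports the TTL of 1 that RFC 2281 hellos carry, which is the reason they are not routable regardless of what an ACL permits.

```python
import ipaddress
import struct

HSRP_GROUP_ADDR = ipaddress.IPv4Address("224.0.0.2")  # all-routers, link-local scope
HSRP_UDP_PORT = 1985
HSRP_STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak", 8: "standby", 16: "active"}
HSRP_OPCODES = {0: "hello", 1: "coup", 2: "resign"}


def parse_hsrp(packet: bytes) -> dict:
    """Decode IPv4 + UDP + 20-byte HSRPv1 body; raise ValueError if it is not HSRP."""
    ihl = (packet[0] & 0x0F) * 4
    ttl, proto = packet[8], packet[9]
    src, dst = ipaddress.IPv4Address(packet[12:16]), ipaddress.IPv4Address(packet[16:20])
    if proto != 17:
        raise ValueError("not UDP")
    sport, dport, ulen = struct.unpack("!HHH", packet[ihl:ihl + 6])
    body = packet[ihl + 8:ihl + ulen]
    if dport != HSRP_UDP_PORT or dst != HSRP_GROUP_ADDR or len(body) < 20:
        raise ValueError("not an HSRPv1 packet")
    ver, op, state, hello, hold, prio, group, _ = struct.unpack("!8B", body[:8])
    auth = body[8:16].rstrip(b"\x00").decode("ascii", "replace")
    return {"src": str(src), "ttl": ttl, "sport": sport, "dport": dport, "version": ver,
            "opcode": HSRP_OPCODES.get(op, op), "state": HSRP_STATES.get(state, state),
            "hello_time": hello, "hold_time": hold, "priority": prio, "group": group,
            "auth": auth, "virtual_ip": str(ipaddress.IPv4Address(body[16:20]))}


def acl_permits(acl, src, dst, proto="udp", dport=None) -> bool:
    """Walk (action, proto, src_net, dst_net, port) entries top-down with an implicit
    deny, modelling 'permit udp <R1 interface IP> host 224.0.0.2' (port None = any)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, p, src_net, dst_net, port in acl:
        if p in (proto, "ip") and s in ipaddress.IPv4Network(src_net) \
                and d in ipaddress.IPv4Network(dst_net) and port in (None, dport):
            return action == "permit"
    return False


def build_hello(src, vip, state=16, priority=100, group=1, ttl=1) -> bytes:
    """Construct a sample HSRPv1 hello (RFC 2281 default 'cisco' auth, checksums left zero)."""
    body = struct.pack("!8B", 0, 0, state, 3, 10, priority, group, 0)
    body += b"cisco".ljust(8, b"\x00") + ipaddress.IPv4Address(vip).packed
    udp = struct.pack("!HHHH", HSRP_UDP_PORT, HSRP_UDP_PORT, 8 + len(body), 0) + body
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, ttl, 17, 0,
                     ipaddress.IPv4Address(src).packed, HSRP_GROUP_ADDR.packed)
    return ip + udp


def check_hello(packet: bytes, acl) -> dict:
    """Report the hello's state/VIP, whether the ACL would permit it, and whether it
    carries the TTL of 1 that RFC 2281 hellos use (the reason they are not routable)."""
    h = parse_hsrp(packet)
    return {"state": h["state"], "virtual_ip": h["virtual_ip"], "link_local_ttl": h["ttl"] == 1,
            "acl_permits": acl_permits(acl, h["src"], str(HSRP_GROUP_ADDR), dport=h["dport"])}


# Constructed sample values (documentation-range addresses, not the thread's real ones)
R1_IFACE_IP, R1_VIP = "203.0.113.2", "203.0.113.1"
FW_ACL = [("permit", "udp", "203.0.113.2/32", "224.0.0.2/32", None)]
SAMPLE_HELLO = build_hello(R1_IFACE_IP, R1_VIP)
```

Running `check_hello(SAMPLE_HELLO, FW_ACL)` shows the ACL matching the hello even though its TTL of 1 means a routed-mode firewall will not forward it.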


Yes, that's it. The VIP may be in the same subnet as the HSRP group, but the physical interfaces must be in different subnets.

harbor235 ;}


But I understand you think this design is somehow not correct and has problems. Can you highlight that aspect?


That's another question. However, you are not leveraging dynamic routing fully and you are making it more complex. That does not make it wrong; I would just do it differently. I would take the HSRP packets traversing the firewall out of the equation, thus eliminating another potential point of failure.

Your failover time is dictated by your Internet link and BGP, so why not use that natively to shift the traffic instead of using BGP and HSRP? It can be done with BGP. Again, your way is not wrong, it's just that I would do it differently.

Let me know how it goes,

harbor235 ;}
The other question I mentioned is:
As I told you, the upstream FWSM firewall (routed mode) is also in Active state along with the R1 router at the primary site.
The FWSM has two firewall contexts, one for Internet traffic and the other for WAN traffic.
The default route in both firewall contexts is the VIP of the downstream HSRP router.
Now, when I was testing the edge router R1 / Internet link failover at the primary site, I found the upstream FWSM firewall was not failing over to its counterpart at the secondary site the way R1 was failing over to R2.

Due to this, I had to manually force the FWSM failover to the secondary site, and only then was the edge router / Internet link failover fully happening. Otherwise, not.

I was of the view that if edge router R1 failed or the Internet link failed, the FWSM firewall would also fail over,
making the whole failover process seamless and automatic.

But I found otherwise. Can you opine why the FWSM is not failing over?

Thank you.



I answered your original question, and then I added additional information. Not bad for 250 pts.

Please award points and submit another question.

harbor235 ;}
I have added more points.

And my other question I have already asked in my last post. But I will add it here again:

As I told you, the upstream FWSM firewall (routed mode) is also in Active state along with the R1 router at the primary site.
The FWSM has two firewall contexts, one for Internet traffic and the other for WAN traffic.
The default route in both firewall contexts is the VIP of the downstream HSRP router.
Now, when I was testing the edge router R1 / Internet link failover at the primary site, I found the upstream FWSM firewall was not failing over to its counterpart at the secondary site the way R1 was failing over to R2.

Due to this, I had to manually force the FWSM failover to the secondary site, and only then was the edge router / Internet link failover fully happening. Otherwise, not.

I was of the view that if edge router R1 failed or the Internet link failed, the FWSM firewall would also fail over,
making the whole failover process seamless and automatic.

But I found otherwise. Can you opine why the FWSM is not failing over?

Thank you,
sorry, I mistyped the points.


You have HSRP configured on the edge routers, and you are tracking on the external interfaces. How does the FWSM know that there has been a routing change? The connector net between the FWSM and the router is up in several/most failure scenarios. That's why I was trying to explain to you that you need to use routing to make the outbound traffic shift when there is an external failure. If you were using dynamic routing (you can't, you are in context mode) this would be easy.

The firewall would need to hairpin traffic to make it work, and a firewall does not work that way. If HSRP was configured closer to the servers on the 6500s, before the firewall, then the traffic could be routed to the correct firewall via dynamic routing.

harbor235 ;}
I am not sure I got your reply clearly. Please can you put it in a little more elaborate way?

Also, I would want to know what we need to change in the configuration, and where, to make the FWSM also fail over when the edge router fails.

Thank you,

The firewall will failover when there are changes to firewall interfaces, not when there is a failover of your external link(s) on your edge routers, you need dynamic routing to achieve this and potentially a redesign. High availability is not achieved by only configuring HSRP, you need to have a robust HA configuration throughout your architecture.

harbor235 ;}


Right, changes to firewall interfaces will trigger its failover, which is not happening when the interface of R1 facing the firewall fails.

Can you suggest the robust HA configuration, particularly w.r.t. the firewall and edge router, that will set it right? I would appreciate it if you could show a sample config of dynamic routing and how it will help our design.

Thank you


But that is my point: the firewall interfaces are not failing, so the firewall will not shift the traffic. Is the interface that is failing the external interface of the edge router (the link facing your ISP), or is it the router interface between the router and the firewall?

If it is the interface between the firewall and the router, is that interface being monitored?

Do you have a secondary IP address configured?
Do you have the correct licensing?
Are the primary and secondary both in multi context mode?
Are the software versions the same?

Here is a failover troubleshooting doc:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a0080965dec.shtml

harbor235 ;}

Yes, the interface that is failing is the one between the firewall and the router and not the external interface (facing the ISP).

Yes, interfaces are being monitored.

What secondary IP address do you mean?

Both FWSM have the same license of 20 contexts

Both FWSM mods are in multi context mode

Both share the same versions, 3.1 (1)


We have manually brought down the interface of the edge router that is connecting to the firewall. But yet the firewall external interface shows status as UP.

Does it have anything to do with the firewall interface being virtual in nature, as you would know, because it is a virtual firewall context?

Thank you.


By monitored I mean that you have specified that that interface is being monitored by the firewall for failover purposes.

As far as secondary address, you need to specify the secondary ip address for the failover firewall?

The original question has been answered and much more, Please award points and ask a question now about firewall failover configuration

good luck,


harbor235 ;}

I have awarded additional points.

Yes, the firewall interface is being monitored by the firewall for failover purpose.

Secondary address is also configured for the failover.

Now, can we look at the firewall failover configuration.

Thank you.


I need to see your firewall config; sanitize it and post it if you can.

harbor235
Sure, i will in some time.

Thank you.



I have attached the sanitized firewall configuration files for your perusal.

Thank you.
Firewall-Context-Config.txt
Firewall-Failover-Config.txt


The FWSMs are in separate chassis, correct?

In multiple context mode, the state link resides in the system context. This interface and the failover interface are the only interfaces in the system context. All other interfaces are allocated to and configured from within security contexts.

harbor235 ;}

Yes, you are right. Both FWSMs are in separate chassis.

The state link and failover interface are sitting on the system context, with all other interfaces allocated within security contexts.



How did you test failover? Or what failure occurred that did not fail the FW interfaces over?

harbor235  ;}

As I said, on the R1 router we have enabled tracking on the external interface facing the ISP, as we don't have control over the link to the ISP. Also, we have configured HSRP on the R1 interface connecting to the firewall.

Now, to test the failover, we manually bring down the external interface of the R1 router, triggering edge router/link failover. All inbound traffic now comes in through the R2 router and the secondary link at the secondary site. But as the upstream firewall failover is not happening, traffic is coming in and stopping at the R2 router, and then I have to manually force the failover on the primary FWSM to the standby FWSM, and then traffic flow is normal.

Thank you

Does the firewall configuration have a default route to the VIP of the HSRP group?

context Internet
  description Internet Connection
  allocate-interface Vlan16 Int1
  allocate-interface Vlan160 Ext1               ?????
  allocate-interface Vlan166 ext2              ??????
 
How many external connections are there?

What is the VIP IP? Can you post your routing table too.

If the FWs are on a vlan and you point the default route to the VIP it does not have to failover to work, the firewall will only


harbor235 ;}

Yes, the firewall has a default route to the VIP of the HSRP group; the IP is 204.x.x.244 (I have highlighted it in the config file).

There's only one external connection, represented by Ext1, where the R1 router interface is connected.

ext2 represents the DMZ interface, as you can see in the config.

The routing table is already there in the file I sent you earlier.

I did not get your last line. Can you complete it?

Thank you


The last line: if the external FW interfaces (primary and secondary) are in VLAN 160 and R1's and R2's inside interfaces are in VLAN 160, then when HSRP fails to the backup, there is no need to fail over the FW, because the firewall can still route to the VIP, which is now being responded to by the backup router.

The firewall does not fail because the HSRP group failed on the router; it will fail only when its interfaces have failed. Remember, just because the HSRP group failed because of a change in the interface you are tracking, that does not mean that the inside interface has failed. All that it means is that the backup router interface will now respond to the ARP requests for the VIP; the physical interface is still up and it also still responds to traffic directed to the IP address assigned (non-VIP). If you want traffic to shift to one side or another you will need to do what I have recommended earlier: use routing.

harbor235 ;}

I get your point on why the firewall will not fail over. But unless I manually force the firewall to fail over, inbound traffic is getting stopped at the backup router.

The problem is the manual intervention to force the firewall failover and my need is how to make it automatic.

Thank you



ASKER CERTIFIED SOLUTION
harbor235

Where are you suggesting that routing be incorporated, which will enable firewall failover along with edge router failover?

If the change is w.r.t. implementing dynamic routing in place of static routing, then yes, we can think of it.

Pushing the 6500 down and letting it connect to the router is perhaps not a viable change that can be done at this juncture, as we are in production.

But does it mean that, in the current design, there is no way we can make firewall failover automatic if and when the edge router fails?



I did not offer up a design, but in many of my previous replies I recommended dynamic routing. The problem you have is that you are using your firewall between your edge and distribution. In addition, you are using multiple context mode, which does not allow dynamic routing to be configured. This architecture limits what you can do.

You could run a routing protocol through the firewall to the 6500; this would allow the failover of traffic to the secondary side. This does not make the firewall fail over; traffic will fail over. You would have to run the FWs in active/active mode.

harbor235 ;}


The clarity is now better. But please let me know where, in a normal design, the firewall is to be placed, esp. in the case of a collapsed architecture.

Thank you


It depends, but wherever you put it, you need to assess your overall architecture and plan out how you will handle security, HA, routing, switching, etc.



harbor235 ;}