?
Solved

HSRP Hello Packets Across Firewall

Posted on 2009-04-21
45
Medium Priority
?
1,712 Views
Last Modified: 2012-05-06
I understand that HSRP hello packets are not routable.
But, normally, when a redundant infrastructure is built esp in case of a primary and secondary data centre, firewalls usually sit behind the perimeter edge router.  These routers are setup with HSRP to act as Active and Standy routers in  the respective sites.

Offcourse, both sites will have a L2 connectivity to allow hello packets to travel between the sites.
But what i want to understand it is - with edge routers connected to firewalls and configured with HSRP, how Hello packets would be passed by firewall and then forwarded over distribution layer and finally over the L2 link to the secondary data centre site standby router.

Can some one clarify this, plz ?

Thank you.
0
Comment
Question by:vbongarala
  • 23
  • 22
45 Comments
 
LVL 32

Expert Comment

by:harbor235
ID: 24198031


It appears like you are trying to offer HA for the different sites, HSRP is for outgoing traffic not inbound.

Can you attach a drawing of what you are trying todo?

harbor235 ;}
0
 

Author Comment

by:vbongarala
ID: 24201488
I have added the HA Topology.

In the diagram,i'm referring to routers R1 and R2 at primary and seconday sites respectively. As you can see, both are setup for HSRP as active and standby. Now, hellow packets need to flow between them over CWDM link to maintain thier respective states and failover to occur.

Indeed HSRP is setup for outgoing traffic in the topology.

Now, my question was how the firewall allows the HSRP hello packets from R1 to reach R2, as they are not routable. Does any ACL need to be setup in the firewall for multicast hello pacets with destination, 224.0.0.2 or what  ?

Plz clarify. Thanks.

HA-Topolog-Design.doc
0
 
LVL 32

Expert Comment

by:harbor235
ID: 24204056


Gotcha, ok, the vlan defined for the server should be available throughout the switch mesh(both sides)
HSRP should be running on the 6509s SVI(switch virtual interface)  for that vlan. So, the HSRP speaking interfaces should be on the 6509s not the edge routers.  

Match your HSRP active with your root bridge and traffic should flow to the correct side, you can also use dynamic routing to the edge, you can manipulate the egree path by applying a higher cost to the scondary path. This applies as well to static routing.

harbor235 ;}
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
LVL 32

Expert Comment

by:harbor235
ID: 24204225

I assume the 6509s are doing routing

harbor235 ;}
0
 
LVL 32

Expert Comment

by:harbor235
ID: 24204269


the main point is that HSRP sends hello packets to multicast address 224.0.0.2 with udp port 1985.

harbor235 ;}
0
 

Author Comment

by:vbongarala
ID: 24207460

 Yes, you are right 6509s are doing the routing. But i feel my question is not answered yet.

For edge routers (R1 & R2 ) failover, HSRP is configured on the same router interface facing the firewall and tracking enabled on the interface facing the ISP at the primary site. Hence, the moment HSRP is enabled on R1 and R2, they should be exchanging Hello packets to know who is active and therefore ll forward the traffic.

But hello packets are L2 packets and firewall is L3 device, how does then these packets go past the firewall and  reach R2 over the L2 CWDM link at secondary site ?

Or in general how does a firewall allow HSRP hello packets as most of the redundant designs would be having edge router in front of a firewall.

Hope, i'm clear.

Thank you.



0
 
LVL 32

Expert Comment

by:harbor235
ID: 24207790

What are you using HSRP for? I assume you want HA for the servers, correct? If one side goes down the other becomes active enabling you to take advantage of your dual homed architecture. If so then then HSRP VIP and interfaces should be for the VLAN terminated on the 6500 and not the edge routers.
There is no layer 2 connectivty between the edge routers, typically you do not route HSRP hellos to form HSRP adjancies. Tracking can be perfromed on the link between the FW and the 6500 as well. With routing on, if there is a edge router link failure routing will take over and move the traffic.

Configure HSRP group on the 6500's, enable routing between 6500's and firewall, and firewall and the edge devices.

What type of FW are you using? Your design severly limits the throughput to your servers, it also makes the 6500s less than it's capabilities.

And you are right, the FW will not pass the layer 2 traffic through the FW

Firewall will not pass HSRP in routed mode. HSRP is for LAN segments that need a HA outbound path out of the LAN segement where servers/desktops may reside. You are configuring HSRP in the wrong place, it needs to be on the device and interface closests to the systems you want to have an HA GW.

harbor235 ;}
0
 

Author Comment

by:vbongarala
ID: 24210945
Am using HSRP on R1for Internet Link failover.

Which is terminating directly on the R1 interface facing the ISP. As this interface is connectiong to ISP, and we do not ve control no this link we enabled tracking on this interface. And the interface of R1 connecting to FWSM firewall is where i have actually enabled HSRP with VIP.

This VIP i have used in FWSM firewall context ( routed mode ) for external route  i.e

route 0 0 203.x.x.x. ( actual IP of the R1 interface facing the FWSM )

instead

route 0 0 VIP of the R1 interface facing FWSM.

This is done so that if link between FWSM and R! fails or R1 interface fails or firewall  external virtual interface fails, traffic ll be automatically routed  to secondary internet link at the secondary site via ISP.

Here, also note that FWSM is also in failover mode i.e FWSM mod at primary site is in Acive mode and another FWSM at secondary site is in Satndby mode.

Yes, we do have HSRP configured also for SVI VLANs where server are connected on 6500 switch. The server gwy is the HSRP VIP.

Let me know what you think.

THank you.
0
 
LVL 32

Expert Comment

by:harbor235
ID: 24215124


You should be using dynamic routing or even weighted static routing tracking on an interface for internet link failover. This elimates the HSRP config issues.

Are you doing BGP with your provider?

Are you running an IGP? OSPF, EIGRP?

Routing is a much better solution

harbor235 ;}
0
 

Author Comment

by:vbongarala
ID: 24215220


Yes, we are using BGP with ISP and static routing on the router.

0
 
LVL 32

Expert Comment

by:harbor235
ID: 24215504

Well with a sound BGP design traffic failover via multi-homing is no problem. Do you really have a FW between the edge router and the 6500 and a FWSM? I would utilize an IGP (OSPF) between your edge and your 6500's or even potentially IBGP. That way you have dynamic fail over from routing perspective throughout your site, instead off the design you now have which is problematic.

If you only have a FWSM then you do not have to inspect traffic on the connecter vlans between the edge and the 6500s, you inspect the vlans closer to the servers. This allows you to get dynamic routing down to the 6500s whcih allows them to make routing descsions based on external link failures.

harbor235 ;}
0
 

Author Comment

by:vbongarala
ID: 24215901

We have FWSM firewall between 6500 and the edge router. Even now dynamic failover to seconday Internet link is happening with HSRP, if the interface of R1 facing FWSM fails or the tracked interfacer facing the ISP fails. However, i have two clarifications to understand:

1. I already asked -  about HSRP hello packets. R1 and R2 r indeed currently in active n standby roles, but as i said i'm little not sure how HSRP hello packets are getting in to FWSM and then to 6500 and then over the CWDM L2 link over to seconday site.

2. 2nd question, i would wanna ask you only after 1st is cleared just to keep address the issues one by one and also to keep it simple.

I think, th diagram that i sent should tell you all.

Plz let me know what you think.

THank you.
0
 
LVL 32

Expert Comment

by:harbor235
ID: 24216141


1) HSRP is sourced from the router VIP interface using udp port 1985, HSRP hellos are sent to multicast address 224.0.0.2, Are you allowing multicast or udp traffic from the source? I would have to see your security policy. HSRP members do not have to be in the same subnet, the traffic can be routed so it depends on your setup. I guess I missed where you said HSRP is layer 2, it's not, it's layer 3.

harbor235 ;}
0
 

Author Comment

by:vbongarala
ID: 24216283

You mean allowing HSRP multicast UDP traffic in the firewall ? Yes, i have. But i'm not sure if the  HSRP packets are being allowed through the firewall due the following ACL:

ACL 100 extended permit udp <R1 interface IP> host 224.0.0.2

or due to some other mechanism, because HSRP failover is happening. And also - HSRP members are in the same subnet.

Let me know, if you want to see any configurations so that i can send you.

Thank you
0
 
LVL 32

Expert Comment

by:harbor235
ID: 24216361


Yes, thats it, the vip maybe in the same subnet as the HSRP group but the physical interface must be in different subnets.

harbor235 ;}
0
 

Author Comment

by:vbongarala
ID: 24216502


But i understand , you think some way this design is not correct and has problems...can you highlight that aspect ?
0
 
LVL 32

Expert Comment

by:harbor235
ID: 24217116


Thats another question, however, you are not leveraging dynamic routing fully and you are making it more complex. That does not make it wrong, I would just do it differntly. I would take the HSRP packets traversing the firewall out of the equation, thus eliminating another potential point of failure.

Your failover time is dictated by your internet link and BGP, why not use that natively to shift the traffic instead of using BGP aand HSRP, it can be done with BGP. Again your way is not wrong just i would do it differntly.

Let me know how it goes,

harbor235 ;}
0
 

Author Comment

by:vbongarala
ID: 24236780
The other question i said about is :
As i told you the upstream FWSM firewall (routed mode) is also in Active state along with R1 router at the primary site.
The FWSM has two firewall contexts, one for Internet traffic and the other for WAN traffic.
The default route in both the firewall contexts is the VIP of the downstream HSRP router.
Now, when i was testing the edge router R1/ Internet link failover at primary site, i found the upstream FWSM firewall was not failing over to its conterpart at secondary site just like R1 was failing over to R2.

Due to this, i had to manually force the FWSM failover to secondary site and only then the edge router/ internet link failover was fully happening. Otherwise, not.

I was of the view that if edge router R1 failed or internet link failed, FWSM firewall also would failover
making the whole failover process seamless and automatic.

But i found it otherwise. Can you opine, why the FWSM is not failing over.

Thank you.

0
 
LVL 32

Expert Comment

by:harbor235
ID: 24238319


I answered your original question, and then I added additional information, not bad for 250 pts

please award points and submit another  question,

harborr235 ;}
0
 

Author Comment

by:vbongarala
ID: 24238952
I have added more points.

And my another question i have alredy asked in my last post. But i ll add here again:

As i told you the upstream FWSM firewall (routed mode) is also in Active state along with R1 router at the primary site.
The FWSM has two firewall contexts, one for Internet traffic and the other for WAN traffic.
The default route in both the firewall contexts is the VIP of the downstream HSRP router.
Now, when i was testing the edge router R1/ Internet link failover at primary site, i found the upstream FWSM firewall was not failing over to its conterpart at secondary site just like R1 was failing over to R2.

Due to this, i had to manually force the FWSM failover to secondary site and only then the edge router/ internet link failover was fully happening. Otherwise, not.

I was of the view that if edge router R1 failed or internet link failed, FWSM firewall also would failover
making the whole failover process seamless and automatic.

But i found it otherwise. Can you opine, why the FWSM is not failing over.

Thank you,
0
 

Author Comment

by:vbongarala
ID: 24238957
sorry i missed type the points.
0
 
LVL 32

Expert Comment

by:harbor235
ID: 24241482


You have HSRP configured on the edge routers, and you are tracking on the external interfaces, how does the FWSM know that there has been a routing change? The connector net between the FWSM and the router is up in several/most faliure scenarios. That's why I was trying to explain to you that you need to use routing to make the outbound traffic shift when there is a external failure. If you were using dynamic routing (can't you are in context mode) this would be easy.

The firewall would need to hairpin traffic to make it work, a firewall does not  work that way.  If HSRP was confgured closer to the servers on the 6500's before the firewall then the traffic could be routed to the correct firewall via dynamic routing.

harbor235 ;}
0
 

Author Comment

by:vbongarala
ID: 24242087
I am not sure i got your reply clear. Plz can you put it in little more elaborate way.

Also, i would wanna know, what we need to change in configuration and where, to make FWSM also failover, when the edge router fails.

Thank you,
0
 
LVL 32

Expert Comment

by:harbor235
ID: 24242787

The firewall will failover when there are changes to firewall interfaces, not when there is a failover of your external link(s) on your edge routers, you need dynamic routing to achieve this and potentially a redesign. High availability is not achieved by only configuring HSRP, you need to have a robust HA configuration throughout your architecture.

harbor235 ;}

0
 

Author Comment

by:vbongarala
ID: 24244290

Right, that changes to firewall interfaces will triggers its failover and which is not happening when the interface of R1 facing the firewall fails.

Can you suggest the robust HA configuration particularly w.r.t firewall and edge router that ll set right. I would appreciate if u could show a samlpe config of dynamic routing and how it ll help our design.

Thank youi
0
 
LVL 32

Expert Comment

by:harbor235
ID: 24244560


But that is my point, the firewall interfaces are not failing so the firewall will not shift the traffic.  The interface that is failing is the external interface of the edge router (the link facing your ISP)? or is it the router interface between the router and the firewall.

If it is the interface between the firewall and the router, is that interface being monitored?

Do you have a secondary IP address configured?
DO you have the correct licensing?
Are the primary and secondary both in multi context mode?
Are the software versions the same?

here is a failover troubleshooting doc;

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a0080965dec.shtml

harbor235 ;}
0
 

Author Comment

by:vbongarala
ID: 24244793

Yes, the interface that is failing is the one between the firewall and the router and not the external interface (facing the ISP).

Yes, interfaces are being monitored.

What secondary IP address you mean ?

Both FWSM have the same license of 20 contexts

Both FWSM mods are in multi context mode

Both share the same versions, 3.1 (1)


We have manually brought down the interface of the edge router that is connecting to firewall.  But yet the firewall external interface is shows status as UP.

Does it have anything to do because the firewall interface is virtual in nature, as you would know, becoz it is a virtual firewall context.

Thank you.
0
 
LVL 32

Expert Comment

by:harbor235
ID: 24245591


By monitored I mean that you have specified that that interface is being monitored by the firewall for failover purposes.

As far as secondary address, you need to specify the secondary ip address for the failover firewall?

The original question has been answered and much more, Please award points and ask a question now about firewall failover configuration

good luck,


harbor235 ;}
0
 

Author Comment

by:vbongarala
ID: 24246832

I have awarded additional points.

Yes, the firewall interface is being monitored by the firewall for failover purpose.

Secondary address is also configured for the failover.

Now, can we look at the firewall failover configuration.

Thank you.
0
 
LVL 32

Expert Comment

by:harbor235
ID: 24246905


I need to see your firewall config, sanitize it and post if yo can.

harbor235
0
 

Author Comment

by:vbongarala
ID: 24246937
Sure, i will in some time.

Thank you.
0
 

Author Comment

by:vbongarala
ID: 24249595



I have attached the sanitized firewall configuration files for your persusal.

Thank you.
Firewall-Context-Config.txt
Firewall-Failover-Config.txt
0
 
LVL 32

Expert Comment

by:harbor235
ID: 24251710


The FWSM's are in seperate chassis, correct?

In multiple context mode, the state link resides in the system context. This interface and the failover interface are the only interfaces in the system context. All other interfaces are allocated to and configured from within security contexts.

harbor235 ;}
0
 

Author Comment

by:vbongarala
ID: 24252105

Yes, you are right. Both FWSMs are in separate chassis.

State link and failover interface are sitting on system context, with all other interfaces a;llocated in within security contexts.

0
 
LVL 32

Expert Comment

by:harbor235
ID: 24252220


How did you test failover? Or what failure occured that did not fail the FW interfaces over?

harbor235  ;}
0
 

Author Comment

by:vbongarala
ID: 24252428

As i said, on R1 router we have enabled tracking on external interface facing the ISP as we dont ve control on the link to ISP. Also we have configured HSRP on the R1 interface connecting the firewall.

Now to test the failover, we manually bring down the external interface of the R1 router triggering Edge router/link failover. All inbound traffic now comes in through the R2 router and seconday link at seconday site. But as the upstream firewall failover is not happening traffic is coming and stopping till R2 router and then i have manually force the failover on the primary FWSM to standby FWSM and then traffic flow is normal.

Thank you
0
 
LVL 32

Expert Comment

by:harbor235
ID: 24252783

Does the firewall configuration have a default route to the VIP of the HSRP group?

context Internet
  description Internet Connection
  allocate-interface Vlan16 Int1
  allocate-interface Vlan160 Ext1               ?????
  allocate-interface Vlan166 ext2              ??????
 
How many external connections are there?

What is the VIP IP? Can you post your routing table too.

If the FWs are on a vlan and you point the default route to the VIP it does not have to failover to work, the firewall will only


harbor235 ;}
0
 

Author Comment

by:vbongarala
ID: 24252895

Yes, firewall has default route to VIP of HSRP grp..the IP is 204.x.x.244 ( i ve highlighted in the config file )

there's only one external connection represented by Ext1, whre R1 router interface is connected.

ext2 represents DMZ interface as you can c in the config.

Routing table is already there in the file i sent u earlier.

I did not get your last line....can you complete it.

Thank you
0
 
LVL 32

Expert Comment

by:harbor235
ID: 24253237


The last line, if the external FW interfaces (primary and secondary) are in VLAN  160 and R1 and R2s inside interfaces are in VLAN 160, then when the HSRP fails to the backup, there is no need to failover the FW because the firewall can still route to the VIP which is now being responded to by the backup router.

The firewall does not fail becuase the HSRP group failed on the router, it will fail only when it's interfaces have failed. Remeber, just because the HSRP group failed because of a change in the interface you are tracking, that does not mean that inside interface has failed, all that it means is that the backup router interface will now respond to the arp requests for the VIP, the physical inerface is still up and it also still responds to traffic directed to the IP address assigned (non VIP). If you want traffic  to shift to one side or another you will need to do what I have recommended earlier, use routing.

harbor235 ;}
0
 

Author Comment

by:vbongarala
ID: 24253501

 I get your point on why firewall will not failover. But unless i manually force the firewall to failover, inbound traffic is getting stopped at the backup router.

The problem is the manual intervention to force the firewall failover and my need is how to make it automatic.

Thank you



0
 
LVL 32

Accepted Solution

by:
harbor235 earned 1400 total points
ID: 24255001

You need routing, only problem is that you may have to redesign your network. The FWSM does not support dynamic routing in multiple context mode. I would push the FWSM down, let the 6500 Layer 3 piece connect to the edge router. This requires allot of changes.


harbor235 ;}
0
 

Author Comment

by:vbongarala
ID: 24256208

Where are you suggesting that routing be incorporated , which will enable firewall failover also along with edge router failover.

If the change is w.r.t to implementing dynamic routing in place of static routing, the yes we can think of.

Pushing 6500 down and letting it connect to the router is perhaps not a viable change that can be done at this juncture as v are into production.

But does it mean that - in the current design there is no way we can make firewall failover automatic if and when edge router fails ?
0
 
LVL 32

Expert Comment

by:harbor235
ID: 24260017



I did not offer up a design but in many of my previous replies I recommneded dyanmic routing. The problem you have is that you are using your Firewall between your edge and distibution. In addtion,
you are using multiple context mode which does not allow dynamic routing to be configured. This architecture limits what you can do.

You could run a routing protocol through the firewall to the 6500, this would allow the failover of traffic
to the secondary side. This does not make the firewall failover, traffic will failover. You would have to run the FWs in active/active mode.

harbor235 ;}

0
 

Author Comment

by:vbongarala
ID: 24260295

The clarity is now better. But plz let me know, normally, in a normal design where firewall is to placed. Esp in the case, if it is a collapsed architecture.

Thank you
0
 
LVL 32

Expert Comment

by:harbor235
ID: 24260460


It depends, but where ever you put it, you need to assess your over all architecture and plan out how you will handle security, HA, routing, switchig, etc .......



harbor235 ;}
0

Featured Post

Prepare for an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program curriculum features two internationally recognized certifications from the EC-Council at no additional time or cost.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of the companies I’ve worked with have embraced cloud solutions due to their desire to “get out of the datacenter business.” The ability to achieve better security and availability, and the speed with which they are able to deploy, is far grea…
There’s a movement in Information Technology (IT), and while it’s hard to define, it is gaining momentum. Some call it “stream-lined IT;” others call it “thin-model IT.”
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Suggested Courses

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question