<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Active-Active Firewall - BGP failure condition in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/active-active-firewall-bgp-failure-condition/m-p/518534#M107571</link>
    <description>&lt;P&gt;Is the expectation that when BGP to the provider goes down on A-P, traffic will then go to A-S? I assume you've preferenced the prefix(es) learned through A-P so that's the better path from your internal gear.&lt;/P&gt;
&lt;P&gt;When BGP on A-P goes down, those prefixes should be withdrawn and traffic goes to A-S. Sounds like that's happening.&lt;/P&gt;
&lt;P&gt;What does the routing table look like on A-S when BGP is down on A-P?&amp;nbsp;&lt;/P&gt;
&lt;P&gt;What does a traceroute show?&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Thu, 20 Oct 2022 16:07:03 GMT</pubDate>
    <dc:creator>rmfalconer</dc:creator>
    <dc:date>2022-10-20T16:07:03Z</dc:date>
    <item>
      <title>Active-Active Firewall - BGP failure condition</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/active-active-firewall-bgp-failure-condition/m-p/518111#M107492</link>
      <description>&lt;P&gt;Hi All,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;How can I instigate a firewall failover for an Active-Active firewall if BGP fails? I feel I need a full failover but please tell me if I am wrong.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Here is the situation: Firewall in Active-Active mode, HA1, 2 and 3 up. BGP peering on outside and inside interface. 1 BGP peer on outside to local CPE. Inside peers to local CPE and remote datacentre CPE for resilience. When the BGP fails on the outside path, the inside peering is still up - traffic fails over to the Active-Secondary. I thought the traffic would route through the HA3 link but the traffic path just fails - failed ping that is - I think it's going through Active-Secondary with route back through Active-Primary with no outside network established - does that make sense?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;How could we mitigate against this failure? Having dual peering on the outside is not an option. If the interface fails it is configured to fail over, but this scenario is that the BGP drops and the interface stays up.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Regards&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Adrian&lt;/P&gt;</description>
      <pubDate>Mon, 17 Oct 2022 15:23:06 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/active-active-firewall-bgp-failure-condition/m-p/518111#M107492</guid>
      <dc:creator>a.jones</dc:creator>
      <dc:date>2022-10-17T15:23:06Z</dc:date>
    </item>
    <item>
      <title>Re: Active-Active Firewall - BGP failure condition</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/active-active-firewall-bgp-failure-condition/m-p/518534#M107571</link>
      <description>&lt;P&gt;Is the expectation that when BGP to the provider goes down on A-P, traffic will then go to A-S? I assume you've preferenced the prefix(es) learned through A-P so that's the better path from your internal gear.&lt;/P&gt;
&lt;P&gt;When BGP on A-P goes down, those prefixes should be withdrawn and traffic goes to A-S. Sounds like that's happening.&lt;/P&gt;
&lt;P&gt;What does the routing table look like on A-S when BGP is down on A-P?&amp;nbsp;&lt;/P&gt;
&lt;P&gt;What does a traceroute show?&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 20 Oct 2022 16:07:03 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/active-active-firewall-bgp-failure-condition/m-p/518534#M107571</guid>
      <dc:creator>rmfalconer</dc:creator>
      <dc:date>2022-10-20T16:07:03Z</dc:date>
    </item>
  </channel>
</rss>

