Subsecond failover with active/passive firewalls running dynamic routing possible?

jmurphy — Mon, 14 Mar 2016 13:33:31 GMT

Has anyone been able to successfully get subsecond failovers to work with active/passive firewalls running dynamic routing protocols such as BGP or OSPF? In our lab testing, it appears we can get the firewall to failover instantly, but then it takes BGP a few seconds to drop/re-establish. Our next testing will be OSPF to see if that helps speed it up any. But then we'd have to redistribute those routes into BGP (our core) which might introduce a few second gap. So far testing failovers (manual failovers via the gui), while running BGP and pinging peer behind the FW, we drop several pings. With static routes in place, the failover seems to happen quick enough that no pings drop.

I've searched about every article on this site and tried about all the suggestions for faster failover, bgp timers, etc.

On another note, would going active/active help this scenario? The only main reason (other than link failures, firewall failures, etc.) I'd expect a failover would be for a firewall upgrade/maintenance. Granted that will be done during a maintenance window if possible. But we have some "custom" applications that might go offline and fail to our DR site if they loose connectivity for very long.

Thanks

Re: Subsecond failover with active/passive firewalls running dynamic routing possible?

licenselu — Mon, 14 Mar 2016 14:56:04 GMT

Hello,

For OSPF, just enabled graceful restart !!

PS: enable this feature also on the neighbor device.

Graceful restart is also available for BGP but I have never tested it !!

Regards,

topic Re: Subsecond failover with active/passive firewalls running dynamic routing possible? in General Topics

Subsecond failover with active/passive firewalls running dynamic routing possible?

Re: Subsecond failover with active/passive firewalls running dynamic routing possible?