topic Re: OSPF with Active/Passive HA in General Topics

OSPF with Active/Passive HA

rchung54 — Thu, 18 Apr 2019 11:47:51 GMT

Hi,

I came across this design guide and looking at labbing this up for testing, as the design could be a good fit for our production environment, with a few tweaks. In my case, I'll be using OSPF between the firewalls and internal routers A and B. The connections to the edge routers A and B will be the provider routers, so they will be outside facing and I won't be running OSPF between them.

I have a few question about the floating static routes mentioned:

1. are these floating static routes configured on internal router A and edge router A?

2. are these floating static routes also configured on the Palo Alto as static routes? As the screen shots show them being on the Palo Alto.

Just to get my upstream and downstream routers right:

1. Is the upstream router edge router A?

2. Is the downstream router Internal router A?

Anyone used this design on their production network? Any limitations, advantages/disadvantages with the design?

Your advice and thoughts are appreciated.

Re: OSPF with Active/Passive HA

jeremy.larsen — Thu, 18 Apr 2019 14:28:12 GMT

IMO,

If you are doing Active/Passive, why not put a switch between the routers and the Firewall HA pair. An ARP transition is almost unnoticeable and solves the goofy floating static setup.
Or, just go all the way and run this as Active/Active. While your at it, full mesh the routers/firewalls and build your redundancy that way?

There are a lot of design solutions in a setup like this. But to answer your question, the floating static is set on ALL routers in this setup (but different IP on the internal vs the external routers). The reason for the floating static is that the Next Hop IP will transition to the Passive Firewall before OSPF reconverges from a failure event. With a floating static, this means there is a backup route already in the table. So when OSPF goes down temporarily (and it will), this backup route is ready and waiting to be pushed into the FIB for near uninterrupted traffic flows.

I highly recommend reading through the PAN documentation on HA - https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/high-availability/ha-overview.html

Does this make sense?

Re: OSPF with Active/Passive HA

rchung54 — Tue, 23 Apr 2019 10:38:22 GMT

Hi Jeremy,

Thank you for your reply. Why the floating static routes are used, does make sense, in case OSPF does fail, the traffic will still flow.

So I would configure a static route on Edge Routers A and B (the upstream routers), pointing to the Datacentre LAN. And a static route pointing to the Internet/0.0.0.0/0, on Internal Routers A and B (the downstream routers). Is this correct for this scenario?

An Active/Active option is not possible as the Palo's will be 25 miles apart from each other (for DR purposes). The two Palos will be connected via the HA link over 2 x L2 links between two sites. One of these L2 links will be the primary (the active) and the other will be the secondary (the backup link), hence exploring the Active/Passive design option.

Please let me know if I am right about the configs of the static routes, on those routers.

Re: OSPF with Active/Passive HA

rchung54 — Tue, 23 Apr 2019 15:18:16 GMT

@ jeremy.larsen

So, I've been labbing this up and have created the floating static routes on all the routers as you mentioned. In steps 12 and 13 of the configuration guide, it says redistribute the floating static routes upstream and downstream. Does this mean I have to create a Redistribution Profile on the Palo Alto and add it to the Export Rules in OSPF?

Many thanks in advance.

Re: OSPF with Active/Passive HA

jeremy.larsen — Wed, 24 Apr 2019 12:50:22 GMT

The redistribution will have to be done on your routers because this is where the static routes are created. Since you have L2 between the sites, I would REALLY look at either sticking an HA switch stack between the routers and the FW and letting ARP handle all of this for you. Otherwise I would look at Active/Active and Anycast your Default Gateways down. It just appears you are over-complicating an easy solution IMO.

Re: OSPF with Active/Passive HA

rchung54 — Wed, 24 Apr 2019 14:22:12 GMT

@jeremy.larsen

Hi Jeremy, do you mean a switch between Internal Router A (and B) and Firewall 1 (and 2) and use VRRP or HSRP?

Re: OSPF with Active/Passive HA

jeremy.larsen — Wed, 24 Apr 2019 16:57:38 GMT

Yes. But, since they are all in the same subnet, you could probably skip the VRRP/HSRP. The IP on the FW will just move and re-ARP. Session state would be maintained. It really depends on how you have your routing set up and if you are able to do the same L2 on the "external" side as well.

Re: OSPF with Active/Passive HA

jeremy.larsen — Thu, 25 Apr 2019 20:29:20 GMT

Here is another idea you should consider. Rebuild the way you are thinking about your HA/DR/etc plan. break the HA pair and operate each FW independently. Think of them as Routers (because they are) and route ALL traffic between sites through the firewalls. This is of course only if you have enough horsepower to push whatever bandwidth you have available between sites. Any inbound services should be routed through some kind of load balancer (ie - F5/Netscaler/etc). Use DNS to move your inbound services if your primary site goes down or even load balance both ISPs and you could have both sites running even if the interconnects go down. I really don't like the floating static design as there are more dynamic ways of handling this problem. You could also run an HA pair at each site in this design which gives you even more failure protections.

Penny for you thoughts?

Re: OSPF with Active/Passive HA

BrianSnow — Wed, 02 Apr 2025 23:19:15 GMT

I haven't been able to find the guide referenced in the original post. Does anyone have a link or an updated version?