How can I instigate a firewall failover for an Active-Active firewall if BGP fails? I feel I need a full failover but please tell me if I am wrong.
Here is the situation: the firewall is in Active-Active mode, with HA1, HA2 and HA3 up. BGP peers on both the outside and inside interfaces: one BGP peer on the outside to the local CPE, and inside peers to the local CPE and to the remote datacentre CPE for resilience. When BGP fails on the outside path, the inside peering stays up and traffic fails over to the Active-Secondary. I thought the traffic would route through the HA3 link, but the traffic path just fails (failed ping, that is). I think it's going through Active-Secondary with the return route back through Active-Primary, which has no outside network established. Does that make sense?
How could we mitigate this failure? Having dual peering on the outside is not an option. If the interface fails it is configured to fail over, but in this scenario the BGP session drops while the interface stays up.
Is the expectation that when BGP to the provider goes down on A-P, traffic will then go to A-S? I assume you've preferenced the prefix(es) learned through A-P so that's the better path from your internal gear.
When BGP on A-P goes down, those prefixes should be withdrawn and traffic goes to A-S. Sounds like that's happening.
What does the routing table look like on A-S when BGP is down on A-P?
What does a traceroute show?