OSPF A/P HA Config with Floating Static Routes

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

OSPF A/P HA Config with Floating Static Routes

Not applicable

I am trying to understand the sample OSPF Active/Passive HA configuration outlined in Tech Note: How to Configure OSPF  https://live.paloaltonetworks.com/docs/DOC-1939 .   The problem I have is with the floating static routes defined on upstream and downstream routers intended to reduce failover times.   Floating static routes are described in steps 12 through 14 in the Tech Guide.   In my small test network I have a session delay of 4 seconds (measured by continuous pings across the network) during a failover.  I believe my delay is actually OSPF convergence time.  Failover delay is shorter.  I don't think the floating static routes are helping to reduce delay.

While OSPF is still converging I can see the static routes on the upstream router and on the downstream router.  However, they do not appear on the Palo Alto firewalls.  Until OSPF converges, only connected routes appear in the firewall routing table.  Since OSPF is momentarily unavailable and redistributed routes are gone, it seems that I would have to define static routes with a high administrative cost pointing in the appropriate directions on the Palo Alto firewall cluster as well as on the upstream and downstream routers.

I appreciate comments.

ingThanks.

1 accepted solution

Accepted Solutions

L4 Transporter

You should not have to add the routes to the firewall since the forwarding table is synchronized between the units in an Active/Passive cluster.  I think these will not show in the routing table, but they should show up in the forwarding table on the Passive device (show routing fib).  If the routes are not showing up there it might be good to open a support case.

Also, making sure the Passive Link State setting is "Auto" will keep the link up so that can save some time, too.  You might also try reducing some of the hold timers to see if it makes a difference, but it is usually best to keep those to default, if possible.

Cheers,

Kelly

View solution in original post

1 REPLY 1

L4 Transporter

You should not have to add the routes to the firewall since the forwarding table is synchronized between the units in an Active/Passive cluster.  I think these will not show in the routing table, but they should show up in the forwarding table on the Passive device (show routing fib).  If the routes are not showing up there it might be good to open a support case.

Also, making sure the Passive Link State setting is "Auto" will keep the link up so that can save some time, too.  You might also try reducing some of the hold timers to see if it makes a difference, but it is usually best to keep those to default, if possible.

Cheers,

Kelly

  • 1 accepted solution
  • 4437 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!