Has anyone been able to successfully get subsecond failovers to work with active/passive firewalls running dynamic routing protocols such as BGP or OSPF? In our lab testing, it appears we can get the firewall to failover instantly, but then it takes BGP a few seconds to drop/re-establish. Our next testing will be OSPF to see if that helps speed it up any. But then we'd have to redistribute those routes into BGP (our core), which might introduce a few-second gap. So far, testing failovers (manual failovers via the GUI) while running BGP and pinging a peer behind the FW, we drop several pings. With static routes in place, the failover seems to happen quickly enough that no pings drop.
I've searched about every article on this site and tried about all the suggestions for faster failover, bgp timers, etc.
On another note, would going active/active help this scenario? The only main reason (other than link failures, firewall failures, etc.) I'd expect a failover would be for a firewall upgrade/maintenance. Granted, that will be done during a maintenance window if possible. But we have some "custom" applications that might go offline and fail over to our DR site if they lose connectivity for very long.
Thanks
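The lab test described above measures the failover gap by counting dropped pings. As an added example (not part of the original post), the script below turns captured ping output into an outage duration, so the BGP and static-route runs can be compared against a subsecond target. It assumes Linux `ping` output format and a fixed send interval (here 0.2 s, so gaps resolve to sub-second granularity); the sample capture is constructed.

```python
import re

# Constructed sample of `ping -i 0.2` output captured during a manual
# firewall failover. The missing icmp_seq values are the dropped pings.
SAMPLE_PING_OUTPUT = """\
64 bytes from 10.1.1.10: icmp_seq=1 ttl=63 time=0.41 ms
64 bytes from 10.1.1.10: icmp_seq=2 ttl=63 time=0.39 ms
64 bytes from 10.1.1.10: icmp_seq=3 ttl=63 time=0.40 ms
64 bytes from 10.1.1.10: icmp_seq=19 ttl=63 time=0.44 ms
64 bytes from 10.1.1.10: icmp_seq=20 ttl=63 time=0.42 ms
64 bytes from 10.1.1.10: icmp_seq=21 ttl=63 time=0.41 ms
64 bytes from 10.1.1.10: icmp_seq=25 ttl=63 time=0.40 ms
"""

SEQ_RE = re.compile(r"icmp_seq=(\d+)")


def find_outages(ping_output, interval_s):
    """Return one tuple per run of lost probes:
    (first_lost_seq, last_lost_seq, lost_count, estimated_gap_seconds).
    The gap estimate is lost_count * interval_s, i.e. a lower bound on
    the real outage (the true gap lies between lost*interval and
    (lost+1)*interval)."""
    seqs = [int(m.group(1)) for m in SEQ_RE.finditer(ping_output)]
    outages = []
    for prev, cur in zip(seqs, seqs[1:]):
        lost = cur - prev - 1
        if lost > 0:
            outages.append((prev + 1, cur - 1, lost, round(lost * interval_s, 3)))
    return outages


def longest_outage_seconds(ping_output, interval_s):
    """Worst single gap in the capture; 0.0 when no probe was lost."""
    return max((o[3] for o in find_outages(ping_output, interval_s)), default=0.0)


def meets_target(ping_output, interval_s, target_s=1.0):
    """True when every gap stayed under the subsecond target."""
    return longest_outage_seconds(ping_output, interval_s) < target_s


if __name__ == "__main__":
    for first, last, lost, gap in find_outages(SAMPLE_PING_OUTPUT, 0.2):
        print(f"seq {first}-{last}: {lost} lost, ~{gap}s outage")
    print("subsecond target met:", meets_target(SAMPLE_PING_OUTPUT, 0.2))
```

Run the same capture for the BGP and static-route tests; the longest gap is the number to compare, and a 3 s gap at 0.2 s interval corresponds to roughly the BGP re-establishment delay described above.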