04-07-2009 03:30 AM
Situation: ISG-2000 HA A/S pair is connected to Cisco 7609 pair. Each FW has two uplinks, one to each router. Each uplink interface is part of one point-to-point OSPF network. FW redistributes its connected subnets in OSPF so each router receives routes via its point-to-point OSPF network. Routers run BGP and redistribute routes in OSPF so FW receives the same routes from two different router-ids.
Issue 1: "Sometimes" we see during flow debugging that router 1 advertises FW connected subnets, so FW receives packets from router 1, but as it learns the remote subnets through router 2 the reply packet cannot go out the same interface it came in and is therefore dropped, even when policies are set up for both zones/interfaces. What is the best way to have active/backup uplinks in a way that FW receives/sends packets from/to the same router?
Issue 2: We turned off SVI on router 1 to remove it as OSPF neighbor of the FW to allow only a single uplink to the FW. This fixed issue 1 above and all TCP applications started working. However, all GTP/UDP traffic stopped working, i.e., existing GTP tunnels were not switched to the other OSPF uplink, plus new GTP tunnels also did not establish through the other OSPF uplink. Why?
Issue 3: "clear session all" fixed the issue 2 above. But when remote tunnel endpoints were "not connected" subnets of FW and only learned through OSPF why were the tunnels not switched to second OSPF uplink? How to prevent this "GTP hang" in case one uplink goes down due to some network problem?
04-07-2009 10:55 AM
Hmm, it looks like the session was not updated with the new routes after the fail over.
Could you check the session with:
(1) get sess dst-ip X.X.X.X and take a look at the routes shown in the session
(2) after the routes fail run the same cmd again and check the routes to see if the session has updated the new routes to be used.
I think once we are clear on this point we should be able to move forward.
04-08-2009 10:18 AM
I have asked for logs. I don't have direct access. Let me ask this though. Can I increase the cost of one of the two interfaces that is running point-to-point OSPF network so that ISG always installs the routes learned from the other interface into its routing table?
04-08-2009 12:00 PM
Hmm, you can but I think we can check the routing table now to see if the routes are correct.
The issue is I guess that the tunnel sessions are not updating the session though.
In that case, even if the routes were installed correctly you will still have a problem, so we need to confirm which it is.
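As an added illustration (not code from the thread, from Juniper or from Cisco), here is a toy Python model of a stateful firewall whose sessions pin the egress interface chosen when the session was created; the interface names, prefixes, ports and OSPF costs are made up. It reproduces the reverse-route drop behind issue 1 and the stale session after an uplink's routes are withdrawn behind issues 2 and 3, and shows why clearing the session table restores forwarding.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Route:
    prefix: str   # destination network
    iface: str    # egress interface: "eth1" faces router 1, "eth2" faces router 2
    cost: int     # OSPF cost, lowest wins after longest prefix

@dataclass
class Firewall:
    routes: list
    sessions: dict = field(default_factory=dict)  # flow -> egress iface pinned at creation

    def lookup(self, host):
        """Longest-prefix, then lowest-cost route; ties keep the order routes were learned."""
        ip = ipaddress.ip_address(host)
        cands = [r for r in self.routes if ip in ipaddress.ip_network(r.prefix)]
        if not cands:
            return None
        return min(cands, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.cost)).iface

    def withdraw(self, iface):
        """OSPF neighbour on `iface` lost: its routes vanish, but sessions are not rewritten."""
        self.routes = [r for r in self.routes if r.iface != iface]

    def clear_sessions(self):
        """Toy equivalent of the thread's 'clear session all'."""
        self.sessions.clear()

    def forward(self, src, dst, in_iface, dport):
        """Return the egress interface for this packet, or None if it is dropped."""
        flow = (src, dst, dport)
        if flow not in self.sessions:
            if self.lookup(src) != in_iface:   # reverse-route check: src must be reachable via ingress
                return None                    # asymmetric path, as in issue 1
            out = self.lookup(dst)
            if out is None:
                return None
            self.sessions[flow] = out          # egress pinned for the session's lifetime
        return self.sessions[flow]

def demo():
    fw = Firewall([
        Route("10.0.0.0/24", "inside", 0),   # FW connected subnet, redistributed to both routers
        Route("192.0.2.0/24", "eth2", 10),   # remote subnet learned from router 2 first
        Route("192.0.2.0/24", "eth1", 10),   # and from router 1 at equal cost
    ])
    r = {}
    r["issue1_in_via_r1"] = fw.forward("192.0.2.9", "10.0.0.5", "eth1", 443)     # None: dropped
    r["issue1_in_via_r2"] = fw.forward("192.0.2.9", "10.0.0.5", "eth2", 443)     # "inside"
    r["gtp_before"] = fw.forward("10.0.0.5", "192.0.2.9", "inside", 2152)        # "eth2"
    fw.withdraw("eth2")                                                          # router 2 adjacency gone
    r["gtp_stale"] = fw.forward("10.0.0.5", "192.0.2.9", "inside", 2152)         # still "eth2": black hole
    r["new_flow"] = fw.forward("10.0.0.5", "192.0.2.9", "inside", 2123)          # "eth1": fresh lookup
    fw.clear_sessions()
    r["gtp_after_clear"] = fw.forward("10.0.0.5", "192.0.2.9", "inside", 2152)   # "eth1"
    return r
```

In the model a new flow does find the surviving uplink, which is the behaviour the second poster expects; it does not explain why new tunnels also failed in issue 2, which the thread leaves to the requested session logs.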