[c-nsp] [Fwd: FWSM 3.1 and Servers with redundant cards]

Patrick McEvilly patrick_mcevilly at harvard.edu
Sat Sep 1 09:05:47 EDT 2007



The FWSM supports asymmetric traffic using the asr-group configuration.
I believe this will do what you want it to do.

Patrick

>From the docs.

In some situations, return traffic for a session may be routed through a
different interface than it
originated from. In failover configurations, return traffic for a
connection that originated on one unit may
return through the peer unit. This most commonly occurs when two
interfaces on a single FWSM, or two
FWSMs in a failover pair, are connected to different service providers
and the outbound connection does
not use a NAT address. By default, the FWSM drops the return traffic
because there is no connection
information for the traffic.
You can prevent the return traffic from being dropped using the
asr-group command on interfaces where
this is likely to occur. When an interface configured with the asr-group
command receives a packet for
which it has no session information, it checks the session information
for the other interfaces that are in
the same group.
Note In failover configurations, you must enable Stateful Failover for
session information to be passed from
the standby unit or failover group to the active unit or failover group.
If it does not find a match, the packet is dropped. If it finds a match,
then one of the following actions
occurs:
• If the incoming traffic originated on a peer unit in a failover
configuration, some or all of the layer
2 header is rewritten and the packet is redirected to the other unit.
This redirection continues as long
as the session is active.
• If the incoming traffic originated on a different interface on the
same unit, some or all of the layer
2 header is rewritten and the packet is re-injected into the stream.
Note Using the asr-group command to configure asymmetric routing support
is more secure than using the
static command with the nailed option.

Enter the following commands to add an interface to an asymmetric
routing group. Stateful Failover
must be enabled for asymmetric routing support to function properly
between units in failover
configurations.
hostname/ctx1(config)# interface if
hostname/ctx1(config-if)# asr-group num
Valid values for num range from 1 to 32. You need to enter the command
for each interface that will
participate in the ASR group. You can view the number of ASR packets
transmitted, received, or dropped
by an interface using the show interface detail command.
You can create up to 32 ASR groups and assign a maximum of 8 interfaces
to each group.
Note The upstream and downstream routers must use one MAC address per
VLAN and have different MAC
addresses for different VLANs to allow for the redirection of packets
from a standby unit to an active
unit in failover configurations.



Hi,


For redundancy reasons, we have a server with two network cards.

Each card belongs to a subnet and each subnet to a different DMZ.

The server has two default routes with different metrics, where the prefered
default route is in the DMZ_1.


+--------+-card_1--192.168.1.1/24----DMZ_1--+--------+
| SERVER |                                  |  FWSM  |---OUTSIDE
+--------+-card_2--192.168.2.1/24----DMZ_2--+--------+


The problem is that when we telnet from the outside to the ip destination
192.168.2.1, the server replies using the ip source 192.168.1.1.

So the FWSM blocs, as it should, the SYN/ACK from the server:

%FWSM-6-302013:
Built inbound TCP connection 146242008855220280
for OUTSIDE:10.10.10.140/9244 (10.10.10.140/9244)
to DMZ_2:192.168.2.1/23 (192.168.2.1/23)

%FWSM-6-106015:
Deny TCP (no connection)
from 192.168.2.1/23 to 10.10.10.140/9244
flags SYN ACK  on interface DMZ_1

Given that we have one FWSM (so no exchange of states), is there anyway to
overcome that issue from the FWSM?

Would it help to bring each DMZ in its own context?

Any comment will be welcomed.

Thank you.


Christophe





More information about the cisco-nsp mailing list