Service Interruption upon an Active/Standby Switchover of Firewalls on an OSPF Network

Publication Date: 2014-01-06
Issue Description
The networking is as follows:

Description:
The figure shows a typical square network. The entire network runs the dynamic routing protocol Open Shortest Path First (OSPF). The NE40E functions as an area border router (ABR). The cost is set to 50 on the interconnection interface of the NE40E. When the network runs properly, the test PC connects to the test server using the route identified by the yellow line. When USG5530-01 is faulty, the test PC connects to the test server using the route identified by the red line.
Fault symptom:
When USG5530-01 goes Down, the test PC fails to connect to the test server.
Alarm Information
None
Handling Process
Perform the following configurations on USG5530-02:
1. ip route-static 10.20.1.0 255.255.255.0 NULL0
2. ospf 64 router-id X.X.X.X
   import-route static type 1
Root Cause
The test PC is on network segment 192.168.1.0. A firewall must perform source-based Network Address Translation (NAT) so that the test PC can connect to the test server. The network segment of the NE40E interface connected to the firewall is 10.10.1.0/24. The customer wants this network segment to be translated into network segment 10.20.1.0/24. Therefore, the following configurations must be completed on the firewall:
1. ip route-static 10.20.1.0 255.255.255.0 NULL0 (Configure the address after translation as the destination address and specify the NULL0 interface so that the firewall has a route to the network segment after translation.)
2. ospf 64 router-id X.X.X.X
   import-route static type 1 (Advertise the static route to OSPF so that OSPF-capable devices can send response packets with destination IP address 10.20.1.0 to the firewall.)
The preceding configurations exist on USG5530-01, but not on USG5530-02. Therefore, when USG5530-01 goes Down, services are interrupted.
Suggestions
1. Ensure that configurations are the same on the active and standby devices.
2. Static routes on the active and standby devices cannot be synchronized through heartbeat packets. Therefore, static route configurations must be manually completed on the active and standby devices.
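One way to check the two suggestions above before a switchover, as an added example that is not part of the original case or any Huawei tool: compare the saved text configurations of the active and standby firewalls and list the static routes and OSPF import-route statements that exist only on the active device. The function names, the sample configurations and the router IDs are constructed for illustration, and the input is assumed to be the text of display current-configuration from each device.

```python
import re

# Constructed sample configurations (not taken from the devices in this case).
ACTIVE_CFG = """\
sysname USG5530-01
ip route-static 10.20.1.0 255.255.255.0 NULL0
ospf 64 router-id 1.1.1.1
 import-route static type 1
 area 0.0.0.0
  network 10.10.1.0 0.0.0.255
"""
STANDBY_CFG = """\
sysname USG5530-02
ospf 64 router-id 2.2.2.2
 area 0.0.0.0
  network 10.10.1.0 0.0.0.255
"""

def routing_items(cfg):
    """Return static routes and per-process OSPF import-route statements."""
    items, ospf = set(), None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line == "#":                      # view separator ends the ospf view
            ospf = None
        if not line or line == "#":
            continue
        if not raw.startswith(" "):          # top-level command
            # Key on the process id only: router IDs legitimately differ.
            m = re.match(r"ospf (\d+)", line)
            ospf = m.group(1) if m else None
            if line.startswith("ip route-static "):
                items.add(" ".join(line.split()))
        elif ospf and line.startswith("import-route "):
            items.add(f"ospf {ospf}: " + " ".join(line.split()))
    return items

def missing_on_standby(active_cfg, standby_cfg):
    """Routing configuration present on the active device but not the standby."""
    return sorted(routing_items(active_cfg) - routing_items(standby_cfg))

if __name__ == "__main__":
    for item in missing_on_standby(ACTIVE_CFG, STANDBY_CFG):
        print("missing on standby:", item)
```

Run against the sample input, it reports both statements from the Handling Process as missing on the standby device.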
