Users Fail to Access the Internet Through NAT After Active/Standby Switchover Due to Incorrect Route Configuration

Publication Date: 2015-07-02
Issue Description
Network Topology: (topology figure not reproduced here)
Service overview:
As shown in the figure, two USGs are deployed in hot standby networking and form square networking with Cisco switches. FW1 is the active device, and FW2 is the standby device.

Symptom:

Disconnect the network cable of the WAN or LAN interface on FW1. The firewalls switch their active/standby states quickly; however, NAT services fail. The NAT configuration is as follows:

nat server global 20.211.136.26 inside 10.211.146.75 vrrp 4

Shut down FW1. Services are still unavailable.
Handling Process
After the active/standby switchover, the server still cannot be accessed. Therefore, either the standby device is incorrectly configured or the MAC forwarding table on the switches is not refreshed. The configurations are verified and found to be correct. Session statistics are then displayed on the firewalls: after the network cable of the WAN interface on FW1 is disconnected, new sessions are still established on FW1, and the session count on FW2 does not increase. This proves that packets from the server are still being forwarded to FW1, which at first suggests that the MAC forwarding table on the switch is not refreshed.

The onsite engineer connects a PC to the switch, pings the virtual IP address of the firewall LAN interface, and checks the session statistics. The statistics show that the session is established on FW2 and that the session count increases on FW2 but not on FW1. The switch is therefore working properly, and the server configuration needs to be checked.

Connect the WAN interface of FW1 to the switch again and add an unused interface to VRRP to trigger an active/standby switchover, then display the session statistics. The session count on FW1 increases and reverse sessions are displayed, which proves that the services are available. The customer is asked to access the Internet from the server, and the access succeeds. The analysis shows that the problem lies on the server, because all of its Internet-bound packets are forwarded to FW1. The customer is asked to send the server's routing table, which shows that the next hop of the route points to the real IP address of the LAN interface on FW1 rather than to the virtual IP address.

Change the route on the server and repeat the switchover test. No faults occur. The customer had forgotten to change the route on the server when deploying hot standby on the existing standalone network.
Root Cause
Due to a route configuration problem on the server, all packets destined for the Internet are forwarded to FW1's real LAN address. When the network cable of the WAN or LAN interface on FW1 is disconnected, the virtual IP address moves to FW2, but the server keeps sending traffic to FW1, so services become unavailable.
Solution
Change the next hop of the route on the server to the VRRP virtual IP address of the firewalls' LAN interfaces, so that the server always forwards to whichever firewall is currently active.
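As an added example (not part of the original case), the following script audits a server's routing table for exactly this misconfiguration: a default route whose next hop is a member firewall's real LAN address instead of the VRRP virtual IP. The VIP and the FW1/FW2 LAN addresses below are constructed placeholders, as the case does not give them; it accepts Linux `ip route` or Windows `route print` output.

```python
import ipaddress
import re

# Constructed values (not from the case): the VRRP virtual IP on the
# firewall LAN side and the real LAN addresses of FW1 and FW2.
LAN_VIP = ipaddress.ip_address("10.211.146.1")
REAL_LAN_IPS = {
    ipaddress.ip_address("10.211.146.2"): "FW1",
    ipaddress.ip_address("10.211.146.3"): "FW2",
}

# Default-route gateway in Linux `ip route` output ("default via X dev eth0")
# and in Windows `route print` output ("0.0.0.0  0.0.0.0  X  <iface>  <metric>").
_LINUX_DEFAULT = re.compile(r"^default\s+via\s+(\S+)")
_WINDOWS_DEFAULT = re.compile(r"^\s*0\.0\.0\.0\s+0\.0\.0\.0\s+(\S+)")

def default_gateways(route_output):
    """Return the next-hop addresses of every default route in the output."""
    gateways = []
    for line in route_output.splitlines():
        m = _LINUX_DEFAULT.match(line) or _WINDOWS_DEFAULT.match(line)
        if not m:
            continue
        try:
            gateways.append(ipaddress.ip_address(m.group(1)))
        except ValueError:
            pass  # e.g. "On-link" in Windows output
    return gateways

def audit_default_route(route_output):
    """Classify the server's default route for hot-standby correctness.

    "ok": next hop is the VIP and follows the active firewall on switchover.
    "real-ip:FWn": next hop is a member's physical address, so traffic keeps
    going to that box after a switchover (the fault in this case).
    "unknown-gateway" / "no-default-route": needs manual review.
    """
    gateways = default_gateways(route_output)
    if not gateways:
        return "no-default-route"
    for gw in gateways:
        if gw in REAL_LAN_IPS:
            return f"real-ip:{REAL_LAN_IPS[gw]}"
        if gw != LAN_VIP:
            return "unknown-gateway"
    return "ok"

# Constructed sample (Linux): the misconfiguration found in this case.
SAMPLE_BAD = "default via 10.211.146.2 dev eth0\n10.211.146.0/24 dev eth0 scope link\n"
SAMPLE_GOOD = "default via 10.211.146.1 dev eth0\n"
```

Running `audit_default_route` over the output collected from each server behind the firewall pair catches hosts that were never repointed to the VIP before the next switchover does.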
