Forum Discussion
What will happen with HSRP failover with auto_lasthop but without lasthop pool setup
We are running 10.2.x with auto_lasthop set, but we did not have a lasthop pool set and used. What will happen when the external HSRP routers fail over: will it only affect existing sessions, and new connections will not be affected?
Have not had time to test it in the lab yet.
6 Replies
- Hamish
Cirrocumulus
That depends on what happens to the MAC address that's listed in the connection.
If the MAC that initiated the connection fails over with the HSRP then it's invisible.
If the MAC that initiated the connection DOES NOT fail over with the HSRP, then the existing connections in the connection table will hang.
This is by design apparently. IIRC the only way to have this behaviour change is to configure a last-hop pool. In which case a poolmember down will (apparently) cause a fixup of the lasthop MAC address for the connections in the connection table already. Thinking back though there was some reason we couldn't use lasthop pools when I last looked at this (Back when I used to look after a firewall sandwich), but I can't quite remember why ATM...
H
- What_Lies_Bene1
Cirrostratus
I think it will only be existing sessions. New sessions will come from a different MAC and be OK. That is until HSRP fails back (if configured to do so). Why don't you want to use a Last Hop Pool?
@Hamish, Lasthop Pools doesn't work with VRRP which is what those firewalls probably ran.
- nitass
Employee
Based on sol9487, I understand existing connections will be affected. New connections could be okay because they will be coming from a new MAC address.
sol9487: BIG-IP support for neighboring VRRP/HSRP routers
http://support.f5.com/kb/en-us/solutions/public/9000/400/sol9487.html
Just my 2 cents.
- Dengfeng_54944
Nimbostratus
We are using Cisco HSRP; the active HSRP node's MAC address did not fail over together.
Anyone tested this in a lab environment?
- Hamish
Cirrocumulus
If the MAC address doesn't fail over, existing connections fail (Assuming the router with that MAC died) and new connections get the new node's MAC address.
If the router DIDN'T fail (i.e. An admin changed HSRP priorities etc), then nothing should be affected (Because the router can still route). YMMV, I've seen some configs where only the HSRP active router can reach the destination (e.g. someone relying on static routes and the failover was because of an untracked link/interface failure).
H
- Hamish
Cirrocumulus
Posted By What Lies Beneath on 02/11/2013 07:23 AM
@Hamish, Lasthop Pools doesn't work with VRRP which is what those firewalls probably ran.
Nope. That would invalidate the whole reason for building a firewall sandwich... No, IIRC it was because last-hop pools were one-way, whereas we were balancing in both directions...
H
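The cases discussed in this thread, as a small added model that is not part of any reply and is not F5 code. It assumes the load balancer stores the source MAC of a connection's first inbound frame and never rewrites it (auto_lasthop, no lasthop pool); router MACs and flow names are constructed.

```python
from dataclasses import dataclass

VMAC = "00:00:0c:07:ac:01"  # HSRPv1 virtual MAC for group 1 (constructed group number)


@dataclass
class Router:
    bia: str              # burned-in MAC (constructed sample value)
    alive: bool = True
    active: bool = False  # HSRP active role

    def owned_macs(self):
        # A dead router answers for nothing; the active one also owns the virtual MAC.
        if not self.alive:
            return set()
        return {self.bia, VMAC} if self.active else {self.bia}


def simulate(src_is_vmac: bool, old_active_dies: bool):
    """Return (existing_flow_ok, new_flow_ok) after one HSRP failover.

    src_is_vmac: frames reach the load balancer sourced from the virtual MAC,
                 so the stored last hop follows the HSRP active role.
    old_active_dies: the former active router is down, as opposed to an
                     administrative priority change that leaves it routing.
    """
    r1 = Router("00:11:22:00:00:01", active=True)
    r2 = Router("00:11:22:00:00:02")
    routers = [r1, r2]
    conn_table = {}  # flow -> last-hop MAC learned at connection setup

    def accept(flow):
        active = next(r for r in routers if r.alive and r.active)
        conn_table[flow] = VMAC if src_is_vmac else active.bia

    def return_path_ok(flow):
        # Replies go to the stored MAC; they arrive only if a live router owns it.
        return any(conn_table[flow] in r.owned_macs() for r in routers)

    accept("existing")
    r1.active, r1.alive = False, not old_active_dies  # failover event
    r2.active = True
    accept("new")
    return return_path_ok("existing"), return_path_ok("new")


if __name__ == "__main__":
    for vmac in (True, False):
        for dies in (True, False):
            print(f"src_is_vmac={vmac} old_active_dies={dies} ->", simulate(vmac, dies))
```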
